    Targeted Greybox Fuzzing with Static Lookahead Analysis

    Automatic test generation typically aims to generate inputs that explore new paths in the program under test in order to find bugs. Existing work has, therefore, focused on guiding the exploration toward program parts that are more likely to contain bugs by using an offline static analysis. In this paper, we introduce a novel technique for targeted greybox fuzzing using an online static analysis that guides the fuzzer toward a set of target locations, for instance, those located in recently modified parts of the program. This is achieved by first semantically analyzing each program path that is explored by an input in the fuzzer's test suite. The results of this analysis are then used to control the fuzzer's specialized power schedule, which determines how often to fuzz inputs from the test suite. We implemented our technique by extending a state-of-the-art, industrial fuzzer for Ethereum smart contracts and evaluated its effectiveness on 27 real-world benchmarks. Using an online analysis is particularly suitable for the domain of smart contracts since it does not require any code instrumentation; instrumenting contracts changes their semantics. Our experiments show that targeted fuzzing significantly outperforms standard greybox fuzzing for reaching 83% of the challenging target locations (up to 14x median speed-up).

    Combining Static and Dynamic Analysis for Vulnerability Detection

    In this paper, we present a hybrid approach for buffer overflow detection in C code. The approach makes use of static and dynamic analysis of the application under investigation. The static part consists of calculating taint dependency sequences (TDS) between user-controlled inputs and vulnerable statements. This process is akin to computing a program slice of interest: it calculates the tainted data- and control-flow paths that exhibit the dependence between tainted program inputs and vulnerable statements in the code. The dynamic part consists of executing the program along TDSs to trigger the vulnerability by generating suitable inputs. We use a genetic algorithm to generate inputs. We propose a fitness function that approximates the program behavior (control flow) based on the frequencies of the statements along TDSs. This runtime aspect makes the approach faster and more accurate. We provide experimental results on the Verisec benchmark to validate our approach. Comment: There are 15 pages with 1 figur

    Scaling in the Positive Plaquette Model and Universality in SU(2) Lattice Gauge Theory

    We investigate universality, scaling, the beta-function and the topological charge in the positive plaquette model for SU(2) lattice gauge theory. Comparing physical quantities, like the critical temperature, the string tension, glueball masses, and their ratios, we explore the effect of a complete suppression of a certain lattice artifact, namely the negative plaquettes, for SU(2) lattice gauge theory. Our result is that this modification does not change the continuum limit, i.e., the universality class. The positive plaquette model and the standard Wilson formulation describe the same physical situation. The approach to the continuum limit given by the beta-function in terms of the bare lattice coupling, however, is rather different: the beta-function of the positive plaquette model does not show a dip like the model with the standard Wilson action. Comment: 35 pages, preprint numbers FSU-SCRI-94-71 and HU Berlin-IEP-94/1