Token-Level Fuzzing
Fuzzing has become a commonly used approach to identifying bugs in complex,
real-world programs. However, interpreters are notoriously difficult to fuzz
effectively, as they expect highly structured inputs, which are rarely produced
by most fuzzing mutations. For this class of programs, grammar-based fuzzing
has been shown to be effective. Tools based on this approach can find bugs in
the code that is executed after parsing the interpreter inputs, by following
language-specific rules when generating and mutating test cases. Unfortunately,
grammar-based fuzzing is often unable to discover subtle bugs associated with
the parsing and handling of the language syntax. Additionally, if the grammar
provided to the fuzzer is incomplete, or does not match the implementation
completely, the fuzzer will fail to exercise important parts of the available
functionality. In this paper, we propose a new fuzzing technique, called
Token-Level Fuzzing. Instead of applying mutations either at the byte level or
at the grammar level, Token-Level Fuzzing applies mutations at the token level.
Evolutionary fuzzers can leverage this technique to both generate inputs that
are parsed successfully and generate inputs that do not conform strictly to the
grammar. As a result, the proposed approach can find bugs that neither
byte-level fuzzing nor grammar-based fuzzing can find. We evaluated Token-Level
Fuzzing by modifying AFL and fuzzing four popular JavaScript engines, finding
29 previously unknown bugs, several of which could not be found with
state-of-the-art byte-level and grammar-based fuzzers.
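The following is an added illustration of the idea in the abstract, not the paper's AFL modification: inputs are lexed into tokens and mutated at token granularity, so nearly every mutant still lexes, while replacing a token with one of a different class (an identifier with a keyword, say) produces inputs that lex but do not conform to the grammar. The tokenizer, the seed corpus and the comparison against a byte-flipping baseline are all constructed for this example.

```python
"""Token-level mutation versus byte-level mutation for a JavaScript-like input language.

Illustrative code, not the paper's tool. The lexer is deliberately small (no regex
literals, no template strings) and the seed corpus is constructed for the example.
"""
import random
import re

# Minimal tokenizer: whitespace, numbers, strings, identifiers/keywords, punctuators.
TOKEN_RE = re.compile(
    r"""(?P<ws>\s+)
      | (?P<number>\d+(?:\.\d+)?)
      | (?P<string>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')
      | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
      | (?P<punct>===|!==|==|!=|<=|>=|=>|\+\+|--|&&|\|\||[-+*/%=<>!(){}\[\];,.:?])
    """,
    re.VERBOSE,
)
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else",
            "for", "while", "new", "typeof"}

SEED_CORPUS = [  # constructed seed inputs
    'var a = [1, 2, 3]; a.length = 0; print(typeof a);',
    'function f(x) { return x === undefined ? "u" : x + 1; } f(41);',
    'let o = {}; for (let i = 0; i < 3; i++) { o[i] = i * 2; }',
]


def tokenize(src):
    """Return a list of (kind, text) pairs; raise ValueError on an unlexable character."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            raise ValueError(f"unlexable input at offset {pos}: {src[pos:pos + 10]!r}")
        kind, text = m.lastgroup, m.group()
        if kind == "ident" and text in KEYWORDS:
            kind = "keyword"
        if kind != "ws":
            tokens.append((kind, text))
        pos = m.end()
    return tokens


def detokenize(tokens):
    """Join tokens with single spaces; spacing carries no meaning for this lexer."""
    return " ".join(text for _, text in tokens)


def build_dictionary(corpus):
    """Every distinct token seen in the seed corpus, grouped by token kind."""
    by_kind = {}
    for src in corpus:
        for kind, text in tokenize(src):
            by_kind.setdefault(kind, set()).add(text)
    return {k: sorted(v) for k, v in by_kind.items()}


DICTIONARY = build_dictionary(SEED_CORPUS)


def mutate_tokens(tokens, dictionary, rng, n_mutations=1):
    """Token-level edits: replace (same kind half the time, any kind otherwise),
    delete, duplicate, or insert a dictionary token. Cross-kind replacement is what
    lets the fuzzer leave the grammar while still producing lexable input."""
    toks, kinds = list(tokens), sorted(dictionary)
    for _ in range(n_mutations):
        op = rng.choice(["replace", "delete", "duplicate", "insert"])
        if op == "replace" and toks:
            i = rng.randrange(len(toks))
            kind = toks[i][0] if rng.random() < 0.5 else rng.choice(kinds)
            toks[i] = (kind, rng.choice(dictionary[kind]))
        elif op == "delete" and len(toks) > 1:
            del toks[rng.randrange(len(toks))]
        elif op == "duplicate" and toks:
            i = rng.randrange(len(toks))
            toks.insert(i, toks[i])
        else:
            kind = rng.choice(kinds)
            toks.insert(rng.randrange(len(toks) + 1), (kind, rng.choice(dictionary[kind])))
    return toks


def mutate_source(src, rng):
    """Token-level mutator with the same (src, rng) -> str shape as the byte-level one."""
    return detokenize(mutate_tokens(tokenize(src), DICTIONARY, rng))


def mutate_bytes(src, rng, n_mutations=1):
    """Byte-level baseline: overwrite random bytes with random values."""
    data = bytearray(src, "utf-8")
    for _ in range(n_mutations):
        data[rng.randrange(len(data))] = rng.randrange(256)
    return data.decode("utf-8", errors="replace")


def lexes(src):
    try:
        tokenize(src)
        return True
    except ValueError:
        return False


def lexable_fraction(corpus, mutator, trials=500, seed=0):
    """Share of mutants the lexer accepts: 1.0 for token-level, well below for byte-level."""
    rng, ok = random.Random(seed), 0
    for i in range(trials):
        if lexes(mutator(corpus[i % len(corpus)], rng)):
            ok += 1
    return ok / trials


if __name__ == "__main__":
    rng = random.Random(1)
    for _ in range(3):
        print(mutate_source(SEED_CORPUS[0], rng))
    print("token-level:", lexable_fraction(SEED_CORPUS, mutate_source))
    print("byte-level: ", lexable_fraction(SEED_CORPUS, mutate_bytes))
```

The point to notice is in the third sample line of output: a mutant like `var var = 1 ;` passes the lexer and reaches the parser's error paths, which a grammar-based generator would never emit and a byte flipper would rarely reach without also corrupting unrelated bytes.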
The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing
Most greybox fuzzing tools are coverage-guided, since code coverage is strongly
correlated with bug coverage. However, most covered code does not contain bugs,
so blindly extending code coverage is inefficient, especially for corner cases.
Unlike coverage-guided greybox fuzzers, which extend code coverage in an
undirected manner, a directed greybox fuzzer spends most of its time budget on
reaching specific targets (e.g., a bug-prone zone) instead of stressing
unrelated parts of the program. Directed greybox fuzzing (DGF) is therefore
particularly suitable for scenarios such as patch testing, bug reproduction,
and specialist bug hunting. This paper studies DGF from a broader view, which
takes into account not only the location-directed type that targets specific
code parts, but also the behaviour-directed type that aims to expose abnormal
program behaviours. It presents the first in-depth study of DGF, based on an
investigation of 32 state-of-the-art fuzzers (78% of them published after
2019) that are closely related to DGF. A thorough assessment of the collected
tools is conducted so as to systematise recent progress in this field. Finally,
it summarises the challenges and provides perspectives for future research.
Comment: 16 pages, 4 figures
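To make the "time budget on reaching specific targets" concrete, here is an added example of the scheduling core of a location-directed greybox fuzzer, written in the style of AFLGo's distance metric and simulated-annealing power schedule. It is illustrative code, not any of the surveyed tools: the control-flow graph, the seed execution traces and the cooldown parameters are all constructed for the example.

```python
"""Distance-guided seed scheduling for directed greybox fuzzing (illustrative).

1. Precompute, for every basic block, its shortest-path distance to the target block.
2. Score each seed by the mean distance of the blocks its execution covers.
3. Assign mutation energy with an annealing schedule: near-uniform early in the
   campaign (exploration), then concentrated on seeds closest to the target.
"""
from collections import deque

# Constructed CFG: block -> successor blocks. "T" stands for the target (e.g. a patched block).
CFG = {
    "entry": ["parse", "usage"],
    "usage": [],
    "parse": ["hdr_ok", "hdr_bad"],
    "hdr_bad": ["err"],
    "err": [],
    "hdr_ok": ["body", "empty"],
    "empty": [],
    "body": ["decode", "skip"],
    "skip": [],
    "decode": ["T"],
    "T": [],
}

# Constructed execution traces: the blocks each seed in the queue covers.
SEED_TRACES = {
    "seed_usage":  ["entry", "usage"],
    "seed_badhdr": ["entry", "parse", "hdr_bad", "err"],
    "seed_empty":  ["entry", "parse", "hdr_ok", "empty"],
    "seed_skip":   ["entry", "parse", "hdr_ok", "body", "skip"],
}


def distances_to_targets(cfg, targets):
    """Shortest distance from each block to the nearest target, via BFS on the reversed
    graph. Blocks from which no target is reachable get None."""
    rev = {b: [] for b in cfg}
    for block, succs in cfg.items():
        for s in succs:
            rev[s].append(block)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        cur = queue.popleft()
        for pred in rev[cur]:
            if pred not in dist:
                dist[pred] = dist[cur] + 1
                queue.append(pred)
    return {b: dist.get(b) for b in cfg}


def seed_distance(trace, dist):
    """Mean distance over the covered blocks that can still reach a target.
    Blocks on dead branches (None) are ignored; a seed covering none of them gets None."""
    reachable = [dist[b] for b in trace if dist.get(b) is not None]
    if not reachable:
        return None
    return sum(reachable) / len(reachable)


def power_schedule(seed_dists, elapsed, cooldown, base_energy=100):
    """Annealing schedule: temperature 20**(-elapsed/cooldown) starts at 1 and decays.
    At temperature 1 every seed gets base_energy; as it cools, energy becomes
    base_energy * 2**(10*p - 5) with p close to 1 for the nearest seed (32x) and
    close to 0 for the farthest (1/32x)."""
    known = [d for d in seed_dists.values() if d is not None]
    lo, hi = min(known), max(known)
    temp = 20 ** (-elapsed / cooldown)
    energy = {}
    for name, d in seed_dists.items():
        if d is None:
            energy[name] = 1  # keep a trickle of energy so unreachable-looking seeds are not starved
            continue
        d_norm = 0.0 if hi == lo else (d - lo) / (hi - lo)
        p = (1 - d_norm) * (1 - temp) + 0.5 * temp
        energy[name] = max(1, round(base_energy * 2 ** (10 * p - 5)))
    return energy


if __name__ == "__main__":
    dist = distances_to_targets(CFG, ["T"])
    seed_dists = {name: seed_distance(trace, dist) for name, trace in SEED_TRACES.items()}
    for elapsed in (0, 300, 600, 3000):
        print(elapsed, power_schedule(seed_dists, elapsed, cooldown=600))
```

Running the block shows the schedule shifting from a flat 100 per seed at the start of the campaign to a strongly skewed allocation once the temperature has cooled, with `seed_skip` (which already reaches `body`, two edges from `T`) receiving almost all of the budget.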
XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing
Workshop website: http://www.spacios.eu/sectest2012/
We present an approach to detecting web injection vulnerabilities by generating test inputs using a combination of model inference and evolutionary fuzzing. Model inference is used to obtain knowledge of the application's behaviour. Based on this understanding, inputs are generated with a genetic algorithm (GA). The GA uses the learned formal model to automatically generate inputs with better fitness values towards triggering an instance of the given vulnerability.