20 research outputs found

    FairFuzz: Targeting Rare Branches to Rapidly Increase Greybox Fuzz Testing Coverage

    Full text link
    In recent years, fuzz testing has proven itself to be one of the most effective techniques for finding correctness bugs and security vulnerabilities in practice. One particular fuzz testing tool, American Fuzzy Lop (AFL), has become popular thanks to its ease of use and bug-finding power. However, AFL remains limited in the depth of program coverage it achieves, in particular because it does not consider which parts of program inputs should not be mutated in order to maintain deep program coverage. We propose an approach, FairFuzz, that helps alleviate this limitation in two key steps. First, FairFuzz automatically prioritizes inputs exercising rare parts of the program under test. Second, it automatically adjusts the mutation of inputs so that the mutated inputs are more likely to exercise these same rare parts of the program. We conduct an evaluation on real-world programs against state-of-the-art versions of AFL, thoroughly repeating experiments to get good measures of variability. We find that on certain benchmarks FairFuzz shows significant coverage increases after 24 hours compared to state-of-the-art versions of AFL, while on others it achieves high program coverage at a significantly faster rate.
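    The two steps of the abstract, as an added illustration that is not the FairFuzz paper's code or AFL's: branch hit counts over a seed queue select the rarest branch, and a per-byte overwrite mask keeps only the positions that can be changed without losing that branch (the paper also builds deletion and insertion masks, which this example omits). The toy target, the seed queue, the branch names and the trial counts are all constructed assumptions of the example.

```python
import random
from collections import Counter

# Constructed toy target (an assumption of this example): a header-checked format.
# Branch ids collected in `trace` stand in for AFL's edge-coverage bitmap.
def target(data, trace):
    if data[:4] != b"FUZZ":
        trace.add("bad_magic")
        return
    trace.add("magic_ok")
    if len(data) < 6:
        trace.add("short")
        return
    if data[4] != 0x02:
        trace.add("other_version")
        return
    trace.add("v2")
    if data[5] != 0xFF:
        return
    trace.add("v2_flagged")  # rare: needs magic, version and flag byte together
    if data[6:8] == b"{}":
        trace.add("deep")  # only reachable through v2_flagged

def run(data):
    trace = set()
    target(data, trace)
    return trace

# Constructed seed queue; only the last seed reaches v2_flagged.
SEED_QUEUE = [
    b"hello world", b"GET / HTTP/1.0",       # bad_magic
    b"FUZZ", b"FUZZ\x02",                    # short
    b"FUZZ\x01abcdef", b"FUZZ\x07\xff\xff",  # other_version
    b"FUZZ\x02\x00xyz",                      # v2 without the flag byte
    b"FUZZ\x02\xffpayload-bytes",            # v2_flagged
]

def rarest_branch(queue):
    """FairFuzz step 1: the branch hit by the fewest inputs in the queue."""
    counts = Counter()
    for data in queue:
        counts.update(run(data))
    return min(counts, key=counts.get)

def overwrite(data, pos, rng):
    """Overwrite one byte with a different random byte."""
    out = bytearray(data)
    out[pos] = (data[pos] + rng.randrange(1, 256)) % 256
    return bytes(out)

def compute_mask(data, branch, rng, trials=4):
    """FairFuzz step 2, overwrite mask only: a byte position stays mutable only
    if random overwrites at that position still reach `branch`."""
    return {pos for pos in range(len(data))
            if all(branch in run(overwrite(data, pos, rng)) for _ in range(trials))}

def mutate(data, positions, rng, n_bytes=3):
    """Havoc-style random overwrites restricted to `positions`."""
    for pos in rng.sample(sorted(positions), min(n_bytes, len(positions))):
        data = overwrite(data, pos, rng)
    return data

def preservation_rate(data, branch, positions, rng, trials=500):
    """Fraction of mutants (mutating only `positions`) that still hit `branch`."""
    return sum(branch in run(mutate(data, positions, rng)) for _ in range(trials)) / trials

def fairfuzz_demo(seed=7):
    """Return (rare branch, its seed input, mask, masked rate, unmasked rate)."""
    rng = random.Random(seed)
    branch = rarest_branch(SEED_QUEUE)
    seed_input = next(d for d in SEED_QUEUE if branch in run(d))
    mask = compute_mask(seed_input, branch, rng)
    masked = preservation_rate(seed_input, branch, mask, rng)
    unmasked = preservation_rate(seed_input, branch, set(range(len(seed_input))), rng)
    return branch, seed_input, mask, masked, unmasked

if __name__ == "__main__":
    branch, seed_input, mask, masked, unmasked = fairfuzz_demo()
    print(f"rarest branch: {branch}, seed: {seed_input!r}")
    print(f"mutable positions: {sorted(mask)}")
    print(f"branch kept by {masked:.0%} of masked mutants vs {unmasked:.0%} of unmasked")
```

    On this target the mask excludes the six header bytes, so every masked mutant still reaches the rare branch (and can go on to find the branch behind it), while unmasked three-byte havoc loses it roughly 70% of the time.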

    Human Borna disease virus 1 (BoDV-1) encephalitis cases in the north and east of Germany

    Get PDF
    In 2021, three encephalitis cases due to the Borna disease virus 1 (BoDV-1) were diagnosed in the north and east of Germany. The patients were from the states of Thuringia, Saxony-Anhalt, and Lower Saxony. All were residents of known endemic areas for animal Borna disease but without prior diagnosed human cases. Except for one recently detected case in the state of Brandenburg, all >30 notified cases had occurred in, or were linked to, the southern state of Bavaria. Of the three detected cases described here, two infections were acute, while one infection was diagnosed retrospectively from archived brain autopsy tissue samples. One of the acute cases survived, but is permanently disabled. The cases were diagnosed by various techniques (serology, molecular assays, and immunohistology) following a validated testing scheme and adhering to a proposed case definition. Two cases were classified as confirmed BoDV-1 encephalitis, while one case was a probable infection with positive serology and typical brain magnetic resonance imaging, but without molecular confirmation. Of the three cases, one full virus genome sequence could be recovered. Our report highlights the need for awareness of a BoDV-1 etiology in cryptic encephalitis cases in all areas with known animal Borna disease endemicity in Europe, including virus-endemic regions in Austria, Liechtenstein, and Switzerland. BoDV-1 should be actively tested for in acute encephalitis cases with residence or rural exposure history in known Borna disease-endemic areas.

    Parser-Directed Fuzzing

    Get PDF
    To be effective, software test generation needs to cover the space of possible inputs well. Traditional fuzzing generates large numbers of random inputs, which, however, are unlikely to contain the keywords and other specific tokens of non-trivial input languages. Constraint-based test generation solves the conditions of paths leading to uncovered code, but fails on programs with complex input conditions because of path explosion. In this paper, we present a test generation technique specifically directed at input parsers. We systematically produce inputs for the parser and track the comparisons it makes; after every rejection, we satisfy the comparisons that led to the rejection. This approach effectively covers the input space: evaluated on five subjects, from CSV files to JavaScript, our pFuzzer prototype covers more tokens than both random-based and constraint-based approaches, while requiring no symbolic analysis and far fewer tests than random fuzzers.
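    The technique described above, as an added example that is not the pFuzzer prototype: a hand-written parser for a constructed two-keyword statement grammar reads its input through a wrapper that records every comparison per input position. The fuzzer grows the input one character at a time; when the parser runs out of input it appends a random character, and when the parser rejects a character it replaces that character with one of the values the parser compared it against. A purely random baseline is included for contrast. The grammar, the alphabet, the step limit and the seed are assumptions of the example.

```python
import random
import re
import string

# Constructed toy grammar (an assumption of this example, not one of pFuzzer's subjects):
#   statement := ('let' | 'const') ' ' [a-z]+ ' = ' [0-9]+ ';'
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

class NeedMoreInput(Exception): pass   # parser consumed everything and wanted more
class Rejected(Exception): pass        # args[0] is the rejected input position

class TracedInput:  # records every comparison the parser makes, keyed by position
    def __init__(self, data):
        self.data = data
        self.pos = 0
        self.compared = {}  # position -> set of characters compared against

    def cur(self):
        if self.pos >= len(self.data):
            raise NeedMoreInput()
        return self.data[self.pos]

    def looking_at(self, chars):
        c = self.cur()
        self.compared.setdefault(self.pos, set()).update(chars)
        return c in chars

    def expect(self, chars):
        if not self.looking_at(chars):
            raise Rejected(self.pos)
        self.pos += 1

    def take_while(self, chars):
        while self.looking_at(chars):
            self.pos += 1

def parse_statement(inp):
    """Recursive-descent parser for the toy grammar; it compares only via TracedInput."""
    if inp.looking_at("l"):
        keyword = "let"
    elif inp.looking_at("c"):
        keyword = "const"
    else:
        raise Rejected(inp.pos)
    for ch in keyword + " ":
        inp.expect(ch)
    inp.expect(string.ascii_lowercase)  # identifier: [a-z]+
    inp.take_while(string.ascii_lowercase)
    for ch in " = ":
        inp.expect(ch)
    inp.expect(string.digits)  # number: [0-9]+
    inp.take_while(string.digits)
    inp.expect(";")
    if inp.pos != len(inp.data):  # reject trailing garbage
        raise Rejected(inp.pos)

def parser_directed_fuzz(parser, rng, max_steps=10_000):
    """Grow the input one character at a time; after a rejection, replace the
    rejected character with one of the values the parser compared it against."""
    data = ""
    for _ in range(max_steps):
        inp = TracedInput(data)
        try:
            parser(inp)
            return data  # accepted
        except NeedMoreInput:
            data += rng.choice(ALPHABET)  # parser wants more input: extend randomly
        except Rejected as rej:
            pos = rej.args[0]
            candidates = sorted(inp.compared.get(pos, ()))
            if not candidates:  # rejected without a recorded comparison: nothing to satisfy
                return None
            data = data[:pos] + rng.choice(candidates) + data[pos + 1:]
    return None

def random_fuzz_accepts(parser, rng, tries, length=12):
    """Baseline: how many purely random strings of `length` the parser accepts."""
    accepted = 0
    for _ in range(tries):
        try:
            parser(TracedInput("".join(rng.choice(ALPHABET) for _ in range(length))))
            accepted += 1
        except (NeedMoreInput, Rejected):
            pass
    return accepted

def is_valid_statement(text):
    return text is not None and re.fullmatch(r"(let|const) [a-z]+ = [0-9]+;", text) is not None

def run_demo(seed=1, baseline_tries=2_000):
    """Return (statement found by parser-directed fuzzing, random baseline acceptances)."""
    rng = random.Random(seed)
    return parser_directed_fuzz(parse_statement, rng), random_fuzz_accepts(parse_statement, rng, baseline_tries)

if __name__ == "__main__":
    found, baseline = run_demo()
    print("parser-directed:", found)
    print("random baseline accepted:", baseline, "of 2000")
```

    Because every rejection is repaired with a value the parser itself compared against, the keywords and punctuation of the grammar appear in the generated input within a few dozen steps, while the random baseline does not produce a single valid statement; the same wrapper-and-repair loop carries over to any parser whose comparisons can be observed.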

    Huddle Up: Using Mediation to Help Settle the National Football League Labor Dispute

    Get PDF
    In a patient transferred from Togo to Cologne, Germany, Lassa fever was diagnosed 12 days post mortem. Sixty-two contacts in Cologne were categorised according to the level of exposure, and graduated infection control measures were applied. No clinical signs of Lassa virus infection or Lassa-specific antibodies were observed in the 62 contacts. Thirty-three individuals had direct contact with blood, other body fluids or tissue of the patient. Notably, with standard precautions, no transmission occurred between the index patient and healthcare workers. However, one secondary infection occurred in an undertaker exposed to the corpse in Rhineland-Palatinate, who was treated in the isolation unit at the University Hospital of Frankfurt. After German authorities raised an alert regarding the imported Lassa fever case, an American healthcare worker who had cared for the index patient in Togo, and who presented with diarrhoea, vomiting and fever, was placed in isolation and medevacked to the United States. The event and the transmission of Lassa virus infection outside of Africa underline the need for early diagnosis and the use of adequate personal protective equipment (PPE) when highly contagious infections cannot be excluded. It also demonstrates that larger outbreaks can be prevented by infection control measures, including standard PPE.

    Decision procedures for path feasibility of string-manipulating programs with complex operations

    Get PDF
    The design and implementation of decision procedures for checking path feasibility in string-manipulating programs is an important problem, with such applications as symbolic execution of programs with strings and automated detection of cross-site scripting (XSS) vulnerabilities in web applications. A (symbolic) path is given as a finite sequence of assignments and assertions (i.e. without loops), and checking its feasibility amounts to determining the existence of inputs that yield a successful execution. Modern programming languages (e.g. JavaScript, PHP, and Python) support many complex string operations, and strings are also often implicitly modified during a computation in some intricate fashion (e.g. by some autoescaping mechanisms). In this paper we provide two general semantic conditions which together ensure the decidability of path feasibility: (1) each assertion admits regular monadic decomposition (i.e. is an effectively recognisable relation), and (2) each assignment uses a (possibly nondeterministic) function whose inverse relation preserves regularity. We show that the semantic conditions are expressive since they are satisfied by a multitude of string operations including concatenation, one-way and two-way finite-state transducers, replaceall functions (where the replacement string could contain variables), string-reverse functions, regular-expression matching, and some (restricted) forms of letter-counting/length functions. The semantic conditions also strictly subsume existing decidable string theories (e.g. straight-line fragments, and acyclic logics), and most existing benchmarks (e.g. most of Kaluza’s, and all of SLOG’s, Stranger’s, and SLOTH’s benchmarks). 
Our semantic conditions also yield a conceptually simple decision procedure, as well as an extensible architecture for a string solver, in that a user may easily incorporate his/her own string functions into the solver by simply providing code for the pre-image computation, without worrying about other parts of the solver. Despite these advantages, the semantic conditions are unfortunately too general to provide a fast and complete decision procedure. We provide strong theoretical evidence for this in the form of complexity results. To rectify this problem, we propose two solutions. Our main solution is to allow only partial string functions (i.e., to prohibit nondeterminism) in condition (2). This restriction is satisfied in many cases in practice, and yields decision procedures that are effective in both theory and practice. Whenever nondeterministic functions are still needed (e.g. the string function split), our second solution is to provide a syntactic fragment that supports nondeterministic functions and operations like one-way transducers, replaceall (with a constant replacement string), the string-reverse function, concatenation, and regular-expression matching. We show that this fragment can be reduced to the existing solver SLOTH, which exploits fast model checking algorithms like IC3. We provide an efficient implementation of our decision procedure (assuming our first solution above, i.e., deterministic partial string functions) in a new string solver, OSTRICH. Our implementation provides built-in support for concatenation, reverse, functional transducers (FFT), and replaceall, and provides a framework for extensibility to support further string functions. We demonstrate the efficacy of our new solver against other competitive solvers.

    Symbolic Execution and Constraint Solving (Dagstuhl Seminar 14442)

    No full text
    This report documents the program and the outcomes of Dagstuhl Seminar 14442 "Symbolic Execution and Constraint Solving", whose main goals were to bring together leading researchers in the fields of symbolic execution and constraint solving, foster greater communication between these two communities, and exchange ideas about new research directions in these fields. There has been a veritable revolution over the last decade in the symbiotic fields of constraint solving and symbolic execution. Even though the key ideas behind symbolic execution were introduced more than three decades ago, it was only recently that these techniques became practical, as a result of significant advances in constraint satisfiability and scalable combinations of concrete and symbolic execution. Thanks to these advances, testing and analysis techniques based on symbolic execution are having a major impact on many sub-fields of software engineering, computer systems, security, and others. New applications such as program and document repair are being enabled, while older applications such as model checking are being super-charged. Additionally, significant and fast-paced advances are being made in research at the intersection of traditional program analysis, symbolic execution and constraint solving. Therefore, this seminar brought together researchers in these varied fields in order to further facilitate collaborations that take advantage of this unique and fruitful confluence of ideas from the fields of symbolic execution and constraint solving.

    Concolic testing for deep neural networks

    Get PDF
    Concolic testing combines concrete program execution and symbolic analysis to explore the execution paths of a software program. In this paper, we develop the first concolic testing approach for Deep Neural Networks (DNNs). More specifically, we utilise quantified linear arithmetic over rationals to express test requirements that have been studied in the literature, and then develop a coherent method to perform concolic testing with the aim of better coverage. Our experimental results show the effectiveness of the concolic testing approach in both achieving high coverage and finding adversarial examples.