
    Spectral Fuzzing: Evaluation & Feedback

    This paper presents an instrumentation framework for assessing and improving fuzzing, a powerful technique to rapidly detect software vulnerabilities. We address the major current limitation of fuzzing techniques, namely the absence of evaluation metrics and of automated quality assessment techniques for fuzzing approaches. We treat the fuzzing process as a signal and show how derived measures such as power and entropy can give an insightful perspective on a fuzzing process. We demonstrate how this perspective can be used to compare the efficiency of several fuzzers, derive stopping conditions for a fuzzing process, or help to identify good candidates for input data. We show through the Linux implementation of our instrumentation framework how the approach was successfully used to assess two different fuzzers on real applications. Our instrumentation framework leverages a tainted data approach and uses data lifetime tracing with an underlying tainted data graph structure.

    Improving Fuzz Testing using Game Theory

    We propose a game theoretical model for fuzz testing, which consists in generating unexpected input to search for software vulnerabilities. As of today, no performance guarantees or assessment frameworks for fuzzing exist. Our paper addresses these issues and describes a simple model that can be used to assess and identify optimal fuzzing strategies by leveraging game theory. In this context, payoff functions are obtained using a tainted data analysis and instrumentation of a target application to assess the impact of different fuzzing strategies.

    Deliverable D2.1 Closed loop fuzzing algorithms

    Deliverable D2.1 for the French ANR-08-VERS-017 (Vampire) project.

    The techniques and tools described in this report propose a way to measure the impact of a fuzzer on a running system. The work focuses on protocol fuzzing, so the systems under test are protocol entities and the inputs are protocol messages. Therefore the elementary measure assesses the impact of a crafted protocol message injected into the running system under test. From this point several interesting uses can be derived:

    • The overall impact, i.e. the coverage of a sequence generated by the fuzzer, can be calculated.
    • Two fuzzers can then be compared.
    • One or several sequences can be optimized: only messages introducing the best coverage are selected, to limit the cost (duration) of applying the test.
    • The process, i.e. the strategy that generates sequences, can itself take advantage of this impact measurement to directly produce new optimized sequences.

    The Session Initiation Protocol (SIP) is the target protocol of the study.