Fuzzing with Code Fragments
- USENIX 2012
by
Christian Holler, Kim Herzig, Andreas Zeller
Proceedings of the 21st USENIX Conference on Security Symposium, Pages 38-38, USENIX Association, August 2012.
See also
More information is available at http://dl.acm.org/citation.cfm?id=2362793.2362831.
Abstract
Fuzz testing is an automated technique providing random data as input to a software system in the hope of exposing a vulnerability. In order to be effective, the fuzzed input must be common enough to pass elementary consistency checks; a JavaScript interpreter, for instance, would only accept a syntactically valid program. On the other hand, the fuzzed input must be uncommon enough to trigger exceptional behavior, such as a crash of the interpreter. The LangFuzz approach resolves this conflict by using a grammar to randomly generate valid programs; the code fragments, however, partially stem from programs known to have caused invalid behavior before. LangFuzz is an effective tool for security testing: applied to the Mozilla JavaScript interpreter, it discovered a total of 105 new severe vulnerabilities within three months of operation (and thus became one of the top security bug bounty collectors within this period); applied to the PHP interpreter, it discovered 18 new defects causing crashes.
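The abstract names the two ideas behind LangFuzz: generate programs from a grammar so that they get past the interpreter's parser, and fill in code fragments learned from programs that crashed the interpreter before. The following is an added example, not code from the paper or from the LangFuzz tool itself: a toy version in Python that parses constructed seed programs under a tiny JavaScript-like grammar (the grammar is an assumption made here, not LangFuzz's), pools every parsed subtree as a fragment keyed by its nonterminal, and then generates new programs from the grammar while splicing pooled fragments back in at positions of the same kind. The seed programs and the names `learn_fragments`, `generate`, `fuzz` and `is_valid` are this example's own.

```python
import random
import re

TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(\S))")

# Toy grammar of a JavaScript-like subset (an assumption for this example, not
# LangFuzz's real grammar). Symbols absent from GRAMMAR and LEAVES are literal text.
GRAMMAR = {
    "Program": [["Expr"], ["Expr", "; ", "Expr"], ["Expr", "; ", "Expr", "; ", "Expr"]],
    "Expr": [["Term"], ["Term", " + ", "Term"], ["Term", " * ", "Term"]],
    "Term": [["Number"], ["Ident"], ["Ident", "(", "Expr", ")"]],
}
LEAVES = {"Number": ["0", "1", "2147483648", "4294967295"], "Ident": ["x", "y", "f", "eval"]}


def tokenize(src):  # one token per match: a number, an identifier, or one punctuation char
    return [m.group(1) or m.group(2) or m.group(3) for m in TOKEN_RE.finditer(src)]


class Parser:
    """Recursive-descent parser for GRAMMAR; every parsed nonterminal is recorded in
    pool[kind] as a reusable code fragment (LangFuzz's learning step, in miniature)."""

    def __init__(self, src, pool):
        self.toks, self.i, self.pool = tokenize(src), 0, pool

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or expected not in (None, tok):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def record(self, kind, text):
        self.pool.setdefault(kind, []).append(text)
        return text

    def program(self):
        exprs = [self.expr()]
        while self.peek() == ";":
            self.take(";")
            exprs.append(self.expr())
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return self.record("Program", "; ".join(exprs))

    def expr(self):
        parts = [self.term()]
        while self.peek() in ("+", "*"):
            parts.append(self.take())
            parts.append(self.term())
        return self.record("Expr", " ".join(parts))

    def term(self):
        tok = self.take()
        if tok.isdigit():
            return self.record("Term", tok)
        if not tok.isidentifier():
            raise SyntaxError(f"unexpected token {tok!r}")
        if self.peek() != "(":
            return self.record("Term", tok)
        self.take("(")
        arg = self.expr()
        self.take(")")
        return self.record("Term", f"{tok}({arg})")


def learn_fragments(seeds):  # learning phase: parse known crashers, pool fragments by kind
    pool = {}
    for src in seeds:
        Parser(src, pool).program()
    return pool


def generate(kind, pool, rng, splice_prob, depth=0):
    """Generation phase: expand kind by GRAMMAR, but with probability splice_prob
    drop in a learned fragment of the same kind instead of expanding a rule."""
    if kind in LEAVES:
        return rng.choice(LEAVES[kind])
    if kind not in GRAMMAR:
        return kind  # literal terminal such as "; " or "("
    if pool.get(kind) and rng.random() < splice_prob:
        return rng.choice(pool[kind])
    rules = GRAMMAR[kind]
    if depth > 5:  # bound recursion: prefer rules that contain no nonterminal
        rules = [r for r in rules if not any(s in GRAMMAR for s in r)] or rules[:1]
    return "".join(generate(s, pool, rng, splice_prob, depth + 1) for s in rng.choice(rules))


def fuzz(seeds, count=10, seed=0, splice_prob=0.5):  # reproducible for a given seed
    pool, rng = learn_fragments(seeds), random.Random(seed)
    return [generate("Program", pool, rng, splice_prob) for _ in range(count)]


def is_valid(src):  # would src get past the interpreter's parser?
    try:
        Parser(src, {}).program()
    except SyntaxError:
        return False
    return True


# Constructed seeds, standing in for test cases that crashed an interpreter before.
SEEDS = ["f(1 + 2); g(x)", "y * y + eval(4294967295)"]
```

Every program `fuzz` returns parses under the same grammar, which is the property the abstract's "conflict" turns on: the input is common enough that the interpreter's front end accepts it, so the fragments taken from earlier crashers reach the later stages of the interpreter where the defects live. In a real setup the seed pool would be a regression suite of previously crashing test cases, and each generated program would be handed to the interpreter under test with crash detection around it.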
BibTeX Entry
@inproceedings{holler-usenix-2012,
  title     = "Fuzzing with Code Fragments",
  author    = "Christian Holler and Kim Herzig and Andreas Zeller",
  year      = "2012",
  month     = aug,
  booktitle = "Proceedings of the 21st USENIX Conference on Security Symposium",
  location  = "Bellevue, WA",
  pages     = "38--38",
  publisher = "USENIX Association",
}