The Art, Science, and Engineering of Fuzzing: A Survey Valentin - - PowerPoint PPT Presentation

▶

Jul 19, 2023 333 likes •518 views

The Art, Science, and Engineering of Fuzzing: A Survey Valentin J.M. Mans, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo A Complex Field 2 Fuzzing: Potential Definitions Some say:

SLIDE 1

The Art, Science, and Engineering of Fuzzing: A Survey

Valentin J.M. Manès, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo

SLIDE 2

A Complex Field

SLIDE 3

Fuzzing: Potential Definitions

Some say: “Fuzzers are tools to make crashes.”

è What kind of crash? è PerfFuzz1 just looks for “algorithmic complexity vulnerabilities”.

Some say: “Fuzzers create inputs, either by mutating seeds (e.g. zzuf),
r based on models, like grammars (e.g. Peach).”

è Random Testing may not use any seed. è Concolic execution use neither.

1 C. Lemieux, R. Padhye, K. Sen, and D. Song, “PerfFuzz: Automatically generating pathological inputs,” in Proceedings of the

International Symposium on Software Testing and Analysis, 2018, pp. 254–265.

SLIDE 4

Common Pitfalls

A definition should:

Not be goal oriented.

è Fuzzers are tools: there goal is defined by the user.

Not be method oriented.

è The field has shown too much diversity.

SLIDE 5

Fuzzing: What it is?

* This is a simplified version of the definition in the paper.

Fuzzing refers to a process of repeatedly running a program with generated inputs to test if a program violates a correctness policy.*

SLIDE 6

Fuzzers: How to Model Them?

Fuzzer InputGen InputEval

test cases

PreProcess

ConfUpdate

execinfos

Schedule ① ② ③

SLIDE 7

Survey Methodology

We surveyed the field for 10+ years:

vMajor Github repositories vMajor conferences (Security & Software Engineering)

Let’s look at two examples: zzuf , AFL

SLIDE 8

Example

Fuzzer zzuf InputGen InputEval

test cases

PreProcess

ConfUpdate

execinfos

Schedule

Seed bit flip Simple Execution

SLIDE 9

Example

Fuzzer AFL InputGen InputEval

test cases

PreProcess

ConfUpdate

execinfos

Schedule

Instrumentation Mutation operations Instrumented Execution Coverage-based Fitness Function Round Robin++

SLIDE 10

Genealogy

SLIDE 11

Companion Website: fuzzing-survey.org

SLIDE 12

AFL: A Grey-box Hub

SLIDE 13

Black-box Hubs

LangFuzz BFF

SLIDE 14

Grey-box Outliers

CalFuzzer Sidewinder

SLIDE 15

Companion Website: fuzzing-survey.org

Make a PR to add fuzzers J

github.com/SoftSec-KAIST/Fuzzing-Survey

SLIDE 16

Share your fuzzer!

Sharable links: fuzzing-survey.org/?k=Ankou

SLIDE 17

The Art, Science, and Engineering of Fuzzing: A Survey

Fuzzing: Potential Definitions

Common Pitfalls

Fuzzing: What it is?

Fuzzers: How to Model Them?

Survey Methodology

Example

Example

Genealogy

Companion Website: fuzzing-survey.org

AFL: A Grey-box Hub

Black-box Hubs

Grey-box Outliers

Companion Website: fuzzing-survey.org

Make a PR to add fuzzers J

Share your fuzzer!

Question?