Hongliang Liang,Xiaoxiao Pei,Xiaodong Jia,Wuwei Shen,Jian Zhang

DOI: https://doi.org/10.1109/tr.2018.2834476

IF: 5.883

2018-01-01

IEEE Transactions on Reliability

Abstract:As one of the most popular software testing techniques, fuzzing can find a variety of weaknesses in a program, such as software bugs and vulnerabilities, by generating numerous test inputs. Due to its effectiveness, fuzzing is regarded as a valuable bug hunting method. In this paper, we present an overview of fuzzing that concentrates on its general process, as well as classifications, followed by detailed discussion of the key obstacles and some state-of-the-art technologies which aim to overcome or mitigate these obstacles. We further investigate and classify several widely used fuzzing tools. Our primary goal is to equip the stakeholder with a better understanding of fuzzing and the potential solutions for improving fuzzing methods in the spectrum of software testing and security. To inspire future research, we also predict some future directions with regard to fuzzing.

Zhenhua Yu,Zhengqi Liu,Xuya Cong,Xiaobo Li,Li Yin

DOI: https://doi.org/10.32604/cmc.2023.042361

2024-01-01

Abstract:As one of the most effective techniques for finding software vulnerabilities, fuzzing has become a hot topic in software security. It feeds potentially syntactically or semantically malformed test data to a target program to mine vulnerabilities and crash the system. In recent years, considerable efforts have been dedicated by researchers and practitioners towards improving fuzzing, so there are more and more methods and forms, which make it difficult to have a comprehensive understanding of the technique. This paper conducts a thorough survey of fuzzing, focusing on its general process, classification, common application scenarios, and some state-of-the-art techniques that have been introduced to improve its performance. Finally, this paper puts forward key research challenges and proposes possible future research directions that may provide new insights for researchers.

Valentin J.M. Manès,HyungSeok Han,Choongwoo Han,Sang Kil Cha,Manuel Egele,Edward J. Schwartz,Maverick Woo,Valentin J.M. Manes

DOI: https://doi.org/10.1109/tse.2019.2946563

IF: 7.4

2021-11-01

IEEE Transactions on Software Engineering

Abstract:Among the many software testing techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. At a high level, fuzzing refers to a process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective.

engineering, electrical & electronic,computer science, software engineering

Xiaogang Zhu,Sheng Wen,Seyit Camtepe,Yang Xiang

DOI: https://doi.org/10.1145/3512345

IF: 16.6

2022-01-28

ACM Computing Surveys

Abstract:Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

computer science, theory & methods

Yan Wang,Peng Jia,Luping Liu,Cheng Huang,Zhonglin Liu

DOI: https://doi.org/10.1371/journal.pone.0237749

IF: 3.7

2020-08-18

PLoS ONE

Abstract:Security vulnerabilities play a vital role in network security system. Fuzzing technology is widely used as a vulnerability discovery technology to reduce damage in advance. However, traditional fuzz testing faces many challenges, such as how to mutate input seed files, how to increase code coverage, and how to bypass the format verification effectively. Therefore machine learning techniques have been introduced as a new method into fuzz testing to alleviate these challenges. This paper reviews the research progress of using machine learning techniques for fuzz testing in recent years, analyzes how machine learning improves the fuzzing process and results, and sheds light on future work in fuzzing. Firstly, this paper discusses the reasons why machine learning techniques can be used for fuzzing scenarios and identifies five different stages in which machine learning has been used. Then this paper systematically studies machine learning-based fuzzing models from five dimensions of selection of machine learning algorithms, pre-processing methods, datasets, evaluation metrics, and hyperparameters setting. Secondly, this paper assesses the performance of the machine learning techniques in existing research for fuzz testing. The results of the evaluation prove that machine learning techniques have an acceptable capability of prediction for fuzzing. Finally, the capability of discovering vulnerabilities both traditional fuzzers and machine learning-based fuzzers is analyzed. The results depict that the introduction of machine learning techniques can improve the performance of fuzzing. We hope to provide researchers with a systematic and more in-depth understanding of fuzzing based on machine learning techniques and provide some references for this field through analysis and summarization of multiple dimensions.

multidisciplinary sciences

Xiyue Gao,Zhuang Liu,Jiangtao Cui,Hui Li,Hui Zhang,Kewei Wei,Kankan Zhao

DOI: https://doi.org/10.48550/arXiv.2311.06728

2023-11-12

Abstract:Database Management System (DBMS) fuzzing is an automated testing technique aimed at detecting errors and vulnerabilities in DBMSs by generating, mutating, and executing test cases. It not only reduces the time and cost of manual testing but also enhances detection coverage, providing valuable assistance in developing commercial DBMSs. Existing fuzzing surveys mainly focus on general-purpose software. However, DBMSs are different from them in terms of internal structure, input/output, and test objectives, requiring specialized fuzzing strategies. Therefore, this paper focuses on DBMS fuzzing and provides a comprehensive review and comparison of the methods in this field. We first introduce the fundamental concepts. Then, we systematically define a general fuzzing procedure and decompose and categorize existing methods. Furthermore, we classify existing methods from the testing objective perspective, covering various components in DBMSs. For representative works, more detailed descriptions are provided to analyze their strengths and limitations. To objectively evaluate the performance of each method, we present an open-source DBMS fuzzing toolkit, OpenDBFuzz. Based on this toolkit, we conduct a detailed experimental comparative analysis of existing methods and finally discuss future research directions.

Databases

Qi Lanlan,Wen Jiangtao,Huang Hui,Wang Xiong,Wu Zhiyong

DOI: https://doi.org/10.1007/978-3-642-38460-8_10

2013-01-01

Abstract:From Miller firstly introduced the fuzzing in 1990 and found failures in over 25 % of UNIX programs, to recent TaintScope system presented by Peking University and the discovery of 27 0day vulnerabilities in several popular software including Adobe Acrobat, the practical experiences and results have illuminated that fuzzing are effective for vulnerability mining. In this paper, fuzzing is studied and surveyed. First, new features of fuzzing are analyzed. And then, give the definition of Cd and Md. Cd and Md describe the ability to implement vulnerability mining on the vulnerability of the test case. Based on the Cd and Md, this paper also gives a new fuzzing architecture Feedback Fuzz.

Kaiyu Shi,Xiangzhan Yu,Yue Zhao

DOI: https://doi.org/10.1145/3444370.3444625

2020-01-01

Abstract:With the rapid advancement of modern technology, software are getting more and more intelligent, whereas the related security issues are also becoming more and more prominent [1]. Developers can easily introduce bugs into a system due to mistakes or poor consideration, which in serious cases may lead to security breaches that can jeopardize the entire system or the entire network. Therefore, efficient and automated security testing techniques or theories are of great importance to software testing and vulnerability detection.

吴志勇,王红川,孙乐昌,潘祖烈,刘京菊

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.03.006

2010-01-01

Abstract:By analyzing and comparing several definitions of Fuzzing,this paper gave a new definition accroding to the know-ledge and methods using currently,summerized its new ideas,new methods and corresponding defeats from these aspects like differences from black-box testing,framework and test data generation mechanism.Based on these defeats and the requiments from practical application,proposed concrete research directions and methods.

NIE Sen,LI Xiao,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.12.025

2013-01-01

Abstract:As the problem of software vulnerabilities becomes increasingly serious,smart Fuzzing technology is widely applied in the field of vulnerability mining and software security.Frameworks for smart Fuzzing based on symbolic execution and taint analysis are developed.Under the concept of vulnerability problem and software test methodology,this paper describes theories in smart Fuzzing technology and some released smart Fuzzing frameworks,including the bottlenecks.Finally,this paper proposes a blueprint of smart Fuzzing framework based on whole system symbolic execution and cloud computing infrastructure.It can be used as a practical platform toward the COTS software fuzzing.

Cristian Daniele,Seyed Behnam Andarzian,Erik Poll

DOI: https://doi.org/10.1145/3648468

IF: 16.6

2024-02-17

ACM Computing Surveys

Abstract:Fuzzing is a very effective testing methodology to find bugs. In a nutshell, a fuzzer sends many slightly malformed messages to the software under test, hoping for crashes or incorrect system behaviour. The methodology is relatively simple, although applications that keep internal states are challenging to fuzz. The research community has responded to this challenge by developing fuzzers tailored to stateful systems, but a clear understanding of the variety of strategies is still missing. In this paper, we present the first taxonomy of fuzzers for stateful systems and provide a systematic comparison and classification of these fuzzers.

computer science, theory & methods

Jian Yang,Huanguo Zhang,Jianming Fu

DOI: https://doi.org/10.1109/greencom-ithings-cpscom.2013.389

2013-01-01

Abstract:In order to simulate the attacks at multi input points for the fuzzing, in this paper, we present a white-box combinatorial fuzzing framework based on symbolic execution and combinatorial testing. According to the attack attributes plug-in gained by means of static analysis in advance, our fuzzing framework exploits symbolic execution to collect constraint conditions of attack points where the program may contain an error and to identify the input vector that influence attack points and the constraint interval of every input in input vector, uses constraint solving or interval computation to identify the feasibility of attack points, applies combinatorial coverage strategies to searching interval combination of input vector for the feasible attack points, chooses corresponding strategies of test case generation to generate test case from the interval combination of input vector, and finally injects the combinatorial test case vector to find security vulnerabilities in programs according to the attack strategies in the attack attributes plug-in. Our experimental results indicate that our fuzzing framework can not only effectively expose errors located deep within large applications, but also can avoid the combination explosion to a certain extent.

Shihao Jiang,Yu Zhang,Junqiang Li,Hongfang Yu,Long Luo,Gang Sun

2024-02-27

Abstract:As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits its distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of some representative advancements in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. At the same time, this paper also summarizes the promising research directions in the landscape of protocol fuzzing to foster exploration within the community for more efficient and intelligent modern network protocol fuzzing techniques.

Networking and Internet Architecture

Yuwei Li,Shouling Ji,Chenyang Lv,Yuan Chen,Jianhai Chen,Qinchen Gu,Chunming Wu

DOI: https://doi.org/10.48550/arxiv.1901.01142

2019-01-01

Abstract:Fuzzing is a technique of finding bugs by executing a software recurrently with a large number of abnormal inputs. Most of the existing fuzzers consider all parts of a software equally, and pay too much attention on how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this paper, we design and implement a vulnerability-oriented evolutionary fuzzing prototype named V-Fuzz, which aims to find bugs efficiently and quickly in a limited time. V-Fuzz consists of two main components: a neural network-based vulnerability prediction model and a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of the software are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which tend to arrive at the vulnerable locations, guided by the vulnerability prediction result. Experimental results demonstrate that V-Fuzz can find bugs more efficiently than state-of-the-art fuzzers. Moreover, V-Fuzz has discovered 10 CVEs, and 3 of them are newly discovered. We reported the new CVEs, and they have been confirmed and fixed.

Mingzhe Wang,Jie Liang,Chijin Zhou,Yuanliang Chen,Zhiyong Wu,Yu Jiang

DOI: https://doi.org/10.1109/ICST49551.2021.00043

2021-01-01

Abstract:Fuzzing is a promising method for discovering vulnerabilities. Recently, various techniques are developed to improve the efficiency of fuzzing, and impressive gains are observed in evaluation results. However, evaluation is complex, as many factors affect the results, for example, test suites, baseline and metrics. Even more, most experiment setups are lab-oriented, lacking industrial settings such as large code-base and parallel runs. The correlation between the academic evaluation results and the bug-finding ability in real industrial settings has not been sufficiently studied. In this paper, we test representative fuzzing techniques to reveal their efficiency in industrial settings. First, we apply typical fuzzers on academic widely used small projects from LAVA-M suite. We also apply the same fuzzers on large practical projects from Google's fuzzer-test-suite, which is rarely used in academic settings. Both experiments are performed in both single and parallel run. By analyzing the results, we found that most optimizations working well on LAVA-M suite fail to achieve satisfying results on Google's fuzzer-test-suite (e.g. compared to AFL, QSYM detects 82x more synthesized bugs in LAVA-M, but only detects 26% real bugs in Google's fuzzer-test-suite), and the original AFL even outperforms most academic optimization variants in industry widely used parallel runs (e.g. AFL covers 13% more paths than AFLFast). Then, we summarize common pitfalls of those optimizations, analyze the corresponding root causes, and propose potential directions such as orchestrations and synchronization to overcome the problems. For example, when running in parallel on those large practical projects, the proposed horizontal orchestration could cover 36%-82% more paths, and discover 46%-150% more unique crashes or bugs, compared to fuzzers such as AFL, FairFuzz and QSYM.

Xiaohan Zhang,Cen Zhang,Xinghua Li,Zhengjie Du,Bing Mao,Yuekang Li,Yaowen Zheng,Yeting Li,Li Pan,Yang Liu,Robert Deng

DOI: https://doi.org/10.1145/3696788

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:Communication protocols form the bedrock of our interconnected world, yet vulnerabilities within their implementations pose significant security threats. Recent developments have seen a surge in fuzzing-based research dedicated to uncovering these vulnerabilities within protocol implementations. However, there still lacks a systematic overview of protocol fuzzing for answering the essential questions such as what the unique challenges are, how existing works solve them, and so on. To bridge this gap, we conducted a comprehensive investigation of related works from both academia and industry. Our study includes a detailed summary of the specific challenges in protocol fuzzing and provides a systematic categorization and overview of existing research efforts. Furthermore, we explore and discuss potential future research directions in protocol fuzzing.

computer science, theory & methods

Zhaowei Zhang,Hongzheng Zhang,Jinjing Zhao,Yanfei Yin

DOI: https://doi.org/10.3390/electronics12132904

IF: 2.9

2023-07-02

Electronics

Abstract:Network protocols, as the communication rules among computer network devices, are the foundation for the normal operation of networks. However, security issues arising from design flaws and implementation vulnerabilities in network protocols pose significant risks to network operations and security. Network protocol fuzzing is an effective technique for discovering and mitigating security flaws in network protocols. It offers unparalleled advantages compared to other security analysis techniques thanks to the minimal requirement for prior knowledge of the target and low deployment complexity. Nevertheless, the randomness in test case generation, uncontrollable test coverage, and unstable testing efficiency introduce challenges in ensuring the controllability of the testing process and results. In order to comprehensively survey the development of network protocol fuzzing techniques and analyze their advantages and existing issues, in this paper, we categorized and summarized the protocol fuzzing and its related techniques based on the generation methods of test cases and testing conditions. Specifically, we overviewed the development trajectory and patterns of these techniques over the past two decades according to chronological order. Based on this analysis, we further predict the future directions of fuzzing techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wenjie Wang,Donghai Tian,Rui Ma,Hang Wei,Qianjin Ying,Xiaoqi Jia,Lei Zuo

DOI: https://doi.org/10.23919/jcc.2021.08.001

2021-01-01

China Communications

Abstract:Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.

Jian Yang,Huanguo Zhang,Jianming Fu,Fan Yang

DOI: https://doi.org/10.1109/icciautom.2011.6184020

2013-01-01

Abstract:In essence, fuzzing is a kind of penetration testing by injecting fault to simulate the attacks. However, current fuzzings do not simulate the attacks in a real sense. They pay more attention to the injection of malformed semi-valid data at a single input point. Nevertheless, an attack is usually a set of cooperative aggressive behaviors at multi input points. In this paper, we present PCFuzzing, a penetration combinatorial fuzzing framework for the software in host environment by simulating attack trace at multi input points. Based on the attack attributes plug-in gained by means of static analysis in advance, PCFuzzing uses dynamic taint tracing to automatically find the input vector that influence values used at key program attack points (points where the program may contain an error), uses symbolic execution and constraint solving to identify the constraint boundary of every input in input vector and constraint relationship of the inputs in input vector, uses combinatorial testing strategies to generate and combine the malformed test case vector, and then injects the combinatorial test case vector to find security vulnerabilities in programs according to the attack strategies in the attack attributes plug-in. Our experimental results indicate that our PCFuzzing can not only effectively expose errors located deep within large applications, but also can avoid the combination explosion to a certain extent because taint tracer in framework uses dynamic taint tracing to reduce the number of inputs involved in the combination and constraint collector in framework uses symbolic execution and constraint solving to narrow the value ranges of input data.

Lili Yu,Zi Yuan,Chao Liu,Feng Chen

DOI: https://doi.org/10.1109/icodse.2017.8285893

2013-01-01

Abstract:Security is very important aspect of a web application. Therefore security testing is needed to find vulnerabilities on web applications. One of security testing technique is fuzz testing. Fuzz testing or fuzzing is a software testing technique done by giving a set of invalid inputs to the application under test. Fuzz testing is usually done by a tool. In fuzz testing for web application, a set of HTTP requests will be sent to the application under test in order to see how the application behaves when getting various inputs. It would be better if fuzz testing for web application can run automatically on certain conditions. In this research, we develop a platform and tools for web application fuzz testing automation that can be integrated to Jenkins. The tool has been tested on web applications with known vulnerabilities. In 13 of the 15 test cases, the tool can successfully found the presence of vulnerabilities. Based on the results, most vulnerabilities can be detected based on HTTP response content.