
Learning Inputs in Greybox Fuzzing [article]

Valentin Wüstholz, Maria Christakis
2018 arXiv   pre-print
In this paper, we present a technique that extends greybox fuzzing with a method for learning new inputs based on already explored program executions.  ...  However, greybox fuzzers randomly mutate program inputs to exercise new paths; this makes it challenging to cover code that is guarded by complex checks.  ...  Hybrid fuzzers combine fuzzing with other techniques to join their benefits and achieve better results.  ... 
arXiv:1807.07875v1 fatcat:um32we3subgc5icptuliw6yoga

ct-fuzz: Fuzzing for Timing Leaks [article]

Shaobo He and Michael Emmi and Gabriela Ciocarlie
2019 arXiv   pre-print
In particular, we present the ct-fuzz tool, which lends coverage-guided greybox fuzzers the ability to detect two-safety property violations.  ...  Testing-based methodologies like fuzzing are able to analyze complex software which is not amenable to traditional formal approaches like verification, model checking, and abstract interpretation.  ...  The views and conclusions contained herein are the authors' and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS or the US  ... 
arXiv:1904.07280v1 fatcat:vys7cgmscnbq7kovfbcy446bfq

Harvey: A Greybox Fuzzer for Smart Contracts [article]

Valentin Wüstholz, Maria Christakis
2019 arXiv   pre-print
However, greybox fuzzers randomly mutate program inputs to exercise new paths; this makes it challenging to cover code that is guarded by narrow checks, which are satisfied by no more than a few input  ...  First, Harvey extends standard greybox fuzzing with a method for predicting new inputs that are more likely to cover new paths or reveal vulnerabilities in smart contracts.  ...  IV compares A and B with respect to instruction coverage. For 23 out of 27 benchmarks, B achieves significantly higher coverage. The results for path coverage are very similar.  ... 
arXiv:1905.06944v1 fatcat:xfvwoivjbjh2zmbknow5m46vfm

Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants [article]

Andrea Fioraldi
2020 arXiv   pre-print
Coverage-guided fuzzers suffer from the fact that covering a program point does not ensure the trigger of a fault.  ...  This better approximates the program state coverage and, on some targets, improves the ability of the fuzzer in finding faults. We developed a prototype using LLVM and AFL++ called InvsCov.  ...  In order to effectively fuzz deep paths, the fuzzer must produce valid inputs, and this can be achieved using a model of the input format to guide the mutator, like in [79] [7] .  ... 
arXiv:2012.11182v1 fatcat:sgpph6cvrrefzbnk3cxfkydjve

Model-Based Grey-Box Fuzzing of Network Protocols

Yan Pan, Wei Lin, Liang Jiao, Yuefei Zhu, Irshad Azeem
2022 Security and Communication Networks  
Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical  ...  The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach.  ...  Acknowledgments: This work was supported by the National Key Research and Development Project of China (2019QY1300). The authors would like to express their gratitude to EditSprings (https://  ... 
doi:10.1155/2022/6880677 fatcat:rq63r47bd5bgtmwnpkuvxlonke

Carving Parameterized Unit Tests [article]

Alexander Kampmann, Andreas Zeller
2018 arXiv   pre-print
a large variety of randomly selected input values.  ...  If a unit-level test fails, we lift it to the system level to ensure the failure can be reproduced there.  ...  Table 4 contrasts the number of tests produced and branch coverage achieved. It is worthwhile to note that BASILISK achieves its coverage through fewer tests than RADAMSA.  ... 
arXiv:1812.07932v1 fatcat:5evp3v74nngcjemo3v5elexvom

MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs [article]

Hongxu Chen, Shengjian Guo, Yinxing Xue, Yulei Sui, Cen Zhang, Yuekang Li, Haijun Wang, Yang Liu
2020 arXiv   pre-print
However, directly applying grey-box fuzzing to input-dependent multithreaded programs can be extremely inefficient.  ...  Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies.  ...  Other specialization techniques, such as the context-sensitive instrumentation used by Angora [7] , or the typestate-guided instrumentation in UAFL [52] , provide similar solutions and achieve inspiring  ... 
arXiv:2007.15943v1 fatcat:lnjyjzixh5c5fnnlizhlm6yph4

IC-Cut: A Compositional Search Strategy for Dynamic Test Generation [chapter]

Maria Christakis, Patrice Godefroid
2015 Lecture Notes in Computer Science  
Our results show that IC-Cut alleviates path explosion while preserving or even increasing code coverage and bug finding, compared to the current generational search strategy used in SAGE.  ...  We have implemented this algorithm as a new search strategy in the whitebox fuzzer SAGE, and present detailed experimental results obtained when fuzzing the ANI Windows image parser.  ...  The goal is to collect symbolic constraints on inputs, from predicates in branch statements along the execution, and then to infer variants of the previous inputs, using a constraint solver, in order to  ... 
doi:10.1007/978-3-319-23404-5_19 fatcat:273uwmajircd3asxmzuerqnt2i

Symbolic Security Predicates: Hunt Program Weaknesses [article]

Alexey Vishnyakov, Vlada Logunova, Eli Kobrin, Daniil Kuts, Darya Parygina, Andrey Fedotov
2021 arXiv   pre-print
We aim to model the control flow inside a function with a single symbolic formula. This assists bug detection, speeds up path exploration, and overcomes overconstraints in path predicate.  ...  Dynamic symbolic execution (DSE) is a powerful method for path exploration during hybrid fuzzing and automatic bug detection.  ...  In particular, Sydr is able to report null pointer dereference, division by zero, out-of-bounds access, and integer overflow errors.  ... 
arXiv:2111.05770v1 fatcat:ezepsl77pndftpv5f4loouv4qm

Symbolic execution for software testing in practice

Cristian Cadar, Patrice Godefroid, Sarfraz Khurshid, Corina S. Păsăreanu, Koushik Sen, Nikolai Tillmann, Willem Visser
2011 Proceeding of the 33rd international conference on Software engineering - ICSE '11  
We also give a preliminary assessment of the use in academia, research labs, and industry.  ...  Symbolic execution is a program analysis technique introduced in the 70s that has received renewed interest in recent years, due to algorithmic advances and increased availability of computational power  ...  Acknowledgements Sen's work was supported in part by Microsoft (Award #024263) and Intel (Award #024894) funding and by matching funding by U.C.  ... 
doi:10.1145/1985793.1985995 dblp:conf/icse/CadarGKPSTV11 fatcat:mb643zlyczcizdxtzkbbtnr7ha

SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis

Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, Giovanni Vigna
2016 2016 IEEE Symposium on Security and Privacy (SP)  
We present a systematized implementation of these techniques, which allows other researchers to compose them and develop new approaches.  ...  Our framework has been open-sourced and is available to the security community. IEEE Symposium on Security and Privacy  ...  Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.  ... 
doi:10.1109/sp.2016.17 dblp:conf/sp/Shoshitaishvili16 fatcat:dw3axxn4mbczjmhpwhwd5jnfe4

From proof-of-concept to exploitable

Yan Wang, Wei Wu, Chao Zhang, Xinyu Xing, Xiaorui Gong, Wei Zou
2019 Cybersecurity  
For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.  ...  For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploits.  ...  Funding: We would like to thank the anonymous reviewers for their constructive comments.  ... 
doi:10.1186/s42400-019-0028-9 fatcat:54lfptjaavcdtgrq56iq5ol7oy

Automated Software Test Generation: Some Challenges, Solutions, and Recent Advances [chapter]

George Candea, Patrice Godefroid
2019 Lecture Notes in Computer Science  
The automation of software testing promises to delegate to machines what is otherwise the most labor-intensive and expensive part of software development.  ...  The past decade has seen a resurgence in research interest for this problem, bringing about significant progress.  ...  results of that symbolic execution are memoized using local input-preconditions and output post-conditions.  ... 
doi:10.1007/978-3-319-91908-9_24 fatcat:5udblyuumbcgndtoglrytm5c6m

Taint-based directed whitebox fuzzing

Vijay Ganesh, Tim Leek, Martin Rinard
2009 2009 IEEE 31st International Conference on Software Engineering  
We have used BuzzFuzz to automatically find errors in two open-source applications: Swfdec (an Adobe Flash player) and MuPDF (a PDF viewer).  ...  Leek, and M. Rinard. "Taint-based directed whitebox fuzzing." Abstract: We present a new automated white box fuzzing technique and a tool, BuzzFuzz, that implements this technique.  ...  Acknowledgements: We are grateful to Pedram Amini and Adam Kiezun for providing us with a large number of Flash and PDF files, respectively, for testing purposes.  ... 
doi:10.1109/icse.2009.5070546 dblp:conf/icse/GaneshLR09 fatcat:a663gcshr5cw5h3jxa44362mhu

D3.2 Security, Safety and Validation Support Definition

Cristiano Giuffrida, Herbert Bos, Kaveh Razavi
2019 Zenodo  
This is done both proactively (using software verification techniques) and reactively (using software hardening techniques).  ...  This deliverable describes the definition of the UNICORE security and safety primitives, which allow UNICORE applications to minimize the attack and failure surface in production.  ...  Greybox fuzzers typically start from a blackbox fuzzing baseline (sending random inputs to the target program) and progressively mutate the input to improve testing coverage.  ... 
doi:10.5281/zenodo.3518279 fatcat:wdiiucvwtzfojlo6oc3lpn2jhy