Learning Inputs in Greybox Fuzzing
[article]
2018
arXiv
pre-print
In this paper, we present a technique that extends greybox fuzzing with a method for learning new inputs based on already explored program executions. ...
However, greybox fuzzers randomly mutate program inputs to exercise new paths; this makes it challenging to cover code that is guarded by complex checks. ...
Hybrid fuzzers combine fuzzing with other techniques to join their benefits and achieve better results. ...
arXiv:1807.07875v1
fatcat:um32we3subgc5icptuliw6yoga
ct-fuzz: Fuzzing for Timing Leaks
[article]
2019
arXiv
pre-print
In particular, we present the ct-fuzz tool, which lends coverage-guided greybox fuzzers the ability to detect two-safety property violations. ...
Testing-based methodologies like fuzzing are able to analyze complex software which is not amenable to traditional formal approaches like verification, model checking, and abstract interpretation. ...
The views and conclusions contained herein are the authors' and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS or the US ...
arXiv:1904.07280v1
fatcat:vys7cgmscnbq7kovfbcy446bfq
Harvey: A Greybox Fuzzer for Smart Contracts
[article]
2019
arXiv
pre-print
However, greybox fuzzers randomly mutate program inputs to exercise new paths; this makes it challenging to cover code that is guarded by narrow checks, which are satisfied by no more than a few input ...
First, Harvey extends standard greybox fuzzing with a method for predicting new inputs that are more likely to cover new paths or reveal vulnerabilities in smart contracts. ...
IV compares A and B with respect to instruction coverage. For 23 out of 27 benchmarks, B achieves significantly higher coverage. The results for path coverage are very similar. ...
arXiv:1905.06944v1
fatcat:xfvwoivjbjh2zmbknow5m46vfm
Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants
[article]
2020
arXiv
pre-print
Coverage-guided fuzzers suffer from the fact that covering a program point does not ensure the trigger of a fault. ...
This better approximates the program state coverage and, on some targets, improves the ability of the fuzzer in finding faults. We developed a prototype using LLVM and AFL++ called InvsCov. ...
In order to effectively fuzz deep paths, the fuzzer must produce valid inputs, and this can be achieved using a model of the input format to guide the mutator, like in [79], [7]. ...
arXiv:2012.11182v1
fatcat:sgpph6cvrrefzbnk3cxfkydjve
Model-Based Grey-Box Fuzzing of Network Protocols
2022
Security and Communication Networks
Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical ...
The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. ...
Acknowledgments This work was supported by the National Key Research and Development Project of China (2019QY1300). The authors would like to express their gratitude to EditSprings (https://www.editsprings.cn ...
doi:10.1155/2022/6880677
fatcat:rq63r47bd5bgtmwnpkuvxlonke
Carving Parameterized Unit Tests
[article]
2018
arXiv
pre-print
a large variety of randomly selected input values. ...
If a unit-level test fails, we lift it to the system level to ensure the failure can be reproduced there. ...
Table 4 contrasts the number of tests produced and branch coverage achieved. It is worthwhile to note that BASILISK achieves its coverage through fewer tests than RADAMSA. ...
arXiv:1812.07932v1
fatcat:5evp3v74nngcjemo3v5elexvom
MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs
[article]
2020
arXiv
pre-print
However, directly applying grey-box fuzzing to input-dependent multithreaded programs can be extremely inefficient. ...
Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies. ...
Other specialization techniques, such as the context-sensitive instrumentation used by Angora [7], or the typestate-guided instrumentation in UAFL [52], provide similar solutions and achieve inspiring ...
arXiv:2007.15943v1
fatcat:lnjyjzixh5c5fnnlizhlm6yph4
IC-Cut: A Compositional Search Strategy for Dynamic Test Generation
[chapter]
2015
Lecture Notes in Computer Science
Our results show that IC-Cut alleviates path explosion while preserving or even increasing code coverage and bug finding, compared to the current generational-search strategy used in SAGE. ...
We have implemented this algorithm as a new search strategy in the whitebox fuzzer SAGE, and present detailed experimental results obtained when fuzzing the ANI Windows image parser. ...
The goal is to collect symbolic constraints on inputs, from predicates in branch statements along the execution, and then to infer variants of the previous inputs, using a constraint solver, in order to ...
doi:10.1007/978-3-319-23404-5_19
fatcat:273uwmajircd3asxmzuerqnt2i
Symbolic Security Predicates: Hunt Program Weaknesses
[article]
2021
arXiv
pre-print
We aim to model the control flow inside a function with a single symbolic formula. This assists bug detection, speeds up path exploration, and overcomes overconstraints in path predicate. ...
Dynamic symbolic execution (DSE) is a powerful method for path exploration during hybrid fuzzing and automatic bug detection. ...
In particular, Sydr is able to report null pointer dereference, division by zero, out-of-bounds access, and integer overflow errors. ...
arXiv:2111.05770v1
fatcat:ezepsl77pndftpv5f4loouv4qm
Symbolic execution for software testing in practice
2011
Proceeding of the 33rd international conference on Software engineering - ICSE '11
We also give a preliminary assessment of the use in academia, research labs, and industry. ...
Symbolic execution is a program analysis technique introduced in the 70s that has received renewed interest in recent years, due to algorithmic advances and increased availability of computational power ...
Acknowledgements Sen's work was supported in part by Microsoft (Award #024263) and Intel (Award #024894) funding and by matching funding by U.C. ...
doi:10.1145/1985793.1985995
dblp:conf/icse/CadarGKPSTV11
fatcat:mb643zlyczcizdxtzkbbtnr7ha
SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis
2016
2016 IEEE Symposium on Security and Privacy (SP)
We present a systematized implementation of these techniques, which allows other researchers to compose them and develop new approaches. ...
Our framework has been open-sourced and is available to the security community. IEEE Symposium on Security and Privacy ...
Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. ...
doi:10.1109/sp.2016.17
dblp:conf/sp/Shoshitaishvili16
fatcat:dw3axxn4mbczjmhpwhwd5jnfe4
From proof-of-concept to exploitable
2019
Cybersecurity
For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities. ...
For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit. ...
Funding We would like to thank the anonymous reviewers for their constructive comments. ...
doi:10.1186/s42400-019-0028-9
fatcat:54lfptjaavcdtgrq56iq5ol7oy
Automated Software Test Generation: Some Challenges, Solutions, and Recent Advances
[chapter]
2019
Lecture Notes in Computer Science
The automation of software testing promises to delegate to machines what is otherwise the most labor-intensive and expensive part of software development. ...
The past decade has seen a resurgence in research interest for this problem, bringing about significant progress. ...
results of that symbolic execution are memoized using local input-preconditions and output post-conditions. ...
doi:10.1007/978-3-319-91908-9_24
fatcat:5udblyuumbcgndtoglrytm5c6m
Taint-based directed whitebox fuzzing
2009
2009 IEEE 31st International Conference on Software Engineering
We have used BuzzFuzz to automatically find errors in two open-source applications: Swfdec (an Adobe Flash player) and MuPDF (a PDF viewer). ...
Leek, and M. Rinard. "Taint-based directed whitebox fuzzing." Abstract: We present a new automated white box fuzzing technique and a tool, BuzzFuzz, that implements this technique. ...
Acknowledgements We are grateful to Pedram Amini and Adam Kiezun for providing us with a large number of Flash and PDF files, respectively, for testing purposes. ...
doi:10.1109/icse.2009.5070546
dblp:conf/icse/GaneshLR09
fatcat:a663gcshr5cw5h3jxa44362mhu
D3.2 Security, Safety and Validation Support Definition
2019
Zenodo
This is done both proactively (using software verification techniques) and reactively (using software hardening techniques). ...
This deliverable describes the definition of the UNICORE security and safety primitives, which allow UNICORE applications to minimize the attack and failure surface in production. ...
Greybox fuzzers typically start from a blackbox fuzzing baseline (sending random inputs to the target program) and progressively mutate the input to improve testing coverage. ...
doi:10.5281/zenodo.3518279
fatcat:wdiiucvwtzfojlo6oc3lpn2jhy
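Added example, not taken from any of the papers listed above: a toy Python greybox loop and a two-safety timing check that share one sys.settrace observation helper. It makes two of the listed points concrete. The greybox description in the UNICORE entry (random mutation kept only when it improves coverage) and the "narrow checks" limitation in the Learning Inputs and Harvey entries are shown by fuzzing the same 4-byte magic header once with one branch per byte and once as a single comparison. The two-safety idea of the ct-fuzz entry is shown by running a comparison routine twice with the same public input and two different secrets and requiring the observation to match. Everything here is constructed: the targets, the seeds, the printable-byte mutator, and the use of the number of traced line events as a stand-in for whatever a real tool records (ct-fuzz does not work this way; the stand-in only keeps the demo deterministic).

```python
import random
import sys

def observe(fn, *args):
    """Run fn(*args) under sys.settrace; return (crashed, edges, steps)."""
    edges, prev, steps, crashed = set(), None, 0, False

    def tracer(frame, event, arg):
        nonlocal prev, steps
        if event == "line" and frame.f_code is fn.__code__:
            edges.add((prev, frame.f_lineno))   # AFL-style (prev, cur) edge coverage
            prev = frame.f_lineno
            steps += 1                          # assumption: stand-in for an instruction count
        return tracer

    sys.settrace(tracer)
    try:
        fn(*args)
    except RuntimeError:   # the constructed targets signal a "crash" this way
        crashed = True
    finally:
        sys.settrace(None)
    return crashed, edges, steps

def target_split(data):
    # constructed target: magic header checked one byte per branch, so every
    # byte matched reaches a new edge and coverage feedback rewards partial progress
    if len(data) < 4 or data[0] != ord("F"):
        return 0
    if data[1] != ord("U"):
        return 1
    if data[2] != ord("Z"):
        return 2
    if data[3] != ord("Z"):
        return 3
    raise RuntimeError("crash: reached the guarded code")

def target_narrow(data):
    # constructed target: the same header as one narrow check; no partial credit,
    # so a single mutation of a kept seed never satisfies it
    if len(data) >= 4 and data[:4] == b"FUZZ":
        raise RuntimeError("crash: reached the guarded code")
    return 0

def mutate(rng, data, max_len=8):
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:                    # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(0x20, 0x7F)
    elif op == 1 and len(buf) < max_len:   # insert one byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(0x20, 0x7F))
    elif len(buf) > 1:                     # delete one byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)   # printable bytes only, to keep the toy search space small

def greybox_fuzz(target, seeds, iterations=60000, seed=1):
    """Coverage-guided loop: a mutant joins the queue only if it reaches a new edge."""
    rng = random.Random(seed)
    queue, seen, crashes = list(seeds), set(), []
    for s in queue:
        seen |= observe(target, s)[1]
    for _ in range(iterations):
        parent = queue[-1] if rng.random() < 0.5 else rng.choice(queue)  # favour newest
        child = mutate(rng, parent)
        crashed, edges, _ = observe(target, child)
        if crashed:
            crashes.append(child)
        elif edges - seen:
            seen |= edges
            queue.append(child)
    return queue, crashes

def leaky_compare(secret, guess):
    # early exit on the first mismatch: the trace length depends on the secret
    if len(secret) != len(guess):
        return False
    for a, b in zip(secret, guess):
        if a != b:
            return False
    return True

def constant_time_compare(secret, guess):
    # fixed control flow: the trace length depends only on the length
    if len(secret) != len(guess):
        return False
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0

def timing_leak(fn, public, secret_a, secret_b):
    """Two-safety check: same public input, two secrets; any difference is a leak."""
    return observe(fn, secret_a, public)[2] != observe(fn, secret_b, public)[2]

def fuzz_for_leak(fn, trials=5000, length=4, seed=2):
    """Random search for a (public, secret_a, secret_b) witness; None if none is found."""
    rng = random.Random(seed)
    for _ in range(trials):
        public, sa, sb = (bytes(rng.randrange(256) for _ in range(length)) for _ in range(3))
        if timing_leak(fn, public, sa, sb):
            return public, sa, sb
    return None
```

Calling `greybox_fuzz(target_split, [b"A", b"AAAA"])` reaches the guarded code because each matched byte opens a new edge and the mutant is kept as a seed; `greybox_fuzz(target_narrow, [b"A", b"AAAA"])` returns no crashes at all, since a non-crashing mutant of the narrow target never adds coverage and is discarded, which is the narrow-check problem the Harvey and Learning Inputs snippets describe. `fuzz_for_leak(leaky_compare)` returns a witness triple while `fuzz_for_leak(constant_time_compare)` returns None.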
Showing results 1 — 15 out of 60 results