Sun 20 - Fri 25 October 2019 Athens, Greece
Fri 25 Oct 2019 11:45 - 12:07 at Attica - Test Generation Chair(s): Sasa Misailovic

Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require non-trivial implementation effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern.

In this paper, we present FuzzFactory, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution, as well as how such feedback should be aggregated. FuzzFactory uses this information to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. Such waypoints always make progress towards domain-specific multi-dimensional objectives. We instantiate six domain-specific fuzzing applications using FuzzFactory: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google's fuzzer test suite. We also show how multiple domains can be composed to perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of LZ4 bombs and PNG bombs.
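The waypoint mechanism described above, as an added illustration that is not the paper's or FuzzFactory's own code: a small Python model in which a constructed toy parser reports two kinds of domain-specific feedback, "cmp" (bytes matched at a strict equality comparison) and "mem" (size requested at an allocation site), each aggregated with max, and an input is kept as a waypoint only when some key makes progress. The magic value, the key numbering and the exhaustive byte-value mutation stage are assumptions chosen to keep the run deterministic.

```python
# Added example (not FuzzFactory's own code): a model of domain-specific
# feedback maps, per-domain reducers, and waypoint saving.
MAGIC = b"LZ4!"  # constructed toy format: 4-byte magic, then a 32-bit length

def target(data, dsf):
    """Toy parser; records domain-specific feedback into `dsf` (the run map)."""
    matched = 0
    for got, want in zip(data[:4], MAGIC):
        if got != want:
            break
        matched += 1
    dsf["cmp"][0] = matched          # key 0 = this comparison site
    if matched < 4:
        return                        # magic failed: allocation never reached
    size = int.from_bytes(data[4:8].ljust(4, b"\0"), "little")
    dsf["mem"][0] = size              # key 0 = this allocation site

def is_waypoint(global_dsf, run_dsf, reducers):
    """True if any key improves under its domain's reducer; updates globals."""
    progress = False
    for domain, run_map in run_dsf.items():
        for key, value in run_map.items():
            old = global_dsf[domain].get(key, 0)   # maps start zeroed
            new = reducers[domain](old, value)
            if new != old:
                global_dsf[domain][key] = new
                progress = True
    return progress

def fuzz(max_runs=20000):
    """Deterministic stage: try every byte value at every position of the
    newest waypoint; keep a child only when it makes domain progress."""
    reducers = {"cmp": max, "mem": max}
    global_dsf = {"cmp": {}, "mem": {}}
    queue, runs = [b"\0" * 8], 0
    while runs < max_runs:
        parent, found = queue[-1], False
        for pos in range(len(parent)):
            for val in range(255, -1, -1):
                child = bytearray(parent)
                child[pos] = val
                run_dsf = {"cmp": {}, "mem": {}}
                target(bytes(child), run_dsf)
                runs += 1
                if is_waypoint(global_dsf, run_dsf, reducers):
                    queue.append(bytes(child))
                    found = True
                    break
            if found:
                break
        if not found:
            break                     # a full pass without progress: done
    return global_dsf, queue
```

Each saved waypoint matches one more magic byte, and once the comparison is satisfied the mem domain drives the length field upward, which is the composition of comparison and allocation feedback the abstract describes.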

Fri 25 Oct
Times are displayed in time zone: Beirut

11:00 - 12:30: Test Generation (OOPSLA) at Attica
Chair(s): Sasa Misailovic (University of Illinois at Urbana-Champaign)
11:00 - 11:22
CLOTHO: Directed Test Generation for Weakly Consistent Database Systems
Kia Rahmani (Purdue University), Kartik Nagar (Purdue University), Benjamin Delaware (Purdue University), Suresh Jagannathan (Purdue University)
11:22 - 11:45
Coverage Guided, Property Based Testing
Leonidas Lampropoulos (University of Pennsylvania, University of Maryland), Michael Hicks (University of Maryland), Benjamin C. Pierce (University of Pennsylvania)
11:45 - 12:07
FuzzFactory: Domain-Specific Fuzzing with Waypoints
Rohan Padhye (University of California, Berkeley), Caroline Lemieux (University of California, Berkeley), Koushik Sen (University of California, Berkeley), Laurent Simon (Samsung Research America), Hayawardh Vijayakumar (Samsung Research America)
12:07 - 12:30
Compiler Fuzzing: How Much Does It Matter?
Michaël Marcozzi (Imperial College London), Qiyi Tang (Imperial College London), Alastair Donaldson (Imperial College London), Cristian Cadar (Imperial College London)