Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require non-trivial implementation effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern.
In this paper, we present FuzzFactory, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution, as well as how such feedback should be aggregated. FuzzFactory uses this information to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. Such waypoints always make progress towards domain-specific multi-dimensional objectives. We instantiate six domain-specific fuzzing applications using FuzzFactory: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google's fuzzer test suite. We also show how multiple domains can be composed to perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of LZ4 bombs and PNG bombs.
Fri 25 OctDisplayed time zone: Beirut change
11:00 - 12:30
|CLOTHO: Directed Test Generation for Weakly Consistent Database Systems|
Kia Rahmani Purdue University, Kartik Nagar Purdue University, Benjamin Delaware Purdue University, Suresh Jagannathan Purdue UniversityDOI Pre-print
|Coverage Guided, Property Based Testing|
Leonidas Lampropoulos University of Pennsylvania, University of Maryland, Michael Hicks University of Maryland, Benjamin C. Pierce University of PennsylvaniaDOI
|FuzzFactory: Domain-Specific Fuzzing with Waypoints|
Rohan Padhye University of California, Berkeley, Caroline Lemieux University of California, Berkeley, Koushik Sen University of California, Berkeley, Laurent Simon Samsung Research America, Hayawardh Vijayakumar Samsung Research AmericaDOI Pre-print
|Compiler Fuzzing: How Much Does It Matter?|
Michaël Marcozzi Imperial College London, Qiyi Tang Imperial College London, Alastair F. Donaldson Imperial College London, Cristian Cadar Imperial College LondonLink to publication DOI Pre-print Media Attached File Attached