Proceedings 2019 Network and Distributed System Security Symposium 2019
DOI: 10.14722/ndss.2019.23412

NAUTILUS: Fishing for Deep Bugs with Grammars

Abstract: Fuzz testing is a well-known method for efficiently identifying bugs in programs. Unfortunately, when programs that require highly-structured inputs such as interpreters are fuzzed, many fuzzing methods struggle to pass the syntax checks: interpreters often process inputs in multiple stages, first syntactic and then semantic correctness is checked. Only if both checks are passed, the interpreted code gets executed. This prevents fuzzers from executing "deeper" (and hence potentially more interesting) code. Typic…

Citations: cited by 140 publications (94 citation statements)
References: 24 publications
“…This also demonstrates the advantage that a custom interpreter provides by focusing on useful interactions. This finding is in line with recent research on grammar-based fuzzing [10], [12], [29], [36], [39].…”
Section: Old CVEs (supporting)
confidence: 90%
“…Triggered by the publication and widespread success of AFL, a myriad of research projects aimed to strengthen the bug finding ability of fuzzers in various scenarios. In most cases, the algorithms used for scheduling [13]-[15], [41], [49], feedback [2], [21], [31], [33], and mutations [10], [11], [29], [36], [39] were improved. In other projects, techniques based on concolic execution [22]-[24], [28], [34], [45], [48], [53], [55] or taint tracking [17], [40] were combined with fuzzing to solve "fuzzing roadblocks" such as magic bytes.…”
Section: Related Work (mentioning)
confidence: 99%
“…Grammar-based fuzzers such as LangFuzz [29] and Nautilus [30] generate inputs that comply with a language grammar. LangFuzz generates valid inputs for a JavaScript interpreter using a grammar.…”
Section: B. Format-aware Fuzzing (mentioning)
confidence: 99%
“…By doing so, it improves the mutation strategy to generate semantically-valid input to find deep bugs. Recent studies [7,9,27,34] guide the fuzzer to generate highly-structured inputs by using coverage-feedback. For example, Nautilus leverages grammar specification to better generate and mutate the test inputs with coverage guidance.…”
Section: Related Work (mentioning)
confidence: 99%