QuickFuzz: an automatic random fuzzer for common file formats

GriecoGustavo,; Ceresa, Martín; BuirasPablo,

doi:10.1145/3241625.2976017

Cited by 13 publications

(8 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Skyfire [53] and Orthrus [49] propose to improve the initial seed selection by running an up-front analysis on the program to bootstrap information both for creating the corpus and assisting the mutators. QuickFuzz [20,21] allows seed generation through the use of grammars that specify the structure of valid, or interesting, inputs. DIFUZE performs an up-front static analysis to identify the structure of inputs to device drivers prior to fuzzing [13].…”

Section: Recent Advances In Fuzzingmentioning

confidence: 99%

“…In Table 1, we can see that 12 out of the 15 papers that did consider multiple trials did not characterize the performance variance (they have a blank box in the variance column). Instead, each of them compared the "average" performance (we assume: arithmetic mean) of A and B when drawing conclusions, except for Dowser [22] that reported median, and two [20,59] that did not mention how the "average" was calculated.…”

Section: Statistically Sound Comparisonsmentioning

confidence: 99%

See 1 more Smart Citation

Evaluating Fuzz Testing

Klees

Ruef

Cooper

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

452

278

View full text Add to dashboard Cite

Fuzz testing has enjoyed great success at discovering security critical bugs in real software. Recently, researchers have devoted significant effort to devising new fuzzing techniques, strategies, and algorithms. Such new ideas are primarily evaluated experimentally so an important question is: What experimental setup is needed to produce trustworthy results? We surveyed the recent research literature and assessed the experimental evaluations carried out by 32 fuzzing papers. We found problems in every evaluation we considered. We then performed our own extensive experimental evaluation using an existing fuzzer. Our results showed that the general problems we found in existing experimental evaluations can indeed translate to actual wrong or misleading assessments. We conclude with some guidelines that we hope will help improve experimental evaluations of fuzz testing algorithms, making reported results more robust. CCS CONCEPTS• Security and privacy → Software and application security;A fuzz tester (or fuzzer) is a tool that iteratively and randomly generates inputs with which it tests a target program. Despite appearing "naive" when compared to more sophisticated tools involving SMT solvers, symbolic execution, and static analysis, fuzzers are surprisingly effective. For example, the popular fuzzer AFL has been used to find hundreds of bugs in popular programs [1]. Comparing AFL head-to-head with the symbolic executor angr, AFL found 76% more bugs (68 vs. 16) in the same corpus over a 24-hour period [50]. The success of fuzzers has made them a popular topic of research.

show abstract

Section: Recent Advances In Fuzzingmentioning

confidence: 99%

Section: Statistically Sound Comparisonsmentioning

confidence: 99%

Evaluating Fuzz Testing

Klees

Ruef

Cooper

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

452

278

View full text Add to dashboard Cite

show abstract

“…The second approach we will discuss is the one taken by MegaDeTH , a meta-programming tool used intensively by QuickFuzz [14,15]. Firstly, MegaDeTH derives random generators for ADTs as well as all of its nested types-a useful feature not supported by derive.…”

Section: Megadethmentioning

confidence: 99%

“…Fuzzers are tools to tests programs against randomly generated unexpected inputs. QuickFuzz [14,15] is a tool that synthesizes data with rich structure, that is, well-typed files which can be used as initial "seeds" for state-of-the-art fuzzers-a work flow which discovered many unknown vulnerabilities. Our work could help to improve the variation of the generated initial seeds, by varying the distribution of QuickFuzz generators-an interesting direction for future work.…”

Section: Related Workmentioning

confidence: 99%

“…As a result, generated random values are well-typed and preserve the structure described by the ADT. Rather than manually writing generators, libraries derive [24] and MegaDeTH [14,15] automatically synthesize generators for a given user-defined ADT. The library derive provides no guarantees that the generation process terminates, while MegaDeTH pays almost no attention to the distribution of values.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Branching processes for QuickCheck generators

Mista

Russo

Hughes

2018

Proceedings of the 11th ACM SIGPLAN International Symposium on Haskell

View full text Add to dashboard Cite

In QuickCheck (or, more generally, random testing), it is challenging to control random data generators' distributionsspecially when it comes to user-defined algebraic data types (ADT). In this paper, we adapt results from an area of mathematics known as branching processes, and show how they help to analytically predict (at compile-time) the expected number of generated constructors, even in the presence of mutually recursive or composite ADTs. Using our probabilistic formulas, we design heuristics capable of automatically adjusting probabilities in order to synthesize generators which distributions are aligned with users' demands. We provide a Haskell implementation of our mechanism in a tool called and perform case studies with real-world applications. When generating random values, our synthesized QuickCheck generators show improvements in code coverage when compared with those automatically derived by state-of-the-art tools.CCS Concepts • Software and its engineering → Software testing and debugging;

show abstract