research-article

Semi-valid input coverage for fuzz testing

Authors:
Petar Tsankov

ETH Zurich, Switzerland

ETH Zurich, Switzerland
View Profile

,
Mohammad Torabi Dashti

ETH Zurich, Switzerland

ETH Zurich, Switzerland
View Profile

,
David Basin

ETH Zurich, Switzerland

ETH Zurich, Switzerland
View Profile

ISSTA 2013: Proceedings of the 2013 International Symposium on Software Testing and AnalysisJuly 2013Pages 56–66https://doi.org/10.1145/2483760.2483787

Published:15 July 2013Publication History

ISSTA 2013: Proceedings of the 2013 International Symposium on Software Testing and Analysis

Pages 56–66

ABSTRACT

We define semi-valid input coverage (SVCov), the first coverage criterion for fuzz testing. Our criterion is applicable whenever the valid inputs can be defined by a finite set of constraints. SVCov measures to what extent the tests cover the domain of semi-valid inputs, where an input is semi-valid if and only if it satisfies all the constraints but one.

We demonstrate SVCov's practical value in a case study on fuzz testing the Internet Key Exchange protocol (IKE). Our study shows that it is feasible to precisely define and efficiently measure SVCov. Moreover, SVCov provides essential information for improving the effectiveness of fuzz testing and enhancing fuzz-testing tools and libraries. In particular, by increasing coverage under SVCov, we have discovered a previously unknown vulnerability in a mature IKE implementation.

References

T. Alrahem, A. Chen, N. DiGiuseppe, J. Gee, S.-P. Hsiao, S. Mattox, T. Park, and I. Harris. INTERSTATE: A Stateful Protocol Fuzzer for SIP. In Defcon 15, pages 1–5, August 2007.Google Scholar
T. Alrahem and I. Harris. Achieving Domain Coverage with Directed Fuzz Testing. Technical report, University of California, Irvine, CA, USA, June 2007.Google Scholar
G. Banks, M. Cova, V. Felmetsger, K. C. Almeroth, R. A. Kemmerer, and G. Vigna. SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr. In ISC, pages 343–358, 2006. Google ScholarDigital Library
S. Becker, H. Abdelnur, J. L. Obes, R. State, and O. Festor. Improving Fuzz Testing Using Game Theory. In Proceedings of the 2010 Fourth International Conference on Network and System Security, NSS ’10, pages 263–268, Washington, DC, USA, 2010. IEEE Computer Society. Google ScholarDigital Library
E. Bouwers, J. Visser, and A. van Deursen. Getting What You Measure. Commun. ACM, 55(7):54–59, July 2012. Google ScholarDigital Library
C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX conference on Operating systems design and implementation, OSDI’08, pages 209–224, Berkeley, CA, USA, 2008. USENIX Association. Google ScholarDigital Library
L. A. Clarke, A. Podgurski, D. J. Richardson, and S. J. Zeil. A Formal Evaluation of Data Flow Path Selection Criteria. IEEE Trans. Softw. Eng., 15(11):1318–1332, Nov. 1989. Google ScholarDigital Library
W. Drewry and T. Ormandy. Flayer: Exposing Application Internals. In Proceedings of the first USENIX workshop on Offensive Technologies, WOOT ’07, pages 1–9, Berkeley, CA, USA, 2007. USENIX Association. Google ScholarDigital Library
V. Ganesh, T. Leek, and M. Rinard. Taint-based Directed Whitebox Fuzzing. In Proceedings of the 31st International Conference on Software Engineering, ICSE ’09, pages 474–484, Washington, DC, USA, 2009. IEEE Computer Society. Google ScholarDigital Library
P. Godefroid, A. Kiezun, and M. Y. Levin. Grammar-based Whitebox Fuzzing. In Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation, PLDI ’08, pages 206–215, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
P. Godefroid, N. Klarlund, and K. Sen. DART: Directed Automated Random Testing. In Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, PLDI ’05, pages 213–223, New York, NY, USA, 2005. ACM. Google ScholarDigital Library
P. Godefroid, M. Y. Levin, and D. Molnar. SAGE: Whitebox Fuzzing for Security Testing. Queue, 10(1):20:20–20:27, Jan. 2012. Google ScholarDigital Library
D. Harkins and D. Carrel. The Internet Key Exchange (IKE). RFC 2409 (Proposed Standard), Nov. 1998. Obsoleted by RFC 4306, updated by RFC 4109. Google ScholarDigital Library
IEEE Standards Board. IEEE standard glossary of software engineering terminology, September 1990. Std 610.12-1990.Google Scholar
R. Kaksonen. Test Coverage in Model-based Fuzz Testing, 2012. Presented at Model-based User Conference, Tallinn, Estonia.Google Scholar
R. Kaksonen, M. Laakso, and A. Takanen. System Security Assessment through Specification Mutations and Fault Injection. In Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security Issues of the New Century, pages 27–, Deventer, The Netherlands, 2001. Kluwer, B.V. Google ScholarDigital Library
D. Maughan, M. Schertler, M. Schneider, and J. Turner. Internet Security Association and Key Management Protocol (ISAKMP). RFC 2408 (Proposed Standard), Nov. 1998. Obsoleted by RFC 4306. Google ScholarDigital Library
Memcheck: A Memory Error Detector. http://valgrind.org.Google Scholar
B. P. Miller, L. Fredriksen, and B. So. An Empirical Study of the Reliability of UNIX Utilities. Commun. ACM, 33:32–44, December 1990. Google ScholarDigital Library
G. Myers, C. Sandler, and T. Badgett. The Art of Software Testing. ITPro collection. Wiley, 2011. Google ScholarDigital Library
N. Nethercote and J. Seward. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. ACM Sigplan Notices, 42(6):89–100, 2007. Google ScholarDigital Library
P. Oehlert. Violating Assumptions with Fuzzing. IEEE Security and Privacy, 3(2):58–62, Mar. 2005. Google ScholarDigital Library
OpenSwan. https://www.openswan.org.Google Scholar
L. Opstad, J. Shirk, and D. Weinstein. Fuzzed Enough? When It’s OK to Put the Shears Down, 2008. Presented at BlueHat v8, Redmond, WA, USA.Google Scholar
D. Piper. The Internet IP Security Domain of Interpretation for ISAKMP. RFC 2407 (Proposed Standard), Nov. 1998. Obsoleted by RFC 4306. Google ScholarDigital Library
RTCA/DO-178B. Software Considerations in Airborne Systems and Equipment Certification, December 1992.Google Scholar
J. Rushby. Automated Test Generation and Verified Software. In B. Meyer and J. Woodcock, editors, Verified Software: Theories, Tools, Experiments, pages 161–172. Springer-Verlag, Berlin, Heidelberg, 2008. Google ScholarDigital Library
Scapy. http://www.secdev.org/projects/scapy/.Google Scholar
L. Shan and H. Zhu. Generating Structurally Complex Test Cases By Data Mutation: A Case Study Of Testing An Automated Modelling Tool. Comput. J., 52(5):571–588, 2009. Google ScholarDigital Library
M. Staats, G. Gay, M. Whalen, and M. Heimdahl. On the Danger of Coverage Directed Test Case Generation. In Proceedings of the 15th international conference on Fundamental Approaches to Software Engineering, FASE’12, pages 409–424, Berlin, Heidelberg, 2012. Springer-Verlag. Google ScholarDigital Library
M. Sutton, A. Greene, and P. Amini. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley, 1 edition, July 2007. Google ScholarDigital Library
A. Takanen, J. DeMott, and C. Miller. Fuzzing for Software Security Testing and Quality Assurance. Artech House, Inc., Norwood, MA, USA, 1 edition, 2008. Google ScholarDigital Library
The MITRE Corporation. CWE-List (2.1), Sept. 2011.Google Scholar
P. Tsankov, M. Torabi Dashti, and D. Basin. SecFuzz: Fuzz-testing Security Protocols. In 7th International Workshop on Automation of Software Test (AST ’12), pages 1–7. IEEE, June 2012.Google Scholar
E. J. Weyuker. Axiomatizing Software Test Data Adequacy. IEEE Trans. Softw. Eng., 12(12):1128–1138, Dec. 1986. Google ScholarDigital Library
H. Zhu, P. A. V. Hall, and J. H. R. May. Software Unit Test Coverage and Adequacy. ACM Comput. Surv., 29(4):366–427, Dec. 1997. Google ScholarDigital Library

Index Terms

Semi-valid input coverage for fuzz testing
1. General and reference
  1. Cross-computing tools and techniques
    1. Metrics
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

FairFuzz: a targeted mutation strategy for increasing greybox fuzz testing coverage
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

In recent years, fuzz testing has proven itself to be one of the most effective techniques for finding correctness bugs and security vulnerabilities in practice. One particular fuzz testing tool, American Fuzzy Lop (AFL), has become popular thanks to ...
Read More
Turning programs against each other: high coverage fuzz-testing using binary-code mutation and dynamic slicing
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering

Mutation-based fuzzing is a popular and widely employed black-box testing technique for finding security and robustness bugs in software. It owes much of its success to its simplicity; a well-formed seed input is mutated, e.g. through random bit-...
Read More
A Negative Input Space Complexity Metric as Selection Criterion for Fuzz Testing
ICTSS 2015: Proceedings of the 27th IFIP WG 6.1 International Conference on Testing Software and Systems - Volume 9447

Fuzz testing is an established technique in order to find zero-day-vulnerabilities by stimulating a system under test with invalid or unexpected input data. However, fuzzing techniques still generate far more test cases than can be executed. Therefore, ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ISSTA 2013: Proceedings of the 2013 International Symposium on Software Testing and Analysis
July 2013
381 pages
ISBN:9781450321594
DOI:10.1145/2483760
General Chair:
Mauro Pezzè,
Program Chair:
Mark Harman
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 15 July 2013
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
coverage criteria
fuzz testing
security testing
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate16of69submissions,23%
Upcoming Conference
ISSTA '24

Sponsor:

sigsoft

33rd ACM SIGSOFT International Symposium on Software Testing and Analysis

September 16 - 20, 2024

Vienna , Austria
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 14
  Total Citations
  View Citations
- 422
  Total Downloads
- Downloads (Last 12 months)29
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Semi-valid input coverage for fuzz testing

ISSTA 2013: Proceedings of the 2013 International Symposium on Software Testing and Analysis

ABSTRACT

References

Cited By

Index Terms

Recommendations

FairFuzz: a targeted mutation strategy for increasing greybox fuzz testing coverage

Turning programs against each other: high coverage fuzz-testing using binary-code mutation and dynamic slicing

A Negative Input Space Complexity Metric as Selection Criterion for Fuzz Testing