ABSTRACT
Mutation-based fuzzing is a widely employed black-box testing technique for finding security and robustness bugs in software. It owes much of its success to its simplicity: a well-formed seed input is mutated, e.g., through random bit flipping, to produce test inputs. While reducing the need for human effort, and enabling security testing even of closed-source programs with undocumented input formats, the simplicity of mutation-based fuzzing comes at the cost of poor code coverage. Often, millions of iterations are needed, and the results depend heavily on configuration parameters and the choice of seed inputs. In this paper we propose a novel method for automated generation of high-coverage test cases for robustness testing. Our method is based on the observation that, even for closed-source programs with proprietary input formats, an implementation that can generate well-formed inputs to the program is typically available. By systematically mutating the program code of such generating programs, we leverage the information about the input format encoded in the generating program to produce high-coverage test inputs, capable of reaching deep states in the program under test. Our method works entirely at the machine-code level, enabling use cases similar to traditional black-box fuzzing. We have implemented the method in our tool MutaGen and evaluated it on 7 popular Linux programs. We found that, for most programs, our method improves code coverage by an order of magnitude or more compared to two well-known mutation-based fuzzers. We also found a total of 8 unique bugs.
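To make the baseline technique concrete, the following is a minimal, illustrative sketch of the seed-mutation step the abstract describes (random bit flipping of a well-formed input). It is not MutaGen, which instead mutates the machine code of a generating program; the function name and parameters here are hypothetical.

```python
import random

def bitflip_mutate(seed: bytes, flips: int = 8, rng: random.Random = None) -> bytes:
    """Produce one test input by flipping `flips` randomly chosen bits in a seed."""
    rng = rng or random.Random(0)  # fixed RNG seed for a reproducible sketch
    data = bytearray(seed)
    for _ in range(flips):
        pos = rng.randrange(len(data) * 8)  # pick a random bit position
        data[pos // 8] ^= 1 << (pos % 8)    # flip that single bit
    return bytes(data)

# A well-formed seed (here, a GIF-like header) yields a slightly corrupted variant
# that is fed to the program under test:
seed = b"GIF89a\x10\x00\x10\x00"
mutant = bitflip_mutate(seed)
```

Because mutations are random and format-unaware, most mutants are rejected by early input validation in the program under test, which is the coverage limitation the paper's generator-mutation approach targets.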
Turning programs against each other: high coverage fuzz-testing using binary-code mutation and dynamic slicing