Article

Taint-based directed whitebox fuzzing

Authors:

Martin RinardAuthors Info & Claims

ICSE '09: Proceedings of the 31st International Conference on Software Engineering

Pages 474 - 484

https://doi.org/10.1109/ICSE.2009.5070546

Published: 16 May 2009 Publication History

Abstract

We present a new automated white box fuzzing technique and a tool, BuzzFuzz, that implements this technique. Unlike standard fuzzing techniques, which randomly change parts of the input file with little or no information about the underlying syntactic structure of the file, BuzzFuzz uses dynamic taint tracing to automatically locate regions of original seed input files that influence values used at key program attack points (points where the program may contain an error). BuzzFuzz then automatically generates new fuzzed test input files by fuzzing these identified regions of the original seed input files. Because these new test files typically preserve the underlying syntactic structure of the original seed input files, they tend to make it past the initial input parsing components to exercise code deep within the semantic core of the computation. We have used BuzzFuzz to automatically find errors in two open-source applications: Swfdec (an Adobe Flash player) and MuPDF (a PDF viewer). Our results indicate that our new directed fuzzing technique can effectively expose errors located deep within large programs. Because the directed fuzzing technique uses taint to automatically discover and exploit information about the input file format, it is especially appropriate for testing programs that have complex, highly structured input file formats.

References

[1]

Adobe macromedia shockwave flash file format. http://en.wikipedia.org/wiki/ Adobe_Flash.

[2]

Gnome and freedesktop enviroments. http: //en.wikipedia.org/wiki/Freedesktop. org.

[3]

Wikipedia entry on fuzzing. http://en. wikipedia.org/wiki/Fuzz_testing.

[4]

T. Andersson. Mupdf: A pdf viewer. http:// ccxvii.net/fitz/.

[5]

P. Boonstoppel, C. Cadar, and D. R. Engler. Rwset: Attacking path explosion in constraint-based test generation. In TACAS, pages 351-366, 2008.

Digital Library

[6]

J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: automatic extraction of protocol message format using dynamic binary analysis. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pages 317- 329, New York, NY, USA, 2007. ACM.

Digital Library

[7]

C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. EXE: Automatically generating inputs of death. In Proceedings of the 13th ACM Conference on Computer and Communications Security, October-November 2006.

Digital Library

[8]

J. DeMott. The evolving art of fuzzing. http://www.vdalabs.com/tools/The_ Evolving_Art_of_Fuzzing.pdf, 2006.

[9]

P. Godefroid, A. Kiezun, and M. Y. Levin. Grammar-based whitebox fuzzing. In PLDI, pages 206-215, 2008.

Digital Library

[10]

P. Godefroid, N. Klarlund, and K. Sen. Dart: directed automated random testing. In PLDI '05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation , pages 213-223, New York, NY, USA, 2005. ACM.

Digital Library

[11]

P. Godefroid, M. Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In Network and Distributed Systems Security Symposium, 2008.

[12]

R. Kaksonen. A functional method for assessing protocol implementation security. Technical Report 448, VTT Electronics, 2001.

[13]

E. Larson and T. Austin. High coverage detection of input-related security facults. In SSYM'03: Proceedings of the 12th conference on USENIX Security Symposium, pages 9-9, Berkeley, CA, USA, 2003. USENIX Association.

Digital Library

[14]

T. Leek, G. Baker, R. Brown, M. Zhivich, and R. Lippmann. Coverage maximization using dynamic taint tracing. Technical Report TR-1112, MIT Lincoln Laboratory, 2007.

[15]

Z. Lin and X. Zhang. Deriving input syntactic structure from execution. In Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE'08), Atlanta, GA, USA, November 2008.

Digital Library

[16]

B. Miller. Fuzzing website. http://pages.cs. wisc.edu/~bart/fuzz/fuzz.html, 2008.

[17]

B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Commun. ACM, 33(12):32-44, 1990.

Digital Library

[18]

D. Molnar and D. Wagner. Catchconv: Symbolic execution and run-time type inference for integer conversion errors. Technical Report UCB/EECS- 2007-23, University of California, Berkeley, CA, Feb 2007.

[19]

J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on comnodity software. In NDSS, 2005.

[20]

A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In IFIP Security, 2005.

[21]

B. Otte and D. Schleef. Swfdec: A flash animation player. http://swfdec.freedesktop.org/ wiki/.

[22]

K. Sen, D. Marinov, and G. Agha. Cute: a concolic unit testing engine for c. SIGSOFT Softw. Eng. Notes, 30(5):263-272, 2005.

Digital Library

[23]

M. Sutton, A. Greene, and P. Amini. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional, 1 edition, July 2007.

Digital Library

[24]

G. Wondracek, P. M. Comparetti, C. Kruegel, and E. Kirda. Automatic network protocol analysis. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS08), 2008.

Cited By

Neef SKleissner LSeifert JQuek TGao DZhou JCardenas A(2024)What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web ApplicationsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3661137(1523-1538)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3661137
Goli MDrechsler R(2024)Early SoCs Information Flow Policies Validation Using SystemC-Based Virtual Prototypes at the ESLACM Transactions on Embedded Computing Systems10.1145/354478023:5(1-20)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.1145/3544780
Kuliamin V(2024)A Survey of Software Dynamic Analysis MethodsProgramming and Computing Software10.1134/S036176882401007950:1(90-114)Online publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1134/S0361768824010079
Show More Cited By

Index Terms

Taint-based directed whitebox fuzzing
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging
2. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning
      1. Program verification

Recommendations

Directed Greybox Fuzzing
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stack-trace of a reported vulnerability that we wish to ...
Grammar-based whitebox fuzzing
PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation

Whitebox fuzzing is a form of automatic dynamic test generation, based on symbolic execution and constraint solving, designed for security testing of large applications. Unfortunately, the current effectiveness of whitebox fuzzing is limited when ...
Grammar-based whitebox fuzzing
PLDI '08

Whitebox fuzzing is a form of automatic dynamic test generation, based on symbolic execution and constraint solving, designed for security testing of large applications. Unfortunately, the current effectiveness of whitebox fuzzing is limited when ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ICSE '09: Proceedings of the 31st International Conference on Software Engineering

May 2009

643 pages

ISBN:9781424434534

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

IEEE Computer Society

United States

Publication History

Published: 16 May 2009

Check for updates

Qualifiers

Article

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

97
Total Citations
View Citations
1,003
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)1

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Neef SKleissner LSeifert JQuek TGao DZhou JCardenas A(2024)What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web ApplicationsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3661137(1523-1538)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3661137
Goli MDrechsler R(2024)Early SoCs Information Flow Policies Validation Using SystemC-Based Virtual Prototypes at the ESLACM Transactions on Embedded Computing Systems10.1145/354478023:5(1-20)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.1145/3544780
Kuliamin V(2024)A Survey of Software Dynamic Analysis MethodsProgramming and Computing Software10.1134/S036176882401007950:1(90-114)Online publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1134/S0361768824010079
Yang HHuang YZhang ZLi FGupta BVijayaKumar P(2024)A novel generative adversarial network-based fuzzing cases generation method for industrial control system protocolsComputers and Electrical Engineering10.1016/j.compeleceng.2024.109268117:COnline publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1016/j.compeleceng.2024.109268
Zhao XQu HXu JLi XLv WWang G(2024)A systematic review of fuzzingSoft Computing - A Fusion of Foundations, Methodologies and Applications10.1007/s00500-023-09306-228:6(5493-5522)Online publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1007/s00500-023-09306-2
Jonáš MStrejček JTrtík MUrban L(2024)Gray-Box Fuzzing via Gradient Descent and Boolean Expression CoverageTools and Algorithms for the Construction and Analysis of Systems10.1007/978-3-031-57256-2_5(90-109)Online publication date: 6-Apr-2024
https://dl.acm.org/doi/10.1007/978-3-031-57256-2_5
Chen YZhong RYang YHu HWu DLee WCalandrino JTroncoso C(2023)µFUZZProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620312(1325-1342)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620312
Mallissery SWu Y(2023)Demystify the Fuzzing Methods: A Comprehensive SurveyACM Computing Surveys10.1145/362337556:3(1-38)Online publication date: 5-Oct-2023
https://dl.acm.org/doi/10.1145/3623375
Humayun AKim MGulzar MChandra SBlincoe KTonella P(2023)Co-dependence Aware Fuzzing for Dataflow-Based Big Data AnalyticsProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616298(1050-1061)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616298
Ackerman JCybenko GBöhme MNoller YRay BSzekeres L(2023)Large Language Models for Fuzzing Parsers (Registered Report)Proceedings of the 2nd International Fuzzing Workshop10.1145/3605157.3605173(31-38)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1145/3605157.3605173
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents