Fuzz Testing
• Fuzzing
  • Automated software testing technique
  • bug finding
• Fuzzer
  • Repeatedly provides randomly generated inputs to the program and checks the execution result.
Slide 10
Fuzz Testing
[Flow diagram] inputs → run with program → execution result → crash → Found bugs! (crash PoC)
Slide 11
Fuzz Testing
• Black-box
  • binary only
• Grey-box
  • utilize some program information to guide fuzzing
• White-box
  • get a full picture of the program
  • e.g., symbolic execution
Slide 13
Coverage-Guided Fuzzing
Slide 14
Coverage-Guided Fuzzing
• coverage metric
  • computed from program information
  • utilize coverage information to guide the fuzzer toward increasing the coverage percentage
Slide 15
Coverage-Guided Fuzzing
[Flow diagram] seed pool → select a seed → mutation → mutated seed → run with instrumented binary → execution result:
  • crash → Found bugs! (crash PoC)
  • exit normally → new coverage? Yes → save to seed pool; No → continue
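The loop in the diagram above, written out as an added example (it is not code from the slides or from AFL++). The target parser with its planted bounds-check bug, the trace-based edge coverage that stands in for compiler instrumentation, the havoc-style mutators and the starting seed are all constructed here, so the script runs offline; it shows why the "new coverage? → save to seed pool" step matters: the stepping-stone edges (`v2`, `kind_blob`) are what let the fuzzer make progress toward the bug, which the purely random loop from the earlier slide has no signal for.

```python
"""Coverage-guided fuzzing loop in miniature (constructed example, not AFL++)."""
import random


def target(data: bytes, trace: list) -> None:
    """Toy record parser (constructed). Each block appends its name to `trace`,
    which plays the role of the coverage instrumentation in a real build."""
    trace.append("entry")
    if len(data) < 4 or data[:4] != b"FUZZ":
        trace.append("bad_magic")
        return
    trace.append("magic_ok")
    if len(data) < 6:
        trace.append("truncated")
        return
    version, kind, payload = data[4], data[5], data[6:]
    if version != 2:
        trace.append("legacy")
        return
    trace.append("v2")
    if kind == 0x01:
        trace.append("kind_text")
        trace.append("text_nul" if b"\x00" in payload else "text_unterminated")
        return
    if kind == 0x02:
        trace.append("kind_blob")
        if not payload:
            trace.append("blob_empty")
            return
        declared, body = payload[0], payload[1:]
        buf = bytearray(32)            # fixed-size destination buffer
        trace.append("blob_copy")
        for i in range(declared):      # planted BUG: declared length is checked
            buf[i] = body[i]           # against neither body nor buf -> IndexError
        trace.append("blob_done")
        return
    trace.append("kind_unknown")


def run(data: bytes):
    """Execute the target once; return (set of covered edges, crashed?)."""
    trace = []
    try:
        target(data, trace)
        crashed = False
    except Exception:                  # any uncaught exception is treated as a crash
        crashed = True
    return set(zip(trace, trace[1:])), crashed


def mutate(seed: bytes, pool: list, rng: random.Random) -> bytes:
    """Stack 1-4 havoc-style mutations onto a copy of the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(6)
        if op == 0 and data:                         # flip one bit
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                       # overwrite one byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 2:                                # insert a short random block
            i = rng.randint(0, len(data))
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif op == 3 and len(data) > 1:              # delete a short block
            i = rng.randrange(len(data))
            del data[i:i + rng.randint(1, 4)]
        elif op == 4 and data:                       # duplicate a chunk in place
            i = rng.randrange(len(data))
            data[i:i] = data[i:i + rng.randint(1, 8)]
        elif op == 5:                                # splice with another pool member
            other = rng.choice(pool)
            data = data[:rng.randint(0, len(data))] + bytearray(other[len(other) // 2:])
    return bytes(data)


def fuzz(seeds, iterations: int, rng_seed: int = 0):
    """Select seed -> mutate -> run -> triage -> save on new coverage.
    Returns (seed pool, covered edges, crash PoCs)."""
    rng = random.Random(rng_seed)      # fixed seed keeps a campaign reproducible
    pool = list(seeds)
    covered = set()
    for s in pool:
        covered |= run(s)[0]
    crashes = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(pool), pool, rng)
        cov, crashed = run(candidate)
        if crashed:
            if candidate not in crashes:
                crashes.append(candidate)            # crash PoC, kept out of the pool
        elif cov - covered:                          # new coverage? yes ->
            covered |= cov
            pool.append(candidate)                   # save to seed pool
    return pool, covered, crashes


if __name__ == "__main__":
    pool, covered, crashes = fuzz([b"FUZZ\x00\x00"], 20000, rng_seed=1)
    print(f"seeds kept: {len(pool)}, edges covered: {len(covered)}, crashes: {len(crashes)}")
    for poc in crashes[:3]:
        print("crash PoC:", poc.hex())
```

Run it as a script to watch the pool and edge count grow from a single seed; every entry in `crashes` reproduces deterministically against `run`, which is the property a triage step depends on. The `rng_seed` parameter exists so a campaign can be replayed exactly.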
AFL++
• https://github.com/AFLplusplus/AFLplusplus
• AFL++ is a superior fork of Google's AFL: more speed, more and better mutations, more and better instrumentation, custom module support, etc.
• cmplog: REDQUEEN
• power schedule: AFLFast