Turning programs against each other: high coverage fuzz-testing using binary-code mutation and dynamic slicing
2015 (English)In: 2015 10TH JOINT MEETING OF THE EUROPEAN SOFTWARE ENGINEERING CONFERENCE AND THE ACM SIGSOFT SYMPOSIUM ON THE FOUNDATIONS OF SOFTWARE ENGINEERING (ESEC/FSE 2015) PROCEEDINGS, New York, NY, USA: Association for Computing Machinery (ACM), 2015, 782-792 p.Conference paper (Refereed)
Mutation-based fuzzing is a popular and widely employed black-box testing technique for finding security and robustness bugs in software. It owes much of its success to its simplicity; a well-formed seed input is mutated, e.g. through random bit-flipping, to produce test inputs. While reducing the need for human effort, and enabling security testing even of closed-source programs with undocumented input formats, the simplicity of mutation-based fuzzing comes at the cost of poor code coverage. Often millions of iterations are needed, and the results are highly dependent on configuration parameters and the choice of seed inputs. In this paper we propose a novel method for automated generation of high-coverage test cases for robustness testing. Our method is based on the observation that, even for closed-source programs with proprietary input formats, an implementation that can generate well-formed inputs to the program is typically available. By systematically mutating the program code of such generating programs, we leverage information about the input format encoded in the generating program to produce high-coverage test inputs, capable of reaching deep states in the program under test. Our method works entirely at the machine-code level, enabling use-cases similar to traditional black-box fuzzing. We have implemented the method in our tool MutaGen, and evaluated it on 7 popular Linux programs. We found that, for most programs, our method improves code coverage by one order of magnitude or more, compared to two well-known mutation-based fuzzers. We also found a total of 8 unique bugs.
Place, publisher, year, edition, pages
New York, NY, USA: Association for Computing Machinery (ACM), 2015. 782-792 p.
Fuzz testing, fuzzing, black-box, dynamic slicing, program mutation
IdentifiersURN: urn:nbn:se:liu:diva-128810DOI: 10.1145/2786805.2786844ISI: 000382568700067ISBN: 978-1-4503-3675-8OAI: oai:DiVA.org:liu-128810DiVA: diva2:932169
10th Joint Meeting on Foundations of Software Engineering