Name
Abstract | ||
|---|---|---|
Fuzzing consists of repeatedly testing an application with modified, or fuzzed, inputs with the goal of finding security vulnerabilities in input-parsing code. In this paper, we show how to automate the generation of an input grammar suitable for input fuzzing using sample inputs and neural-network-based statistical machine-learning techniques. We present a detailed case study with a complex input format, namely PDF, and a large complex security-critical parser for this format, namely, the PDF parser embedded in Microsoft's new Edge browser. We discuss and measure the tension between conflicting learning and fuzzing goals: learning wants to capture the structure of well-formed inputs, while fuzzing wants to break that structure in order to cover unexpected code paths and find bugs. We also present a new algorithm for this learn&fuzz challenge which uses a learnt input probability distribution to intelligently guide where to fuzz inputs.
|
Year | DOI | Venue |
|---|---|---|
2017 | 10.1109/ASE.2017.8115618 | ASE |
Keywords | DocType | Volume |
Fuzzing, Deep Learning, Grammar-based Fuzzing, Grammar Learning | Conference | abs/1701.07232 |
ISSN | ISBN | Citations |
1527-1366 | 978-1-5386-2684-9 | 41 |
PageRank | References | Authors |
1.55 | 16 | 3 |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Patrice Godefroid | 1 | 3622 | 275.78 |
| Hila Peleg | 2 | 47 | 5.04 |
| Rishabh Singh | 3 | 684 | 48.19 |