SLF: Fuzzing without Valid Seed Inputs

Wei You, Xuwei Liu, Shiqing Ma, David Perry, Xiangyu Zhang, Bin Liang

Research output: Chapter in Book/Report/Conference proceedingConference contribution

37 Scopus citations

Abstract

Fuzzing is an important technique to detect software bugs and vulnerabilities. It works by mutating a small set of seed inputs to generate a large number of new inputs. Fuzzers' performance often substantially degrades when valid seed inputs are not available. Although existing techniques such as symbolic execution can generate seed inputs from scratch, they have various limitations hindering their applications in real-world complex software. In this paper, we propose a novel fuzzing technique that features the capability of generating valid seed inputs. It piggy-backs on AFL to identify input validity checks and the input fields that have impact on such checks. It further classifies these checks according to their relations to the input. Such classes include arithmetic relation, object offset, data structure length and so on. A multi-goal search algorithm is developed to apply class-specific mutations in order to satisfy inter-dependent checks all together. We evaluate our technique on 20 popular benchmark programs collected from other fuzzing projects and the Google fuzzer test suite, and compare it with existing fuzzers AFL and AFLFast, symbolic execution engines KLEE and S2E, and a hybrid tool Driller that combines fuzzing with symbolic execution. The results show that our technique is highly effective and efficient, out-performing the other tools.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 IEEE/ACM 41st International Conference on Software Engineering, ICSE 2019
PublisherIEEE Computer Society
Pages712-723
Number of pages12
ISBN (Electronic)9781728108698
DOIs
StatePublished - May 2019
Externally publishedYes
Event41st IEEE/ACM International Conference on Software Engineering, ICSE 2019 - Montreal, Canada
Duration: May 25 2019May 31 2019

Publication series

NameProceedings - International Conference on Software Engineering
Volume2019-May
ISSN (Print)0270-5257

Conference

Conference41st IEEE/ACM International Conference on Software Engineering, ICSE 2019
Country/TerritoryCanada
CityMontreal
Period5/25/195/31/19

All Science Journal Classification (ASJC) codes

  • Software

Keywords

  • fuzzing
  • seed inputs

Fingerprint

Dive into the research topics of 'SLF: Fuzzing without Valid Seed Inputs'. Together they form a unique fingerprint.

Cite this