Software Open Access

FuzzFactory: Domain-Specific Fuzzing with Waypoints (Replication Package)

Padhye, Rohan; Lemieux, Caroline


Citation Style Language JSON Export

{
  "publisher": "Zenodo", 
  "DOI": "10.5281/zenodo.3364086", 
  "title": "FuzzFactory: Domain-Specific Fuzzing with Waypoints (Replication Package)", 
  "issued": {
    "date-parts": [
      [
        2019, 
        8, 
        8
      ]
    ]
  }, 
  "abstract": "<p>This artifact accompanies the paper &quot;FuzzFactory: Domain-Specific Fuzzing with Waypoints&quot;, submitted to OOPSLA 2019.</p>\n\n<p><strong>Paper abstract</strong>:</p>\n\n<p>Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require weeks of development effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern. In this paper, we present FuzzFactory, a framework for rapid prototyping of domain-specific fuzzing applications. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution. FuzzFactory uses a domain-specific fuzzing algorithm that incorporates such custom feedback to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. We use FuzzFactory to implement six domain-specific fuzzing applications: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google&#39;s fuzzer test suite. We also show how domain-specific feedback can be composed to produce composite applications, which perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of ZIP bombs and PNG bombs. We also discover a previously unknown memory leak in libarchive.</p>", 
  "author": [
    {
      "family": "Padhye, Rohan"
    }, 
    {
      "family": "Lemieux, Caroline"
    }
  ], 
  "version": "1.0", 
  "type": "article", 
  "id": "3364086"
}
157
61
views
downloads
All versions This version
Views 157158
Downloads 6161
Data volume 24.4 GB24.4 GB
Unique views 140141
Unique downloads 3535

Share

Cite as