Abstract
Fuzzing is a technique that involves testing programs using invalid or erroneous inputs. Most fuzzers require a set of valid inputs as a starting point, into which mutations are then introduced. QuickFuzz is a fuzzer that leverages QuickCheck-style random test-case generation to automatically test programs that manipulate common file formats. We rely on existing Haskell implementations of file-format-handling libraries found on Hackage, the community-driven Haskell code repository. We have tried QuickFuzz in the wild and found that the approach is effective in discovering vulnerabilities in real-world implementations of browsers, image processing utilities and file compressors, among others. In addition, we introduce a mechanism to automatically derive random generators for the types representing these formats. QuickFuzz handles most well-known image and media formats, and can be used to test programs and libraries written in any language.
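The following is an added illustration of the QuickCheck-style approach the abstract describes, not code from QuickFuzz itself: a hand-written Arbitrary instance stands in for the generators QuickFuzz derives automatically, the "QF" image format is a constructed toy rather than a real one, and the target path is a placeholder. It assumes the QuickCheck, bytestring and process packages.

```haskell
import Test.QuickCheck
import Test.QuickCheck.Monadic (monadicIO, run, assert)
import qualified Data.ByteString as B
import Data.Word (Word8)
import System.Exit (ExitCode (..))
import System.Process (readProcessWithExitCode)

-- Constructed toy file format (not a real one): 2-byte magic "QF",
-- one-byte width, one-byte height, then raw 8-bit pixel data.
data Image = Image { width :: Word8, height :: Word8, pixels :: [Word8] }
  deriving Show

-- The type plus its generator is the specification: most cases are
-- well-formed, a few carry a pixel payload whose length disagrees with
-- the header, which is where parsers tend to mishandle bounds.
instance Arbitrary Image where
  arbitrary = do
    w <- arbitrary
    h <- arbitrary
    n <- frequency
      [ (9, pure (fromIntegral w * fromIntegral h))
      , (1, choose (0, 300)) ]
    Image w h <$> vectorOf n arbitrary
  shrink (Image w h ps) = [Image w h ps' | ps' <- shrink ps]

-- Serialise a generated value into the bytes the target will read.
encode :: Image -> B.ByteString
encode (Image w h ps) = B.pack (0x51 : 0x46 : w : h : ps)

-- Write one generated file and run the target on it; a process that
-- terminates with a signal is reported as a crash.
crashes :: FilePath -> Image -> IO Bool
crashes target img = do
  let path = "/tmp/quickfuzz-case.bin"
  B.writeFile path (encode img)
  (code, _, _) <- readProcessWithExitCode target [path] ""
  pure $ case code of
    ExitFailure n -> n < 0 || n > 128
    ExitSuccess   -> False

-- QuickCheck drives generation and, on a failure, shrinks the crashing
-- image to a smaller one that still triggers it, which eases triage.
prop_targetSurvives :: FilePath -> Image -> Property
prop_targetSurvives target img = monadicIO $ do
  crashed <- run (crashes target img)
  assert (not crashed)

main :: IO ()
main = quickCheckWith stdArgs { maxSuccess = 1000 }
                      (prop_targetSurvives "./target-parser")  -- placeholder
```

Because the target is an external process, the same harness works for a parser written in any language; running it under a memory sanitizer turns silent corruption into reported crashes.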
QuickFuzz: an automatic random fuzzer for common file formats. Haskell 2016: Proceedings of the 9th International Symposium on Haskell.