Fuzzing with Code Fragments @USENIX Security 2012

Fuzz testing is an automated technique that provides random data as input to a software system in the hope of exposing a vulnerability. In order to be effective, the fuzzed input must be common enough to pass elementary consistency checks; a JavaScript interpreter, for instance, would only accept a semantically valid program. On the other hand, the fuzzed input must be uncommon enough to trigger exceptional behavior, such as a crash of the interpreter. The LangFuzz approach resolves this conflict by using a grammar to randomly generate valid programs; the code fragments, however, partially stem from programs known to have caused invalid behavior before. LangFuzz is an effective tool for security testing. Applied to the Mozilla JavaScript interpreter, it discovered a total of 105 new severe vulnerabilities within three months of operation (and thus became one of the top security bug bounty collectors within this period); applied to the PHP interpreter, it discovered 18 new defects causing crashes.
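To illustrate the two ingredients the abstract combines, grammar-driven generation and reuse of fragments from earlier test cases, here is a toy generator added for this page (it is not LangFuzz's code). The grammar, the fragment pool and the bracket check are all constructed stand-ins: LangFuzz works from a real language grammar and fills its pool by parsing prior test cases, while this example hard-codes a few fragments and only checks that brackets balance.

```python
import random

# Toy grammar for a JavaScript-like language (constructed; not LangFuzz's real one).
# Nonterminal -> list of productions; a production is a list of symbols, each either
# a nonterminal name or a literal terminal string.
GRAMMAR = {
    "Stmt": [["var ", "Ident", " = ", "Expr", ";"],
             ["if (", "Expr", ") { ", "Stmt", " }"],
             ["Expr", ";"]],
    "Expr": [["Ident"], ["Num"], ["Expr", " + ", "Expr"], ["Ident", "(", "Expr", ")"]],
    "Ident": [["x"], ["y"], ["f"]],
    "Num": [["0"], ["1"], ["0x7fffffff"]],
}

# Fragment pool keyed by nonterminal. LangFuzz fills this by parsing earlier test
# cases (including ones that triggered bugs before) and storing each subtree under
# its nonterminal; the entries below are constructed samples.
FRAGMENT_POOL = {
    "Expr": ["(new Array(1 << 20)).length", "f(f(x))"],
    "Stmt": ["try { y = x[0]; } catch (e) {}"],
}

def generate(symbol, rng, depth=0, max_depth=4, reuse_prob=0.3):
    """Expand `symbol` into program text, splicing in learned fragments."""
    if symbol not in GRAMMAR:
        return symbol                       # terminal: emit as-is
    pool = FRAGMENT_POOL.get(symbol)
    if pool and rng.random() < reuse_prob:  # reuse a fragment of the same type
        return rng.choice(pool)
    prods = GRAMMAR[symbol]
    if depth >= max_depth:                  # bound recursion: fewest nonterminals
        prod = min(prods, key=lambda p: sum(s in GRAMMAR for s in p))
    else:
        prod = rng.choice(prods)
    return "".join(generate(s, rng, depth + 1, max_depth, reuse_prob) for s in prod)

def is_balanced(program):
    """Cheap stand-in for the interpreter's syntax check: brackets must balance."""
    pairs, stack = {")": "(", "}": "{", "]": "["}, []
    for ch in program:
        if ch in "([{":
            stack.append(ch)
        elif ch in pairs and (not stack or stack.pop() != pairs[ch]):
            return False
    return not stack

def fuzz_batch(seed, count):
    """Generate `count` statement-level programs deterministically from `seed`."""
    rng = random.Random(seed)
    return [generate("Stmt", rng) for _ in range(count)]
```

Because both the productions and the pooled fragments are well-formed, every output passes the consistency check, which is the property the abstract says the fuzzed input must keep while still varying enough to reach unusual interpreter states.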

  • [PDF] C. Holler, K. Herzig, and A. Zeller, “Fuzzing with code fragments,” in Proceedings of the 21st USENIX Conference on Security Symposium, Berkeley, CA, USA, 2012, pp. 38–38.
    title = {Fuzzing with Code Fragments},
    author = {Christian Holler and Kim Herzig and Andreas Zeller},
    series = {Security'12},
    year = {2012},
    location = {Bellevue, WA},
    pages = {38--38},
    numpages = {1},
    month = {August},
    booktitle = {Proceedings of the 21st USENIX Conference on Security Symposium},
    acmid = {2362831},
    publisher = {USENIX Association},
    address = {Berkeley, CA, USA}

View the talk online