Fuzzing with Code Fragments @USENIX Security 2012

Fuzz testing is an automated technique that feeds random data to a software system in the hope of exposing a vulnerability. To be effective, the fuzzed input must be common enough to pass elementary consistency checks; a JavaScript interpreter, for instance, only accepts a semantically valid program. On the other hand, the fuzzed input must be uncommon enough to trigger exceptional behavior, such as a crash of the interpreter. The LangFuzz approach resolves this conflict by using a grammar to randomly generate valid programs; the code fragments, however, partially stem from programs known to have caused invalid behavior before. LangFuzz is an effective tool for security testing. Applied to the Mozilla JavaScript interpreter, it discovered a total of 105 new severe vulnerabilities within three months of operation (and thus became one of the top security bug bounty collectors within this period); applied to the PHP interpreter, it discovered 18 new defects causing crashes.
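The fragment-recombination idea sketched in the abstract, as an added example that is not code from the paper or from the LangFuzz tool: a small fragment-pool mutator written here in Python against Python's own standard-library `ast` module, standing in for the ANTLR-generated JavaScript and PHP parsers LangFuzz uses. AST node types play the role of grammar nonterminals, the corpus strings are constructed for the example, and the names `extract_fragments`, `names_in_scope`, `_Rename`, `mutate` and `generate` are chosen here. It walks through the three steps the approach relies on: harvest fragments from programs that once misbehaved, keyed by type; splice a fragment of the same type into a target program; and rename the fragment's identifiers to names the target already binds (LangFuzz's identifier adjustment) so the new code interacts with its host instead of failing immediately on an undefined name. Each mutant is checked to still parse before it would be handed to the interpreter under test.

```python
"""LangFuzz-style fragment recombination on Python source (added example).

LangFuzz itself uses ANTLR-generated parsers for JavaScript and PHP; here the
standard-library ast module plays the role of the grammar so the example runs
with no extra dependency (Python 3.9+ for ast.unparse). The corpus below is
constructed; in a real campaign it would be regression tests and bug reports."""
import ast
import copy
import random
from collections import defaultdict

# Constructed stand-ins for test cases that once triggered interpreter bugs.
FRAGMENT_CORPUS = [
    "x = [1, 2, 3]\nfor i in range(len(x)):\n    x[i] = x[i] * 2\n",
    "def f(a, b):\n    return a[b] + b\ny = f({1: 2}, 1)\n",
    "s = 'abc'\nwhile len(s) < 10:\n    s = s + s[::-1]\n",
    "z = (lambda q: q ** 2)(7) if True else None\n",
]


def _is_fragment(node):
    """Statements and load-context expressions are the interchangeable units;
    store/del-context targets are skipped so a splice never breaks assignment syntax."""
    return isinstance(node, (ast.stmt, ast.expr)) and isinstance(
        getattr(node, "ctx", ast.Load()), ast.Load)


def extract_fragments(sources):
    """Parse each source and bucket every fragment subtree by its node type,
    the equivalent of LangFuzz keying fragments by grammar nonterminal."""
    pool = defaultdict(list)
    for src in sources:
        for node in ast.walk(ast.parse(src)):
            if _is_fragment(node):
                pool[type(node)].append(node)
    return pool


def names_in_scope(tree):
    """Identifiers bound anywhere in the target program (sorted for determinism)."""
    bound = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            bound.add(node.name)
    return sorted(bound)


class _Rename(ast.NodeTransformer):
    """Map each loaded identifier of an inserted fragment onto a name bound in
    the target (identifier adjustment), keeping the mapping consistent within
    one fragment so 'x + x' stays 'a + a' rather than becoming 'a + b'."""

    def __init__(self, candidates, rng):
        self.candidates, self.rng, self.mapping = candidates, rng, {}

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load) and self.candidates:
            if node.id not in self.mapping:
                self.mapping[node.id] = self.rng.choice(self.candidates)
            node.id = self.mapping[node.id]
        return node


def mutate(target_src, pool, rng):
    """Replace one fragment of the target with a pool fragment of the same node
    type and return the new source. Raises SyntaxError when the splice yields
    something the parser rejects (e.g. a 'return' spliced in at module level)."""
    tree = ast.parse(target_src)
    sites = []  # (parent, field, index-or-None, child) for every replaceable node
    for parent in ast.walk(tree):
        for field, value in ast.iter_fields(parent):
            children = enumerate(value) if isinstance(value, list) else [(None, value)]
            for idx, child in children:
                if _is_fragment(child) and pool.get(type(child)):
                    sites.append((parent, field, idx, child))
    if not sites:
        return target_src
    parent, field, idx, old = rng.choice(sites)
    donor = copy.deepcopy(rng.choice(pool[type(old)]))  # never mutate the pool itself
    new = _Rename(names_in_scope(tree), rng).visit(donor)
    if idx is None:
        setattr(parent, field, new)
    else:
        getattr(parent, field)[idx] = new
    out = ast.unparse(ast.fix_missing_locations(tree))
    compile(out, "<langfuzz-demo>", "exec")  # cheap validity gate before execution
    return out


def generate(target_src, pool, seed, attempts=20):
    """Seeded driver: retry until a mutant parses, or give up with None.
    A real campaign would then run each mutant in the interpreter under test."""
    rng = random.Random(seed)
    for _ in range(attempts):
        try:
            return mutate(target_src, pool, rng)
        except SyntaxError:
            continue
    return None


if __name__ == "__main__":
    fragments = extract_fragments(FRAGMENT_CORPUS)
    target = "a = 1\nb = a + 2\n"
    for seed in range(3):
        print(f"--- seed {seed} ---\n{generate(target, fragments, seed)}")
```

The `compile` call is only the syntactic half of the conflict the abstract describes: it guarantees the mutant gets past the parser, while the semantic oddities (calling a list, indexing an integer, renaming `len` to a local variable) are exactly the "uncommon" behaviour that is meant to reach deeper interpreter code. Seeding the generator makes any crashing mutant reproducible from its seed and target alone.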

  • [PDF] C. Holler, K. Herzig, and A. Zeller, “Fuzzing with code fragments,” in Proceedings of the 21st usenix conference on security symposium, Berkeley, CA, USA, 2012, p. 38–38.
    [Bibtex]
    @inproceedings{holler-usenix-2012,
    title = {Fuzzing with Code Fragments},
    author={Christian Holler and Kim Herzig and Andreas Zeller},
    series = {Security'12},
    year = {2012},
    location = {Bellevue, WA},
    pages = {38--38},
    numpages = {1},
    month = {August},
    booktitle = {Proceedings of the 21st USENIX Conference on Security Symposium},
    link={http://www.kim-herzig.de/2012/04/27/fuzzing-with-code-fragments-usenix-security-2012/},
    pdf={http://www.kim-herzig.de/wp-content/uploads/2012/08/usenix-2012.pdf},
    acmid = {2362831},
    publisher = {USENIX Association},
    address = {Berkeley, CA, USA}
    }

View the talk online

https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/holler