TY - JOUR
T1 - Automatic and lightweight grammar generation for fuzz testing
AU - Kim, Su Yong
AU - Cha, Sungdeok
AU - Bae, Doo Hwan
N1 - Funding Information:
This work was supported by the Engineering Research Center of Excellence Program of Korea Ministry of Education, Science and Technology (MEST)/ National Research Foundation of Korea (NRF) (Grant 2012-0000473 ). This work was supported by the DGIST MIREBrian (Operation of CPS Global Center) of the Ministry of Education, Science and Technology of Korea.
PY - 2013
Y1 - 2013
N2 - Blackbox fuzz testing can only test a small portion of code when rigorously checking the well-formedness of input values. To overcome this problem, blackbox fuzz testing is performed using a grammar that delineates the format information of input values. However, it is almost impossible to manually construct a grammar if the input specifications are not known. We propose an alternative technique: the automatic generation of fuzzing grammars using API-level concolic testing. API-level concolic testing collects constraints at the library function level rather than the instruction level. While API-level concolic testing may be less accurate than instruction-level concolic testing, it is highly useful for speedily generating fuzzing grammars that enhance code coverage for real-world programs. To verify the feasibility of the proposed concept, we implemented the system for generating ActiveX control fuzzing grammars, named YMIR. The experiment results showed that the YMIR system was capable of generating fuzzing grammars that can raise branch coverage for ActiveX control using highly-structured input string by 15-50%. In addition, the YMIR system discovered two new vulnerabilities revealed only when input values are well-formed. Automatic fuzzing grammar generation through API-level concolic testing is not restricted to the testing of ActiveX controls; it should also be applicable to other string processing program whose source code is unavailable.
AB - Blackbox fuzz testing can only test a small portion of code when rigorously checking the well-formedness of input values. To overcome this problem, blackbox fuzz testing is performed using a grammar that delineates the format information of input values. However, it is almost impossible to manually construct a grammar if the input specifications are not known. We propose an alternative technique: the automatic generation of fuzzing grammars using API-level concolic testing. API-level concolic testing collects constraints at the library function level rather than the instruction level. While API-level concolic testing may be less accurate than instruction-level concolic testing, it is highly useful for speedily generating fuzzing grammars that enhance code coverage for real-world programs. To verify the feasibility of the proposed concept, we implemented the system for generating ActiveX control fuzzing grammars, named YMIR. The experiment results showed that the YMIR system was capable of generating fuzzing grammars that can raise branch coverage for ActiveX control using highly-structured input string by 15-50%. In addition, the YMIR system discovered two new vulnerabilities revealed only when input values are well-formed. Automatic fuzzing grammar generation through API-level concolic testing is not restricted to the testing of ActiveX controls; it should also be applicable to other string processing program whose source code is unavailable.
KW - ActiveX control
KW - Blackbox fuzz testing
KW - Grammar-based fuzzer
KW - Hybrid fuzz testing
KW - Whitebox fuzz testing
UR - http://www.scopus.com/inward/record.url?scp=84875148672&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84875148672&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2013.02.001
DO - 10.1016/j.cose.2013.02.001
M3 - Article
AN - SCOPUS:84875148672
VL - 36
SP - 1
EP - 11
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
ER -