IFuzzer: An Evolutionary Interpreter Fuzzer Using Genetic Programming

  • Spandan VeggalamEmail author
  • Sanjay Rawat
  • Istvan Haller
  • Herbert Bos
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


We present an automated evolutionary fuzzing technique to find bugs in JavaScript interpreters. Fuzzing is an automated black box testing technique used for finding security vulnerabilities in the software by providing random data as input. However, in the case of an interpreter, fuzzing is challenging because the inputs are piece of codes that should be syntactically/semantically valid to pass the interpreter’s elementary checks. On the other hand, the fuzzed input should also be uncommon enough to trigger exceptional behavior in the interpreter, such as crashes, memory leaks and failing assertions. In our approach, we use evolutionary computing techniques, specifically genetic programming, to guide the fuzzer in generating uncommon input code fragments that may trigger exceptional behavior in the interpreter. We implement a prototype named IFuzzer to evaluate our technique on real-world examples. IFuzzer uses the language grammar to generate valid inputs. We applied IFuzzer first on an older version of the JavaScript interpreter of Mozilla (to allow for a fair comparison to existing work) and found 40 bugs, of which 12 were exploitable. On subsequently targeting the latest builds of the interpreter, IFuzzer found 17 bugs, of which four were security bugs.


Fuzzing System security Vulnerability Genetic programming Evolutionary computing 



This work was partially supported by Netherlands Organisation for Scientific Research through the NWO 639.023.309 VICI “Dowsing” project.

We would like to thank Mozilla Security Team and conference reviewers for their useful suggestions to improve the paper.


  1. 1.
    Anupam, V., Mayer, A.J.: Security of web browser scripting languages: vulnerabilities, attacks, and remedies. In: Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, USA, 26–29 January (1998)Google Scholar
  2. 2.
    Hallaraker, O., Vigna, G.: Detecting malicious javascript code in mozilla. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2005), pp. 85–94 (2005)Google Scholar
  3. 3.
    Holler, C., Herzig, K., Zeller, A.: Fuzzing with code fragments. In: Proceedings of the 21th USENIX Security Symposium, pp. 445–458, August 2012Google Scholar
  4. 4.
    Guang-Hong, L., Gang, W., Tao, Z., Jian-Mei, S., Zhuo-Chun, T.: Vulnerability analysis for x86 executables using genetic algorithm and fuzzing. In: Third International Conference on Convergence and Hybrid Information Technology (ICCIT 2008), pp. 491–497, November 2008Google Scholar
  5. 5.
    Rawat, S., Mounier, L.: An evolutionary computing approach for hunting buffer overflow vulnerabilities: a case of aiming in dim light. In: Proceedings of the European Conference on Computer Network Defense (EC2ND 2010), pp. 37–45 (2010)Google Scholar
  6. 6.
    Sparks, S., Embleton, S., Cunningham, R., Zou, C.: Automated vulnerability analysis: leveraging control flow for evolutionary input crafting. In: Twenty-Third Annual Computer Security Applications Conference (ACSAC), pp. 477–486 (2007)Google Scholar
  7. 7.
    DelGrosso, C., Antoniol, G., Merlo, E., Galinier, P.: Detecting buffer overflow via automatic test input data generation. Comput. Oper. Res. 35, 3125–3143 (2008)CrossRefGoogle Scholar
  8. 8.
    Alba, E., Chicano, J.F.: Software testing with evolutionary strategies. In: Guelfi, N., Savidis, A. (eds.) RISE 2005. LNCS, vol. 3943, pp. 50–65. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Zalewski, M.: American fuzzy lop.
  10. 10.
    DeMott, J., Enbody, R., Punch, W.F.: Revolutionizing the field of grey-box attack surface testing with evolutionary fuzzing (2007)Google Scholar
  11. 11.
    Weimer, W., Nguyen, T., LeGoues, C., Forrest, S.: Automatically finding patches using genetic programming. In: Proceedings of the 31st International Conference on Software Engineering (ICSE 2009), Washington, DC, USA, pp. 364–374. IEEE Computer Society (2009)Google Scholar
  12. 12.
    Kim, D., Nam, J., Song, J., Kim, S.: Automatic patch generation learned from human-written patches. In: Proceedings of the International Conference on Software Engineering (ICSE 2013), Piscataway, NJ, USA, pp. 802–811. IEEE Press (2013)Google Scholar
  13. 13.
    Fraser, G., Arcuri, A.: Whole test suite generation. IEEE Trans. Softw. Eng. 39(2), 276–291 (2013)CrossRefGoogle Scholar
  14. 14.
    McKay, R.I., Hoai, N.X., Whigham, P.A., Shan, Y., O’Neill, M.: Grammar-based genetic programming: a survey. Genet. Program Evolvable Mach. 11, 365–396 (2010)CrossRefGoogle Scholar
  15. 15.
    Pargas, R.P., Harrold, M.J., Peck, R.R.: Test-data generation using genetic algorithms. Softw. Test. Verification Reliab. 9(4), 263–282 (1999)CrossRefGoogle Scholar
  16. 16.
    Poli, R., Langdon, W.B., McPhee, N.F., Koza, J.R.: A Field Guide to Genetic Programming (2008)Google Scholar
  17. 17.
    Soule, T., Foster, J.A., Dickinson, J.: Code growth in genetic programming. In: Proceedings of the First Annual Conference Genetic Programming, pp. 215–223, May 1996Google Scholar
  18. 18.
    Langdon, W.B., Poli, R.: Fitness causes bloat: mutation. In: Banzhaf, W., Poli, R., Schoenauer, M., Fogarty, T.C. (eds.) EuroGP 1998. LNCS, vol. 1391, p. 37. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  19. 19.
    Parr, T.: The Definitive ANTLR 4 Reference, 2nd edn. Pragmatic Bookshelf, Dallas (2013)Google Scholar
  20. 20.
    Luke, S., Panait, L.: A comparison of bloat control methods for genetic programming. Evol. Comput. 14, 309–344 (2006)CrossRefGoogle Scholar
  21. 21.
    Soule, T., Foster, J.A.: Effects of code growth and parsimony pressure on populations in genetic programming. Evol. Comput. 6, 293–309 (1998)CrossRefGoogle Scholar
  22. 22.
    Zhang, B.-T., Mhlenbein, H.: Balancing accuracy and parsimony in genetic programming. Evol. Comput. 3(1), 17–38 (1995)CrossRefGoogle Scholar
  23. 23.
    Poli, R., McPhee, N.F.: Covariant Parsimony Pressure in Genetic Programming. Citeseer (2008)Google Scholar
  24. 24.
    McPeak, S., Wilkerson, D.S.: The delta tool.
  25. 25.
    Javascript delta tool.
  26. 26.
    Zeller, A., Hildebrandt, R.: Simplifying and isolating failure-inducing input. IEEE Trans. Software Eng. 28(2), 183–200 (2002)CrossRefGoogle Scholar
  27. 27.
    McCabe, T.: A complexity measure. IEEE Trans. Softw. Eng. SE–2, 308–320 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Mitchell, R.J.: Managing complexity in software engineering. No.17 in IEE Computing series, P. Peregrinus Ltd. on behalf of the Institution of Electrical Engineers (1990)Google Scholar
  29. 29.
    Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A.: The Java Language Specification: Java SE 8 EditionGoogle Scholar
  30. 30.
    ECMA International, Standard ECMA-262 - ECMAScript Language Specification. 5.1st edn., June 2011Google Scholar
  31. 31.
  32. 32.
  33. 33.
  34. 34.
  35. 35.
    Miller, B.P., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. Commun. ACM 33, 32–44 (1990)CrossRefGoogle Scholar
  36. 36.
    Clarke, T.: Fuzzing for software vulnerability discovery. Department of Mathematic, Royal Holloway, University of London, Technical report RHUL-MA-2009-4 (2009)Google Scholar
  37. 37.
    Miller, C.: How smart is intelligent fuzzing-or-how stupid is dumb fuzzing, August 2007Google Scholar
  38. 38.
    Kaksonen, R., Laakso, M., Takanen, A.: Software security assessment through specification mutations and fault injection. In: Steinmetz, R., Dittman, J., Steinebach, M. (eds.) Communications and Multimedia Security Issues of the New Century. IFIP—the International Federation for Information Processing, vol. 64, pp. 173–183. Springer, New York (2001)CrossRefGoogle Scholar
  39. 39.
    Yang, X., Chen, Y., Eide, E., Regehr, J.: Finding and understanding bugs in C compilers. In: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 283–294, June 2011Google Scholar
  40. 40.
    Zalewski, M.: Announcing ref_fuzz a 2 year old fuzzer.
  41. 41.
    Zalewski, M.: Announcing cross_fuzz a potential 0-day in circulation and more.
  42. 42.
    Rudersman, J.: Introducing jsfunfuzz.
  43. 43.
    Arya, A., Neckar, C.: Fuzzing for security.
  44. 44.
    Afzal, W., Torkar, R., Feldt, R.: A systematic review of search-based testing for non-functional system properties. Inf. Softw. Technol. 51(6), 957–976 (2009)CrossRefGoogle Scholar
  45. 45.
    McMinn, P.: Search-based software test data generation: a survey. Softw. Test. Verification Reliab. 14(2), 105–156 (2004)CrossRefGoogle Scholar
  46. 46.
    Kifetew, F.M., Tiella, R., Tonella, P.: Combining stochastic grammars and genetic programming for coverage testing at the system level. In: Goues, C., Yoo, S. (eds.) SSBSE 2014. LNCS, vol. 8636, pp. 138–152. Springer, Heidelberg (2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Spandan Veggalam
    • 1
    Email author
  • Sanjay Rawat
    • 2
    • 3
  • Istvan Haller
    • 2
    • 3
  • Herbert Bos
    • 2
    • 3
  1. 1.International Institute of Information TechnologyHyderabadIndia
  2. 2.Computer Science InstituteVrije Universiteit AmsterdamAmsterdamThe Netherlands
  3. 3.Department of InformaticsVrije Universiteit AmsterdamAmsterdamThe Netherlands

Personalised recommendations