Skip to main content
SpringerLink
Log in

Learn to Accelerate Identifying New Test Cases in Fuzzing

  • Conference paper
  • First Online:
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 10656))

Abstract

Fuzzing is an efficient testing technique to catch bugs early, before they turn into vulnerabilities. Without complex program analysis, it can generates interesting test cases by slightly changing input and find potential bugs in programs. However, previous fuzzers either are unable to explore deeper bugs, or some of them suffer from dramatic time complexity, thus we cannot depend on them in real world applications. In this paper, we focus on reducing time complexity in fuzzing by combining practical and light-weight deep learning methods, which fundamentally accelerate the process of identifying new test cases and finding bugs. In order to achieve expected fuzzing coverage, we implement our method by extending stage-of-the-art fuzzer AFL with deep learning methods and evaluate it on several wide-used and open source executable programs. On all of these programs, efficiency of our method is witnessed and significantly better outcomes are generated.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., Vigna, G.: Driller: augmenting fuzzing through selective symbolic execution. In: Proceedings of the Network and Distributed System Security Symposium (2016)

    Google Scholar 

  2. Cadar, C., Dunbar, D., Engler, D.R., et al.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209–224 (2008)

    Google Scholar 

  3. Böhme, M., Pham, V.-T., Roychoudhury, A.: Coverage-based greybox fuzzing as markov chain. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1032–1043. ACM (2016)

    Google Scholar 

  4. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. ACM Trans. Inf. Syst. Secur. (TISSEC) 12(2), 10 (2008)

    Article  Google Scholar 

  5. Godefroid, P.: Compositional dynamic test generation. In: ACM SIGPLAN Notices, vol. 42, pp. 47–54. ACM (2007)

    Google Scholar 

  6. Godefroid, P., Peleg, H., Singh, R.: Learn&fuzz: machine learning for input fuzzing. arXiv preprint arXiv:1701.07232 (2017)

  7. Zalewski, M.: Symbolic execution in vulnerability research (2016)

    Google Scholar 

  8. Boonstoppel, P., Cadar, C., Engler, D.: RWset: attacking path explosion in constraint-based test generation. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 351–366. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_27

    Chapter  Google Scholar 

  9. Zalewski, M.: American fuzzy lop (AFL) fuzzer-technical details (2016)

    Google Scholar 

  10. Böhme, M., Paul, S.: A probabilistic analysis of the efficiency of automated software testing. IEEE Trans. Softw. Eng. 42(4), 345–360 (2016)

    Article  Google Scholar 

  11. Zalewski, M.: American fuzzy lop (AFL) fuzzer (2016)

    Google Scholar 

  12. Khan, M.E.: Different forms of software testing techniques for finding errors. Int. J. Comput. Sci. Issues 7(3), 11–16 (2010)

    Google Scholar 

  13. Sutton, M., Greene, A., Amini, P.: Fuzzing: Brute Force Vulnerability Discovery. Pearson Education, London (2007)

    Google Scholar 

  14. Godefroid, P., Levin, M.Y., Molnar, D.A., et al.: Automated whitebox fuzz testing. In: NDSS, vol. 8, pp. 151–166 (2008)

    Google Scholar 

  15. Khan, M.E., Khan, F., et al.: A comparative study of white box, black box and grey box testing techniques. Int. J. Adv. Comput. Sci. Appl. (IJACSA), 3(6) (2012)

    Google Scholar 

  16. Khan, M.E.: Different approaches to black box testing technique for finding errors. Int. J. Softw. Eng. Appl. 2(4), 31 (2011)

    Google Scholar 

  17. Khan, M.E.: Different approaches to white box testing technique for finding errors (2011)

    Google Scholar 

  18. Bird, D.L., Munoz, C.U.: Automatic generation of random self-checking test cases. IBM Syst. J. 22(3), 229–245 (1983)

    Article  Google Scholar 

  19. Forrester, J.E., Miller, B.P.: An empirical study of the robustness of windows NT applications using random testing. In: Proceedings of the 4th USENIX Windows System Symposium, Seattle, pp. 59–68 (2000)

    Google Scholar 

  20. Offutt, A.J., Hayes, J.H.: A semantic model of program faults. In: ACM SIGSOFT Software Engineering Notes, vol. 21, pp. 195–200. ACM (1996)

    Google Scholar 

  21. Clark, S., Frei, S., Blaze, M., Smith, J.: Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 251–260. ACM (2010)

    Google Scholar 

  22. Dolan-Gavitt, B., Hulin, P., Kirda, E., Leek, T., Mambretti, A., Robertson, W., Ulrich, F., Whelan, R.: LAVA: large-scale automated vulnerability addition. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 110–121. IEEE (2016)

    Google Scholar 

  23. Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., Bos, H.: Vuzzer: application-aware evolutionary fuzzing (2017)

    Google Scholar 

  24. Zalewski, M.: American fuzzy lop (AFL) fuzzer-readme (2016)

    Google Scholar 

  25. Sutskever, I., Martens, J., Dahl, G.E., Hinton, G.E.: On the importance of initialization and momentum in deep learning. ICML 3(28), 1139–1147 (2013)

    Google Scholar 

  26. Schmidhuber, J.: Deep learning in neural networks: an overview. Neural Netw. 61, 85–117 (2015)

    Article  Google Scholar 

  27. LeCun, Y., Bengio, Y., Hinton, G.: Deep learning. Nature 521(7553), 436–444 (2015)

    Article  Google Scholar 

  28. Orponen, P.: Neural networks and complexity theory. Math. Found. Comput. Sci. 1992, 50–61 (1992)

    MathSciNet  Google Scholar 

  29. Welles, M., Warmerdam, F., Kiselev, A., Kelly, D.: Tag image file format. http://www.libtiff.org/

  30. GNU. GNU binutils. http://www.gnu.org/software/binutils/

  31. Raymond, E.S.: GIFs to PNGs. http://www.catb.org/esr/gif2png/

  32. sklearn. sklearn.neural_network.mlpclassifier. http://scikit-learn.org/stable/modules/generated/sklearn.neural_network.MLPClassifier.html

Download references

Acknowledgments

The work is supported by The National Key Research and Development Program of China (No. 2016YFB0200401).

Author information

Authors and Affiliations

  1. School of Computer, National University of Defense Technology, Changsha, 410073, China

    Weiwei Gong, Gen Zhang & Xu Zhou

Authors
  1. Weiwei Gong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gen Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xu Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Weiwei Gong .

Editor information

Editors and Affiliations

  1. Guangzhou University , Guangzhou, China

    Guojun Wang

  2. Edith Kinney Gaylord Presidential Professor, University of Oklahoma, Norman, Oklahoma, USA

    Mohammed Atiquzzaman

  3. Aalto University, Espoo, Finland

    Zheng Yan

  4. University of Texas at San Antonio, San Antonio, Texas, USA

    Kim-Kwang Raymond Choo

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gong, W., Zhang, G., Zhou, X. (2017). Learn to Accelerate Identifying New Test Cases in Fuzzing. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science(), vol 10656. Springer, Cham. https://doi.org/10.1007/978-3-319-72389-1_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-72389-1_24

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72388-4

  • Online ISBN: 978-3-319-72389-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation