This is an Open Access publication published under CSC-OpenAccess Policy.
A Review on Grammar-Based Fuzzing Techniques
Hamad Ali Al Salem, Jia Song
Pages - 114 - 123     |    Revised - 31-05-2019     |    Published - 01-06-2019
Volume - 13   Issue - 3    |    Publication Date - June 2019
KEYWORDS
Fuzzing, Grammar-based, Generation, Mutation, Techniques, File Input Quality.
ABSTRACT
Fuzzing has become one of the most widely used software testing techniques because it can find different types of bugs and vulnerabilities in many target programs. Grammar-based fuzzing tools have shown effectiveness in finding bugs and generating good fuzzing files. Fuzzing techniques are usually guided by different methods to improve their effectiveness; however, they have limitations as well. In this paper, we present an overview of grammar-based fuzzing tools and of the techniques used to guide them, which include mutation, machine learning, and evolutionary computing. Few studies have been conducted on this approach, and those that exist show its effectiveness and quality in exploring new vulnerabilities in a program. Here we summarize the studied fuzzing tools and explain each one's method, input format, strengths, and limitations. Some experiments are conducted on two of the fuzzing tools, comparing them based on the quality of the generated fuzzing files.
Mr. Hamad Ali Al Salem
Computer Science Department University of Idaho Moscow, ID, 83844 - United States of America
halsalem@hotmail.com
Dr. Jia Song
Computer Science Department University of Idaho Moscow, ID, 83844 - United States of America