A Quantitative Comparison of Coverage-Based Greybox Fuzzers
Natsuki Tsuzuki, Nagoya University, Japan
Norihiro Yoshida, Nagoya University, Japan
Koji Toda, Fukuoka Institute of Technology, Japan
Kenji Fujiwara, National Institute of Technology, Toyota College, Japan
Ryota Yamamoto, Nagoya University, Japan
Hiroaki Takada, Nagoya University, Japan
Many Coverage-Based Greybox Fuzzers
• AFL (originally developed by Zalewski in '13)
• AFLFast (Böhme et al., CCS '16, TSE '19)
• AFLGo (Böhme et al., CCS '17)
• FairFuzz (Lemieux & Sen, ASE '18)
Questions
- Is the newest fuzzer always better than the others?
- How much better does each fuzzer work than the default test suite?
Fuzzers are evaluated by different criteria
AFLFast
- Fuzzing targets: Binutils 2.26 (c++filt, nm, objdump, readelf, size, strings); Coreutils 8.25
- Criteria: # unique crashes; ground truth; line coverage
AFLGo
- Fuzzing targets: Binutils (detailed information is not found); Diffutils; libPNG
- Criteria: basic block coverage; ground truth
FairFuzz
- Fuzzing targets: Binutils 2.28 (c++filt, nm, objdump, readelf); tcpdump; xmllint; mutool draw; djpeg; readpng
- Criteria: basic block translations covered; # occurrences of specific sequences
It is difficult to compare the experimental results in these papers.
Research Overview
We prepared a unified collection of fuzzing targets
and then compared the existing fuzzers.
Evaluation measures:
- The number of executed paths
- Branch coverage
Research Questions
RQ1 Is a newer AFL-based fuzzer able to execute a significantly larger number of paths?
RQ2 Does an AFL-based fuzzer improve branch coverage?
RQ3 Does a newer AFL-based fuzzer always achieve higher coverage?
Fuzzers and Fuzzing Targets
Fuzzers:
- AFL 1.94b
- AFL 2.40b
- AFL 2.49b
- AFL 2.51b
- AFL 2.52b
- AFLFast
- AFLGo
- FairFuzz
Fuzzing targets:
- Binutils 2.26 (c++filt, nm, objdump, readelf)
- Binutils 2.28 (c++filt, nm, objdump, readelf)
- Binutils 2.32 (c++filt, nm, objdump, readelf)
Each execution of a fuzzer is terminated after 6 hours.
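Significance test (# paths)
We used the Steel-Dwass test to judge significance.

| | AFL 1.94b | AFL 2.40b | AFL 2.49b | AFL 2.51b | AFL 2.52b | AFLFast | AFLGo | FairFuzz |
|---|---|---|---|---|---|---|---|---|
| AFL 1.94b | - | | | | | | | ✓ |
| AFL 2.40b | | - | | | | | | ✓ |
| AFL 2.49b | | | - | | | | | ✓ |
| AFL 2.51b | | | | - | | | | ✓ |
| AFL 2.52b | | | | | - | | | ✓ |
| AFLFast | | | | | | - | | |
| AFLGo | | | | | | | - | ✓ |
| FairFuzz | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | - |

Answer to RQ1: In most cases, the newest fuzzer, FairFuzz, executes a significantly larger number of paths.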
Branch coverage in the non-use and use of fuzzers
Answer to RQ2: The fuzzers can improve branch coverage.
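Significance test (branch coverage)
We used the Steel-Dwass test to judge significance.

| | AFL 1.94b | AFL 2.40b | AFL 2.49b | AFL 2.51b | AFL 2.52b | AFLFast | AFLGo | FairFuzz |
|---|---|---|---|---|---|---|---|---|
| AFL 1.94b | - | | | | | | | |
| AFL 2.40b | | - | | | | | | |
| AFL 2.49b | | | - | | | | | |
| AFL 2.51b | | | | - | | | | |
| AFL 2.52b | | | | | - | | | |
| AFLFast | | | | | | - | | |
| AFLGo | | | | | | | - | |
| FairFuzz | | | | | | | | - |

Answer to RQ3: The newer fuzzer does not always achieve higher branch coverage.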
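How the cells of a pairwise significance matrix like the two above can be filled in: an added example (not the authors' code) of the Steel-Dwass all-pairs test using its large-sample approximation. The 5% level, the fuzzer names and the per-run path counts are assumptions constructed for illustration, not results from the study.

```python
"""Steel-Dwass all-pairs comparison of fuzzers over repeated runs (added example)."""
from itertools import combinations
from math import sqrt

# Upper 5% points of the studentized range with infinite degrees of freedom,
# indexed by the number of groups k (standard table values).
Q_CRIT_05 = {2: 2.772, 3: 3.314, 4: 3.633, 5: 3.858, 6: 4.030, 7: 4.170, 8: 4.286}

# Constructed sample data: paths executed in 8 independent runs per fuzzer.
RUNS = {
    "fuzzer_A": [1510, 1492, 1533, 1478, 1521, 1502, 1489, 1515],
    "fuzzer_B": [1498, 1525, 1481, 1509, 1530, 1495, 1512, 1487],
    "fuzzer_C": [1702, 1688, 1731, 1695, 1710, 1724, 1699, 1716],
}


def midranks(values):
    """Return 1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for pos in range(i, j + 1):
            ranks[order[pos]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def pair_statistic(x, y):
    """Standardised rank-sum statistic for one pair, with tie correction."""
    n_x, n_y = len(x), len(y)
    n = n_x + n_y
    ranks = midranks(list(x) + list(y))  # rank only these two groups jointly
    rank_sum = sum(ranks[:n_x])
    expected = n_x * (n + 1) / 2
    spread = sum(r * r for r in ranks) - n * (n + 1) ** 2 / 4
    variance = n_x * n_y / (n * (n - 1)) * spread
    if variance == 0:  # every observation tied: no evidence either way
        return 0.0
    return (rank_sum - expected) / sqrt(variance)


def steel_dwass(groups):
    """Map each pair to (statistic, significant at the 5% level)."""
    k = len(groups)
    if k not in Q_CRIT_05:
        raise ValueError("no tabulated critical value for k=%d groups" % k)
    # The family-wise error rate is controlled through the studentized range,
    # so every pair is compared against the same threshold q / sqrt(2).
    threshold = Q_CRIT_05[k] / sqrt(2)
    result = {}
    for a, b in combinations(groups, 2):
        t = pair_statistic(groups[a], groups[b])
        result[(a, b)] = (t, abs(t) >= threshold)
    return result


def significant_pairs(groups):
    """Pairs that would receive a mark in the matrix."""
    return [pair for pair, (_, sig) in steel_dwass(groups).items() if sig]


if __name__ == "__main__":
    for pair, (t, sig) in steel_dwass(RUNS).items():
        print(pair, round(t, 3), "significant" if sig else "not significant")
```

A negative statistic means the first fuzzer of the pair ranks lower than the second.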
Discussion
The results differ between the number of paths and branch coverage.
Newer fuzzers are not optimized for quality assurance processes based on branch coverage.
The use of fuzzers can improve branch coverage.
Thank you for listening!
E-mail: yoshida AT ertl.jp