Fast and Effective Fuzz Testing (Facebook TAV 2019)

1
Fast and Effective Fuzz Testing
Andreas Zeller 
CISPA Helmholtz Center for Information Security 
 
zeller@cispa.saarland • @AndreasZeller

Software Testing
2
Program under test
Test inputs

Fuzzing
3
Program under test
Test inputs
Fuzzer
[;x1-GPZ+wcckc];,N9J+?#6^6e?]9lu2_%'4GX"0VUB[E/r
~fApu6b8<{%siq8Zh.6{V,hr?;{Ti.r3PIxMMMv6{xS^+'Hq!
AxB"YXRS@!Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH
JIIvHz>_*.>JrlU32~eGP?lR=bF3+;y$3lodQ<B89!
5"W2fK*vE7v{')KC-i,c{<[~m!]o;{.'}Gj(X}
EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0|
Ko=*JK~;zMKV=9Nai:wxu{J&UV#HaU)*BiC<),`+t*gk

Fuzzing
4
Program under test
Test inputs
Fuzzer
Syntax error
[;x1-GPZ+wcckc];,N9J+?#6^6e?]9lu2_%'4GX"0VUB[E/r
~fApu6b8<{%siq8Zh.6{V,hr?;{Ti.r3PIxMMMv6{xS^+'Hq!
AxB"YXRS@!Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH
JIIvHz>_*.>JrlU32~eGP?lR=bF3+;y$3lodQ<B89!
5"W2fK*vE7v{')KC-i,c{<[~m!]o;{.'}Gj(X}
EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0|
Ko=*JK~;zMKV=9Nai:wxu{J&UV#HaU)*BiC<),`+t*gk
?

Grammar-based Testing
5
Program under test
Fuzzer
Grammar
If Statement
IfStatementfull ⇒
   if ParenthesizedExpression Statementfull
|  if ParenthesizedExpression StatementnoShortIf else Statementfull
IfStatementnoShortIf ⇒ if ParenthesizedExpression StatementnoShortIf else StatementnoShortIf
Switch Statement
SwitchStatement ⇒
   switch ParenthesizedExpression { }
|  switch ParenthesizedExpression { CaseGroups LastCaseGroup }
CaseGroups ⇒
   «empty»
|  CaseGroups CaseGroup
CaseGroup ⇒ CaseGuards BlockStatementsPrefix
LastCaseGroup ⇒ CaseGuards BlockStatements
CaseGuards ⇒
   CaseGuard |  CaseGuards CaseGuard

6
Program under test
Fuzzer
Grammar
If Statement
IfStatementfull ⇒
Switch Statement
SwitchStatement ⇒
CaseGroups ⇒
   «empty»
CaseGuards ⇒
If Statement
IfStatementfull ⇒
Switch Statement
SwitchStatement ⇒
CaseGroups ⇒
   «empty»
CaseGuards ⇒
If Statement
IfStatementfull ⇒
Switch Statement
SwitchStatement ⇒
CaseGroups ⇒
   «empty»
CaseGuards ⇒
If Statement
IfStatementfull ⇒
Switch Statement
SwitchStatement ⇒
CaseGroups ⇒
   «empty»
CaseGuards ⇒

7
Program under test
Fuzzer
Grammar
If Statement
IfStatementfull ⇒
Switch Statement
SwitchStatement ⇒
CaseGroups ⇒
   «empty»
CaseGuards ⇒
53,000$ bug bounties
In four weeks!
Holler, Herzig, Zeller: "Fuzzing with Code Fragments", USENIX 2012

If Statement
IfStatementfull ⇒
Switch Statement
SwitchStatement ⇒
CaseGroups ⇒
   «empty»
CaseGuards ⇒
Fast Fuzzing
8
Producer
Generator
Fuzzer
Program under test
Millions of
Test inputs
ProducerGrammar
Gopinath, Zeller: "Building Fast Fuzzers", arXiv:1911.07707 (2019)
https://github.com/vrthra/F1

Fast Fuzzing
9
Producer
Generator
Fuzzer
Program under test
Millions of
Test inputs
Millions of test cases / sec
"World's fastest fuzzer"
Producer
1 produce_member_0: {
2 ++returnp;
3 *returnp = &&return__0__0__member;
4 val = map(2);
5 goto *produce_ws[val];
6 return__0__0__member:;
8 val = map(1);
9 goto *produce_string[val];
12 val = map(2);
13 goto *produce_ws[val];
15 *out_region++ = ’:’;
17 val = map(1);
18 goto *produce_element[val];
20 --returnp;
21 goto **returnp;
22 }
1 gen_member_0:
2 val = map(2)
3 call *gen_ws[val]
4 val = map(1)
5 call *gen_string[val]
6 val = map(2)
7 call *gen_ws[val]
8 *out_region = ’:’
9 incr out_region
10 val = map(1)
11 call *gen_element[val]
12 ret
Figure 9: A fragment of the
grammar VM that generates
9.2 Context Threaded VM
One of the problems with dire
https://github.com/vrthra/F1
Gopinath, Zeller: "Building Fast Fuzzers", arXiv:1911.07707 (2019)

Writing grammars
10
Producer
Generator
Fuzzer
Program under test
Millions of
Test inputs
Grammar Producer

Mining Grammars
11
Grammar
Miner
Producer
Generator
Fuzzer
Program under test
Sample
Inputs
Grammar Producer
Millions of
Test inputs
Gopinath, Zeller: “Inferring Input Grammars from Dynamic Control Flow", 2019
Control and data flow
Höschele, Zeller: “Mining Input Grammars from Dynamic Taints", ASE 2016

Mining and Testing
12
Parser-Directed
Test Generator
Grammar
Miner
Producer
Generator
Fuzzer
Program under test
Sample
Inputs
Grammar Producer
Millions of
Test inputs
Input
Comparisons
Mathis, Gopinath, Zeller: “Parser-Directed Fuzzing“, PLDI 2019
Comprehensive + massive test generation
with a minimum of assumptions

Why not just any test generator?
13
Some great Test Generator
Program under test
Test inputsProgram 
Feedback
?

Mining and Testing
14
Parser-Directed
Test Generator
Grammar
Miner
Producer
Generator
Fuzzer
Program under test
Sample
Inputs
Grammar Producer
Millions of
Test inputs
Input
Comparisons

Mining Grammars
15
Grammar
Miner
Sample
Inputs
Grammar
0
1
2
3
4
5
6
7
8
9
0
1
2
3
4
5
6
7
8
Inferring Input Grammars from Dynamic Control Flow
Anonymous Author(s)
ABSTRACT
A program is characterized by its input model, and a formal input
model can be of use in diverse areas including vulnerability analysis,
reverse engineering, fuzzing and software testing, clone detection
and refactoring. Unfortunately, input models for typical programs
are often unavailable or out of date. While there exist algorithms
that can mine the syntactical structure of program inputs, they ei-
ther produce unwieldy and incomprehensible grammars, or require
heuristics that target specic parsing patterns.
In this paper, we present a general algorithm that takes a pro-
gram and a small set of sample inputs and automatically infers a
readable context-free grammar capturing the input language of
the program. We infer the syntactic input structure only by ob-
serving comparisons of input characters at dierent locations of
the input parser. This works on all program stack based recursive
descent input parsers, including PEG and parser combinators, and
can do entirely without program specic heuristics. Our Mimid
prototype produced accurate and readable grammars for a variety
of evaluation subjects, including expr, URLparse, and microJSON.
CCS CONCEPTS
• Software and its engineering → Dynamic analysis; • The-
hSTARTi ::= hjson_rawi
hjson_rawi ::= ‘ ’ hjson_string0i | ‘[’ hjson_list0i | ‘{’ hjson_dict0i
| hjson_number0i | ‘true’ | ‘false’ | ‘null’
hjson_number0i ::= hjson_numberi+
| hjson_numberi+ ‘e’ hjson_numberi+
hjson_numberi ::= ‘+’ | ‘-’ | ‘.’ | [0-9] | ‘E’ | ‘e’
hjson_string0i ::= hjson_stringi* ‘ ’
hjson_list0i ::= ‘]’
| hjson_rawi (‘,’ hjson_rawi )* ‘]’
| ( ‘,’ hjson_rawi )+ (‘,’ hjson_rawi )* ‘]’
hjson_dict0i ::= ‘}’
| ( ‘ ’ hjson_string0i ‘:’ hjson_rawi ‘,’ )*
‘ ’ hjson_string0i ‘:’ hjson_rawi ‘}’
hjson_stringi ::= ‘ ’ | ‘!’ | ‘#’ | ‘$’ | ‘%’ | ‘’ | ‘’’
| ‘*’ | ‘+’ | ‘-’ | ‘,’ | ‘.’ | ‘/’ | ‘:’ | ‘;’
| ‘’ | ‘=’ | ‘’ | ‘?’ | ‘@’ | ‘[’ | ‘]’ | ‘^’ | ’_’, ’‘’,
| ‘{’ | ‘|’ | ‘}’ | ‘~’
| ‘[A-Za-z0-9]’
| ‘’ ‘decode_escape’
hdecode_escapei ::= ‘ ’ | ‘/’ | ‘b’ | ‘f’ | ‘n’ | ‘r’ | ‘t’
Figure 1: JSON grammar extracted from microjson.py.
Parser-Directed
Test Generator

Mining Grammars
16
0
1
2
3
4
5
6
7
8
9
0
1
2
3
4
5
6
7
8
Anonymous Author(s)
ABSTRACT
CCS CONCEPTS
hjson_numberi ::= ‘+’ | ‘-’ | ‘.’ | [0-9] | ‘E’ | ‘e’
hjson_stringi ::= ‘ ’ | ‘!’ | ‘#’ | ‘$’ | ‘%’ | ‘’ | ‘’’
| ‘*’ | ‘+’ | ‘-’ | ‘,’ | ‘.’ | ‘/’ | ‘:’ | ‘;’
| ‘’ | ‘=’ | ‘’ | ‘?’ | ‘@’ | ‘[’ | ‘]’ | ‘^’ | ’_’, ’‘’,
| ‘{’ | ‘|’ | ‘}’ | ‘~’
| ‘[A-Za-z0-9]’
Testers can control 
what to test 
and how to test
▪ Assign probabilities to
productions + elements
▪ Add special inputs for
logins / passwords /
security testing
▪ Complete grammar with
hard-to-infer features
▪ Testers can do this – or
use full automatic mode

Assigning Probabilities
17
0
1
2
3
4
5
6
7
8
9
0
1
2
3
4
5
6
7
8
Anonymous Author(s)
ABSTRACT
CCS CONCEPTS
hjson_numberi ::= ‘+’ | ‘-’ | ‘.’ | [0-9] | ‘E’ | ‘e’
hjson_stringi ::= ‘ ’ | ‘!’ | ‘#’ | ‘$’ | ‘%’ | ‘’ | ‘’’
| ‘*’ | ‘+’ | ‘-’ | ‘,’ | ‘.’ | ‘/’ | ‘:’ | ‘;’
| ‘’ | ‘=’ | ‘’ | ‘?’ | ‘@’ | ‘[’ | ‘]’ | ‘^’ | ’_’, ’‘’,
| ‘{’ | ‘|’ | ‘}’ | ‘~’
| ‘[A-Za-z0-9]’
80%
0%

Inputs from Hell
18
0
1
2
3
4
5
6
7
8
9
0
1
2
3
4
5
6
7
8
Anonymous Author(s)
ABSTRACT
CCS CONCEPTS
hjson_numberi ::= ‘+’ | ‘-’ | ‘.’ | [0-9] | ‘E’ | ‘e’
hjson_stringi ::= ‘ ’ | ‘!’ | ‘#’ | ‘$’ | ‘%’ | ‘’ | ‘’’
| ‘*’ | ‘+’ | ‘-’ | ‘,’ | ‘.’ | ‘/’ | ‘:’ | ‘;’
| ‘’ | ‘=’ | ‘’ | ‘?’ | ‘@’ | ‘[’ | ‘]’ | ‘^’ | ’_’, ’‘’,
| ‘{’ | ‘|’ | ‘}’ | ‘~’
| ‘[A-Za-z0-9]’
80%
0%
Sample
Inputs
▪ Learn probabilities from sample inputs
▪ Use same probabilities as past bugs
▪ Invert probabilities from common inputs
▪ Obtain unlikely, yet valid inputs
Soremekun, Pavese, Havrikov, Grunske, Zeller: “Inputs from Hell:
Learning Input Distributions for Grammar-Based Test Generation“, 2019

Mining and Testing
19
Parser-Directed
Test Generator
Grammar
Miner
Producer
Generator
Fuzzer
Program under test
Sample
Inputs
Grammar Producer
Millions of
Test inputs
Input
Comparisons
Mathis, Gopinath, Zeller: “Parser-Directed Fuzzing“, PLDI 2019

start
Order Form
Terms and Conditions
click('Terms and conditions')
Thank You
ﬁll(...)
submit('submit')
click('order form') click('order form')
Modeling GUI Interaction
21
How to model both
textual and GUI input?

start
Order Form
Thank You
ﬁll(...)
submit('submit')
click('order form') cli
Embedding Finite State Models
22
start ::= order form
order form ::=
click('terms and conditions') terms and conditions
|
fill('name', Walter White)
fill('email', white@jpwynne.edu)
fill('city', Albuquerque)
fill('zip', 87101)
check('terms', True)
submit('submit') thank you
terms and conditions ::=
click('order form') order form
thank you ::=

23
click('terms and conditions')
click('order form')
fill('zip', 87101)
submit('submit')
click('order form')
...
order form ::=
|
fill('zip', 87101)
terms and conditions ::=
thank you ::=

name ::= Walter White | Jesse Pinkman | ...
24
order form ::=
|
fill('name', name)
fill('email', email)
fill('zip', zip)
check('terms', boolean)
click('terms and conditions')
click('order form')
fill('name', Jesse Pinkman)
fill('email', abc@some.network)
fill('city', '1 OR 1=1)
fill('zip', -1)
submit('submit')
click('order form')
fill('name', Duke of Orléans)
...
email ::= localpart@domain | ...
zip ::= [0-9][0-9][0-9][0-9][0-9] | -1 | '1 OR 1=1 | ϵ | 😀 | ...
terms ::= True | False

25
order form ::=
|
zip ::= [0-9][0-9][0-9][0-9][0-9] | -1 | '1 OR 1=1 | ϵ | 😀 | ...
fill('name', name)
fill('zip', zip)

zip ::= [0-9][0-9][0-9][0-9][0-9] | -1 | '1 OR 1=1 | ϵ | 😀 | ...
start
Order Form
Thank You
ﬁll(...)
submit('submit')
click('order form') click(
Achieving Grammar Coverage
26
order form ::=
|
fill('name', name)
fill('zip', zip)
✅
✅ ✅
✅
✅ ✅
✅
✅ ✅ ✅ ✅ ✅
✅
✅
✅ ✅
✅ ✅

More Current Work
27
Reverse Engineering
Input Formats
Runtime Checks
Associating Input Features 
with Program Behavior
Associating Input Features 
with Code Locations
Carving Unit Tests 
from System Tests
Detecting Anomalies 
in User Interfaces

More Current Work
28
Carving Unit Tests 
from System Tests
Detecting Anomalies 
in User Interfaces
Alexander Kampmann Konstantin Kuznetsov

Communication and Evaluation
29

30
www.fuzzingbook.org

31
www.fuzzingbook.org

32
www.fuzzingbook.org

33
www.fuzzingbook.org

34
www.fuzzingbook.org

35
www.fuzzingbook.org

36
www.fuzzingbook.org

37
www.fuzzingbook.org

Unique academic career opportunities
2
CISPA is a research center in Germany
• Solving the grand challenges in information security
• Rich base funding
• Rapidly expanding in all sub-fields
• Extensive potential for collaborations
• High quality of living
Talk to me!
www.cispa.saarland
And if you're not already at Facebook…

Fast and Effective Fuzz Testing
39
Parser-Directed
Test Generator
Grammar
Miner
Producer
Generator
Fuzzer
Program under test
Sample
Inputs
Grammar Producer
Millions of
Test inputs
Input
Comparisons
Andreas Zeller • CISPA Helmholtz Center for Information Security
zeller@cispa.saarland • @AndreasZeller

Fast and Effective Fuzz Testing (Facebook TAV 2019)

Recommended

Recommended

More Related Content

Similar to Fast and Effective Fuzz Testing (Facebook TAV 2019)

Similar to Fast and Effective Fuzz Testing (Facebook TAV 2019) (20)

More from CISPA Helmholtz Center for Information Security

More from CISPA Helmholtz Center for Information Security (18)

Recently uploaded

Recently uploaded (20)

Fast and Effective Fuzz Testing (Facebook TAV 2019)