SlideShare a Scribd company logo

lFuzzer - Learning Input Tokens for Effective Fuzzing

Björn Mathis
Björn Mathis

This document discusses techniques for effective fuzzing, including learning input tokens, handling complex input structures through syntactic fuzzing, surviving the parsing stage using tokenization, and looking into programs using dynamic tainting. It provides examples of a fuzzer testing a parser by feeding it increasingly complex valid and invalid inputs like "X + 0", "X @", and tagging tokens like numbers and variables to track their usage in the program.

Science
1 of 86
Download to read offline
LEARNING INPUT TOKENS FOR EFFECTIVE FUZZING BJÖRN MATHIS, RAHUL GOPINATH, ANDREAS ZELLER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TESTFUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST 7245 FUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST 7245 FUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST 7245 FUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TESTFUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST C4tscs FUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST C4tscs FUZZER
FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST C4tscs FUZZER
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER C4tscs
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER C4tscs
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0
PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0 COMPLEX INPUT STRUCTURES NEED SYNTACTIC FUZZING
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER & def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER & def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER & def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X @ def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X @ def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X @ def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + 0 def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + 0 def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
TOKENIZATION - COMPLEX PARSERS 5
TOKENIZATION - COMPLEX PARSERS 5 X + 0
TOKENIZATION - COMPLEX PARSERS 5 X + 0 TOKENIZER
TOKENIZATION - COMPLEX PARSERS 5 X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT
TOKENIZATION - COMPLEX PARSERS 5 X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT PARSER
6 TOKENIZATION - COMPLEX PARSERS X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT PARSER
6 TOKENIZATION - COMPLEX PARSERS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT PARSER
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS T_DIGIT X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER & def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER & def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER & def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X 3 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X 3 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X 3 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + 0 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + 0 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
LFUZZER - BOOSTING FUZZERS 9
LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS
LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS
LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER A - K 8 - I + P - q R + y - 6 + u … INPUTS * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER A - K 8 - I + P - q R + y - 6 + u … INPUTS PROGRAM UNDER TEST * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER A - K 8 - I + P - q R + y - 6 + u … INPUTS PROGRAM UNDER TEST * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
EVALUATION - TOKENS AND COVERAGE 10
EVALUATION - TOKENS AND COVERAGE 10 Fsv ini Fjson lisS tinyF mjs 6uEjeFt 0 20 40 60 80 TokensExtraFted 6tring ExtraFtion lFuzzer NUMBER OF VALID TOKENS EXTRACTED
EVALUATION - TOKENS AND COVERAGE 10 Fsv ini Fjson lisS tinyF mjs 6uEjeFt 0 20 40 60 80 TokensExtraFted 6tring ExtraFtion lFuzzer NUMBER OF VALID TOKENS EXTRACTED Fsv ini Fjson lisS tinyF mjs SuEjeFt 0 25 50 75 100 125 150 175 200 7okensExtraFted String ExtraFtion lFuzzer NUMBER OF INVALID TOKENS EXTRACTED
EVALUATION - TOKENS AND COVERAGE 10 Fsv ini Fjson lisS tinyF mjs 6uEjeFt 0 20 40 60 80 TokensExtraFted 6tring ExtraFtion lFuzzer NUMBER OF VALID TOKENS EXTRACTED Fsv ini Fjson lisS tinyF mjs SuEjeFt 0 25 50 75 100 125 150 175 200 7okensExtraFted String ExtraFtion lFuzzer NUMBER OF INVALID TOKENS EXTRACTED 0 4 8 12 16 20 24 TLme (h) 0 5 10 15 20 25 30 35 CoverDge(%) mjs A)L A)L_DLFt p)uzzer p)uzzer + A)L l)uzzer + A)L COVERAGE OVER TIME FOR MJS
11
11
11
11
11
11 GITHUB.COM/UDS-SE/LFUZZER

Recommended

LET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSLET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSKavyaSharma65
 
Vcs15
Vcs15Vcs15
Vcs15Malikireddy Bramhananda Reddy
 
C
CC
CMukund Trivedi
 
Unit2 C
Unit2 CUnit2 C
Unit2 Carnold 7490
 
Hargun
HargunHargun
HargunMukund Trivedi
 
Cd practical file (1) start se
Cd practical file (1) start seCd practical file (1) start se
Cd practical file (1) start sedalipkumar64
 
12 lec 12 loop
12 lec 12 loop 12 lec 12 loop
12 lec 12 loop kapil078
 
Let us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionLet us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionHazrat Bilal
 

Recommended

LET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSLET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSKavyaSharma65
 
Vcs15
Vcs15Vcs15
Vcs15Malikireddy Bramhananda Reddy
 
C
CC
CMukund Trivedi
 
Unit2 C
Unit2 CUnit2 C
Unit2 Carnold 7490
 
Hargun
HargunHargun
HargunMukund Trivedi
 
Cd practical file (1) start se
Cd practical file (1) start seCd practical file (1) start se
Cd practical file (1) start sedalipkumar64
 
12 lec 12 loop
12 lec 12 loop 12 lec 12 loop
12 lec 12 loop kapil078
 
Let us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionLet us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionHazrat Bilal
 
c-programming-using-pointers
c-programming-using-pointersc-programming-using-pointers
c-programming-using-pointersSushil Mishra
 
The solution manual of c by robin
The solution manual of c by robinThe solution manual of c by robin
The solution manual of c by robinAbdullah Al Naser
 
Ansi c
Ansi cAnsi c
Ansi cdayaramjatt001
 
DataStructures notes
DataStructures notesDataStructures notes
DataStructures notesLakshmi Sarvani Videla
 
Infix to-postfix examples
Infix to-postfix examplesInfix to-postfix examples
Infix to-postfix examplesmua99
 
Datastructures asignment
Datastructures asignmentDatastructures asignment
Datastructures asignmentsreekanth3dce
 
Introduction to c part -1
Introduction to c part -1Introduction to c part -1
Introduction to c part -1baabtra.com - No. 1 supplier of quality freshers
 
Cpds lab
Cpds labCpds lab
Cpds labpraveennallavelly08
 
C programms
C programmsC programms
C programmsMukund Gandrakota
 
Data Structures Using C Practical File
Data Structures Using C Practical File Data Structures Using C Practical File
Data Structures Using C Practical File Rahul Chugh
 
C PROGRAMS
C PROGRAMSC PROGRAMS
C PROGRAMSMalikireddy Bramhananda Reddy
 
ADA FILE
ADA FILEADA FILE
ADA FILEGaurav Singh
 
C Programming
C ProgrammingC Programming
C ProgrammingSumant Diwakar
 
Simple c program
Simple c programSimple c program
Simple c programRavi Singh
 
C basics
C basicsC basics
C basicsMSc CST
 
SPL 8 | Loop Statements in C
SPL 8 | Loop Statements in CSPL 8 | Loop Statements in C
SPL 8 | Loop Statements in CMohammad Imam Hossain
 
Program flowchart
Program flowchartProgram flowchart
Program flowchartSowri Rajan
 
Stack prgs
Stack prgsStack prgs
Stack prgsSsankett Negi
 
Chapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cChapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cBUBT
 
C++ Programming - 1st Study
C++ Programming - 1st StudyC++ Programming - 1st Study
C++ Programming - 1st StudyChris Ohk
 
data structure and algorithm.pdf
data structure and algorithm.pdfdata structure and algorithm.pdf
data structure and algorithm.pdfAsrinath1
 
Applications of stack
Applications of stackApplications of stack
Applications of stackA. S. M. Shafi
 

More Related Content

What's hot

c-programming-using-pointers
c-programming-using-pointersc-programming-using-pointers
c-programming-using-pointersSushil Mishra
 
The solution manual of c by robin
The solution manual of c by robinThe solution manual of c by robin
The solution manual of c by robinAbdullah Al Naser
 
Infix to-postfix examples
Infix to-postfix examplesInfix to-postfix examples
Infix to-postfix examplesmua99
 
Datastructures asignment
Datastructures asignmentDatastructures asignment
Datastructures asignmentsreekanth3dce
 
Data Structures Using C Practical File
Data Structures Using C Practical File Data Structures Using C Practical File
Data Structures Using C Practical File Rahul Chugh
 
Simple c program
Simple c programSimple c program
Simple c programRavi Singh
 
C basics
C basicsC basics
C basicsMSc CST
 
Program flowchart
Program flowchartProgram flowchart
Program flowchartSowri Rajan
 
Chapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cChapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cBUBT
 
C++ Programming - 1st Study
C++ Programming - 1st StudyC++ Programming - 1st Study
C++ Programming - 1st StudyChris Ohk
 

What's hot (20)

c-programming-using-pointers
c-programming-using-pointersc-programming-using-pointers
c-programming-using-pointers
 
The solution manual of c by robin
The solution manual of c by robinThe solution manual of c by robin
The solution manual of c by robin
 
Ansi c
Ansi cAnsi c
Ansi c
 
DataStructures notes
DataStructures notesDataStructures notes
DataStructures notes
 
Infix to-postfix examples
Infix to-postfix examplesInfix to-postfix examples
Infix to-postfix examples
 
Datastructures asignment
Datastructures asignmentDatastructures asignment
Datastructures asignment
 
Introduction to c part -1
Introduction to c part -1Introduction to c part -1
Introduction to c part -1
 
Cpds lab
Cpds labCpds lab
Cpds lab
 
C programms
C programmsC programms
C programms
 
Data Structures Using C Practical File
Data Structures Using C Practical File Data Structures Using C Practical File
Data Structures Using C Practical File
 
C PROGRAMS
C PROGRAMSC PROGRAMS
C PROGRAMS
 
ADA FILE
ADA FILEADA FILE
ADA FILE
 
C Programming
C ProgrammingC Programming
C Programming
 
Simple c program
Simple c programSimple c program
Simple c program
 
C basics
C basicsC basics
C basics
 
SPL 8 | Loop Statements in C
SPL 8 | Loop Statements in CSPL 8 | Loop Statements in C
SPL 8 | Loop Statements in C
 
Program flowchart
Program flowchartProgram flowchart
Program flowchart
 
Stack prgs
Stack prgsStack prgs
Stack prgs
 
Chapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cChapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in c
 
C++ Programming - 1st Study
C++ Programming - 1st StudyC++ Programming - 1st Study
C++ Programming - 1st Study
 

Similar to lFuzzer - Learning Input Tokens for Effective Fuzzing

data structure and algorithm.pdf
data structure and algorithm.pdfdata structure and algorithm.pdf
data structure and algorithm.pdfAsrinath1
 
Assignment on Numerical Method C Code
Assignment on Numerical Method C CodeAssignment on Numerical Method C Code
Assignment on Numerical Method C CodeSyed Ahmed Zaki
 
Please need help on C++ language.Infix to Postfix) Write a program.pdf
Please need help on C++ language.Infix to Postfix) Write a program.pdfPlease need help on C++ language.Infix to Postfix) Write a program.pdf
Please need help on C++ language.Infix to Postfix) Write a program.pdfpristiegee
 
Write a program to check a given number is prime or not
Write a program to check a given number is prime or notWrite a program to check a given number is prime or not
Write a program to check a given number is prime or notaluavi
 
Naive application of Machine Learning to Software Development
Naive application of Machine Learning to Software DevelopmentNaive application of Machine Learning to Software Development
Naive application of Machine Learning to Software DevelopmentAndriy Khavryuchenko
 
openFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollider
openFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollideropenFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollider
openFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperColliderAtsushi Tadokoro
 
Functional programming in Python
Functional programming in PythonFunctional programming in Python
Functional programming in PythonColin Su
 
C Code and the Art of Obfuscation
C Code and the Art of ObfuscationC Code and the Art of Obfuscation
C Code and the Art of Obfuscationguest9006ab
 
Solutionsfor co2 C Programs for data structures
Solutionsfor co2 C Programs for data structuresSolutionsfor co2 C Programs for data structures
Solutionsfor co2 C Programs for data structuresLakshmi Sarvani Videla
 
design and analysis of algorithm Lab files
design and analysis of algorithm Lab filesdesign and analysis of algorithm Lab files
design and analysis of algorithm Lab filesNitesh Dubey
 
Pratt Parser in Python
Pratt Parser in PythonPratt Parser in Python
Pratt Parser in PythonPercolate
 
Data structure and algorithm.(dsa)
Data structure and algorithm.(dsa)Data structure and algorithm.(dsa)
Data structure and algorithm.(dsa)mailmerk
 
Bti1022 lab sheet 8
Bti1022 lab sheet 8Bti1022 lab sheet 8
Bti1022 lab sheet 8alish sha
 
Bti1022 lab sheet 8
Bti1022 lab sheet 8Bti1022 lab sheet 8
Bti1022 lab sheet 8alish sha
 

Similar to lFuzzer - Learning Input Tokens for Effective Fuzzing (20)

data structure and algorithm.pdf
data structure and algorithm.pdfdata structure and algorithm.pdf
data structure and algorithm.pdf
 
Applications of stack
Applications of stackApplications of stack
Applications of stack
 
Assignment on Numerical Method C Code
Assignment on Numerical Method C CodeAssignment on Numerical Method C Code
Assignment on Numerical Method C Code
 
VTU Data Structures Lab Manual
VTU Data Structures Lab ManualVTU Data Structures Lab Manual
VTU Data Structures Lab Manual
 
Please need help on C++ language.Infix to Postfix) Write a program.pdf
Please need help on C++ language.Infix to Postfix) Write a program.pdfPlease need help on C++ language.Infix to Postfix) Write a program.pdf
Please need help on C++ language.Infix to Postfix) Write a program.pdf
 
Write a program to check a given number is prime or not
Write a program to check a given number is prime or notWrite a program to check a given number is prime or not
Write a program to check a given number is prime or not
 
Ada file
Ada fileAda file
Ada file
 
Naive application of Machine Learning to Software Development
Naive application of Machine Learning to Software DevelopmentNaive application of Machine Learning to Software Development
Naive application of Machine Learning to Software Development
 
openFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollider
openFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollideropenFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollider
openFrameworks、サウンド機能・音響合成、ofxMaxim, ofxOsc, ofxPd, ofxSuperCollider
 
Functional programming in Python
Functional programming in PythonFunctional programming in Python
Functional programming in Python
 
Stack and queue
Stack and queueStack and queue
Stack and queue
 
pointers 1
pointers 1pointers 1
pointers 1
 
C Code and the Art of Obfuscation
C Code and the Art of ObfuscationC Code and the Art of Obfuscation
C Code and the Art of Obfuscation
 
Solutionsfor co2 C Programs for data structures
Solutionsfor co2 C Programs for data structuresSolutionsfor co2 C Programs for data structures
Solutionsfor co2 C Programs for data structures
 
Swift School #1
Swift School #1Swift School #1
Swift School #1
 
design and analysis of algorithm Lab files
design and analysis of algorithm Lab filesdesign and analysis of algorithm Lab files
design and analysis of algorithm Lab files
 
Pratt Parser in Python
Pratt Parser in PythonPratt Parser in Python
Pratt Parser in Python
 
Data structure and algorithm.(dsa)
Data structure and algorithm.(dsa)Data structure and algorithm.(dsa)
Data structure and algorithm.(dsa)
 
Bti1022 lab sheet 8
Bti1022 lab sheet 8Bti1022 lab sheet 8
Bti1022 lab sheet 8
 
Bti1022 lab sheet 8
Bti1022 lab sheet 8Bti1022 lab sheet 8
Bti1022 lab sheet 8
 

Recently uploaded

Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.aasikanpl
 
Speech, hearing, noise, intelligibility.pptx
Speech, hearing, noise, intelligibility.pptxSpeech, hearing, noise, intelligibility.pptx
Speech, hearing, noise, intelligibility.pptxpriyankatabhane
 
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.PraveenaKalaiselvan1
 
Cytokinin, mechanism and its application.pptx
Cytokinin, mechanism and its application.pptxCytokinin, mechanism and its application.pptx
Cytokinin, mechanism and its application.pptxVarshiniMK
 
LIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptx
LIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptxLIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptx
LIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptxmalonesandreagweneth
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxkessiyaTpeter
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Patrick Diehl
 
Heredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of TraitsHeredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of TraitsCharlene Llagas
 
insect anatomy and insect body wall and their physiology
insect anatomy and insect body wall and their physiologyinsect anatomy and insect body wall and their physiology
insect anatomy and insect body wall and their physiologyDrAnita Sharma
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |aasikanpl
 
Microphone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptxMicrophone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptxpriyankatabhane
 
Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...
Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...
Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...lizamodels9
 
Twin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptxTwin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptxEran Akiva Sinbar
 
Call Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCR
Call Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCRCall Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCR
Call Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCRlizamodels9
 
Evidences of Evolution General Biology 2
Evidences of Evolution General Biology 2Evidences of Evolution General Biology 2
Evidences of Evolution General Biology 2John Carlo Rollon
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Nistarini College, Purulia (W.B) India
 
Behavioral Disorder: Schizophrenia & it's Case Study.pdf
Behavioral Disorder: Schizophrenia & it's Case Study.pdfBehavioral Disorder: Schizophrenia & it's Case Study.pdf
Behavioral Disorder: Schizophrenia & it's Case Study.pdfSELF-EXPLANATORY
 

Recently uploaded (20)

Hot Sexy call girls in Moti Nagar,🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Moti Nagar,🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Moti Nagar,🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Moti Nagar,🔝 9953056974 🔝 escort Service
 
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
 
Speech, hearing, noise, intelligibility.pptx
Speech, hearing, noise, intelligibility.pptxSpeech, hearing, noise, intelligibility.pptx
Speech, hearing, noise, intelligibility.pptx
 
Volatile Oils Pharmacognosy And Phytochemistry -I
Volatile Oils Pharmacognosy And Phytochemistry -IVolatile Oils Pharmacognosy And Phytochemistry -I
Volatile Oils Pharmacognosy And Phytochemistry -I
 
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
 
Cytokinin, mechanism and its application.pptx
Cytokinin, mechanism and its application.pptxCytokinin, mechanism and its application.pptx
Cytokinin, mechanism and its application.pptx
 
LIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptx
LIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptxLIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptx
LIGHT-PHENOMENA-BY-CABUALDIONALDOPANOGANCADIENTE-CONDEZA (1).pptx
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?
 
Engler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomyEngler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomy
 
Heredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of TraitsHeredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of Traits
 
insect anatomy and insect body wall and their physiology
insect anatomy and insect body wall and their physiologyinsect anatomy and insect body wall and their physiology
insect anatomy and insect body wall and their physiology
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
 
Microphone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptxMicrophone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptx
 
Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...
Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...
Best Call Girls In Sector 29 Gurgaon❤️8860477959 EscorTs Service In 24/7 Delh...
 
Twin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptxTwin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptx
 
Call Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCR
Call Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCRCall Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCR
Call Girls In Nihal Vihar Delhi ❤️8860477959 Looking Escorts In 24/7 Delhi NCR
 
Evidences of Evolution General Biology 2
Evidences of Evolution General Biology 2Evidences of Evolution General Biology 2
Evidences of Evolution General Biology 2
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...
 
Behavioral Disorder: Schizophrenia & it's Case Study.pdf
Behavioral Disorder: Schizophrenia & it's Case Study.pdfBehavioral Disorder: Schizophrenia & it's Case Study.pdf
Behavioral Disorder: Schizophrenia & it's Case Study.pdf
 

lFuzzer - Learning Input Tokens for Effective Fuzzing

  • 1. LEARNING INPUT TOKENS FOR EFFECTIVE FUZZING BJÖRN MATHIS, RAHUL GOPINATH, ANDREAS ZELLER
  • 2. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TESTFUZZER
  • 3. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST 7245 FUZZER
  • 4. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST 7245 FUZZER
  • 5. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST 7245 FUZZER
  • 6. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TESTFUZZER
  • 7. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST C4tscs FUZZER
  • 8. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST C4tscs FUZZER
  • 9. FUZZING - THE ART OF AUTOMATIC BUG FINDING 2 PROGRAM UNDER TEST C4tscs FUZZER
  • 10. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
  • 11. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
  • 12. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
  • 13. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER C4tscs
  • 14. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER C4tscs
  • 15. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER
  • 16. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0
  • 17. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0
  • 18. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0
  • 19. PROGRAM UNDER TEST FUZZING - THE ART OF AUTOMATIC BUG FINDING 3 FUZZER X + 0 COMPLEX INPUT STRUCTURES NEED SYNTACTIC FUZZING
  • 20. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 21. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER & def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 22. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER & def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 23. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER & def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 24. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 25. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 26. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 27. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X @ def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 28. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X @ def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 29. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X @ def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 30. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 31. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 32. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + 0 def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 33. PFUZZER - SURVIVING THE PARSING STAGE 4 PFUZZER X + 0 def parse_exp(i): c = input[i] if isDigit(c): parse_op(i + 1) elif isAlpha(c): parse_op(i + 1) def parse_op(i): c = input[i] if c == '-': parse_exp(i + 1) elif c == '+': parse_exp(i + 1) else: raise InvalidSyntax
  • 35. TOKENIZATION - COMPLEX PARSERS 5 X + 0
  • 36. TOKENIZATION - COMPLEX PARSERS 5 X + 0 TOKENIZER
  • 37. TOKENIZATION - COMPLEX PARSERS 5 X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT
  • 38. TOKENIZATION - COMPLEX PARSERS 5 X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT PARSER
  • 39. 6 TOKENIZATION - COMPLEX PARSERS X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT PARSER
  • 40. 6 TOKENIZATION - COMPLEX PARSERS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax X + 0 TOKENIZER T_ALPHA T_PLUS T_DIGIT PARSER
  • 41. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 42. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 43. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 44. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 45. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 46. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 47. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 48. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 49. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 50. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 51. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 52. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 53. DYNAMIC TAINTING - LOOKING INTO A PROGRAM 7 T_DIGIT T_ALPHA T_MINUS T_PLUS T_DIGIT X + 0 def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 54. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 55. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER & def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 56. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER & def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 57. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER & def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 58. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 59. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 60. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 61. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 62. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 63. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X 3 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 64. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X 3 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 65. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X 3 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 66. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 67. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 68. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + 0 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 69. LFUZZER - SURVIVING THE TOKENIZATION AND PARSING STAGE 8 LFUZZER X + 0 Tokenmapping String Token A .. Z, a .. z T_ALPHA 0 .. 9 T_DIGIT - T_MINUS + T_PLUS def parse_exp(i): c = input[i] token = tokenize(c) if token == T_DIGIT: parse_op(i + 1) elif token == T_ALPHA: parse_op(i + 1) def parse_op(i): c = input[i] token = tokenize(c) if token == T_MINUS: parse_exp(i + 1) elif token == T_PLUS: parse_exp(i + 1) else: raise InvalidSyntax def tokenize(c): if isDigit(c): return T_DIGIT elif isAlpha(c): return T_ALPHA elif c == '-': return T_MINUS elif c == '+': return T_PLUS else: raise InvalidToken
  • 70. LFUZZER - BOOSTING FUZZERS 9
  • 71. LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS
  • 72. LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS
  • 73. LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
  • 74. LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER A - K 8 - I + P - q R + y - 6 + u … INPUTS * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
  • 75. LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER A - K 8 - I + P - q R + y - 6 + u … INPUTS PROGRAM UNDER TEST * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
  • 76. LFUZZER - BOOSTING FUZZERS 9 0 .. 9 A .. Z a .. z + - TOKENS 0 + 5
 a + 6 SAMPLE INPUTS AFL
 MIMID*
 LIBFUZZER … YOURFAVORITEFUZZER FUZZER A - K 8 - I + P - q R + y - 6 + u … INPUTS PROGRAM UNDER TEST * In: "Mining Input Grammars from Dynamic Control Flow" at FSE 2020
  • 77. EVALUATION - TOKENS AND COVERAGE 10
  • 78. EVALUATION - TOKENS AND COVERAGE 10 Fsv ini Fjson lisS tinyF mjs 6uEjeFt 0 20 40 60 80 TokensExtraFted 6tring ExtraFtion lFuzzer NUMBER OF VALID TOKENS EXTRACTED
  • 79. EVALUATION - TOKENS AND COVERAGE 10 Fsv ini Fjson lisS tinyF mjs 6uEjeFt 0 20 40 60 80 TokensExtraFted 6tring ExtraFtion lFuzzer NUMBER OF VALID TOKENS EXTRACTED Fsv ini Fjson lisS tinyF mjs SuEjeFt 0 25 50 75 100 125 150 175 200 7okensExtraFted String ExtraFtion lFuzzer NUMBER OF INVALID TOKENS EXTRACTED
  • 80. EVALUATION - TOKENS AND COVERAGE 10 Fsv ini Fjson lisS tinyF mjs 6uEjeFt 0 20 40 60 80 TokensExtraFted 6tring ExtraFtion lFuzzer NUMBER OF VALID TOKENS EXTRACTED Fsv ini Fjson lisS tinyF mjs SuEjeFt 0 25 50 75 100 125 150 175 200 7okensExtraFted String ExtraFtion lFuzzer NUMBER OF INVALID TOKENS EXTRACTED 0 4 8 12 16 20 24 TLme (h) 0 5 10 15 20 25 30 35 CoverDge(%) mjs A)L A)L_DLFt p)uzzer p)uzzer + A)L l)uzzer + A)L COVERAGE OVER TIME FOR MJS
  • 81. 11
  • 82. 11
  • 83. 11
  • 84. 11
  • 85. 11