An empirical study of the reliability of UNIX utilities
Communications of the ACM
ANTLR: a predicated-LL(k) parser generator
Software—Practice & Experience
Violating Assumptions with Fuzzing
IEEE Security and Privacy
Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)
Fuzzing: Brute Force Vulnerability Discovery
Fuzzing: Brute Force Vulnerability Discovery
Grammar-based whitebox fuzzing
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Detecting Communication Protocol Security Flaws by Formal Fuzz Testing and Machine Learning
FORTE '08 Proceedings of the 28th IFIP WG 6.1 international conference on Formal Techniques for Networked and Distributed Systems
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
Finding and understanding bugs in C compilers
Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
BlendFuzz: A Model-Based Framework for Fuzz Testing Programs with Grammatical Inputs
TRUSTCOM '12 Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Hi-index | 0.00 |
Fuzz testing is an automated testing technique where random data is used as an input to software systems in order to reveal security bugs/vulnerabilities. Fuzzed inputs must be binaries embedded with compiled bytecodes when testing against ActionScript virtual machines (AVMs). The current fuzzing method for JavaScript-like virtual machines is very limited when applied to compiler-involved AVMs. The complete source code should be both grammatically and semantically valid to allow execution by first passing through the compiler. In this paper, we present ScriptGene, an algorithmic approach to overcome the additional complexity of generating valid ActionScript programs. First, nearly-valid code snippets are randomly generated, with some controls on instruction flow. Second, we present a novel mutation method where the former code snippets are lexically analyzed and mutated with runtime information of the AVM, which helps us to build context for undefined behaviours against compiler-check and produce a high code coverage. Accordingly, we have implemented and evaluated ScriptGene on three different versions of Adobe AVMs. Results demonstrate that ScriptGene not only covers almost all the blocks of the official test suite (Tamarin), but also is capable of nearly twice the code coverage. The discovery of six bugs missed by the official test suite demonstrates the effectiveness, validity and novelty of ScriptGene.