Abstract

Fuzz testing has emerged as the preeminent automated security analysis technique in the real world. To keep up with the shifting security landscape, researchers have innovated the fuzzing process to identify more and more complex vulnerabilities. One innovation is an approach inspired by genetic programming: the fuzzer generates test-cases, evaluates the quality of the test-case, and uses this evaluation to select test-cases for further iterations of the process. While this innovation has impressive results: without a formal, scientific model on which to base these improvements, the field of fuzzing has been explored in an ad hoc way. As a result, it is difficult to understand the relative merit of different techniques. In this paper, we formalize the input evaluation and selection components of fuzzing, borrowing concepts from the field of static analysis, and providing a base for future expansion of and research into fuzzing techniques. In building this formalism, we observed that the impact of different abstraction functions in modern fuzzing techniques is under-explored in prior research. Without a formal base on which to reason about their contributions, researchers of fuzzing techniques have missed the potential for improvements to this critical component of fuzzing approaches. We explore the implications of our formalization-derived observation on the effectiveness of evolutionary fuzzing techniques in the second half of the paper, showing that the application of different abstraction functions, and the use of multiple abstraction functions in tandem, improves state-of-the-art fuzzing techniques.

Original languageEnglish (US)
Title of host publication2020 IEEE Conference on Communications and Network Security, CNS 2020
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)9781728147604
DOIs
StatePublished - Jun 2020
Event2020 IEEE Conference on Communications and Network Security, CNS 2020 - Virtual, Online, France
Duration: Jun 29 2020Jul 1 2020

Publication series

Name2020 IEEE Conference on Communications and Network Security, CNS 2020

Conference

Conference2020 IEEE Conference on Communications and Network Security, CNS 2020
CountryFrance
CityVirtual, Online
Period6/29/207/1/20

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
  • Control and Optimization

Fingerprint Dive into the research topics of 'Exploring Abstraction Functions in Fuzzing'. Together they form a unique fingerprint.

Cite this