Blogs (1) >>
ICSE 2019
Sat 25 - Fri 31 May 2019 Montreal, QC, Canada
Fri 31 May 2019 11:00 - 11:20 at Duluth - Fuzzing Chair(s): Marcel Böhme

Fuzzing is an important technique to detect software bugs and vulnerabilities. It works by mutating a small set of seed inputs to generate a large number of new inputs. Fuzzers’ performance often substantially degrades when valid seed inputs are not available. Although existing techniques such as symbolic execution can generate seed inputs from scratch, they have various limitations hindering their applications in real-world complex software without source code. In this paper, we propose a novel fuzzing technique that features the capability of generating valid seed inputs. It piggy-backs on AFL to identify input validity checks and the input fields that have impact on such checks. It further classifies these checks according to their relations to the input. Such classes include arithmetic relation, object offset, data structure length and so on. A multi-goal search algorithm is developed to apply class specific mutations in order to satisfy inter-dependent checks all together. We evaluate our technique on 20 popular benchmark programs collected from other fuzzing projects and the Google fuzzer test suite, and compare it with existing fuzzers AFL and AFLFast, symbolic execution engines KLEE and S2E, and a hybrid tool Driller that combines fuzzing with symbolic execution. The results show that our technique is highly effective and efficient, out-performing the other tools.

Fri 31 May
Times are displayed in time zone: Eastern Time (US & Canada) change

11:00 - 12:30: FuzzingPapers / Technical Track at Duluth
Chair(s): Marcel BöhmeMonash University
11:00 - 11:20
SLF: Fuzzing without Valid Seed InputsTechnical TrackIndustry Program
Technical Track
Wei YouPurdue University, Xuwei LiuZhejiang University, Shiqing MaPurdue University, USA, David Mitchel PerryPurdue University, Xiangyu ZhangPurdue University, Bin LiangRenmin University of China, China
11:20 - 11:40
Superion: Grammar-Aware Greybox FuzzingTechnical Track
Technical Track
Junjie WangNanyang Technological University, Bihuan ChenFudan University, Lei WeiNanyang Technological University, Yang LiuNanyang Technological University, Singapore
11:40 - 12:00
Grey-box Concolic Testing on Binary CodeArtifacts AvailableTechnical TrackIndustry Program
Technical Track
Jaeseung ChoiKAIST, Joonun JangSamsung Research, Samsung Electronics, Choongwoo HanNAVER Corporation, Sang Kil ChaKAIST
12:00 - 12:20
REST-ler: Stateful REST API FuzzingTechnical TrackIndustry Program
Technical Track
Vaggelis AtlidakisColumbia University, Patrice GodefroidMicrosoft Research, Marina PolishchukMicrosoft
Link to publication
12:20 - 12:30
Discussion Period