Scheduling black-box mutational fuzzing

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 511-522

  Woo, Maverick ^a   Cha, Sang Kil ^a   Gottlieb, Samantha ^a   Brumley, David ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

fuzz configuration scheduling; software security

Indexed keywords

BLACK BOXES; CONFIGURATION SCHEDULING; MULTI ARMED BANDIT; ONLINE SCHEDULING ALGORITHM; SOFTWARE SECURITY;

MATHEMATICAL MODELS; PROGRAM DEBUGGING; SCHEDULING ALGORITHMS;

SECURITY OF DATA;

EID: 84888993874     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516736     Document Type: Conference Paper

References (22)

1. A. Arcuri, M. Z. Iqbal, and L. Briand. Formal Analysis of the Effectiveness and Predictability of Random Testing. In International Symposium on Software Testing and Analysis, pages 219-229, 2010.
2. P. Auer, N. Cesa-Bianchi, Y. Freund, and R. E. Schapire. The Nonstochastic Multiarmed Bandit Problem. Journal on Computing, 32(1):48-77, 2002.
3. P. Auer, N. Cesa-Bianchi, and F. Paul. Finite-time Analysis of the Multiarmed Bandit Problem. Machine Learning, 47(2-3):235-256, 2002.
4. T. Avgerinos, S. K. Cha, B. T. H. Lim, and D. Brumley. AEG: Automatic Exploit Generation. In Proceedings of the Network and Distributed Systems Security Symposium, 2011.
5. D. A. Berry and B. Fristedt. Bandit Problems: Sequential Allocation of Experiments. Chapman and Hall, 1985.
6. A. Bertolino. Software testing research: Achievements, challenges, dreams. In Future of Software Engineering, pages 85-103, 2007.
7. E. Bounimova, P. Godefroid, and D. Molnar. Billions and Billions of Constraints: Whitebox Fuzz Testing in Production. In Proceedings of the International Conference on Software Engineering, pages 122-131, 2013.
8. C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs. In Proceedings of the USENIX Symposium on Operating System Design and Implementation, pages 209-224, 2008.
9. S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. Unleashing Mayhem on Binary Code. In Proceedings of the IEEE Symposium on Security and Privacy, pages 380-394, 2012.
10. D. Engler, D. Chen, S. Hallem, A. Chou, and B. Chelf. Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code. In Proceedings of the ACM Symposium on Operating System Principles, pages 57-72, 2001.
11. P. Godefroid, M. Y. Levin, and D. Molnar. SAGE: Whitebox Fuzzing for Security. Communications of the ACM, 55(3):40-44, 2012.
12. A. L. Goel. Software Reliability Models: Assumptions, Limitations, and Applicability. IEEE Transactions on Software Engineering, 11(12):1411-1423, 1985.
13. N. Gupta, A. P. Mathur, and M. L. Soffa. Automated Test Data Generation Using An Iterative Relaxation Method. In Proceedings of the ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 231-244, 1998.
14. A. D. Householder and J. M. Foote. Probability-Based Parameter Selection for Black-Box Fuzz Testing. Technical Report August, CERT, 2012.
15. B. D. Jovanovic and P. S. Levy. A Look at the Rule of Three. The American Statistician, 51(2):137-139, 1997.
16. C. Labs. zzuf: multi-purpose fuzzer. http://caca.zoy.org/wiki/zzuf.
17. R. McNally, K. Yiu, D. Grove, and D. Gerhardy. Fuzzing: The State of the Art. Technical Report DSTO-TN-1043, Defence Science and Technology Organisation, 2012.
18. B. P. Miller, L. Fredriksen, and B. So. An Empirical Study of the Reliability of UNIX Utilities. Communications of the ACM, 33(12):32-44, 1990.
19. D. Molnar, X. Li, and D. Wagner. Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs. In Proceedings of the USENIX Security Symposium, pages 67-82, 2009.
20. C. Pacheco, S. K. Lahiri, M. D. Ernst, and T. Ball. Feedback-Directed Random Test Generation. In Proceedings of the International Conference on Software Engineering, pages 75-84, 2007.
21. D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A First Step towards Automated Detection of Buffer Overrun Vulnerabilities. In Proceedings of the Network and Distributed Systems Security Symposium, pages 3-17, 2000.
22. D. Wolpert and W. Macready. No free lunch theorems for optimization. IEEE Transactions on Evolutionary Computation, 1(1):67-82, 1997.