Team for Research in
Ubiquitous Secure Technology

Automated Whitebox Fuzz Testing
Patrice Godefroid, Michael Y. Levin, David A Molnar

Citation
Patrice Godefroid, Michael Y. Levin, David A Molnar. "Automated Whitebox Fuzz Testing". Network and Distributed System Security Symposium (NDSS), Internet Society, 2008.

Abstract
We present an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation. Our approach records an actual run of a program under test on a well-formed input, symbolically evaluates the recorded trace, and generates constraints capturing how the program uses its inputs. We have implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications. We describe key optimizations needed to make dynamic test generation scale to large input files and long execution traces with hundreds of millions of instructions. While still in an early stage of development, SAGE has already discovered 30+ new bugs in large shipped Windows applications including image processors, media players, and file decoders.
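The abstract describes the core loop of dynamic test generation: run the program once on a well-formed seed, record the branch conditions that depend on input bytes (the path constraint), negate each of them in turn, and ask a solver for a new input that follows the same prefix but takes the other branch. The following is an added example, not code from the paper or from the SAGE tool. The program under test (four single-byte comparisons guarding an "abort"), the constraint language (only byte equalities and inequalities), the brute-force solver and the bound bookkeeping in the generational search are all constructed here for illustration; a real whitebox fuzzer traces x86 instructions and calls an SMT solver.

```python
"""Toy dynamic test generation in the spirit of SAGE's generational search.

Added example, not code from the paper or the SAGE tool.  The program under
test, the single-byte constraint language and the solver are constructed
here for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Constraint:
    """One branch condition recorded from a concrete run:
    input[index] == value (taken=True) or input[index] != value (taken=False)."""
    index: int
    value: int
    taken: bool

    def negated(self) -> "Constraint":
        return Constraint(self.index, self.value, not self.taken)


class Trace:
    """Path constraint of one concrete execution, in branch order."""
    def __init__(self, data: bytes) -> None:
        self.data = data
        self.constraints: List[Constraint] = []


class SymByte:
    """Input byte that computes concretely but records every comparison."""
    def __init__(self, trace: Trace, index: int) -> None:
        self.trace = trace
        self.index = index

    def __eq__(self, other: object) -> bool:  # type: ignore[override]
        assert isinstance(other, int)
        taken = self.trace.data[self.index] == other
        self.trace.constraints.append(Constraint(self.index, other, taken))
        return taken

    def __ne__(self, other: object) -> bool:  # type: ignore[override]
        return not self.__eq__(other)


def program(inp: List[SymByte]) -> bool:
    """Constructed program under test (hypothetical): returns True when the
    'abort' path is reached, i.e. at least three of four magic bytes match."""
    cnt = 0
    if inp[0] == ord("b"):
        cnt += 1
    if inp[1] == ord("a"):
        cnt += 1
    if inp[2] == ord("d"):
        cnt += 1
    if inp[3] == ord("!"):
        cnt += 1
    return cnt >= 3


def run(prog: Callable[[List[SymByte]], bool], data: bytes) -> Tuple[bool, Trace]:
    """Concrete run that also records the path constraint."""
    trace = Trace(data)
    crashed = prog([SymByte(trace, i) for i in range(len(data))])
    return crashed, trace


def solve(constraints: List[Constraint], seed: bytes) -> Optional[bytes]:
    """Tiny solver for conjunctions of byte (in)equalities.  Bytes the path
    constraint does not mention keep their seed value, which is what keeps a
    generated file well-formed enough to get past the parser's early checks."""
    must: Dict[int, int] = {}
    must_not: Dict[int, Set[int]] = {}
    for c in constraints:
        if c.taken:
            if must.get(c.index, c.value) != c.value or c.value in must_not.get(c.index, set()):
                return None  # contradictory: two different equalities, or == vs !=
            must[c.index] = c.value
        else:
            if must.get(c.index) == c.value:
                return None
            must_not.setdefault(c.index, set()).add(c.value)
    out = bytearray(seed)
    for i, v in must.items():
        out[i] = v
    for i, bad in must_not.items():
        if out[i] in bad:  # pick any byte that satisfies all the inequalities
            out[i] = next(b for b in range(256) if b not in bad)
    return bytes(out)


def generational_search(prog: Callable[[List[SymByte]], bool], seed: bytes,
                        max_inputs: int = 10_000) -> Tuple[List[bytes], Set[bytes]]:
    """Breadth-first generational search.  Negating constraint j of a parent
    yields a child with bound j+1, so only later constraints are expanded from
    it and each distinct path prefix is generated once (a simplification of
    the bound bookkeeping in the real algorithm).  Returns the inputs that
    reached the abort and the set of all inputs generated."""
    seen: Set[bytes] = {seed}
    worklist: List[Tuple[bytes, int]] = [(seed, 0)]
    crashes: List[bytes] = []
    while worklist and len(seen) <= max_inputs:
        data, bound = worklist.pop(0)
        crashed, trace = run(prog, data)
        if crashed:
            crashes.append(data)
        pc = trace.constraints
        for j in range(bound, len(pc)):
            child = solve(pc[:j] + [pc[j].negated()], data)
            if child is not None and child not in seen:
                seen.add(child)
                worklist.append((child, j + 1))
    return crashes, seen


if __name__ == "__main__":
    found, generated = generational_search(program, b"good")
    print(f"{len(generated)} inputs generated, {len(found)} reach the abort:")
    for inp in found:
        print("  ", inp)
```

From the seed "good" the first generation negates each of the four recorded constraints, giving four children that each differ in one byte; later generations only expand constraints after the one that produced them, so all 15 other inputs are generated exactly once and the five that reach the abort are found without any of the blind mutation a blackbox fuzzer would need. The property a practitioner should take from this is the one the abstract points at: the solver changes only the bytes the program actually branched on, so the remaining bytes of a large well-formed file are preserved.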

Citation formats  
  • HTML
    Patrice Godefroid, Michael Y. Levin, David A Molnar. <a
    href="http://www.truststc.org/pubs/499.html"
    >Automated Whitebox Fuzz Testing</a>, Network and
    Distributed System Security Symposium (NDSS), Internet Society,
    2008.
  • Plain text
    Patrice Godefroid, Michael Y. Levin, David A Molnar.
    "Automated Whitebox Fuzz Testing". Network and
    Distributed System Security Symposium (NDSS), Internet Society,
    2008.
  • BibTeX
    @inproceedings{GodefroidLevinMolnar08_AutomatedWhiteboxFuzzTesting,
        author = {Patrice Godefroid and Michael Y. Levin and David A
                  Molnar},
        title = {Automated Whitebox Fuzz Testing},
        booktitle = {Network and Distributed System Security Symposium (NDSS)},
        organization = {Internet Society},
        year = {2008},
        abstract = {We present an alternative whitebox fuzz testing
                  approach inspired by recent advances in symbolic
                  execution and dynamic test generation. Our
                  approach records an actual run of a program under
                  test on a well-formed input, symbolically
                  evaluates the recorded trace, and generates
                  constraints capturing how the program uses its
                  inputs. We have implemented this algorithm in SAGE
                  (Scalable, Automated, Guided Execution), a new
                  tool employing x86 instruction-level tracing and
                  emulation for whitebox fuzzing of arbitrary
                  file-reading Windows applications. We describe key
                  optimizations needed to make dynamic test
                  generation scale to large input files and long
                  execution traces with hundreds of millions of
                  instructions. While still in an early stage of
                  development, SAGE has already discovered 30+ new
                  bugs in large shipped Windows applications
                  including image processors, media players, and
                  file decoders. },
        URL = {http://www.truststc.org/pubs/499.html}
    }
    

Posted by David A Molnar on 28 Jan 2009.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.