Automatically Seed Corpus and Fuzzing Executables Generation Using Test Framework
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Jeon, Sanghoon | - |
dc.contributor.author | Ryu, Minsoo | - |
dc.contributor.author | Kim, Dongyoung | - |
dc.contributor.author | Kim, Huy Kang | - |
dc.date.accessioned | 2022-10-07T02:40:36Z | - |
dc.date.available | 2022-10-07T02:40:36Z | - |
dc.date.created | 2022-10-06 | - |
dc.date.issued | 2022 | - |
dc.identifier.issn | 2169-3536 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/144186 | - |
dc.description.abstract | Fuzzing is widely utilized as a practical test method to determine unknown vulnerabilities in software. Although fuzzing shows excellent results for code coverage and crash count, it is not easy to apply these effects to library fuzzing. A library cannot run independently; it is only executed by an application called a customer program. In particular, a fuzzing executable and a seed corpus are needed to execute the library code by calling a specific function sequence and passing the input of the fuzzer to reproduce the various states of the library. However, preparing the environment for library fuzzing is challenging because it relies on the human expertise and requires both an understanding of the library and fuzzing knowledge. This study proposes FuzzBuilderEx, a system that provides an automated fuzzing environment for a library by utilizing the test framework to resolve this problem. FuzzBuilderEx conducts a static/dynamic analysis of the test code to automatically generate seed corpus and fuzzing executables that enable library fuzzing. Furthermore, the automatically generated seed corpus and fuzzing executable are compatible with existing fuzzers, such as the American Fuzzy Lop (AFL). This study applied FuzzBuilderEx to nine open-source libraries for performance evaluation and confirmed the effects of an increase in code coverage by 31.2% and a unique crash count of 58.7% compared to previous studies. Notably, we detected three zero-day vulnerabilities and registered one of them in the common vulnerabilities and exposures (CVE) database. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC | - |
dc.title | Automatically Seed Corpus and Fuzzing Executables Generation Using Test Framework | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Kim, Huy Kang | - |
dc.identifier.doi | 10.1109/ACCESS.2022.3202005 | - |
dc.identifier.scopusid | 2-s2.0-85137572200 | - |
dc.identifier.wosid | 000850855000001 | - |
dc.identifier.bibliographicCitation | IEEE ACCESS, v.10, pp.90408 - 90428 | - |
dc.relation.isPartOf | IEEE ACCESS | - |
dc.citation.title | IEEE ACCESS | - |
dc.citation.volume | 10 | - |
dc.citation.startPage | 90408 | - |
dc.citation.endPage | 90428 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.isOpenAccess | Y | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Computer Science | - |
dc.relation.journalResearchArea | Engineering | - |
dc.relation.journalResearchArea | Telecommunications | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Information Systems | - |
dc.relation.journalWebOfScienceCategory | Engineering, Electrical & Electronic | - |
dc.relation.journalWebOfScienceCategory | Telecommunications | - |
dc.subject.keywordAuthor | Fuzzing | - |
dc.subject.keywordAuthor | Performance evaluation | - |
dc.subject.keywordAuthor | Codes | - |
dc.subject.keywordAuthor | Open source software | - |
dc.subject.keywordAuthor | Deep learning | - |
dc.subject.keywordAuthor | Data models | - |
dc.subject.keywordAuthor | Sequential analysis | - |
dc.subject.keywordAuthor | Computer crashes | - |
dc.subject.keywordAuthor | Data-driven security | - |
dc.subject.keywordAuthor | fuzzing | - |
dc.subject.keywordAuthor | seed generation | - |
dc.subject.keywordAuthor | vulnerability detection | - |
dc.subject.keywordAuthor | test framework | - |