{"id":2569,"date":"2017-09-08T02:21:24","date_gmt":"2017-09-08T02:21:24","guid":{"rendered":"https:\/\/www.ndss-symposium.org\/?page_id=2569"},"modified":"2024-03-07T09:56:25","modified_gmt":"2024-03-07T09:56:25","slug":"automated-whitebox-fuzz-testing","status":"publish","type":"page","link":"https:\/\/www.ndss-symposium.org\/ndss2008\/automated-whitebox-fuzz-testing\/","title":{"rendered":"Automated Whitebox Fuzz Testing"},"content":{"rendered":"\n<p><strong>Patrice Godefroid (Microsoft, Research), Michael Y. Levin (Microsoft, CSE), and David Molnar (UC Berkeley)<\/strong><\/p>\n\n\n\n<p>Fuzz testing is an effective technique for finding security vulnerabilities in software. Traditionally, fuzz testing tools apply random mutations to well-formed inputs of a program and test the resulting values. We present an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation. Our approach records an actual run of the program under test on a well-formed input, symbolically evaluates the recorded trace, and gathers constraints on inputs capturing how the program uses these. The collected constraints are then negated one by one and solved with a constraint solver, producing new inputs that exercise different control paths in the program. This process is repeated with the help of a code-coverage maximizing heuristic designed to find defects as fast as possible. We have implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications. We describe key optimizations needed to make dynamic test generation scale to large input files and long execution traces with hundreds of millions of instructions. We then present detailed experiments with several Windows applications. 
Notably, without any format-specific knowledge, SAGE detects the MS07-017 ANI vulnerability, which was missed by extensive blackbox fuzzing and static analysis tools. Furthermore, while still in an early stage of development, SAGE has already discovered 30+ new bugs in large shipped Windows applications including image processors, media players, and file decoders. Several of these bugs are potentially exploitable memory access violations.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-white-color has-text-color has-link-color wp-element-button\" href=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2017\/09\/Automated-Whitebox-Fuzz-Testing-paper-Patrice-Godefroid.pdf\">Paper<\/a><\/div>\n\n\n\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-white-color has-text-color has-link-color wp-element-button\" href=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2017\/09\/Automated-Whitebox-Fuzz-Testing-slides-Patrice-Goderfoid.pdf\">Slides<\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Date: <\/strong>8 Feb 2008<\/p>\n\n\n\n<p><strong>Associated Event: <\/strong><a href=\"http:\/\/www.ndss-symposium.org\/ndss2008\">NDSS Symposium 2008<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Patrice Godefroid (Microsoft, Research), Michael Y. Levin (Microsoft, CSE), and David Molnar (UC Berkeley) Fuzz testing is an effective technique for finding security vulnerabilities in software. Traditionally, fuzz testing tools apply random mutations to well-formed inputs of a program and test the resulting values. 
We present an alternative whitebox fuzz testing approach inspired by recent &hellip; <a href=\"https:\/\/www.ndss-symposium.org\/ndss2008\/automated-whitebox-fuzz-testing\/\">Continued<\/a><\/p>\n","protected":false},"author":237,"featured_media":0,"parent":1242,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"categories":[],"tags":[92],"class_list":["post-2569","page","type-page","status-publish","hentry","tag-ndss-2008-papers"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.ndss-symposium.org\/author\/strinekatrbovic\/","display_name":"Ivana Trbovic"},"relative_dates":{"created":"Posted 8 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on 8 September 2017","modified":"Updated on 7 March 2024"},"absolute_dates_time":{"created":"Posted on 8 September 2017 2:21 am","modified":"Updated on 7 March 2024 9:56 
am"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages\/2569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/users\/237"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/comments?post=2569"}],"version-history":[{"count":0,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages\/2569\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages\/1242"}],"wp:attachment":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/media?parent=2569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/categories?post=2569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/tags?post=2569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}