Rahul Gopinath, Post-doctoral Researcher, CISPA Helmholtz Center for Information Security, Germany
Efficient and effective fuzzing requires an input specification for the program under test. However, such specifications are typically unavailable, obsolete, incomplete, or inaccurate, limiting the reach of fuzzers. This has led to a proliferation of hacky recipes by different fuzzers to get past the input parsing stage, with each recipe working on some but not all programs. That is, at this point fuzzing resembles alchemy more than science. In this talk, I show how to transform fuzzing into a science. I present an end-to-end framework for recovering precise input specifications of programs. Such mined specifications can immediately be used for effective exploration of the program's input space as well as the space of program behaviors, leading to the identification of failure-inducing inputs. Next, given any failure-inducing input, I show how to generalize such inputs into abstract patterns that precisely identify the failure-causing parts of the input. Any number of such abstract patterns can then be combined using the full set of logical connectives to produce specialized grammars that any grammar fuzzer can use for precise control over the inputs it produces.
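The pipeline sketched in the abstract (grammar-based exploration to find a failing input, generalization of that input into an abstract pattern, and a specialized grammar built from patterns) is illustrated below in a small, self-contained form. This is an added example written for this page; it is not code from the talk or from the speaker's framework. It assumes a constructed toy arithmetic grammar, a constructed program under test with a planted defect (it fails whenever the input contains a negated parenthesised expression, i.e. the substring `-(`), and a deliberately simplified abstraction rule: a subtree is declared abstract when the failure survives a fixed number of random replacements of that subtree with other instances of the same nonterminal. Only the disjunction of patterns is implemented; conjunction and negation require the fuller grammar construction the talk describes.

```python
import random

# Constructed toy grammar (fuzzingbook-style dict, not from the talk):
# each nonterminal maps to a list of expansions, each a list of symbols.
GRAMMAR = {
    "<start>": [["<expr>"]],
    "<expr>": [["<term>", "+", "<expr>"], ["<term>", "-", "<expr>"], ["<term>"]],
    "<term>": [["<factor>", "*", "<term>"], ["<factor>"]],
    "<factor>": [["(", "<expr>", ")"], ["-", "<factor>"], ["<digit>"]],
    "<digit>": [[d] for d in "0123456789"],
}

def is_nonterminal(sym):
    return sym.startswith("<") and sym.endswith(">")

def min_cost(grammar, sym, seen=frozenset()):
    """Fewest expansion steps that turn sym into terminals (inf on a cycle)."""
    if not is_nonterminal(sym):
        return 0
    if sym in seen:
        return float("inf")
    return min(1 + sum(min_cost(grammar, s, seen | {sym}) for s in exp)
               for exp in grammar[sym])

def generate_tree(grammar, sym, rng, depth=0, max_depth=5):
    """Random derivation tree (symbol, children); terminals have children == []."""
    if not is_nonterminal(sym):
        return (sym, [])
    exps = grammar[sym]
    if depth >= max_depth:  # budget exhausted: take the cheapest way to finish
        exps = [min(exps, key=lambda e: sum(min_cost(grammar, s) for s in e))]
    return (sym, [generate_tree(grammar, s, rng, depth + 1, max_depth)
                  for s in rng.choice(exps)])

def to_string(tree):
    """Terminals print as themselves; abstract nodes (children is None) print
    as their nonterminal name, which is what makes a pattern readable."""
    sym, children = tree
    if not children:
        return sym
    return "".join(to_string(c) for c in children)

def buggy_program(inp):
    """Constructed program under test; True means it failed on inp.
    Planted defect: it cannot handle a negated parenthesised expression."""
    return "-(" in inp

def fuzz_until_failure(grammar, oracle, rng, limit=1000):
    """Grammar-based exploration of the input space until the oracle reports a failure."""
    for _ in range(limit):
        tree = generate_tree(grammar, "<start>", rng)
        if oracle(to_string(tree)):
            return tree
    return None

def replace_at(tree, path, new):
    """Return a copy of tree with the subtree at path (list of child indices) replaced."""
    if not path:
        return new
    sym, children = tree
    i = path[0]
    return (sym, children[:i] + [replace_at(children[i], path[1:], new)] + children[i + 1:])

def abstract(grammar, root, oracle, rng, trials=20):
    """Generalise a failing derivation tree into an abstract pattern.
    A nonterminal node becomes abstract (children=None) when the failure survives
    every random replacement of its subtree; otherwise its children are examined
    in turn.  This is a simplification of the talk's method, chosen for brevity."""
    def survives_replacement(path, sym):
        return all(oracle(to_string(replace_at(root, path, generate_tree(grammar, sym, rng))))
                   for _ in range(trials))

    def walk(node, path):
        sym, children = node
        if not children:          # terminals are always concrete
            return node
        if survives_replacement(path, sym):
            return (sym, None)    # any <sym> here still triggers the failure
        return (sym, [walk(c, path + [i]) for i, c in enumerate(children)])

    return walk(root, [])

def specialize(grammar, patterns):
    """Grammar whose <start> yields only instances of the given patterns (their
    disjunction).  Abstract nodes stay nonterminals, so any grammar fuzzer fills them."""
    def flatten(node):
        sym, children = node
        if not children:          # terminal, or abstract nonterminal kept as a symbol
            return [sym]
        return [s for c in children for s in flatten(c)]
    # a fully abstract root would produce the rule <start> ::= <start>; skip it
    rules = [flatten(p) for p in patterns if p[1] is not None]
    return {**grammar, "<start>": rules or grammar["<start>"]}

def demo(seed=1):
    rng = random.Random(seed)
    failing = fuzz_until_failure(GRAMMAR, buggy_program, rng)
    pattern = abstract(GRAMMAR, failing, buggy_program, rng)
    special = specialize(GRAMMAR, [pattern])
    instances = [to_string(generate_tree(special, "<start>", rng)) for _ in range(10)]
    return to_string(failing), to_string(pattern), instances

if __name__ == "__main__":
    failing, pattern, instances = demo()
    print("failure-inducing input:", failing)
    print("abstract pattern:      ", pattern)
    for inst in instances:
        print("  specialised fuzzer ->", inst, "FAIL" if buggy_program(inst) else "ok")
```

Running `demo()` prints the concrete failing input, a pattern in which everything irrelevant to the defect has been replaced by its nonterminal (the `-(` and its closing `)` stay concrete while the enclosed `<expr>` and surrounding terms become abstract), and ten inputs from the specialised grammar, all of which reproduce the failure. The random-replacement test in `abstract` is probabilistic by design; raising `trials` lowers the chance of wrongly marking a node abstract.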