A Review on Grammar-Based Fuzzing Techniques
Hamad Ali Al Salem, Jia Song
Pages 114-123 | Revised 31-05-2019 | Published 01-06-2019
Volume 13, Issue 3 | Publication Date: June 2019
Fuzzing, Grammar-based, Generation, Mutation, Techniques, File Input Quality.
Fuzzing has become one of the most widely used software testing techniques because it finds many kinds of bugs and vulnerabilities across a broad range of target programs. Grammar-based fuzzing tools have been shown to be effective at finding bugs and at generating high-quality, well-formed fuzzing files. Fuzzing techniques are usually guided by other methods to improve their effectiveness, but these methods have limitations as well. In this paper, we present an overview of grammar-based fuzzing tools and of the techniques used to guide them, including mutation, machine learning, and evolutionary computing. Few studies have been conducted on this approach, and those that exist show its effectiveness and the quality of its inputs in exposing new vulnerabilities in a program. We summarize the studied fuzzing tools and explain, for each one, its method, input format, strengths, and limitations. We also conduct experiments on two of the fuzzing tools and compare them based on the quality of the fuzzing files they generate.
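To make the three ideas the abstract contrasts concrete (generation from a grammar, structural mutation that stays inside the grammar, and "file quality" measured as the fraction of outputs a parser accepts), the following is an added example written for this page. It is not code from the paper or from any of the surveyed tools. The JSON-subset grammar is constructed for the illustration, and Python's `json.loads` stands in for the target program's parser; the `run_experiment` helper and its seed are assumptions of this example only.

```python
"""Grammar-based generation, structural mutation and a validity check.

Added illustration, not code from the paper or from any tool it surveys.
The grammar below is a constructed JSON subset; json.loads stands in for the
target program's parser when we measure how many generated files are well-formed.
"""
import json
import random

# Constructed toy grammar. Each alternative is a tuple of symbols; <...> marks a
# nonterminal, anything else is emitted literally ("" is the empty terminal).
JSON_GRAMMAR = {
    "<value>": [("<object>",), ("<array>",), ("<string>",), ("<number>",),
                ("true",), ("false",), ("null",)],
    "<object>": [("{", "}"), ("{", "<members>", "}")],
    "<members>": [("<pair>",), ("<pair>", ",", "<members>")],
    "<pair>": [("<string>", ":", "<value>")],
    "<array>": [("[", "]"), ("[", "<elements>", "]")],
    "<elements>": [("<value>",), ("<value>", ",", "<elements>")],
    "<string>": [('"', "<chars>", '"')],
    "<chars>": [("",), ("<char>", "<chars>")],
    "<char>": [(c,) for c in "abcxyz09 _"],
    "<number>": [("<int>",), ("-", "<int>"), ("<int>", ".", "<digits>")],
    "<int>": [("0",), ("<nonzero>", "<digits0>")],
    "<digits0>": [("",), ("<digit>", "<digits0>")],
    "<digits>": [("<digit>",), ("<digit>", "<digits>")],
    "<nonzero>": [(d,) for d in "123456789"],
    "<digit>": [(d,) for d in "0123456789"],
}


def is_nonterminal(sym):
    return sym.startswith("<") and sym.endswith(">")


def expand(symbol, grammar, rng, depth=0, max_depth=6):
    """Derive a tree (symbol, children) from `symbol`; terminals have children=None.
    Beyond max_depth only the alternatives with the fewest nonterminals are used,
    which forces the derivation to terminate."""
    if not is_nonterminal(symbol):
        return (symbol, None)
    alts = grammar[symbol]
    if depth >= max_depth:
        cost = {alt: sum(is_nonterminal(s) for s in alt) for alt in alts}
        alts = [a for a in alts if cost[a] == min(cost.values())]
    chosen = rng.choice(alts)
    return (symbol, [expand(s, grammar, rng, depth + 1, max_depth) for s in chosen])


def render(tree):
    """Concatenate the leaves of a derivation tree into the fuzzing input."""
    sym, children = tree
    return sym if children is None else "".join(render(c) for c in children)


def nonterminal_nodes(tree, path=()):
    """Preorder (path, subtree) pairs for every nonterminal node in the tree."""
    if tree[1] is None:
        return
    yield path, tree
    for i, child in enumerate(tree[1]):
        yield from nonterminal_nodes(child, path + (i,))


def replace_at(tree, path, subtree):
    """Return a copy of `tree` with the node at `path` swapped for `subtree`."""
    if not path:
        return subtree
    sym, children = tree
    children = list(children)
    children[path[0]] = replace_at(children[path[0]], path[1:], subtree)
    return (sym, children)


def structural_mutate(tree, grammar, rng, max_depth=4):
    """Grammar-aware mutation: pick any nonterminal node and re-derive it, so the
    mutant is still a sentence of the grammar."""
    path, (sym, _) = rng.choice(list(nonterminal_nodes(tree)))
    return replace_at(tree, path, expand(sym, grammar, rng, 0, max_depth))


def byte_mutate(text, rng):
    """Grammar-blind mutation for contrast: overwrite one character at random."""
    if not text:
        return text
    i = rng.randrange(len(text))
    return text[:i] + rng.choice('{}[]",:0123456789abc') + text[i + 1:]


def validity_rate(inputs, parser=json.loads):
    """Fraction of inputs the reference parser accepts: a proxy for file quality."""
    accepted = 0
    for s in inputs:
        try:
            parser(s)
            accepted += 1
        except ValueError:  # json.JSONDecodeError is a ValueError
            pass
    return accepted / len(inputs)


def run_experiment(n=100, seed=1):
    """Generate n inputs, mutate each both ways, and report validity per corpus."""
    rng = random.Random(seed)
    trees = [expand("<value>", JSON_GRAMMAR, rng) for _ in range(n)]
    generated = [render(t) for t in trees]
    structural = [render(structural_mutate(t, JSON_GRAMMAR, rng)) for t in trees]
    blind = [byte_mutate(s, rng) for s in generated]
    return {
        "generated": validity_rate(generated),
        "structural_mutation": validity_rate(structural),
        "byte_mutation": validity_rate(blind),
    }


if __name__ == "__main__":
    for name, rate in run_experiment().items():
        print(f"{name:20s} valid={rate:.2f}")
```

Because every alternative in the grammar yields well-formed JSON, both the generated corpus and the structurally mutated corpus parse at 100%, while the byte-level mutants lose validity whenever the overwritten character breaks the syntax. Swapping `json.loads` for the real target's parser (or a crash-detecting harness) turns the same loop into the kind of quality comparison the paper performs between tools.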
Mr. Hamad Ali Al Salem
Computer Science Department, University of Idaho, Moscow, ID 83844, United States of America
Dr. Jia Song
Computer Science Department, University of Idaho, Moscow, ID 83844, United States of America