Fuzz testing is testing a piece of code with a broad range of unexpected (often malformed or randomly generated) inputs, typically done to find security vulnerabilities. Unlike traditional testing, it relies less on human understanding of the program and is often performed by people other than the code's developers.
See the surveys for more detail: godefroid:cacm:2020, manes:ieeetse:2019.
Programs under test are often instrumented so that more errors are detected than a plain crash would reveal (e.g., address, memory, undefined-behaviour and thread sanitizers, control-flow integrity, etc.): a silent out-of-bounds read becomes a reported failure the fuzzer can save.
Fuzzers are commonly divided into three types according to how much knowledge of the program under test they exploit:
- blackbox fuzzing: inputs are generated or mutated with no feedback from the program's execution
- greybox fuzzing: lightweight instrumentation feeds back a signal, usually code coverage, that steers input generation
  - coverage guided such as EFS, Randoop, AFL, VUzzer: an input that reaches new code is kept and mutated further
- whitebox fuzzing: the fuzzer reasons about the program's semantics
  - symbolic execution such as DART verifier and KLEE verifier
  - taint analysis that determines which branches depend on particular parts of the input
  - hybrid testing alternates between greybox fuzzing and whitebox (concolic) execution, using the solver to get past branches that random mutation rarely satisfies, e.g., Driller verifier
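The difference between blackbox and coverage-guided (greybox) fuzzing is easiest to see on a target that hides a bug behind a multi-byte equality check. The following is an added example, not code from the original page or from any of the fuzzers it names: the target, its magic value, the branch instrumentation (an explicit `trace` callback standing in for the compile-time edge instrumentation AFL-style fuzzers insert) and the single-byte mutator are all constructed for illustration.

```python
"""Blackbox vs. coverage-guided (greybox) fuzzing on a constructed target.

Added example; not code from the original page or from any fuzzer it names.
The target, its branch instrumentation and the mutator are simplified
stand-ins for what AFL-style fuzzers do with compiled, instrumented code.
"""
import random

MAGIC = b"FUZZ"  # constructed: the multi-byte check guarding the "bug"


def target(data: bytes, trace) -> None:
    """Constructed program under test.

    A compiled target would be instrumented at every branch edge; here the
    target reports coverage explicitly by calling trace(branch_id).
    It "crashes" (raises) only when the input starts with MAGIC.
    """
    for i, expected in enumerate(MAGIC):
        if i >= len(data) or data[i] != expected:
            trace(("mismatch", i))
            return
        trace(("match", i))  # a fresh branch id for each byte that matches
    raise RuntimeError("crash: reached the bug behind the magic check")


def run(data: bytes):
    """Execute the target once; return (crashed, set of branch ids hit)."""
    covered = set()
    try:
        target(data, covered.add)
    except RuntimeError:
        return True, covered
    return False, covered


def blackbox_fuzz(budget: int, seed: int = 0):
    """No feedback: every input is fresh random bytes of the right length."""
    rng = random.Random(seed)
    for _ in range(budget):
        data = bytes(rng.randrange(256) for _ in range(len(MAGIC)))
        if run(data)[0]:
            return data
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One mutation: overwrite a random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def greybox_fuzz(budget: int, seed: int = 0):
    """Coverage feedback: keep any input that hits a branch not seen before."""
    rng = random.Random(seed)
    corpus = [bytes(len(MAGIC))]  # seed corpus: four zero bytes
    seen = run(corpus[0])[1]
    for _ in range(budget):
        data = mutate(rng.choice(corpus), rng)
        crashed, covered = run(data)
        if crashed:
            return data
        if not covered <= seen:  # new coverage: promote the input to a seed
            seen |= covered
            corpus.append(data)
    return None


if __name__ == "__main__":
    budget = 300_000
    # Blackbox needs on the order of 2**32 tries for a 4-byte check;
    # greybox solves it one byte at a time, roughly 10k tries on average.
    print("blackbox:", blackbox_fuzz(budget))
    print("greybox: ", greybox_fuzz(budget))
```

With the same budget the blackbox loop almost never finds the input, while the greybox loop does so quickly because each matched byte opens a new branch that promotes the input to the corpus; this is the exponential-cost effect discussed in bohme2:fse:2020 and the gap that hybrid fuzzers such as Driller close with a constraint solver. In a real setup the "crash" would typically be a sanitizer report rather than an explicit exception.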
A related concept, random test generation, differs in that there is often more focus on generating inputs that are restricted in some way. For example, we might want to generate only syntactically legal inputs. This leads to concepts such as
- "rejection sampling": retry generating a value until it satisfies some predicate
- grammar-based generation, and discovering grammars from a program or an input corpus
- use of dictionaries: lists of tokens (keywords, magic values, delimiters) that a mutator splices into inputs
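The three ideas above fit together in one small generator. The following is an added example, not code from the original page: the arithmetic-expression grammar, the acceptance predicate (the string must be a syntactically valid Python expression that evaluates without an arithmetic error) and the token dictionary are constructed for illustration.

```python
"""Grammar-based generation, rejection sampling and dictionary tokens.

Added example; not code from the original page. The grammar, the
acceptance predicate and the token dictionary are constructed for
illustration.
"""
import random

# Constructed grammar for a tiny arithmetic language. A nonterminal maps to
# its alternatives; each alternative is a sequence of symbols.
GRAMMAR = {
    "<expr>": [["<term>"], ["<expr>", " + ", "<term>"], ["<expr>", " - ", "<term>"]],
    "<term>": [["<factor>"], ["<term>", " * ", "<factor>"], ["<term>", " / ", "<factor>"]],
    "<factor>": [["<number>"], ["(", "<expr>", ")"]],
    "<number>": [["<digit>"], ["<digit>", "<number>"]],
    "<digit>": [[d] for d in "0123456789"],
}
ALPHABET = set("0123456789+-*/() ")  # every terminal the grammar can emit


def generate(symbol: str, rng: random.Random, depth: int = 0, max_depth: int = 8) -> str:
    """Random derivation of `symbol`.

    Past max_depth only the shortest alternatives are used, so the
    recursion always terminates.
    """
    if symbol not in GRAMMAR:
        return symbol  # terminal
    alternatives = GRAMMAR[symbol]
    if depth >= max_depth:
        shortest = min(len(a) for a in alternatives)
        alternatives = [a for a in alternatives if len(a) == shortest]
    chosen = rng.choice(alternatives)
    return "".join(generate(s, rng, depth + 1, max_depth) for s in chosen)


def generate_expr(rng: random.Random) -> str:
    """Convenience: a random derivation of the start symbol."""
    return generate("<expr>", rng)


def is_valid_arith(expr: str) -> bool:
    """Predicate for rejection sampling.

    The grammar over-approximates the legal language: it can emit leading
    zeros ("007" is a SyntaxError in Python 3) and division by zero.
    """
    if not set(expr) <= ALPHABET:  # only evaluate strings the grammar can produce
        return False
    try:
        eval(compile(expr, "<generated>", "eval"), {"__builtins__": {}}, {})
    except (SyntaxError, ArithmeticError):
        return False
    return True


def rejection_sample(make, accept, seed: int = 0, max_tries: int = 1000):
    """Retry make(rng) until accept(value) holds; None if the budget runs out."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        value = make(rng)
        if accept(value):
            return value
    return None


# Constructed dictionary: tokens a mutator splices in (the idea behind AFL's -x).
DICTIONARY = ["(", ")", " / 0", "999999999"]


def dictionary_mutate(data: str, seed: int = 0) -> str:
    """Insert one dictionary token at a random position of an existing input."""
    rng = random.Random(seed)
    pos = rng.randrange(len(data) + 1)
    return data[:pos] + rng.choice(DICTIONARY) + data[pos:]


if __name__ == "__main__":
    rng = random.Random(42)
    raw = generate_expr(rng)
    print("raw:     ", raw, "valid" if is_valid_arith(raw) else "rejected")
    print("accepted:", rejection_sample(generate_expr, is_valid_arith, seed=42))
    print("mutated: ", dictionary_mutate("1 + 2", seed=42))
```

Rejection sampling is only cheap when the predicate accepts a large fraction of candidates; if most derivations are rejected, the fix is to move the constraint into the grammar (here, a `<number>` rule that cannot start with `0`) rather than to raise `max_tries`. Evaluating generated strings with `eval` is acceptable here only because the alphabet check guarantees the input came from this grammar; a generator for an untrusted format should use a dedicated parser.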
Notes related to Fuzz testing
AFL fuzzer, Hybrid testing, Property-based testing, SAGE verifier, Search based test generation, Symbolic execution, Test-case reduction, Test generation
Papers related to Fuzz testing
- FUDGE: Fuzz driver generation at scale [babic:fse:2019]
- TestCov: Robust test-suite execution and coverage measurement [beyer:ase:2019]
- Software verification: Testing vs. model checking [beyer:hvc:2017]
- Fuzzing: On the exponential cost of vulnerability discovery [bohme2:fse:2020]
- Boosting fuzzer efficiency: An information theoretic perspective [bohme:fse:2020]
- SUSHI: A test generator for programs with complex structured inputs [braione:icse:2018]
- SAVIOR: Towards bug-driven hybrid testing [chen:sp:2020]
- QuickCheck: A lightweight tool for random testing of Haskell programs [claessen:icfp:2000]
- Study of integrating random and symbolic testing for object-oriented software [dimjasevic:ifm:2018]
- Program state abstraction for feedback-driven fuzz testing using likely invariants [fioraldi:arxiv:2020]
- Feedback-directed unit test generation for C/C++ using concolic execution [garg:icse:2013]
- Fuzzing: Hack, art, and science [godefroid:cacm:2020]
- DeepState: Symbolic unit testing for C and C++ [goodman:ndss:2018]
- Just fuzz it: Solving floating-point constraints using coverage-guided fuzzing [liew:fse:2019]
- Fuzzing loop optimizations in compilers for C++ and data-parallel languages [livinskii:pldi:2023]
- Test-case reduction via test-case generation: Insights from the Hypothesis reducer [maciver:ecoop:2020]
- The art, science, and engineering of fuzzing: A survey [manes:ieeetse:2019]
- An empirical study of the reliability of UNIX utilities [miller:cacm:1990]
- Semantic fuzzing with Zest [padhye:issta:2019]
- FuzzFactory: Domain-specific fuzzing with waypoints [padhye:oopsla:2019]
- Deferred concretization in symbolic execution via fuzzing [pandey:issta:2019]
- Symbolic execution with SymCC: Don't interpret, compile! [poeplau:usenix:2020]
- Test-case reduction for C compiler bugs [regehr:pldi:2012]
- Towards making formal methods normal: meeting developers where they are [reid:hatra:2020]
- PG-KLEE: Trading soundness for coverage [rutledge:icse:2020]
- Driller: Augmenting fuzzing through selective symbolic execution [stephens:ndss:2016]
- COASTAL: Combining concolic and fuzzing for Java (competition contribution) [visser:tacas:2020]
- QSYM: A practical concolic execution engine tailored for hybrid fuzzing [yun:usenix:2018]