papers

[2013]

Fuzzing for fun and for $$$ S. Bekrar & Fabien Duchene
A high-level discussion of the end-to-end fuzzing process, with reasonably up-to-date and detailed ideas for common/typical fuzzing
Fuzzing_for_evil_and_for_profit-for_publication [pdf]

MBFuzzer – MITM Fuzzing for Mobile Applications Fatih Özavcı
A Man-in-the-Middle fuzzer for testing web-service based mobile communications
mbfuzzer-1-0-pre.pdf [pdf]

Taming Compiler Fuzzers Yang Chen, Alex Groce, Chaoqiang Zhang, et al.
A study of ideas for effective management of bugs discovered by compiler/runtime fuzzers; most importantly, discovering the bugs of most interest out of a large set.
pldi13.pdf [pdf]

Online Model-Based Behavioral Fuzzing Martin Schneider, Jürgen Großmann, Ina Schieferdecker, Andrej Pietschker
A study of generating model-based behavioral test cases at execution time, with allowance for feedback loops from previous case execution
sectest2013_submission_9 [pdf]

[2012]

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution Brian S. Pak
Using Symbolic Execution to generate random fuzzing inputs that exercise the discovered code paths within a piece of software.
CMU-CS-12-116.pdf [pdf]

Everyone Has His or Her Own Fuzzer Beist
Introduction to fuzzing that touches on IL, Symbolic Execution, more ‘intelligent’ fuzzing, crash binning, and tips for beginners.
2012_6th_codeengn_beist_everyone_has_his_or_her_own_fuzzer [pdf]

Windows kernel fuzzing for beginners Ben Nagy
An introduction to getting started fuzzing modern Windows user-mode-to-kernel interfaces
nagy-kernel [pdf]

Fuzzing: The state of the art Richard McNally, Ken Yiu, Duncan Grove and Damien Gerhardy (Australian DoD)
A study of recent advances in fuzzing, surveying the current state of technologies and concepts in use today.
DSTO-TN-1043 PR [pdf]

GDI Font Fuzzing in Windows Kernel for Fun Lee Ling Chuan & Chan Lee Yee
Fuzzing the GDI TrueType & GDI Bitmap fonts on the Windows platform
bh-eu-12-Lee-GDI_Font_Fuzzing-WP [pdf]

SAGE: Whitebox Fuzzing for Security Testing Patrice Godefroid & Michael Y. Levin & David Molnar
An article in Communications of the ACM introducing Microsoft’s highly regarded SAGE fuzzer.
cacm2012 [pdf]

Fuzzing With Code Fragments Christian Holler, Kim Herzig, Andreas Zeller
A discussion of LangFuzz, an implementation of a language fuzzer proven to discover bugs in interpreters
sec12-final73 [pdf]

Fuzz Testing: Improving Medical Device Quality & Safety MDISS & Codenomicon
Warning: Sales-oriented. A high-level overview of applying fuzzing to medical devices.
codenomicon-mdiss-fuzz-framework-16 [pdf]

[2011]

Fuzz Testing for Dummies Art Manion & Michael Orlando
Introduction to the basics of fuzzing, discussion of CERT fuzzing tools (BFF/FOE) and results/vulns discovered
ag_16b_ICSJWG_Spring_2011_Conf_Manion_Orlando [pdf]

Showing how security has (and hasn’t) improved, after ten years of trying Dan Kaminsky & Michael Eddington & Adam Cecchetti
A case study of using fuzzing to attempt to analyse whether the general state of software security has improved over the last ten years
Showing How Security Has Improved [pdf]

Offset-Aware Mutation Based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results Sanjay Rawat & Laurent Mounier
Using taint analysis to modify specific byte offsets in the original seed files to hunt down and execute dangerous code paths
offset-aware [pdf]

[2010]

Industrial Bug Mining Ben Nagy
A high-level view of the end-to-end fuzzing process, focussing on bug triage, scaling, binary instrumentation
BlackHat-USA-2010-Nagy-Industrial-Bug-Mining-slides [pdf]

Zero-Knowledge fuzzing Vincenzo Iozzo
Building and applying a fuzzer without the need to have an in-depth understanding of the protocol/format/input being manipulated
0knowledge_fuzzing_paper [pdf]

Crash Analysis with BitBlaze Charlie Miller & UC Berkeley
Introduction to ‘BitBlaze’ – a tool to determine the exploitability and priority of crashes post-fuzzing
CrashAnalysis [pdf]

Introduction to Fuzzing Dan Guido
A university-level introduction to major fuzzing topics
FuzzingIntro_fall2010 [pdf]

Prospecting for rootite Ben Nagy & The Grugq
Overview of obtaining seed files and solving the Set Cover Problem, for maximum fuzzer code coverage
ben-nagy.prospecting-for-rootite.2010 [pdf]

In Memory Fuzzing sinn3r
Introduction to, and usage of, a new in-memory fuzzing tool
memory-fuzzing [pdf]

Fuzzing: The SMB Case Laurent Gaffie
Introduction to SMB, how to approach fuzzing using a library of packet captures, case-study of bugs found
stratsec—HackitoErgoSum-2010—Fuzzing-the-SMB-Case [pdf]

Letting your fuzzer know about the target’s internals Rodrigo Rubira Branco
Using feedback from debuggers and taint analysis to direct fuzzing efforts
troopers_fuzzer [pdf]

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang & Tao Wei & Guofei Gu & Wei Zou
Defeating the common problem of invalid checksums by using taint analysis
taintscope-oakland [pdf]

Fuzzing in the cloud (Microsoft position statement) Patrice Godefroid & David Molnar
A statement released by Microsoft suggesting that “the cloud” will revolutionise fuzzing, and why.
fuzzing_in_the_cloud [pdf]

How to FAIL at Fuzzing Ben Nagy
A high-level run-through of Ben’s Kiwicon talk, offering some insightful but rarely discussed ideas
ben_nagy_how_to_fail_at_fuzzing [pdf]

Babysitting an army of monkeys Charlie Miller
Fuzzing 4 products (Acrobat Reader PDF, OS X Preview PDF, OpenOffice PPT, MS Office PPT) with 5 lines of Python
cmiller-CSW-2010 [pdf - file has been messed up. does anyone have a better copy?] 

[2009]

Fuzzgrind: an automatic fuzzing tool Gabriel Campana
Using taint analysis to ensure a fuzzer reaches all possible code paths. Uses STP and Valgrind
09-hacklu-fuzzgrind [pdf]

Fuzzing the phone in your phone Charlie Miller & Collin Mulliner
Searching for phone-application specific vulnerabilities in smartphones
BHUSA09-Miller-FuzzingPhone-PAPER [pdf]

Demystifying Fuzzers Michael Eddington
The process of applying fuzzers to find security flaws, and fuzzers’ involvement in the SDL
BHUSA09-Eddington-DemystFuzzers-PAPER [pdf]

Fuzzing for security flaws John Heasman
University-level introduction to the main concepts behind fuzzing and fuzzers
04-fuzzing [pdf]

Deep Fuzzing MS Word / Office (With Ruby) Ben Nagy
Massively parallelized high-speed fuzzing of MS Office documents
A New Fuzzing Framework [pptx]

Taint-based Directed Whitebox Fuzzing Vijay Ganesh & Tim Leek & Martin Rinard
Using taint analysis as feedback into the mutation process to get more coverage when fuzzing
icse09 [pdf]

Making software dumber Tavis Ormandy
Feedback-directed fuzzing using taint analysis to explore an application’s internals. Introduction to Google’s Flayer tool
making_software_dumber [pdf]

Fusil the fuzzer Victor Stinner
Presenting Fusil: a Python fuzzing framework that has claimed bugs in a variety of common applications.
fosdem_2009 [pdf]

[2008]

zzuf – multiple purpose fuzzer Sam Hocevar
Introduction to using the zzuf multi-purpose input fuzzer
Zzuf [pdf]

Fuzz By Number – More Data About Fuzzing Than You Ever Wanted To Know Charlie Miller
A showdown between GPF, Taof, ProxyFuzz, Mu-4000, Codenomicon, beSTORM, and some application specific fuzzers.
cmiller_cansecwest2008 [pdf]

Fuzzing 101 Mike Zusman
A two-part NYU/Poly.edu introduction to fuzzing – history, the process, ActiveX fuzzing, Protocol fuzzing with Spike
fuzzing-1 [pdf], fuzzing-2 [pdf]

GSM Protocol Fuzzing Harald Welte
Introduction to GSM, application of fuzzing to GSM
gsm_fuzzing [pdf]

Exposing Vulnerabilities in Media Software David Thiel
Discussion of fuzzing applied specifically to media software. Includes case studies.
iSEC-Thiel-Exposing-Vulnerabilities-Media-Software-Presentation [pdf]

Grammar-based Whitebox Fuzzing Patrice Godefroid & Adam Kiezun & Michael Y. Levin
In-depth paper on how to use whitebox fuzzing to test complex highly-structured input of applications using a grammar of their valid inputs.
pldi2008 [pdf]

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs Cristian Cadar & Daniel Dunbar & Dawson Engler
Introduction and overview of KLEE, a tool that automatically generates test inputs and achieves high code coverage within the target application
klee-osdi-2008 [pdf]

Fuzzing WTF? what fuzzing was, is, and soon will be Mikko Varpiola & Nate Kube
A discussion of the history, current situation, and future ideas for fuzzing, focusing on genetic techniques
csw08-marcus-varpiola [pdf]

[2007]

Fuzzing Sucks! Introducing the sulley fuzzing framework Pedram Amini & Aaron Portnoy
An introduction to why Sulley was developed, followed by a brief discussion of its various components and how it works.
introducing_sulley [pdf]

Fuzzing & exploiting wireless device drivers Sylvester Keil & Clemens Kolbitsch
Fuzzing 802.11 drivers
DeepSec__Keil_Kolbitsch – Presentation Virtual_Fuzzing [pdf]

KiF – a stateful SIP fuzzer Humberto J. Abdelnur & Radu State & Olivier Festor
Analysis of SIP fuzzing, discussion of KiF, a stateful SIP fuzzing tool, and the vulnerabilities it discovered.
IPTCOMM2007_presentation [pdf]

Fuzzing in Microsoft and Fuzzguru Framework John Neystadt
A brief overview of Microsoft’s Fuzzguru framework
OWASP_IL_7_FuzzGuru [pdf]

Analysis of Mutation and Generation-Based Fuzzing Charlie Miller & Zachary N.J. Peterson
A discussion and research-backed comparison of generational vs mutational fuzzing against PNG files
analysisfuzzing [pdf]

Wi-Fi Advanced Fuzzing Laurent Butti
Fuzzing 802.11 and discussion of some discovered vulnerabilities
bh-eu-07-Butti [pdf]

Fuzzing Frameworks Pedram Amini & Aaron Portnoy
Discussion of existing fuzzing frameworks, introduction and exploration of the Sulley fuzzing framework
bh-usa-07-amini_and_portnoy-WP [pdf]

Fuzzing with Code Coverage Charlie Miller
Using code coverage results to improve fuzzing, find better crash testcases. Also touches on evolutionary fuzzing.
cmiller_toorcon2007 [pdf]

Automated Whitebox Fuzz Testing Patrice Godefroid & Michael Y. Levin & David Molnar
Microsoft & UC Berkeley’s paper on whitebox fuzzing, including symbolic execution, constraint solving, and discussion of Microsoft’s SAGE.
TR-2007-58 [pdf]

Flayer: Exposing Application Internals Will Drewry & Tavis Ormandy
Introduction to the Flayer tool; a dynamic taint analysis integrated within Valgrind.
flayer_exposing_applications_internals [pdf]

[2006]

The evolving art of fuzzing Jared DeMott
An early paper covering the major aspects of fuzzing
The_Evolving_Art_of_Fuzzing_paper [pdf]

[2005]

The Art of File Format Fuzzing Michael Sutton & Adam Greene
The process of fuzzing file formats on multiple platforms
bh-jp-05-sutton-greene [pdf]

[2002]

The Advantages of Block-Based Protocol Analysis for Security Testing Dave Aitel
Breaking protocols down into logical blocks and creating models to fuzz from. Introduction to the infamous SPIKE fuzzer.
advantages_of_block_based_analysis [pdf]

[1990]

An Empirical Study of the Reliability of UNIX Utilities Barton P. Miller & Lars Fredriksen & Bryan So
The original paper studying the effect of unexpected input on UNIX utilities.
fuzz [pdf]
