Fuzzing is a widely used technique for finding bugs and vulnerabilities in software. A popular variant is mutation-based fuzzing, which has been broadly adopted in industry for bug detection. The algorithms behind mutation-based fuzzing are complex, however, and their results are hard to predict. Most efforts to improve the technique have concentrated on optimising the scheduling of the initial seeds, but that approach has not shown consistent improvements in practice.
The authors of this distinguished paper, from TU Darmstadt, TU Delft, Radboud University and the University of Zagreb, propose DARWIN, a new approach that optimises mutation scheduling with an evolutionary strategy. DARWIN is implemented as a prototype on top of the popular general-purpose fuzzer AFL. In experiments it outperformed existing mutation schedulers and the AFL baseline, finding more bugs in widely used real-world applications. The results show that DARWIN improves the fuzzing process without adding user-configurable parameters, which keeps it accessible to a wide range of users.
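To make the idea of evolving a mutation schedule concrete, here is a small added illustration. It is not DARWIN's code and not AFL's: the toy target, its hand-made "edge" instrumentation, the six mutation operators, the fitness function (new edges found in a fixed window of executions) and the (1+λ) evolution strategy over operator weights are all assumptions made for this sketch. The paper's actual fitness function, strategy parameters and AFL integration are described in the paper itself.

```python
import math
import random
from typing import List, Set

MAGIC = b"FUZZ"   # constructed toy format: magic, kind byte, length byte, payload


def target(data: bytes) -> Set[str]:
    """Stand-in for an instrumented target: returns the set of branch ids hit."""
    edges = {"entry"}
    if len(data) < 4:
        return edges | {"short"}
    if data[:4] != MAGIC:
        return edges | {"bad_magic"}
    edges.add("magic_ok")
    if len(data) < 6:
        return edges | {"no_header"}
    kind, length = data[4], data[5]
    edges.add(f"kind_{kind & 0x07}")          # eight reachable kinds
    if length > len(data) - 6:
        edges.add("length_overflow")           # the missing bounds check a fuzzer hunts for
        return edges
    edges.add("length_ok")
    payload = data[6:6 + length]
    if payload and sum(payload) % 97 == 0:
        edges.add("checksum_hit")
    return edges


# Mutation operators, loosely modelled on AFL's havoc stage (assumed set, not AFL's code).
def flip_bit(buf: bytearray, rng: random.Random) -> None:
    if buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)

def set_interesting(buf: bytearray, rng: random.Random) -> None:
    if buf:
        buf[rng.randrange(len(buf))] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])

def arith(buf: bytearray, rng: random.Random) -> None:
    if buf:
        i = rng.randrange(len(buf))
        buf[i] = (buf[i] + rng.randint(-35, 35)) & 0xFF

def insert_bytes(buf: bytearray, rng: random.Random) -> None:
    i = rng.randint(0, len(buf))
    buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))

def delete_bytes(buf: bytearray, rng: random.Random) -> None:
    if len(buf) > 1:
        i = rng.randrange(len(buf))
        del buf[i:i + rng.randint(1, 4)]

def insert_token(buf: bytearray, rng: random.Random) -> None:   # stands in for dictionary insertion
    i = rng.randint(0, len(buf))
    buf[i:i] = MAGIC

OPERATORS = [flip_bit, set_interesting, arith, insert_bytes, delete_bytes, insert_token]


def mutate(seed: bytes, weights: List[float], rng: random.Random) -> bytes:
    """Apply a random stack of operators drawn according to the schedule's weights."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        rng.choices(OPERATORS, weights=weights)[0](buf, rng)
    return bytes(buf[:64])                     # cap growth so inputs stay small


def fuzz_round(corpus: List[bytes], covered: Set[str], weights: List[float],
               rng: random.Random, n_execs: int = 200) -> int:
    """Fuzz n_execs times under one schedule, growing corpus and coverage; return new edges found."""
    new = 0
    for _ in range(n_execs):
        inp = mutate(rng.choice(corpus), weights, rng)
        fresh = target(inp) - covered
        if fresh:
            covered |= fresh
            corpus.append(inp)
            new += len(fresh)
    return new


def normalize(w: List[float]) -> List[float]:
    s = sum(w)
    return [x / s for x in w]


def perturb(weights: List[float], rng: random.Random, sigma: float = 0.5) -> List[float]:
    """Log-normal perturbation: every operator keeps a non-zero probability."""
    return normalize([w * math.exp(rng.gauss(0, sigma)) for w in weights])


def evolve(generations: int = 6, lam: int = 4, n_execs: int = 200, seed: int = 1):
    """(1+lambda) evolution strategy over operator weights; fitness = new edges in a window."""
    rng = random.Random(seed)
    corpus = [b"FUZZ\x01\x02ab", b"hello"]     # constructed seed inputs
    covered: Set[str] = set()
    for c in corpus:
        covered |= target(c)
    parent = normalize([1.0] * len(OPERATORS))   # uniform, i.e. the plain-AFL-style baseline
    history = []
    for _ in range(generations):
        # The parent is re-scored alongside its children every generation, because the
        # fitness landscape shifts as coverage saturates. Ties keep the parent.
        candidates = [parent] + [perturb(parent, rng) for _ in range(lam)]
        scored = [(fuzz_round(corpus, covered, w, rng, n_execs), w) for w in candidates]
        best_fit, parent = max(scored, key=lambda t: t[0])
        history.append(best_fit)
    return parent, covered, history


if __name__ == "__main__":
    weights, covered, history = evolve()
    for op, w in zip(OPERATORS, weights):
        print(f"{op.__name__:16s} {w:.3f}")
    print("edges covered:", len(covered), "new edges per generation:", history)
```

One caveat worth noticing in the sketch: candidates are scored sequentially against a shared corpus and coverage set, so whichever schedule runs first gets the easy edges and the later ones look worse than they are. A real scheduler has to measure every candidate under comparable conditions (separate windows, or relative improvement), which is exactly the kind of detail that makes mutation scheduling harder than it looks from the outside.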
Network and Distributed System Security (NDSS) Symposium is one of the premier venues in IT security and privacy. The conference took place from February 26 – March 1, 2023 in San Diego, USA.
by Patrick Jauernig (Technical University of Darmstadt), Domagoj Jakobovic (University of Zagreb, Croatia), Stjepan Picek (Radboud University and TU Delft), Emmanuel Stapf (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)
The work was supported by the German Federal Ministry of Education and Research within ATHENE (16KIS1417), by the German Federal Ministry of Education and Research and the Hessian State Ministry for Higher Education, Research and the Arts within the StartUpSecure funding program "Sanctuary", and by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (Project ASSURED, grant agreement No. 952697).