poster

Public Access

POSTER: AFL-based Fuzzing for Java with Kelinci

Authors:

Rody Kersten,

Kasper Luckow,

Corina S. PăsăreanuAuthors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Pages 2511 - 2513

https://doi.org/10.1145/3133956.3138820

Published: 30 October 2017 Publication History

PDF eReader

Abstract

Grey-box fuzzing is a random testing technique that has been shown to be effective at finding security vulnerabilities in software. The technique leverages program instrumentation to gather information about the program with the goal of increasing the code coverage during fuzzing, which makes gray-box fuzzers extremely efficient vulnerability detection tools. One such tool is AFL, a grey-box fuzzer for C programs that has been used successfully to find security vulnerabilities and other critical defects in countless software products. We present Kelinci, a tool that interfaces AFL with instrumented Java programs. The tool does not require modifications to AFL and is easily parallelizable. Applying AFL-type fuzzing to Java programs opens up the possibility of testing Java based applications using this powerful technique. We show the effectiveness of Kelinci by applying it on the image processing library Apache Commons Imaging, in which it identified a bug within one hour.

References

[1]

ASM 2017. http://asm.ow2.org/. (2017). shownoteAccessed August 11, 2017.

Google Scholar

[2]

S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. 2012. Unleashing Mayhem on Binary Code. In 2012 IEEE Symposium on Security and Privacy. 380--394.

Digital Library

Google Scholar

Cited By

View all

Han JZhang ZDu YWang WChen X(2024)ESFuzzer: An Efficient Way to Fuzz WebAssembly InterpreterElectronics10.3390/electronics1308149813:8(1498)Online publication date: 15-Apr-2024
https://doi.org/10.3390/electronics13081498
Daniele CAndarzian SPoll E(2024)Fuzzers for Stateful Systems: Survey and Research DirectionsACM Computing Surveys10.1145/364846856:9(1-23)Online publication date: 25-Apr-2024
https://dl.acm.org/doi/10.1145/3648468
Nilizadeh ALeavens GPăsăreanu CLe XCok D(2024)Does Going Beyond Branch Coverage Make Program Repair Tools More Reliable?2024 IEEE Conference on Software Testing, Verification and Validation (ICST)10.1109/ICST60714.2024.00033(281-292)Online publication date: 27-May-2024
https://doi.org/10.1109/ICST60714.2024.00033
Show More Cited By

Index Terms

POSTER: AFL-based Fuzzing for Java with Kelinci
1. Security and privacy
  1. Software and application security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods
        Dynamic analysis

Recommendations

ArbitCheck: A Highly Automated Property-Based Testing Tool for Java
ICSTW '14: Proceedings of the 2014 IEEE International Conference on Software Testing, Verification, and Validation Workshops

Lightweight property-based testing tools are becoming popular these days. With property-based testing, developers can test properties of the system under test against large varieties of randomly generated inputs without writing test cases. Despite the ...
Speeding Up Bug Finding using Focused Fuzzing
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security

Greybox fuzzing has recently emerged as a scalable and practical approach to finding security bugs in software. For example, AFL ---the current state-of-the-art greybox fuzzer --- has found hundreds of vulnerabilities in popular software since its ...
JCrasher: an automatic robustness tester for Java

JCrasher is an automatic robustness testing tool for Java code. JCrasher examines the type information of a set of Java classes and constructs code fragments that will create instances of different types to test the behavior of public methods under ...

Comments

Information & Contributors

Information

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

October 2017

2682 pages

ISBN:9781450349468

DOI:10.1145/3133956

General Chair:
Bhavani Thuraisingham
The University of Texas at Dallas, USA
,
Program Chairs:
David Evans
University of Virginia
,
Tal Malkin
Columbia University
,
Dongyan Xu
Purdue University

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

Defense Advanced Research Projects Agency

Conference

CCS '17

Sponsor:

SIGSAC

CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security

October 30 - November 3, 2017

Texas, Dallas, USA

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

36
Total Citations
View Citations
1,675
Total Downloads

Downloads (Last 12 months)209
Downloads (Last 6 weeks)28

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Han JZhang ZDu YWang WChen X(2024)ESFuzzer: An Efficient Way to Fuzz WebAssembly InterpreterElectronics10.3390/electronics1308149813:8(1498)Online publication date: 15-Apr-2024
https://doi.org/10.3390/electronics13081498
Daniele CAndarzian SPoll E(2024)Fuzzers for Stateful Systems: Survey and Research DirectionsACM Computing Surveys10.1145/364846856:9(1-23)Online publication date: 25-Apr-2024
https://dl.acm.org/doi/10.1145/3648468
Nilizadeh ALeavens GPăsăreanu CLe XCok D(2024)Does Going Beyond Branch Coverage Make Program Repair Tools More Reliable?2024 IEEE Conference on Software Testing, Verification and Validation (ICST)10.1109/ICST60714.2024.00033(281-292)Online publication date: 27-May-2024
https://doi.org/10.1109/ICST60714.2024.00033
Li WRuan JYi GCheng LLuo XCai HCalandrino JTroncoso C(2023)POLYFUZZProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620315(1379-1396)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620315
Ji RXu M(2023)Finding Specification Blind Spots via Fuzz Testing2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179438(2708-2725)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179438
Mista ARusso A(2023)MUTAGEN: Reliable Coverage-Guided, Property-Based Testing using Exhaustive Mutations2023 IEEE Conference on Software Testing, Verification and Validation (ICST)10.1109/ICST57152.2023.00025(176-187)Online publication date: Apr-2023
https://doi.org/10.1109/ICST57152.2023.00025
Guo SWan XYou WLiang BShi WZhang YHuang JZhang JGrundy JPollock LPenta M(2023)Operand-Variation-Oriented Differential Analysis for Fuzzing Binding Calls in PDF ReadersProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00020(95-107)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00020
Zhou JChen T(2023)WASMODIET Blockchain10.1049/blc2.120293:4(172-181)Online publication date: 15-May-2023
https://dl.acm.org/doi/10.1049/blc2.12029
Lima RFerreira JMendes ACarreira C(2023)DifFuzzAR: automatic repair of timing side-channel vulnerabilities via refactoringAutomated Software Engineering10.1007/s10515-023-00398-631:1Online publication date: 18-Oct-2023
https://dl.acm.org/doi/10.1007/s10515-023-00398-6
Dakhama AEven-Mendoza KLangdon WMenendez HPetke J(2023)SearchGEM5: Towards Reliable Gem5 with Search Based Software Testing and Large Language ModelsSearch-Based Software Engineering10.1007/978-3-031-48796-5_14(160-166)Online publication date: 8-Dec-2023
https://dl.acm.org/doi/10.1007/978-3-031-48796-5_14
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

ArbitCheck: A Highly Automated Property-Based Testing Tool for Java

Speeding Up Bug Finding using Focused Fuzzing

JCrasher: an automatic robustness tester for Java

Comments

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF

eReader

Login options

Full Access

Abstract

References

Cited By

Index Terms

Recommendations

ArbitCheck: A Highly Automated Property-Based Testing Tool for Java

Speeding Up Bug Finding using Focused Fuzzing

JCrasher: an automatic robustness tester for Java

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations