SANER 2018

2018 IEEE 25th International Conference on Software Analysis, Evolution, and Reengineering (SANER), March 20-23, 2018, Campobasso, Italy

Desktop Layout

Development and Testing
Industry Track
Room 2
Fuzz Testing in Practice: Obstacles and Solutions
Jie Liang, Mingzhe Wang, Yuanliang Chen, Yu Jiang, and Renwei Zhang
(Tsinghua University, China; Huawei, China)
Abstract: Fuzz testing has helped security researchers and organizations discover a large number of vulnerabilities. Although it is efficient and widely used in industry, hardly any empirical studies and experience exist on the customization of fuzzers to real industrial projects. In this paper, collaborating with the engineers from Huawei, we present the practice of adapting fuzz testing to a proprietary message middleware named libmsg, which is responsible for the message transfer of the entire distributed system department. We present the main obstacles coming across in applying an efficient fuzzer to libmsg, including system configuration inconsistency, system build complexity, fuzzing driver absence. The solutions for those typical obstacles are also provided. For example, for the most difficult and expensive obstacle of writing fuzzing drivers, we present a low-cost approach by converting existing sample code snippets into fuzzing drivers. After overcoming those obstacles, we can effectively identify software bugs, and report 9 previously unknown vulnerabilities, including flaws that lead to denial of service or system crash.

Authors:


Time stamp: 2019-09-16T08:27:33+02:00