TY - GEN
T1 - Empirical analysis and modeling of black-box mutational fuzzing
AU - Zhao, Mingyi
AU - Liu, Peng
N1 - Funding Information:
We sincerely thank our shepherd and the anonymous reviewers for their valuable comments and suggestions on early versions of this paper. This work was supported by ARO W911NF-13-1-0421 (MURI), NSF CCF-1320605, NSF CNS-1422594, NSF CNS-1505664, ARO W911NF-15-1-0576, and NIETP CAE Cybersecurity Grant.
Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - Black-box mutational fuzzing is a simple yet effective method for finding software vulnerabilities. In this work, we collect and analyze fuzzing campaign data of 60,000 fuzzing runs, 4,000 crashes and 363 unique bugs, from multiple Linux programs using CERT Basic Fuzzing Framework. Motivated by the results of empirical analysis, we propose a stochastic model that captures the long-tail distribution of bug discovery probability and exploitability. This model sheds light on practical questions such as what is the expected number of bugs discovered in a fuzzing campaign within a given time, why improving software security is hard, and why different parties (e.g., software vendors, white hats, and black hats) are likely to find different vulnerabilities. We also discuss potential generalization of this model to other vulnerability discovery approaches, such as recently emerged bug bounty programs.
UR - http://www.scopus.com/inward/record.url?scp=84962425379&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84962425379&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-30806-7_11
DO - 10.1007/978-3-319-30806-7_11
M3 - Conference contribution
AN - SCOPUS:84962425379
SN - 9783319308050
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 173
EP - 189
BT - Engineering Secure Software and Systems - 8th International Symposium, ESSoS 2016, Proceedings
A2 - Bodden, Eric
A2 - Caballero, Juan
A2 - Athanasopoulos, Elias
PB - Springer Verlag
T2 - 8th International Symposium on Engineering Secure Software and Systems, ESSoS 2016
Y2 - 6 April 2016 through 8 April 2016
ER -