Fuzzing consists of repeatedly testing an application with modified, orfuzzed, inputs with the goal of finding security vulnerabilities ininput-parsing code. In this paper, we show how to automate the generation of aninput grammar suitable for input fuzzing using sample inputs andneural-network-based statistical machine-learning techniques. We present adetailed case study with a complex input format, namely PDF, and a largecomplex security-critical parser for this format, namely, the PDF parserembedded in Microsoft's new Edge browser. We discuss (and measure) the tensionbetween conflicting learning and fuzzing goals: learning wants to capture thestructure of well-formed inputs, while fuzzing wants to break that structure inorder to cover unexpected code paths and find bugs. We also present a newalgorithm for this learn&fuzz challenge which uses a learnt input probabilitydistribution to intelligently guide where to fuzz inputs.
展开▼
