Skip to content

Latest commit

 

History

History
261 lines (235 loc) · 34.2 KB

README_en.md

File metadata and controls

261 lines (235 loc) · 34.2 KB
layout
default

Recent Papers/Blogs/Tools Related to Fuzzing

The blog post contains classic fuzzing books, papers about fuzzing at information security top conferences over the years, commonly used fuzzing tools, and blogs that can quickly learn fuzzing tools.

1 Books

  • The Fuzzing Book (2019):This book is based on principles + code exercises, combined with practical exercises, to complete a fuzzing test framework from 0 to 1. If you want to write your own fuzzing framework, you can refer to this book.
  • Fuzzing for Software Security Testing and Quality Assurance (2018):This book introduces the idea of fuzzing into the software development life cycle. In fact, many efficient fuzzing tests are often considered in the development stage. The book discusses the development of fuzz tools, including not only some emerging open source tools, but also many commercial ones. How to choose the right fuzzer for software development projects is also one of the themes of this book.

2 Articles&Papers

This chapter contains top-level information security and classic papers in some journals. We just want to select some of them with relatively high technical value or relatively novel articles to facilitate subsequent learning.

Others

NDSS

USENIX Security

IEEE S&P

ACM CCS

3 Tools

Common and practical tools are included here, most of which have been practiced by the author and have a certain degree of universality. There are also some excellent tools that have not been maintained and updated for a long time and have very limited applicable scenarios, which are not included.

Mutator

  • Radamsa: Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestringly different outputs from them. The main selling points of radamsa are that it has already found a slew of bugs in programs that actually matter, it is easily scriptable and, easy to get up and running.
  • zzuf: zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input. zzuf's behaviour is deterministic, making it easy to reproduce bugs.

Binary

  • afl-unicorn: Fuzzing The 'Unfuzzable' : afl-unicorn lets you fuzz any piece of binary that can be emulated by Unicorn Engine.
  • Intriguer: Intriguer is a concolic execution engine for hybrid fuzzing. The key idea of Intriguer is a field-level constraint solving, which optimizes symbolic execution with field-level information.
  • Unicorefuzz: Fuzzing the Kernel using UnicornAFL and AFL++. For details, skim through the WOOT paper or watch this talk at CCCamp19.
  • libFuzzer: LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.
  • Honggfuzz: A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.
  • syzkaller: syzkaller is an unsupervised coverage-guided kernel fuzzer.
  • frida-fuzzer: This experimetal fuzzer is meant to be used for API in-memory fuzzing.
  • winafl: A fork of AFL for fuzzing Windows binaries
  • trinity: Linux system call fuzzer.
  • NtCall64: Windows NT x64 syscall fuzzer .
  • kDriver-Fuzzer: A kernel driver fuzzer, based on ioctlbf.
  • FuzzBALL: Vine-based Binary Symbolic Execution.

API/Protocol

  • Sulley/Boofuzz: A fork and successor of the Sulley Fuzzing Framework
  • fuzzowski: The Network Protocol Fuzzer that we will want to use.
  • Peach: Peach is a fuzzing framework which uses a DSL for building fuzzers and an observer based architecture to execute and monitor them.
  • Defensics: Defensics is a comprehensive, versatile, automated black box fuzzer that enables organizations to efficiently and effectively discover and remediate security weaknesses in software.
  • bsSTORM: Black box Fuzz Testing is a requirement of the Verification phase of the SDL, the industry-leading software security assurance process that was created by Microsoft and proven effective since 2004.
  • API-fuzzer: API Fuzzer which allows to fuzz request attributes using common pentesting techniques and lists vulnerabilities
  • domato: A DOM fuzzer: Written and maintained by Ivan Fratric, ifratric@google.com

Firmware