Awesome Fuzzing – Massive Collection of Resources

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs.

A curated list of references to awesome Fuzzing for security testing. Additionally there is a collection of freely available academic papers, tools and so on.

Contents

• Books
• Papers
• Tools
• Platform

Books

• The Fuzzing Book (2019)
• The Art, Science, and Engineering of Fuzzing: A Survey (2019) –
  Actually, this document is a paper, but it contains more important and essential content than any other book.
• Fuzzing for Software Security Testing and Quality Assurance, 2nd Edition (2018)
• Fuzzing: Brute Force Vulnerability Discovery, 1st Edition (2007)
• Open Source Fuzzing Tools, 1st Edition (2007)

Talks

• Effective File Format Fuzzing, Black Hat Europe 2016
• Adventures in Fuzzing, NYU Talk 2018
• Fuzzing with AFL, NDC Conferences 2018

Papers

To achieve a well-defined scope, I have chosen to include publications on fuzzing in the last proceedings of 4
top major security conferences and others from Jan 2008 to Jul 2019.
It includes (i) Network and Distributed System Security Symposium (NDSS), (ii) IEEE Symposium on
Security and Privacy (S&P), (iii) USENIX Security Symposium (USEC), and (iv) ACM Conference on Computer and Communications Security (CCS).

The Network and Distributed System Security Symposium (NDSS)

• HFL: Hybrid Fuzzing on the Linux Kernel, 2020
• HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing, 2020
• HYPER-CUBE: High-Dimensional Hypervisor Fuzzing, 2020
• Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization, 2020
• CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, 2019
• PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary, 2019
• REDQUEEN: Fuzzing with Input-to-State Correspondence, 2019
• Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing, 2019
• Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications, 2019
• INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing, 2018
• IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing, 2018
• What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices, 2018
• Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing, 2018
• Vuzzer: Application-aware evolutionary fuzzing, 2017
• DELTA: A Security Assessment Framework for Software-Defined Networks, 2017
• Driller: Augmenting Fuzzing Through Selective Symbolic Execution, 2016
• Automated Whitebox Fuzz Testing, 2008

IEEE Symposium on Security and Privacy (IEEE S&P)

• Fuzzing JavaScript Engines with Aspect-preserving Mutation, 2020
• IJON: Exploring Deep State Spaces via Fuzzing, 2020
• Krace: Data Race Fuzzing for Kernel File Systems, 2020
• Pangolin:Incremental Hybrid Fuzzing with Polyhedral Path Abstraction, 2020
• RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization, 2020
• Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing, 2019
• Fuzzing File Systems via Two-Dimensional Input Space Exploration, 2019
• NEUZZ: Efficient Fuzzing with Neural Program Smoothing, 2019
• Razzer: Finding Kernel Race Bugs through Fuzzing, 2019
• Angora: Efficient Fuzzing by Principled Search, 2018
• CollAFL: Path Sensitive Fuzzing, 2018
• T-Fuzz: fuzzing by program transformation, 2018
• Skyfire: Data-Driven Seed Generation for Fuzzing, 2017
• Program-Adaptive Mutational Fuzzing, 2015
• TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection, 2010

USENIX Security

• FANS: Fuzzing Android Native System Services via Automated Interface Analysis, 2020
• Analysis of DTLS Implementations Using Protocol State Fuzzing, 2020
• EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit, 2020
• Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection, 2020
• FuzzGen: Automatic Fuzzer Generation, 2020
• ParmeSan: Sanitizer-guided Greybox Fuzzing, 2020
• SpecFuzz: Bringing Spectre-type vulnerabilities to the surface, 2020
• FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning, 2020
• Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer, 2020
• GREYONE: Data Flow Sensitive Fuzzing, 2020
• Fuzzification: Anti-Fuzzing Techniques, 2019
• AntiFuzz: Impeding Fuzzing Audits of Binary Executables, 2019
• Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems, 2018
• MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation, 2018
• QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing, 2018
• OSS-Fuzz – Google’s continuous fuzzing service for open source software, 2017
• kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels, 2017
• Protocol State Fuzzing of TLS Implementations, 2015
• Optimizing Seed Selection for Fuzzing, 2014
• Dowsing for overflows: a guided fuzzer to find buffer boundary violations, 2013
• Fuzzing with Code Fragments, 2012

ACM Conference on Computer and Communications Security (ACM CCS)

• Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing, 2019
• Learning to Fuzz from Symbolic Execution with Application to Smart Contracts, 2019
• Matryoshka: fuzzing deeply nested branches, 2019
• Evaluating Fuzz Testing, 2018
• Hawkeye: Towards a Desired Directed Grey-box Fuzzer, 2018
• IMF: Inferred Model-based Fuzzer, 2017
• SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits, 2017
• AFL-based Fuzzing for Java with Kelinci, 2017
• Designing New Operating Primitives to Improve Fuzzing Performance, 2017
• Directed Greybox Fuzzing, 2017
• SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities, 2017
• DIFUZE: Interface Aware Fuzzing for Kernel Drivers, 2017
• Systematic Fuzzing and Testing of TLS Libraries, 2016
• Coverage-based Greybox Fuzzing as Markov Chain, 2016
• eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters, 2016
• Scheduling Black-box Mutational Fuzzing, 2013
• Taming compiler fuzzers, 2013
• SAGE: whitebox fuzzing for security testing, 2012
• Grammar-based whitebox fuzzing, 2008
• Taint-based directed whitebox fuzzing, 2009

ArXiv (Fuzzing with Artificial Intelligence & Machine Learning)

• MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing, 2020
• A Review of Machine Learning Applications in Fuzzing, 2019
• Evolutionary Fuzzing of Android OS Vendor System Services, 2019
• MoonLight: Effective Fuzzing with Near-Optimal Corpus Distillation, 2019
• Coverage-Guided Fuzzing for Deep Neural Networks, 2018
• DLFuzz: Differential Fuzzing Testing of Deep Learning Systems, 2018
• TensorFuzz: Debugging Neural Networks with Coverage-Guided Fuzzing, 2018
• NEUZZ: Efficient Fuzzing with Neural Program Learning, 2018
• EnFuzz: From Ensemble Learning to Ensemble Fuzzing, 2018
• REST-ler: Automatic Intelligent REST API Fuzzing, 2018
• Deep Reinforcement Fuzzing, 2018
• Not all bytes are equal: Neural byte sieve for fuzzing, 2017
• Faster Fuzzing: Reinitialization with Deep Neural Models, 2017
• Learn&Fuzz: Machine Learning for Input Fuzzing, 2017
• Complementing Model Learning with Mutation-Based Fuzzing, 2016

The others

• Ifuzzer: An evolutionary interpreter fuzzer using genetic programming, 2016
• Hybrid fuzz testing: Discovering software bugs via fuzzing and symbolic execution, 2012
• Call-Flow Aware API Fuzz Testing for Security of Windows Systems, 2008
• Feedback-directed random test generation, 2007

Tools

Information about the various open source tools you can use to leverage fuzz testing.

General-purpose

• radamsa – A general-purpose fuzzer.
• zzuf – A transparent application input fuzzer.

Binary

• American fuzzy lop – A security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.
• WinAFL – A fork of AFL for fuzzing Windows binaries.
• libFuzzer – A library for coverage-guided fuzz testing. Tutorial from Google.
• Driller – An implementation of the driller paper. This implementation was built on top of AFL with angr being used as a symbolic tracer.
• shellphish fuzzer – A Python interface to AFL, allowing for easy injection of testcases and other functionality.
• Eclipser – A binary-based fuzz testing tool that improves upon classic coverage-based fuzzing by leveraging a novel technique called grey-box concolic testing.

Web, JavaScript

• jsfunfuzz – JavaScript engine fuzzers.
• IFuzzer – An Evolutionary Interpreter Fuzzer Using Genetic Programming.
• domato – DOM fuzzer from Google Project Zero. Blog Post.
• fuzzilli – A (coverage-)guided Javascript engine fuzzer, written by Samuel Groß.
• CodeAlchemist – JavaScript engine fuzzer, written by KAIST SoftSec Lab.
• test-each – Repeat tests using different inputs.
• gremlins.js – gremlins.js is a monkey testing library written in JavaScript.

Network protocol

• dtls-fuzzer – A Java tool which performs protocol state fuzzing of DTLS servers.
• T-Fuzz – T-Fuzz leverages a coverage guided fuzzer to generate inputs.
• TLS-Attacker – A Java-based framework for analyzing TLS libraries.
• DELTA – SDN Security evaluation framework.
• boofuzz – Network Protocol Fuzzing for Humans. Documentation is available at http://boofuzz.readthedocs.io/, including nifty quickstart guides.
• LL-Fuzzer – An automated NFC fuzzing framework for Android devices.
• tlsfuzzer – A SSL and TLS protocol test suite and fuzzer.
• TumbleRF – A framework that orchestrates the application of fuzzing techniques to RF systems.
• PULSAR – A method for stateful black-box fuzzing of proprietary network protocols.
• SPIKE – A fuzzer development framework like sulley, a predecessor of sulley.
• PROTOS – Security testing of protocol implementations.

Driver

• Charm – A system solution that facilitates dynamic analysis of device drivers of mobile systems.

Platform

• certfuzz – It contains the source code for the CMU CERT Basic Fuzzing Framework (BFF) and the CERT Failure Observation Engine (FOE).
• Peach Fuzzer Platform – An automated security testing platform that prevents zero day attacks by finding vulnerabilities in hardware and software systems.
• Blackhat USA 2018 AFL workshop training materials – From @wrauner at Samsung Research.