Comparative Evaluation of Security Fuzzing Approaches

Al Sardy L, Neubaum A, Saglietti F, Rudrich D (2019)

Publication Language: English

Publication Type: Conference contribution, Conference Contribution

Publication year: 2019

Publisher: Springer

City/Town: Cham

Pages Range: 49-61

Conference Proceedings Title: Computer Safety, Reliability, and Security SAFECOMP 2019 Workshops, ASSURE, DECSoS, SASSUR, STRIVE, and WAISE

Event location: Abo Akademi, Turku (Finnland)

ISBN: 978-3-030-26249-5

URI: https://link.springer.com/chapter/10.1007/978-3-030-26250-1_4

DOI: 10.1007/978-3-030-26250-1_4

Abstract

This article compares security fuzzing approaches with respect to different characteristics commenting on their pro and cons concerning both their potential for exposing vulnerabilities and the expected effort required to do so. These preliminary considerations based on abstract reasoning and engineering judgement are subsequently confronted with experimental evaluations based on the application of three different fuzzing tools characterized by diverse data generation strategies on examples known to contain exploitable buffer overflows. Finally, an example inspired by a real world application illustrates the importance of combining different fuzzing concepts in order to generate data in case fuzzing requires the generation of a plausible sequence of meaningful messages to be sent over a network to a software-based controller as well as the exploitation of a hidden vulnerability by its execution.

Authors with CRIS profile

Loui Al Sardy Lehrstuhl für Informatik 11 (Software-Engineering) Andreas Neubaum Lehrstuhl für Informatik 11 (Software-Engineering) Francesca Saglietti Lehrstuhl für Informatik 11 (Software-Engineering)

Related research project(s)

Model-based testing strategies (SMARTEST-FAU-SWE) SMARTEST: Evaluierung von Verfahren zum Testen der Informationssicherheit in der nuklearen Leittechnik durch smarte Testfallgenerierung July 1, 2015 - Dec. 31, 2018

How to cite

APA:

Al Sardy, L., Neubaum, A., Saglietti, F., & Rudrich, D. (2019). Comparative Evaluation of Security Fuzzing Approaches. In Alexander Romanovsky, Elena Troubitsyna, Ilir Gashi, Erwin Schoitsch, Friedemann Bitsch für European Workshop on Industrial Computer Systems, Technical Committee on Safety, Reliability and Security (EWICS TC7) (Eds.), Computer Safety, Reliability, and Security SAFECOMP 2019 Workshops, ASSURE, DECSoS, SASSUR, STRIVE, and WAISE (pp. 49-61). Abo Akademi, Turku (Finnland): Cham: Springer.

MLA:

Al Sardy, Loui, et al. "Comparative Evaluation of Security Fuzzing Approaches." Proceedings of the SAFECOMP 2019, Abo Akademi, Turku (Finnland) Ed. Alexander Romanovsky, Elena Troubitsyna, Ilir Gashi, Erwin Schoitsch, Friedemann Bitsch für European Workshop on Industrial Computer Systems, Technical Committee on Safety, Reliability and Security (EWICS TC7), Cham: Springer, 2019. 49-61.

BibTeX: Download