Fuzzing: A Survey for Roadmap-Reference-Cited by-同舟云学术

Fuzzing: A Survey for Roadmap

Published:2022-01-31 Issue:11s Volume:54 Page:1-36
ISSN:0360-0300
Container-title:ACM Computing Surveys
language:en
Short-container-title:ACM Comput. Surv.

Author:

Zhu Xiaogang¹^ORCID,Wen Sheng¹^ORCID,Camtepe Seyit²^ORCID,Xiang Yang¹^ORCID

Affiliation:

1. Swinburne University of Technology, Australia

2. CSIRO Data61, Australia

Abstract

Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this article, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

Publisher

Association for Computing Machinery (ACM)

Subject

General Computer Science,Theoretical Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/3512345

Reference217 articles.

1. Yousra Aafer Wei You Yi Sun Yu Shi Xiangyu Zhang and Heng Yin. 2021. Android SmartTVs vulnerability discovery via log-guided fuzzing. In 30th USENIX Security Symposium (USENIX Security’21) . 2759–2776.

2. Humberto Abdelnur, Radu State, Obes Jorge Lucangeli, and Olivier Festor. 2010. Spectral Fuzzing: Evaluation & Feedback. Technical Report. https://hal.inria.fr/inria-00452015.

3. Humberto J. Abdelnur Radu State and Olivier Festor. 2007. KiF: A stateful SIP fuzzer. In Proceedings of the 1st International Conference on Principles Systems and Applications of IP Telecommunications (Iptcomm’07) . 47–56.

4. Rahul Agarwal, Liqiang Wang, and Scott D. Stoller. 2005. Detecting potential deadlocks with static analysis and run-time monitoring. In Haifa Verification Conference. Springer, 191–207.

5. Cornelius Aschermann, Patrick Jauernig, Tommaso Frassetto, Ahmad-Reza Sadeghi, Thorsten Holz, and Daniel Teuchert. 2019. NAUTILUS: Fishing for deep bugs with grammars. In The Network and Distributed System Security Symposium (NDSS’19). 1–15.

Cited by 112 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Survey of techniques to detect common weaknesses in program binaries;Cyber Security and Applications;2025-12

2. A survey on fuzz testing technologies for industrial control protocols;Journal of Network and Computer Applications;2024-12

3. DDGF: Dynamic Directed Greybox Fuzzing with Path Profiling;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11

4. Silent Taint-Style Vulnerability Fixes Identification;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11

5. Atlas: Automating Cross-Language Fuzzing on Android Closed-Source Libraries;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11