RankFuzz: Fuzz Testing Based on Comprehensive Evaluation

Abstract

It has been proven successful that fuzz testing can successfully find security vulnerabilities in programs. However, traditional black box fuzz testing tools, which randomly mutate the input, are blind and ineffective. The white box fuzzing technology, known as the symbolic execution, is still facing the problem of low efficiency and path explosion. We present a new automated fuzzing technique based on comprehensive evaluation and a tool, Rank Fuzz, that implements this technique. By running dynamic taint analysis, we divide the input into several fields and make a rank to each of them according to the comprehensive evaluation results, in the hope that the potential vulnerability can be quickly found. We use several existing vulnerabilities to assess the reasonability of our evaluation system, finding that Rank Fuzz can effectively locate the bytes triggering the vulnerabilities and all of their ranks are on the top 30% of total fields. We also test two off-the-shelf applications within 8 hours and find 3 new vulnerabilities.