Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
So Many Fuzzers, So Little Time: Experience from Evaluating Fuzzers on the Contiki-NG Network (Hay)Stack
Uppsala University,Sweden.ORCID iD: 0000-0002-3165-634X
Uppsala University, Sweden; National Technical University of Athens, Greece.ORCID iD: 0000-0001-9657-0179
RISE Research Institutes of Sweden, Digital Systems, Data Science. KTH Royal Institute of Technology, Sweden. (Connected Intelligence)ORCID iD: 0000-0003-3139-2564
2022 (English)Conference paper, Published paper (Refereed)
Abstract [en]

Fuzz testing (“fuzzing”) is a widely-used and effective dynamic technique to discover crashes and security vulnerabilities in software, supported by numerous tools, which keep improving in terms of their detection capabilities and speed of execution. In this paper, we report our findings from using state-of-the-art mutation-based and hybrid fuzzers (AFL, Angora, Honggfuzz, Intriguer, MOpt-AFL, QSym, and SymCC) on a non-trivial code base, that of Contiki-NG, to expose and fix serious vulnerabilities in various layers of its network stack, during a period of more than three years. As a by-product, we provide a Git-based platform which allowed us to create and apply a new, quite challenging, open-source bug suite for evaluating fuzzers on real-world software vulnerabilities. Using this bug suite, we present an impartial and extensive evaluation of the effectiveness of these fuzzers, and measure the impact that sanitizers have on it. Finally, we offer our experiences and opinions on how fuzzing tools should be used and evaluated in the future.

Place, publisher, year, edition, pages
2022.
Keywords [en]
Software security, security testing, fuzz testing, coverage-guided fuzzing, hybrid fuzzing, IoT, Contiki-NG
National Category
Software Engineering Computer Sciences
Identifiers
URN: urn:nbn:se:ri:diva-61138DOI: 10.1145/3551349.3556946OAI: oai:DiVA.org:ri-61138DiVA, id: diva2:1710060
Conference
37th IEEE/ACM International Conference on Automated Software Engineering
Funder
Swedish Foundation for Strategic Research, RIT17-0038Available from: 2022-11-10 Created: 2022-11-10 Last updated: 2023-05-26Bibliographically approved

Open Access in DiVA

So-Many-Fuzzers@ASE-22.pdf(668 kB)163 downloads
File information
File name FULLTEXT01.pdfFile size 668 kBChecksum SHA-512
94d82f0f2ed315ff708c776c43bd9c2c638b31ede3e23bc6427ce5d84b466282595be989e35a9fec2f431ee35d2ad01b39aa433ce2b69be9b03ed85f1461fe69
Type fulltextMimetype application/pdf

Other links

Publisher's full text

Authority records

Tsiftes, Nicolas

Search in DiVA

By author/editor
Poncelet, ClémentSagonas, KonstantinosTsiftes, Nicolas
By organisation
Data Science
Software EngineeringComputer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 163 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 299 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf