Andreas Zeller
Personalized Fuzzing
Thursday, 12 February 2025, 3:45 p.m., Kleiner Hörsaal (CS, Geb. 10.50 Bauingenieure)
Abstract: Random test input generators (fuzzers) have become the prime detectors of vulnerabilities in software. While generic fuzzers easily adapt to arbitrary programs under test, they offer few possibilities to control or shape the generated inputs. In this talk, I present FANDANGO, a novel language-based fuzzer that combines grammars with predicates over input elements to produce inputs that satisfy all
- input format constraints ("The field should be equal to the length of the payload")
- checksums ("The field should be a SHA-512 hash of the ")
- statistical distributions ("Across all inputs, the field must follow a Gaussian distribution, but never exceed 20 mV")
- data collections ("The field should come from the Python faker library")
and more – actually, any property that can be expressed in a Python expression. In our experiments, FANDANGO efficiently solved complex file formats and satisfied demanding predicates. This opens the door towards _personalized fuzzing_, where testers can make use of their knowledge to fuzz systems very effectively. Includes live demos!
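As an added example (not FANDANGO's code or its specification syntax), the following Python script sketches the mechanism the abstract describes: a grammar drives generation of the free field, fields that are fixed by an expression over other fields (a length field, a SHA-512 checksum) are solved rather than guessed, and a bounded Gaussian field is sampled and then checked against its predicate. The record layout, field names, constraint bodies and the random baseline are constructed for this example; the hash is taken over the payload, which the abstract's truncated checksum sentence does not specify.

```python
import hashlib
import random
import statistics
import string

# Constructed record format for this example (not a real protocol):
#   <length>:<payload>:<checksum>:<mv>
# <length> is the decimal length of <payload>, <checksum> its SHA-512
# hex digest, <mv> a sensor reading in millivolts. Field names are
# assumptions made for this example.
GRAMMAR = {
    "<payload>": [["<char>", "<payload>"], ["<char>"]],
    "<char>": [[c] for c in string.ascii_letters + string.digits],
}
FIELDS = ("length", "payload", "checksum", "mv")


def expand(symbol, rng, depth=0, max_depth=12):
    """Random derivation of `symbol`; past max_depth take the shortest rule."""
    if symbol not in GRAMMAR:
        return symbol
    rules = GRAMMAR[symbol]
    rule = min(rules, key=len) if depth >= max_depth else rng.choice(rules)
    return "".join(expand(s, rng, depth + 1, max_depth) for s in rule)


# Derived fields: fixed by a Python expression over other fields, so they
# are computed ("solved") from the payload instead of being guessed.
DERIVED = {
    "length": lambda r: str(len(r["payload"])),
    "checksum": lambda r: hashlib.sha512(r["payload"].encode()).hexdigest(),
}

# Check constraints: predicates every finished record must satisfy.
CHECKS = [
    lambda r: int(r["length"]) == len(r["payload"]),
    lambda r: r["checksum"] == hashlib.sha512(r["payload"].encode()).hexdigest(),
    lambda r: 0.0 <= float(r["mv"]) <= 20.0,  # "never exceed 20 mV"
]


def generate(rng, mean=10.0, sigma=4.0):
    """One record: grammar for the free field, solving for derived fields,
    Gaussian sampling with rejection for the bounded field."""
    record = {"payload": expand("<payload>", rng)}
    for field, solve in DERIVED.items():
        record[field] = solve(record)
    while True:
        record["mv"] = f"{rng.gauss(mean, sigma):.2f}"
        if all(check(record) for check in CHECKS):
            return record


def serialize(record):
    return ":".join(record[f] for f in FIELDS)


def parse(text):
    """Inverse of serialize; the payload alphabet contains no ':'."""
    return dict(zip(FIELDS, text.split(":")))


def fuzz(n, seed=0):
    """n constraint-satisfying inputs, deterministic for a given seed."""
    rng = random.Random(seed)
    return [serialize(generate(rng)) for _ in range(n)]


def random_baseline(n, seed=0):
    """Contrast: same grammar, but every field filled at random, as a
    generic fuzzer without knowledge of the constraints would do."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        record = {
            "payload": expand("<payload>", rng),
            "length": str(rng.randint(0, 20)),
            "checksum": "".join(rng.choice("0123456789abcdef") for _ in range(128)),
            "mv": f"{rng.uniform(-50, 50):.2f}",
        }
        out.append(serialize(record))
    return out


def violations(inputs):
    """How many serialized inputs fail at least one constraint after parsing."""
    return sum(not all(check(parse(s)) for check in CHECKS) for s in inputs)


def mean_mv(inputs):
    return statistics.fmean(float(parse(s)["mv"]) for s in inputs)
```

The split between solved and checked constraints is the practical point: a length or checksum field has essentially zero probability of being right under random generation, so it must be computed from the fields it depends on, whereas a bound such as "at most 20 mV" is cheap to enforce by rejection. Note that rejecting out-of-range samples truncates the Gaussian at its tails; if the distribution itself is the property under test, account for that when interpreting results.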
CV: Andreas Zeller is faculty at the CISPA Helmholtz Center for Information Security and professor of Software Engineering at Saarland University. His research on automated debugging, mining software archives, specification mining, and security testing has won several awards for its impact in academia and industry. Zeller is an ACM Fellow, holds an ACM SIGSOFT Outstanding Research Award, has won two ERC Advanced Grants, Europe's highest funding for individual researchers, and most recently also received the ACM SIGSOFT Influential Educator Award.