Demystify the Fuzzing Methods: A Comprehensive Survey

Massive software applications possess complex data structures or parse complex data structures; in such cases, vulnerabilities in the software become inevitable. The vulnerabilities are the source of cyber-security threats, and discovering this before the software deployment is challenging. Fuzzing...

Full description

Saved in:
Bibliographic Details
Published inACM computing surveys Vol. 56; no. 3; pp. 1 - 38
Main Authors Mallissery, Sanoop, Wu, Yu-Sung
Format Journal Article
LanguageEnglish
Published New York, NY ACM 31.03.2024
Association for Computing Machinery
Subjects
Applications programs
Computer science
Cybersecurity
Data structures
Distributed programming languages
Distributed systems security
Information flow control
Parsers
Security and privacy
Semantics
Software
Software and its engineering
Software reverse engineering
Software security engineering
Software testing
State (computer science)
fuzzing
vulnerability discovery
code inspection
Automated testing
Online AccessGet full text

Cover

More Information
Summary:Massive software applications possess complex data structures or parse complex data structures; in such cases, vulnerabilities in the software become inevitable. The vulnerabilities are the source of cyber-security threats, and discovering this before the software deployment is challenging. Fuzzing is a vulnerability discovery solution that resonates with random-mutation, feedback-driven, coverage-guided, constraint-guided, seed-scheduling, and target-oriented strategies. Each technique is wrapped beneath the black-, white-, and grey-box fuzzers to uncover diverse vulnerabilities. It consists of methods such as identifying structural information about the test cases to detect security vulnerabilities, symbolic and concrete program states to explore the unexplored locations, and full semantics of code coverage to create new test cases. We methodically examine each kind of fuzzers and contemporary fuzzers with a profound observation that addresses various research questions and systematically reviews and analyze the gaps and their solutions. Our survey comprised the recent related works on fuzzing techniques to demystify the fuzzing methods concerning the application domains and the target that, in turn, achieves higher code coverage and sound vulnerability detection.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0360-0300
1557-7341
DOI:10.1145/3623375