In English

Escaping the Fuzz - Evaluating Fuzzing Techniques and Fooling them with Anti-Fuzzing

Emil Edholm ; David Göransson
Göteborg : Chalmers tekniska högskola, 2016. 64 s.
[Examensarbete på avancerad nivå]

Fuzzing is used to find vulnerabilities in applications by sending garbled data as input and then monitoring the application for crashes. Over the years, this simple technique has evolved to an advanced testing technique that has been used to find serious vulnerabilities in a wide range of applications. This thesis sets out to evaluate two state-of-the-art fuzzers and pinpoint their weaknesses. The thesis also investigates anti-fuzzing: a technique that masks crashes from fuzzers. By not detecting crashes, fuzzers become useless when it comes to detecting vulnerabilities in software. The fuzzers are tested against a test suite of security vulnerability challenges from the DARPA Cyber Grand Challenge and then against the same test suite when anti-fuzzing capabilities have been incorporated. Our results show that it is relatively easy to implement and apply anti-fuzzing techniques that are able to completely mask crashes and, by extension, vulnerabilities from fuzzers.

Nyckelord: security, fuzzing, fuzzer, anti-fuzzing, fuzz-testing

Publikationen registrerades 2016-06-29. Den ändrades senast 2016-06-29

CPL ID: 238600

Detta är en tjänst från Chalmers bibliotek