SHF: Small: Xsmith, A Configurable Generator of Highly Effective Fuzz Testers

SHF：小型：Xsmith，高效模糊测试器的可配置生成器

• 批准号: 1527638
• 负责人: Eric Eide
• 金额: $ 50万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1527638&HistoricalAwards=false
• 关键词: SHF; Small; Xsmith; Configurable; Generator

This project is developing new techniques for the creation of highly effectivefuzz testers, also known as "fuzzers," for programming language compilers andinterpreters. Fuzz testing is an automatic and low-cost technique for findingdefects in software systems. A fuzzer randomly creates test inputs for asoftware system; a fuzzer is effective if it can continually create test casesthat reveal defects throughout the system under test. It is difficult tocreate effective fuzzers for programming language compilers and interpretersbecause these systems have highly structured inputs, but it is important thatsuch fuzzers exist. Programming language implementations are critical softwareinfrastructure: defects in compilers and interpreters can potentially havegreat costs in terms of software correctness and reliability, humanproductivity, and computer security. This project seeks to reduce the time andhuman effort needed to create sophisticated fuzzers for programming languageimplementations. In so doing, this project is expected to advance the state ofthe art in random software testing, improve the quality of several programminglanguage implementations selected for study, and produce new open-sourcesoftware tools that programmers can use to develop new and more effective fuzztesters.The techniques developed by this project will be embodied in a new generator offuzz testers, called Xsmith. Xsmith will generate language fuzzers fromspecifications and thus reduce the time and effort required to create fuzzers.More importantly, Xsmith will inject sophisticated program-generationtechniques into the language fuzzers it creates. This project will investigatethree techniques in particular. This first is generation-time analysis,intended to allow Xsmith-derived fuzzers to create output that is both complexand meaningful. The second is feature subsetting, intended to increase thelikelihood that Xsmith-derived fuzzers will output bug-triggering testprograms. The third is iterative refinement, intended to further diversify theoutputs from Xsmith-derived fuzzers. The project participants will use Xsmithto create fuzz testers for a varied set of programming languages. Wherepossible, the bug-finding power of Xsmith-derived fuzzers will be compared tothat of existing fuzzers: quantitatively, in terms of the number ofidentifiably unique defects found within a fixed test-time budget, andqualitatively, in terms of the kinds of defects uncovered. This evaluationwill allow the investigators to assess the impact of the techniques embodied inXsmith, both individually and collectively, over a range of programminglanguage implementations. Xsmith will be successful if it permits highlyeffective fuzz testers to be constructed with significantly less ad hoc code,and thus significantly less effort, than if they had been constructed fromscratch.

这个项目正在开发新的技术，用于创建高效的模糊测试器，也被称为“fuzzers”，用于编程语言编译器和解释器。模糊测试是一种自动的、低成本的发现软件系统缺陷的技术。模糊器随机为软件系统创建测试输入；如果fuzzer能够持续地创建测试用例，从而揭示整个被测系统的缺陷，那么它就是有效的。很难为编程语言编译器和解释器创建有效的模糊器，因为这些系统具有高度结构化的输入，但重要的是存在这样的模糊器。编程语言实现是关键的软件基础设施：编译器和解释器中的缺陷可能会在软件正确性和可靠性、人类生产力和计算机安全性方面造成巨大损失。该项目旨在减少为编程语言实现创建复杂的模糊器所需的时间和人力。在这样做的过程中，这个项目被期望推进随机软件测试的艺术状态，提高选择用于研究的几种编程语言实现的质量，并产生新的开源软件工具，程序员可以使用这些工具来开发新的更有效的模糊测试器。这个项目开发的技术将体现在一个名为Xsmith的新的绒毛测试器中。Xsmith将从规范中生成语言模糊器，从而减少创建模糊器所需的时间和精力。更重要的是，Xsmith将把复杂的程序生成技术注入到它所创建的语言模糊器中。这个项目将特别研究三种技术。第一个是代时间分析，旨在允许xsmith派生的模糊器创建既复杂又有意义的输出。第二个是特征子集，旨在增加xsmith衍生的fuzzers输出触发bug的测试程序的可能性。第三是迭代改进，旨在进一步使xsmith衍生的模糊器的输出多样化。项目参与者将使用xsmith为各种编程语言创建模糊测试器。在可能的情况下，xsmith衍生的fuzzers的bug发现能力将与现有的fuzzers进行比较：定量地，根据在固定的测试时间预算内发现的可识别的唯一缺陷的数量，定性地，根据发现的缺陷的种类。这种评估将允许研究人员评估xsmith中包含的技术的影响，无论是单独的还是集体的，在一系列编程语言实现上。如果Xsmith允许用更少的临时代码构建高效的模糊测试器，那么它就会比从头开始构建时要成功，从而大大减少了工作量。