Awesome Fuzzing

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs.

A curated list of references to awesome Fuzzing for security testing. Additionally there is a collection of freely available academic papers, tools and so on.

Your favorite tool or your own paper is not listed? Fork and create a Pull Request to add it!

Contents

• Books
• Papers
• Tools
• Platform

Books

• Fuzzing-101
• The Fuzzing Book (2019)
• The Art, Science, and Engineering of Fuzzing: A Survey (2019) - Actually, this document is a paper, but it contains more important and essential content than any other book.
• Fuzzing for Software Security Testing and Quality Assurance, 2nd Edition (2018)
• Fuzzing: Brute Force Vulnerability Discovery, 1st Edition (2007)
• Open Source Fuzzing Tools, 1st Edition (2007)

Talks

• Fuzzing Labs - Patrick Ventuzelo, Youtube
• Effective File Format Fuzzing, Black Hat Europe 2016
• Adventures in Fuzzing, NYU Talk 2018
• Fuzzing with AFL, NDC Conferences 2018

Papers

To achieve a well-defined scope, I have chosen to include publications on fuzzing in the last proceedings of 4 top major security conferences and others from Jan 2008 to Jul 2019. It includes (i) Network and Distributed System Security Symposium (NDSS), (ii) IEEE Symposium on Security and Privacy (S&P), (iii) USENIX Security Symposium (USEC), and (iv) ACM Conference on Computer and Communications Security (CCS).

The Network and Distributed System Security Symposium (NDSS)

• Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators, 2022
• MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing, 2022
• Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection, 2022
• EMS: History-Driven Mutation for Coverage-based Fuzzing, 2022
• WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021
• Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing, 2021
• PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles, 2021
• Favocado: Fuzzing Binding Code of JavaScript Engines Using Semantically Correct Test Cases, 2021
• HFL: Hybrid Fuzzing on the Linux Kernel, 2020
• HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing, 2020
• HYPER-CUBE: High-Dimensional Hypervisor Fuzzing, 2020
• Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization, 2020
• CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, 2019
• PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary, 2019
• REDQUEEN: Fuzzing with Input-to-State Correspondence, 2019
• Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing, 2019
• Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications, 2019