Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Technical Note

Probability-Based Parameter Selection for Black-Box Fuzz Testing

  • August 2012
  • By Allen D. Householder, Jonathan M. Foote
  • In this report, the authors describe an algorithm for automating the selection of seed files and other parameters used in black-box fuzz testing.
  • Vulnerability Analysis
  • Publisher: Software Engineering Institute
    CMU/SEI Report Number: CMU/SEI-2012-TN-019
  • Abstract

    Dynamic, randomized-input functional testing, or black-box fuzz testing, is an effective technique for finding security vulnerabilities in software applications. Parameters for an invocation of black-box fuzz testing generally include known-good input to use as a basis for randomization (i.e., a seed file) and a specification of how much of the seed file to randomize (i.e., the range). This report describes an algorithm that applies basic statistical theory to the parameter selection problem and automates selection of seed files and ranges. This algorithm was implemented in an open-source, file-interface testing tool and was used to find and mitigate vulnerabilities in several software applications. This report generalizes the parameter selection problem, explains the algorithm, and analyzes empirical data collected from the implementation. Results of using the algorithm show a marked improvement in the efficiency of discovering unique application errors over basic parameter selection techniques.

  • Download

Cite This Report

SEI

Householder, Allen; & Foote, Jonathan. Probability-Based Parameter Selection for Black-Box Fuzz Testing. CMU/SEI-2012-TN-019. Software Engineering Institute, Carnegie Mellon University. 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=28047

IEEE

Householder. Allen, and Foote. Jonathan, "Probability-Based Parameter Selection for Black-Box Fuzz Testing," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2012-TN-019, 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=28047

APA

Householder, Allen., & Foote, Jonathan. (2012). Probability-Based Parameter Selection for Black-Box Fuzz Testing (CMU/SEI-2012-TN-019). Retrieved October 19, 2017, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=28047

CHI

Allen Householder, & Jonathan Foote. Probability-Based Parameter Selection for Black-Box Fuzz Testing (CMU/SEI-2012-TN-019). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=28047

MLA

Householder, Allen., & Foote, Jonathan. 2012. Probability-Based Parameter Selection for Black-Box Fuzz Testing (Technical Report CMU/SEI-2012-TN-019). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=28047

BibTex

@techreport{HouseholderProbabilityBasedParameter2012,
title={Probability-Based Parameter Selection for Black-Box Fuzz Testing},
author={Allen Householder and Jonathan Foote},
year={2012},
number={CMU/SEI-2012-TN-019},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=28047} }