
arXiv: 1701.07232 · v1 · submitted 2017-01-25 · cs.AI · cs.CR · cs.LG · cs.PL · cs.SE


Learn&Fuzz: Machine Learning for Input Fuzzing

Abstract

Fuzzing consists of repeatedly testing an application with modified, or fuzzed, inputs with the goal of finding security vulnerabilities in input-parsing code. In this paper, we show how to automate the generation of an input grammar suitable for input fuzzing using sample inputs and neural-network-based statistical machine-learning techniques. We present a detailed case study with a complex input format, namely PDF, and a large complex security-critical parser for this format, namely, the PDF parser embedded in Microsoft's new Edge browser. We discuss (and measure) the tension between conflicting learning and fuzzing goals: learning wants to capture the structure of well-formed inputs, while fuzzing wants to break that structure in order to cover unexpected code paths and find bugs. We also present a new algorithm for this learn&fuzz challenge which uses a learnt input probability distribution to intelligently guide where to fuzz inputs.


Forward citations

Cited by 1 Pith paper. Reviewed papers in the Pith corpus that reference this work, sorted by Pith novelty score:

  1. Capturing Monetarily Exploitable Vulnerability in Smart Contracts via Auditor Knowledge-Learning Fuzzing (cs.CR, 2026-04, unverdicted, novelty 5.0)

     FAUDITOR is a specialized fuzzer that detected 220 zero-day monetarily exploitable vulnerabilities in smart contracts by combining finance-interface targeting, NLP from auditor reports, and self-learning.