The blog post collects classic fuzzing books, papers on fuzzing from the top information security conferences over the years, commonly used fuzzing tools, and blogs for quickly learning those tools.
- The Fuzzing Book (2019): This book pairs principles with code exercises and, through hands-on practice, builds a complete fuzzing framework from scratch. If you want to write your own fuzzing framework, this is the book to consult.
- Fuzzing for Software Security Testing and Quality Assurance (2018): This book introduces fuzzing into the software development life cycle; in practice, many effective fuzzing campaigns are planned during the development stage. The book surveys the development of fuzzing tools, covering not only emerging open source tools but also many commercial ones. How to choose the right fuzzer for a software development project is also one of its themes.
This chapter collects papers from top information security conferences and classic papers from some journals. We select only those with relatively high technical value or relative novelty to facilitate subsequent learning.
- The Art, Science, and Engineering of Fuzzing: A Survey (2019)
- Fuzzing: a survey (2018)
- Evaluating Fuzz Testing, 2018
- Fuzzing: Art, Science, and Engineering, 2018
- Fuzzing: State of the art, 2018
- Source-and-Fuzzing (2019)
- CoLaFUZE: Coverage-Guided and Layout-Aware Fuzzing for Android Drivers (2021)
- Better Pay Attention Whilst Fuzzing (2022)
- Effective File Format Fuzzing – Thoughts, Techniques and Results
- MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing (2022)
- FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware (2022)
- EMS: History-Driven Mutation for Coverage-based Fuzzing (2022)
- Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection (2022)
- datAFLow: Towards a Data-Flow-Guided Fuzzer (2022)
- Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases (2021)
- WINNIE: Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021
- PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles (2021)
- Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing (2021)
- HFL: Hybrid Fuzzing on the Linux Kernel (2020)
- HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing (2020)
- Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization (2020)
- PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary (2019)
- INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing (2018)
- What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
- Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing (2018)
- DELTA: A Security Assessment Framework for Software-Defined Networks (2017)
- SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux Kernel, 2022
- Constraint-guided Directed Greybox Fuzzing, 2021
- UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers, 2021
- Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types, 2021
- Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing, 2021
- The Use of Likely Invariants as Feedback for Fuzzers, 2021
- Analysis of DTLS Implementations Using Protocol State Fuzzing
- EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit (2020)
- FANS: Fuzzing Android Native System Services via Automated Interface Analysis (2020)
- Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection (2020)
- FuzzGen: Automatic Fuzzer Generation, 2020
- GREYONE: Data Flow Sensitive Fuzzing, 2020
- Fuzzification: Anti-Fuzzing Techniques, 2019
- AntiFuzz: Impeding Fuzzing Audits of Binary Executables, 2019
- MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation, 2018
- QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing, 2018
- OSS-Fuzz - Google's continuous fuzzing service for open source software, 2017
- kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels, 2017
- BEACON: Directed Grey-Box Fuzzing with Provable Path Pruning, 2022
- DiFuzzRTL: Differential Fuzz Testing to Find CPU Bugs, 2021
- StochFuzz: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting, 2021
- NtFuzz: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis, 2021
- Diane: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices, 2021
- One Engine to Fuzz 'em All: Generic Language Processor Testing with Semantic Validation, 2021
- IJON: Exploring Deep State Spaces via Fuzzing, 2020
- Krace: Data Race Fuzzing for Kernel File Systems, 2020
- Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction, 2020
- RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization, 2020
- Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing, 2019
- Fuzzing File Systems via Two-Dimensional Input Space Exploration, 2019
- NEUZZ: Efficient Fuzzing with Neural Program Smoothing, 2019
- Razzer: Finding Kernel Race Bugs through Fuzzing, 2019
- Angora: Efficient Fuzzing by Principled Search, 2018
- CollAFL: Path Sensitive Fuzzing, 2018
- T-Fuzz: fuzzing by program transformation, 2018
- Skyfire: Data-Driven Seed Generation for Fuzzing, 2017
- DIFUZE: Interface Aware Fuzzing for Kernel Drivers, 2017
- Learning to Fuzz from Symbolic Execution with Application to Smart Contracts, 2019
- Matryoshka: fuzzing deeply nested branches, 2019
- Hawkeye: Towards a Desired Directed Grey-box Fuzzer, 2018
- IMF: Inferred Model-based Fuzzer, 2017
- SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits, 2017
- Directed Greybox Fuzzing, 2017
- SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities, 2017
Common and practical tools are listed here; most of them the author has used in practice, and they are reasonably general-purpose. Some excellent tools that have not been maintained or updated for a long time and have very limited applicable scenarios are not included.
- Radamsa: Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestingly different outputs from them. The main selling points of radamsa are that it has already found a slew of bugs in programs that actually matter, it is easily scriptable, and it is easy to get up and running.
- zzuf: zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input. zzuf's behaviour is deterministic, making it easy to reproduce bugs.
- afl-unicorn: Fuzzing The 'Unfuzzable': afl-unicorn lets you fuzz any piece of binary that can be emulated by Unicorn Engine.
- Intriguer: Intriguer is a concolic execution engine for hybrid fuzzing. The key idea of Intriguer is a field-level constraint solving, which optimizes symbolic execution with field-level information.
- Unicorefuzz: Fuzzing the Kernel using UnicornAFL and AFL++. For details, skim through the WOOT paper or watch this talk at CCCamp19.
- libFuzzer: LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.
- Honggfuzz: A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.
- syzkaller: syzkaller is an unsupervised coverage-guided kernel fuzzer.
- frida-fuzzer: This experimental fuzzer is meant to be used for in-memory API fuzzing.
- winafl: A fork of AFL for fuzzing Windows binaries
- trinity: Linux system call fuzzer.
- NtCall64: Windows NT x64 syscall fuzzer.
- kDriver-Fuzzer: A kernel driver fuzzer, based on ioctlbf.
- FuzzBALL: Vine-based Binary Symbolic Execution.
- Sulley/Boofuzz: A fork and successor of the Sulley Fuzzing Framework
- fuzzowski: The Network Protocol Fuzzer that we will want to use.
- Peach: Peach is a fuzzing framework which uses a DSL for building fuzzers and an observer based architecture to execute and monitor them.
- Defensics: Defensics is a comprehensive, versatile, automated black box fuzzer that enables organizations to efficiently and effectively discover and remediate security weaknesses in software.
- bsSTORM: Black box Fuzz Testing is a requirement of the Verification phase of the SDL, the industry-leading software security assurance process that was created by Microsoft and proven effective since 2004.
- API-fuzzer: An API fuzzer that fuzzes request attributes using common pentesting techniques and lists the vulnerabilities it finds.
- domato: A DOM fuzzer, written and maintained by Ivan Fratric (ifratric@google.com).