Abstract
Fuzzing is a proven testing method for finding previously unknown vulnerabilities and errors in programs. By randomly generating test data, unexpected program reactions can be triggered and potential errors and security vulnerabilities can be detected. Grammar-based fuzz testing methods use grammars to generate syntactically correct test data and thereby improve test coverage compared to random data generation. Generating syntactically correct test data is particularly relevant for complex input formats, for example when testing compilers. Some programs, however, require input that is not only syntactically but also semantically correct before the program functionality behind the input validation can be reached during testing. Complex semantic properties, which are rarely satisfied by random generation, prevent such programs from being tested efficiently. For this reason, fuzzers exist that can generate semantically correct test data.
The aim of this thesis is to create a prototypical fuzzer that extends a grammar-based method by integrating semantic aspects. Using attributed grammars, semantically correct test data is to be generated in order to improve test coverage compared to a purely grammar-based approach.
In the course of this work, a fuzzer was implemented that uses the specification language of the compiler generator Coco/R to read in specifications for generating test data. Semantic actions can be inserted into the specifications and are taken into account when generating data. Based on the specification, a tree structure is built to which an SMT solver is applied. By considering the semantic actions and selecting the required tree nodes, the SMT solver can generate semantically correct test data. Including the semantic constraints enables the data generated by the fuzzer to achieve a higher source code coverage in 5 of 13 example executions compared to purely random grammar fuzzing.
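The following is an added illustration of the approach the abstract describes, not code from the thesis or its Coco/R-based prototype. It uses a constructed three-production grammar, attaches the semantic actions of each production to the derivation tree as constraints over the unfilled terminal leaves, and fills the leaves by solving those constraints. A small randomised backtracking solver over finite domains stands in for the SMT solver (an assumption made so the example runs without external dependencies); `program_under_test` is a constructed stand-in for a target whose input validation rejects semantically invalid input. Running `compare` shows that purely random grammar fuzzing rarely gets past the validation, while constraint-directed generation always does.

```python
"""Attribute-grammar fuzzing with constraint solving (added example, not from the thesis)."""
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy grammar in Coco/R-style EBNF:
#   Program = Decl Decl Check .
#   Decl    = "let" ident "=" number ";" .
#   Check   = "assert" ident "<" ident ";" .
# Semantic actions (expressed below as constraints): declared identifiers are
# distinct, both identifiers in Check are declared, and the asserted relation holds.
IDENTS = ["a", "b", "c", "d"]
NUMBERS = list(range(10))


@dataclass
class Leaf:
    """A terminal slot in the derivation tree that still has to be filled."""
    name: str
    domain: list


@dataclass
class Constraint:
    """A semantic action: a predicate over the leaves it references."""
    vars: Tuple[str, ...]
    pred: Callable[[Dict[str, object]], bool]


@dataclass
class Tree:
    leaves: List[Leaf] = field(default_factory=list)
    constraints: List[Constraint] = field(default_factory=list)


def build_tree() -> Tree:
    """Expand Program and attach the semantic actions of each production."""
    t = Tree()
    for i in range(2):  # two Decl productions
        t.leaves += [Leaf(f"decl{i}.ident", IDENTS), Leaf(f"decl{i}.number", NUMBERS)]
    t.leaves += [Leaf("check.lhs", IDENTS), Leaf("check.rhs", IDENTS)]  # Check production

    def relation(v):  # value of lhs must be smaller than value of rhs
        env = {v["decl0.ident"]: v["decl0.number"], v["decl1.ident"]: v["decl1.number"]}
        return env[v["check.lhs"]] < env[v["check.rhs"]]

    declared = ("decl0.ident", "decl1.ident")
    t.constraints += [
        Constraint(declared, lambda v: v["decl0.ident"] != v["decl1.ident"]),
        Constraint(declared + ("check.lhs",), lambda v: v["check.lhs"] in (v["decl0.ident"], v["decl1.ident"])),
        Constraint(declared + ("check.rhs",), lambda v: v["check.rhs"] in (v["decl0.ident"], v["decl1.ident"])),
        Constraint(tuple(leaf.name for leaf in t.leaves), relation),
    ]
    return t


def random_fill(tree: Tree, rng: random.Random) -> Dict[str, object]:
    """Purely random grammar fuzzing: pick every terminal independently."""
    return {leaf.name: rng.choice(leaf.domain) for leaf in tree.leaves}


def solve(tree: Tree, rng: random.Random) -> Optional[Dict[str, object]]:
    """Randomised backtracking over the leaf domains; stands in for the SMT solver.
    A constraint is checked as soon as all leaves it references are assigned."""
    names = [leaf.name for leaf in tree.leaves]
    domains = {leaf.name: leaf.domain for leaf in tree.leaves}

    def backtrack(i: int, assignment: Dict[str, object]):
        if i == len(names):
            return dict(assignment)
        name = names[i]
        for value in rng.sample(domains[name], len(domains[name])):
            assignment[name] = value
            if all(c.pred(assignment) for c in tree.constraints if set(c.vars).issubset(assignment)):
                result = backtrack(i + 1, assignment)
                if result is not None:
                    return result
            del assignment[name]
        return None

    return backtrack(0, {})


def render(v: Dict[str, object]) -> str:
    """Serialise the filled derivation tree into the concrete input text."""
    return (f"let {v['decl0.ident']} = {v['decl0.number']}; "
            f"let {v['decl1.ident']} = {v['decl1.number']}; "
            f"assert {v['check.lhs']} < {v['check.rhs']};")


def program_under_test(text: str) -> bool:
    """Constructed stand-in for the target: returns True only if the input passes
    the semantic validation (no redeclaration, identifiers declared, assertion holds)."""
    env: Dict[str, int] = {}
    for stmt in text.strip().rstrip(";").split(";"):
        tok = stmt.split()
        if tok[0] == "let":
            if tok[1] in env:
                return False
            env[tok[1]] = int(tok[3])
        elif tok[0] == "assert":
            if tok[1] not in env or tok[3] not in env:
                return False
            return env[tok[1]] < env[tok[3]]
    return False


def compare(trials: int = 200, seed: int = 1) -> Tuple[int, int]:
    """Count inputs that pass validation for random vs. constraint-directed generation."""
    rng = random.Random(seed)
    tree = build_tree()
    random_ok = sum(program_under_test(render(random_fill(tree, rng))) for _ in range(trials))
    solved_ok = sum(program_under_test(render(solve(tree, rng))) for _ in range(trials))
    return random_ok, solved_ok


if __name__ == "__main__":
    print("random / solved inputs passing validation:", compare())
```

With the constructed domains, a random fill satisfies all three semantic properties only a few percent of the time, so most random inputs are rejected before reaching the logic behind the validation; the constraint-directed fill passes every time, which is the coverage gain the abstract attributes to including semantic constraints. Replacing the backtracking solver with a real SMT solver is what makes the same idea scale to constraints over unbounded integers and strings.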
| Date of Award | 2025 |
|---|---|
| Original language | German (Austria) |
| Supervisor | Josef Pichler (Supervisor) |
Study program
- Software Engineering