Security and Communication Networks
Volume 2017, Article ID 7819590, 11 pages
https://doi.org/10.1155/2017/7819590
Research Article

Automatic Test Pattern Generator for Fuzzing Based on Finite State Machine

Department of Electrical Engineering, National Taiwan University, Taipei City, Taiwan

Correspondence should be addressed to Chin-Laung Lei; cllei@ntu.edu.tw

Received 5 April 2017; Revised 14 August 2017; Accepted 10 October 2017; Published 13 November 2017

Academic Editor: Emanuele Maiorana

Copyright © 2017 Ming-Hung Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Linked References

  1. S. Son and V. Shmatikov, “The postman always rings twice: attacking and defending postmessage,” in Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS '13).
  2. W. West and S. M. Pulimood, “Analysis of privacy and security in html5 web storage,” Journal of Computing Sciences in Colleges, vol. 27, no. 3, pp. 80–87, 2012.
  3. M. Heiderich, T. Frosch, M. Jensen, and T. Holz, “Crouching tiger—hidden payload: security risks of scalable vectors graphics,” in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 239–250, ACM, October 2011.
  4. S. Mansfield-Devine, “Divide and conquer: the threats posed by hybrid apps and HTML 5,” Network Security, vol. 2010, no. 3, pp. 4–6, 2010.
  5. Y. Demchenko, L. Gommans, C. De Laat, and B. Oudenaarde, “Web services and grid security vulnerabilities and threats analysis and model,” in Proceedings of the 6th IEEE/ACM International Workshop on Grid Computing, pp. 262–267, IEEE Computer Society, November 2005.
  6. D. Hoffman, H.-Y. Wang, M. Chang, and D. Ly-Gagnon, “Grammar based testing of HTML injection vulnerabilities in RSS feeds,” in Proceedings of the Testing: Academic and Industrial Conference—Practice and Research Techniques (TAIC PART '09), pp. 105–110, IEEE, September 2009.
  7. P. Kumar, “The multi-tier architecture for developing secure website with detection and prevention of sql-injection attacks,” International Journal of Computer Applications, vol. 62, no. 9, pp. 30–36, 2013.
  8. X. Jin, X. Hu, K. Ying, W. Du, H. Yin, and G. N. Peri, “Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 66–77, ACM, November 2014.
  9. S. Gupta and B. B. Gupta, “JS-SAN: defense mechanism for HTML5-based web applications against javascript code injection vulnerabilities,” Security and Communication Networks, vol. 9, no. 11, pp. 1477–1495, 2016.
  10. Fuzzing—owasp, https://www.owasp.org/index.php/Fuzzing.
  11. B. P. Miller, L. Fredriksen, and B. So, “An empirical study of the Reliability of UNIX Utilities,” Communications of the ACM, vol. 33, no. 12, pp. 32–44, 1990.
  12. M. Sutton, A. Greene, and P. Amini, Fuzzing: Brute Force Vulnerability Discovery, Pearson Education, 2007.
  13. A. Takanen, J. D. Demott, and C. Miller, Fuzzing for Software Security Testing and Quality Assurance, Artech House, 2008.
  14. N. Jovanovic, C. Kruegel, and E. Kirda, “Precise alias analysis for static detection of web application vulnerabilities,” in Proceedings of the Workshop on Programming Languages and Analysis for Security, pp. 27–36, ACM, June 2006.
  15. P. Godefroid, A. Kiezun, and M. Y. Levin, “Grammar-based whitebox fuzzing,” ACM SIGPLAN Notices, vol. 43, no. 6, pp. 206–215, 2008.
  16. C. Holler, K. Herzig, and A. Zeller, “Fuzzing with code fragments,” in Proceedings of the 21st USENIX Security Symposium, pp. 445–458, 2012.
  17. J. Botella, B. Legeard, F. Peureux, and A. Vernotte, “Risk-based vulnerability testing using security test patterns,” in Proceedings of the International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 337–352, Springer, 2014.
  18. B. P. Miller, D. Koski, C. P. Lee et al., “Fuzz revisited: a re-examination of the reliability of unix utilities and services,” Tech. Rep., 1995.
  19. C. Miller and Z. N. Peterson, “Analysis of mutation and generation-based fuzzing,” 2007.
  20. M. Widl, “Test case generation by grammar-based fuzzing for model-driven engineering,” in Proceedings of the Haifa Verification Conference, pp. 278-279, Springer, 2013.
  21. S. Rawat and L. Mounier, “Offset-aware mutation based fuzzing for buffer overflow vulnerabilities: few preliminary results,” in Proceedings of the 4th IEEE International Conference on Software Testing, Verification, and Validation Workshops (ICSTW '11), pp. 531–533, IEEE, March 2011.
  22. P. M. Maurer, “Generating test data with enhanced context-free grammars,” IEEE Software, vol. 7, no. 4, pp. 50–55, 1990.
  23. D. Coppit and J. Lian, “Yagg: An easy-to-use generator for structured test inputs,” in Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pp. 356–359, ACM, November 2005.
  24. B. A. Malloy and J. F. Power, “An interpretation of purdom’s algorithm for automatic generation of test cases,” 2001.
  25. R. Lämmel and W. Schulte, “Controllable Combinatorial Coverage in Grammar-Based Testing,” in Proceedings of the IFIP International Conference on Testing of Communicating Systems, pp. 19–38, Springer, 2006.
  26. S. Y. Kim, S. Cha, and D.-H. Bae, “Automatic and lightweight grammar generation for fuzz testing,” Computers & Security, vol. 36, pp. 1–11, 2013.
  27. M. Islam and C. Csallner, “Generating test cases for programs that are coded against interfaces and annotations,” ACM Transactions on Software Engineering and Methodology, vol. 23, no. 3, pp. 21:1–21:38, 2014.
  28. T. S. Chow, “Testing software design modeled by finite-state machines,” IEEE Transactions on Software Engineering, vol. 4, no. 3, pp. 178–187, 1978.
  29. P. Ammann and J. Offutt, Introduction to Software Testing, Cambridge University Press, 2016.
  30. D. Lee and M. Yannakakis, “Principles and methods of testing finite state machines—a survey,” Proceedings of the IEEE, vol. 84, no. 8, pp. 1090–1123, 1996.
  31. R. Dssouli, K. Saleh, E. Aboulhamid, A. En-Nouaary, and C. Bourhfir, “Test development for communication protocols: Towards automation,” Computer Networks, vol. 31, no. 17, pp. 1835–1872, 1999.
  32. G. V. Bochmann and A. Petrenko, “Protocol testing: review of methods and relevance for software testing,” in Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 109–124, ACM, August 1994.
  33. K. Sabnani and A. Dahbura, “A protocol test generation procedure,” Computer Networks, vol. 15, no. 4, pp. 285–297, 1988.
  34. Y. G. Kim, H. S. Hong, D. H. Bae, and S. D. Cha, “Test cases generation from UML state diagrams,” IEE Proceedings Software, vol. 146, no. 4, pp. 187–192, 1999.
  35. F. Belli, “Finite state testing and analysis of graphical user interfaces,” in Proceedings of the 12th International Symposium on Software Reliability Engineering (ISSRE '01), pp. 34–43, IEEE, 2001.
  36. N. Li, T. Xie, N. Tillmann, J. De Halleux, and W. Schulte, “Reggae: automated test generation for programs using complex regular expressions,” in Proceedings of the 24th IEEE/ACM International Conference on Automated Software Engineering (ASE '09), pp. 515–519, IEEE, November 2009.
  37. V. I. Levenshtein, “Binary codes capable of correcting deletions, insertions, and reversals,” Soviet Physics—Doklady, vol. 10, no. 8, pp. 707–710, 1966.
  38. G. Berry and R. Sethi, “From regular expressions to deterministic automata,” Theoretical Computer Science, vol. 48, no. 1, pp. 117–126, 1986.
  39. R. E. Tarjan, “Depth-first search and linear graph algorithms,” SIAM Journal on Computing, vol. 1, no. 2, pp. 146–160, 1972.
  40. I. Hickson, S. Pfeiffer, T. O’Connor et al., “HTML5,” W3C, W3C Recommendation, October 2014, https://www.w3.org/TR/2014/REC-html5-20141028/.