CIFASIS   20631
CENTRO INTERNACIONAL FRANCO ARGENTINO DE CIENCIAS DE LA INFORMACION Y DE SISTEMAS
Executing Unit - UE
conferences and scientific meetings
Title:
QuickFuzz: an automatic random fuzzer for common file formats
Author(s):
MARTÍN CERESA; GUSTAVO GRIECO; PABLO BUIRAS
Place:
Nara
Meeting:
Symposium; International Symposium on Haskell; 2016
Abstract:
Fuzzing is a technique that involves testing programs using invalid or erroneous inputs. Most fuzzers require a set of valid inputs as a starting point, in which mutations are then introduced. QuickFuzz is a fuzzer that leverages QuickCheck-style random test-case generation to automatically test programs that manipulate common file formats by fuzzing. We rely on existing Haskell implementations of file-format-handling libraries found on Hackage, the community-driven Haskell code repository. We have tried QuickFuzz in the wild and found that the approach is effective in discovering vulnerabilities in real-world implementations of browsers, image processing utilities and file compressors among others. In addition, we introduce a mechanism to automatically derive random generators for the types representing these formats. QuickFuzz handles most well-known image and media formats, and can be used to test programs and libraries written in any language.