Fuzzy States : State Discovery with AFL

Abstract: Fuzzing is a test method used to automatically generate test case inputs and to executea system under test (SUT) with those inputs. The method is traditionally used to discovercrash-inducing bugs in software. Fuzzing can generate thousands of inputs per secondand many implementations use smart techniques to reach deeply into the code. Fewfuzz testing implementations, however, have the ability to explore and retain informationof state in stateful applications. We develop an extension of the fuzzer American Fuzzy Lop (AFL), building on the workof the Ijon project, and utilize its fuzzing capabilities to discover states in SUT; inparticular, applications built as finite state machines. The extension successfullyharnesses AFL’s input generation to explore the SUT’s state space. We then implement functionality that allows for the SUT to return state information tothe fuzzer, including the state path and path length. Furthermore, functionality is addedthat allows the test operator to specify the expected number of states in the SUT, andGUI extensions that provide real-time information of state discovery during fuzzing. The state information retained after a completed fuzzing session is automaticallysummarized in a structured format. We further demonstrate that the summarizedinformation can be used to generate test cases for a test operator to verify the SUT.