Meddle: Framework for piggy-back fuzzing tool development Geoff McDonald
defcon-22-geoff-mcdonald-meddle-framework-updated.pdf [pdf]

Power In Pairs: How one fuzzing template revealed over 100 IE UAF vulnerabilities Bo Qu & Royce Lu
eu-14-lu-the-power-of-pair-one-template-that-reveals-100-plus-uaf-ie-vulnerabilities.pdf [pdf]

Optimizing Seed Selection For Fuzzing Multiple Authors
sec14-paper-rebert.pdf [pdf]


Fuzzing for fun and for $$$ S. Bekrar & Fabien Duchene
A high-level discussion of the end-to-end fuzzing process with reasonably up to date and detailed ideas for common/typical fuzzing
Fuzzing_for_evil_and_for_profit-for_publication [pdf]

MBFuzzer – MITM Fuzzing for Mobile Applications Fatih Özavcı
A Man-in-the-Middle fuzzer for testing web-service based mobile communications
mbfuzzer-1-0-pre.pdf [pdf]

Taming Compiler Fuzzers Yang Chen, Alex Groce, Chaoqiang Zhang, et al
A study of ideas for effective management of bugs discovered by compiler/runtime fuzzers; most importantly, discovering the bugs of most interest out of a large set.
pldi13.pdf [pdf]

Online Model-Based Behavioral Fuzzing Martin Schneider, Jurgen Großmann, Ina Schieferdecker, Andrej Pietschker
A study of generating model-based behavioral test-cases at execution time with allowance for feedback loops from previous case execution


Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution Brian S. Pak
Using Symbolic Execution to generate random fuzzing inputs that exercise the discovered code paths within a piece of software.
CMU-CS-12-116.pdf [pdf]

Everyone Has His or Her Own Fuzzer Beist
Introduction to fuzzing that touches on IL, Symbolic Exection, more ‘intelligent’ fuzzing, crash binning, and tips for beginners.
2012_6th_codeengn_beist_everyone_has_his_or_her_own_fuzzer [pdf]

Windows kernel fuzzing for beginners Ben Nagy
An introduction to getting started fuzzing modern windows based usermode-to-kernel interfaces
nagy-kernel [pdf]

Fuzzing: The state of the art Richard McNally, Ken Yiu, Duncan Grove and Damien Garhardy (Australian DoD)
A study of recent advances in fuzzing, surveying the current state of technologies and concepts in use today.

GDI Font Fuzzing in Windows Kernel for Fun Lee Ling Chuan & Chan Lee Yee
Fuzzing the GDI TrueType & GDI Bitmap fonts on the windows platform

SAGE: Whitebox Fuzzing for Security Testing Patrice Godefroid & Michael Y. Levin & David Molnar
An article in Communications magazine introducing Microsoft’s highly regarded SAGE fuzzer.

Fuzzing With Code FragmentsChristian Holler, Kim Herzig, Andreas Zeller

A discussion of LangFuzz, an implementation of a language fuzzer proven to discover bugs in interpreters
sec12-final73 [pdf]

Fuzz Testing: Improving Medical Device Quality & Safety MDISS & Codenomicon
Warning: Sales-oriented. A high-level overview of applying fuzzing to medical devices.
codenomicon-mdiss-fuzz-framework-16 [pdf]


Fuzz Testing for Dummies Art Manion & Michael Orlando
Introduction to the basics of fuzzing, discussion of CERT fuzzing tools (BFF/FOE) and results/vulns discovered
ag_16b_ICSJWG_Spring_2011_Conf_Manion_Orlando [pdf]

Showing how security has (and hasn’t) improved, after ten years of trying Dan Kaminsky & Michael Eddington & Adam Checchitti
A case study of using fuzzing to attempt to analyse whether the general state of software security has improved over the last ten years
Showing How Security Has Improved [pdf]

Offset-Aware Mutation Based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results Sanjay Rawat & Laurent Mounier
Using taint analysis to modify specific byte offsets in the original seed files to hunt down and execute dangerous code paths
offset-aware [pdf]


Industrial Bug Mining Ben Nagy
A high-level view of the end-to-end fuzzing process, focussing on bug triage, scaling, binary instrumentation
BlackHat-USA-2010-Nagy-Industrial-Bug-Mining-slides [pdf]

Zero-Knowledge fuzzing Vincenzo Iozzo
Building and applying a fuzzer without the need to have an in-depth understanding of the protocol/format/input being manipulated
0knowledge_fuzzing_paper [pdf]

Crash analysis with bitblaze Charlie Miller & UC Berkeley
Introduction to ‘bitblaze’ – a tool to determine exploitability and priority of crashes post-fuzzing

Introduction to Fuzzing Dan Guido
A university-level introduction to major fuzzing topics

Prospecting for rootite Ben Nagy & The Grugq
Overview of obtaining seed files and solving the Set Cover Problem, for maximum fuzzer code coverage

In Memory Fuzzing sinn3r
Introduction and how to use a new in-memory fuzzing tool

Fuzzing: The SMB Case Laurent Gaffie
Introduction to SMB, how to approach fuzzing using a library of packet captures, case-study of bugs found

Letting your fuzzer know about target’s internals Rodrigo Rubira Branco
Using feedback from debuggers and taint analysis to direct fuzzing efforts

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang & Tao Wei & Guaofe Gu & Wei Zou
Defeating the common problem of invalid checksums by using taint analysis

Fuzzing in the cloud (Microsoft position statement) Patrice Godefroid & David Molnar
A statement released by Microsoft suggesting that “the cloud” will revolutionise fuzzing, and why.
fuzzing_in_the_cloud [pdf]

How to FAIL at Fuzzing Ben Nagy
A high-level run-through of Ben’s Kiwicon talk, offering some insightful but rarely discussed ideas
ben_nagy_how_to_fail_at_fuzzing [pdf]

Babysitting an army of monkeys Charlie Miller
Fuzzing 4 products (Acrobat Reader PDF, OS X Preview PDF, OpenOffice PPT, MS Office PPT)  with 5 lines of python
cmiller-CSW-2010 [pdf – file has been messed up. does anyone have a better copy?] 


Fuzzgrind: an automatic fuzzing tool Gabriel Campana
Using taint analysis to ensure a fuzzer reaches all possible code paths. Uses STP and Valgrind

Fuzzing the phone in your phone Charlie Miller & Collin Mulliner
Searching for phone-application specific vulnerabilities in smartphones
BHUSA09-Miller-FuzzingPhone-PAPER [pdf]

Demystifying Fuzzers Michael Eddington
The process of applying fuzzers to find security flaws, and fuzzers involvement in the SDL
BHUSA09-Eddington-DemystFuzzers-PAPER [pdf]

Fuzzing for security flaws John Heasman
University-level introduction to the main concepts behind fuzzing and fuzzers
04-fuzzing [pdf]

Deep Fuzzing MS Word / Office (With Ruby) Ben Nagy
Massively parallelized high-speed fuzzing of MS Office documents
A New Fuzzing Framework [pptx]

Taint-based Directed Whitebox Fuzzing Vijay Ganesh & Tim Leek & Martin Rinard
Using taint analysis as feedback into the mutation process to get more coverage when fuzzing

Making software dumber Tavis Ormandy
Feedback-directed fuzzing using taint analysis to explore an applications internals. Introduction to google tool Flayer

Fusil the fuzzer Victor Stinner
Presenting Fusil: a python fuzzing framework that has claimed bugs in a variety common applications.
fosdem_2009 [pdf]


zzuf – multiple purpose fuzzer Sam Hocevar
Introduction to using the zzuf multi-purpose input fuzzer
Zzuf [pdf]

Fuzz By Number – More Data About Fuzzing Than You Ever Wanted To Know Charlie Miller
A showdown between GPF, Taof, ProxyFuzz, Mu-4000, Codenomicon, beSTORM, and some application specific fuzzers.

Fuzzing 101 Mike Zusman
A two-part NYU/ introduction to fuzzing – history, the process, ActiveX fuzzing, Protocol fuzzing with Spike
fuzzing-1  fuzzing-2 [pdf]

GSM Protocol Fuzzing Harald Welte
Introduction to GSM, application of fuzzing to GSM

Exposing Vulnerabilities in Media Software David Thiel
Discussion of fuzzing applied specifically to media software. Includes case studies.

Grammar-based Whitebox Fuzzing Patrice Godefroid & Adam Kiezun & Michael Y. Levin
In-depth paper on how to use whitebox fuzzing to test complex highly-structured input of applications using a grammar of their valid inputs.

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs Cristian Cadar & Daniel Dunbar & Dawson Engler
Introduction and overview of KLEE, a tool that can generate test input and achieve considerably high coverage of code within the target application
klee-osdi-2008 [pdf]

Fuzzing WTF? what fuzzing was, is, and soon will be Mikko Varpiola & Nate Kube
A discussion of the history, current situation, and future ideas for fuzzing, focusing on genetic techniques
csw08-marcus-varpiola [pdf]


Fuzzing Sucks! Introducing the sulley fuzzing framework Pedram Amini & Aaron Portnoy
An introduction to why sulley was developed, followed by a brief discussion of it’s various components and how it works.
introducing_sulley [pdf]

Fuzzing & exploiting wireless device drivers Sylvester Keil & Clemens Kolbitsch
Fuzzing 802.11 drivers
DeepSec__Keil_Kolbitsch – Presentation Virtual_Fuzzing [pdf]

KiF – a stateful SIP fuzzer Humberto J. Abdelnur & Radu State & Olivier Festor
Analysis of fuzzing SIP and discussion of KiF, a SIP fuzzing tool, and also discusses vulnerabilities discovered.

Fuzzing in Microsoft and Fuzzguru Framework John Neystadt
A brief overview of microsoft’s Fuzzguru framework

Analysis of Mutation and Generation-Based Fuzzing Charlie Miller & Zachary N.J. Peterson
A discussion and research-backed comparison of generational vs mutational fuzzing against PNG files

Wi-Fi Advanced Fuzzing Laurent Butti
Fuzzing 802.11 and discussion of some discovered vulnerabilities
bh-eu-07-Butti [pdf]

Fuzzing Frameworks Pedram Amini & Aaron Portnoy
Discussion of existing fuzzing frameworks, introduction and exploration of the Sulley fuzzing framework

Fuzzing with Code Coverage Charlie Miller
Using code coverage results to improve fuzzing, find better crash testcases. Also touches on evolutionary fuzzing.

Automated Whitebox Fuzz Testing Patrice Godefroid & Michael Y. Levin & David Molnar
Microsoft & UC Berkeley’s paper on whitebox fuzzing, including symbolic execution, constraint solving, and discussion of Microsofts SAGE.
TR-2007-58 [pdf]

Flayer: Exposing Application Internals Will Drewry & Tavis Ormandy
Introduction to the flayer tool; a dynamic taint analysis integrated within valgrind.
flayer_exposing_applications_internals [pdf]


The evolving art of fuzzing Jared DeMott
An early paper covering the major aspects of fuzzing


The Art of File Format Fuzzing Michael Sutton & Adam Greene
The process of fuzzing file formats on multiple platforms


The Advantages of Block-Based Protocol Analysis for Security Testing Dave Aitel
Breaking protocols down into logical blocks and creating models to fuzz from. Introduction to the infamous SPIKE fuzzer.


An empirical Study of the Reliability of UNIX Utilities Barton P Miller & Lars Fredriksen & Bryan So
The original paper studying unexpected input into unix utilities.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s