Fuzzing Slot Machine

To find an unlocked car, it is often enough to try the doors of several cars parked in a car park. Cybercriminals take a similar approach by indiscriminately sending a program strings of letters, digits and special characters, hoping to find a security bug. To preempt these activities, computer scientists at the CISPA Helmholtz Center (i.G.) are developing software that does this more efficiently. Within minutes the software learns the input format and produces millions of valid program inputs, automatically extracting the necessary knowledge from the programs. The researchers are presenting their latest tools at the CEBIT computer expo from 11 June in Hanover, stand F68 in hall 27.

“Modern programs can very quickly generate a huge number of tests. But the wheat is separated from the chaff when it comes to generating valid entries that penetrate deeply into the target program”, explains Professor Andreas Zeller, who teaches software engineering at Saarland University and carries out research at the CISPA Helmholtz Center.

He has therefore developed the “Autogram” program together with his PhD students. It automatically identifies the rules that inputs must follow in order to be accepted as valid. The computer scientists refer to these rules collectively as a “context-free grammar”. The grammar is in turn processed by “tribble”, another piece of software produced by the computer scientists in Saarbrücken, which generates millions of random, but valid, inputs for the software system under investigation. “This allows us to check the software system down to the very last detail”, explains Zeller. The large number of tested inputs considerably reduces the probability of overlooking a security bug. In a global first, the test system from Saarbrücken requires only the program being tested in order to perform its work, while competing tools depend on comprehensive example inputs.
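The difference between indiscriminate strings and grammar-derived inputs can be shown with a short added example (this is not code from Autogram or tribble). It assumes a small hand-written grammar for a JSON subset in place of an inferred one, uses Python's json.loads as a stand-in for the program under test, and all function names are hypothetical.

```python
import json
import random
import string

# Constructed toy grammar (JSON subset); an assumption, not inferred by Autogram.
GRAMMAR = {
    "<value>": [["<object>"], ["<array>"], ["<string>"], ["<number>"],
                ["true"], ["false"], ["null"]],
    "<object>": [["{}"], ["{", "<members>", "}"]],
    "<members>": [["<string>", ":", "<value>"],
                  ["<string>", ":", "<value>", ",", "<members>"]],
    "<array>": [["[]"], ["[", "<elements>", "]"]],
    "<elements>": [["<value>"], ["<value>", ",", "<elements>"]],
    "<string>": [['"', "<chars>", '"']],
    "<chars>": [[""], ["<char>", "<chars>"]],
    "<char>": [[c] for c in "abcXYZ019 _-"],
    "<number>": [["<digit>"], ["-", "<digit>"], ["<digit>", ".", "<digit>"]],
    "<digit>": [[d] for d in "0123456789"],
}

def generate(rng, symbol="<value>", depth=0, max_depth=8):
    """Randomly derive a string from `symbol`, bounded by max_depth."""
    if symbol not in GRAMMAR:
        return symbol  # terminal: emitted as-is
    options = GRAMMAR[symbol]
    if depth >= max_depth:
        # Fewest nonterminals: enough to force termination for this grammar.
        options = [min(options, key=lambda e: sum(s in GRAMMAR for s in e))]
    expansion = rng.choice(options)
    return "".join(generate(rng, s, depth + 1, max_depth) for s in expansion)

def random_string(rng, max_len=20):
    """Baseline: indiscriminate printable characters of random length."""
    return "".join(rng.choice(string.printable) for _ in range(rng.randint(1, max_len)))

def accepted(text):
    """Stand-in for the program under test: does its parser accept the input?"""
    try:
        json.loads(text)
    except ValueError:
        return False
    return True

def acceptance_rate(make_input, n=2000, seed=1):
    """Fraction of n generated inputs that get past the parser."""
    rng = random.Random(seed)
    return sum(accepted(make_input(rng)) for _ in range(n)) / n

if __name__ == "__main__":
    print(acceptance_rate(generate), acceptance_rate(random_string))
```

Every grammar-derived input passes the parser and reaches the code behind it, while almost all random strings are rejected at the first syntax check.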

“Our Autogram and tribble tools point to a future in which fully automated testing for security bugs is possible for every program that processes input data”, says Zeller. In 2012, Zeller’s group had already presented the grammar-based “Langfuzz” test generator for the JavaScript programming language. He is engaged on a daily basis with companies such as Mozilla and Google and has uncovered several thousand errors and security bugs in the Firefox and Chrome web browsers.

Background Information

Saarland Informatics Campus (SIC)

1,700 students from 81 nations are studying 15 computer-science-related courses in three established faculties at the Saarland Informatics Campus (SIC) of Saarland University. At two graduate schools and six globally respected research institutes, more than 800 scientists are researching the entire spectrum of computer-science-related subjects and furthering progress, particularly in IT security, artificial intelligence, visual computing, bioinformatics and the semantic web – from the fundamentals right through to innovative applications. The SIC cooperates with international groups such as Google, Microsoft and Facebook, promotes a large number of business start-ups with its IT incubator (ITI) and acts as a driver for further developments through industrial, research and development laboratories. The overall potential of the site is leveraged in order to take advantage of scientific publications, prizes, patent applications and technological innovations. Thanks to the excellent levels of expertise and competitiveness, joint success at the Saarland Informatics Campus is guaranteed.

Press Release

Contact for Questions

Andreas Zeller
 +49 681 302 70971
 +49 681 302-70972
 Campus E9 1 | 66123 Saarbrücken