Leveraging Markov chain and optimal mutation strategy for smart fuzzing

2014 
Fuzz testing is an important way of discovering vulnerabilities, but existing fuzzers based on symbolic execution and similar techniques have inherent shortcomings, such as high computing cost and the need for in-depth analysis. To address these problems, this paper presents a smart fuzzing method based on Markov chains. First, the method optimizes the test input samples to obtain a minimal sample set. Second, it records program execution information through instrumentation and builds a Markov model of execution states. Finally, it uses the Markov chain to detect changes in the execution path and guides the tester to choose better samples to mutate. We also analyse mutation strategies in depth to trigger exceptions more effectively. Experimental data show that the presented method helps the fuzzer generate effective test samples: we discovered 51 vulnerabilities in software such as WPS, with code coverage increased by nearly 49% compared with zzuf and the average exception discovery rate increased nearly 9 times compared with MiniFuzz.
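The three steps of the abstract (sample-set minimization, a Markov model over instrumented execution states, and using that model to rank mutants by how far their path departs from known behaviour) can be sketched in a few dozen lines. The block below is an added illustration and is not the paper's implementation: the `target` parser and its hand-written block-ID trace stand in for a real instrumented binary, the seed corpus is constructed, and the mutation operators, smoothing constant and ranking rule are my own assumptions about how such a fuzzer would be wired up.

```python
"""Markov-chain-guided sample selection for mutation fuzzing (illustrative)."""
import math
import random
from collections import defaultdict

# Hypothetical target standing in for an instrumented program. Every basic
# block appends its id to TRACE; a real fuzzer would get this from a tracer.
TRACE = []


def target(data: bytes) -> None:
    TRACE.append("entry")
    if len(data) < 4:
        TRACE.append("short")
        return
    if data[:2] == b"WP":
        TRACE.append("magic_ok")
        length = data[2]
        if length > len(data) - 3:
            TRACE.append("len_bad")
            raise ValueError("length exceeds buffer")  # the exception we hunt
        TRACE.append("len_ok")
        TRACE.append("flag_odd" if data[3] & 1 else "flag_even")
    else:
        TRACE.append("magic_bad")
    TRACE.append("exit")


def run(data: bytes):
    """Execute target once; return (block trace, whether it raised)."""
    del TRACE[:]
    try:
        target(data)
        raised = False
    except ValueError:
        raised = True
    return list(TRACE), raised


def edges(trace):
    return set(zip(trace, trace[1:]))


def minimize(corpus):
    """Step 1: greedy set cover, keep only samples that add unseen edges."""
    traced = [(s, edges(run(s)[0])) for s in corpus]
    traced.sort(key=lambda t: -len(t[1]))  # samples with most edges first
    covered, kept = set(), []
    for sample, e in traced:
        if e - covered:
            kept.append(sample)
            covered |= e
    return kept


class MarkovModel:
    """Step 2: first-order Markov chain over basic-block transitions."""

    def __init__(self, traces, smoothing=1e-3):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.smoothing = smoothing  # assumed: tiny mass for unseen transitions
        for t in traces:
            for a, b in zip(t, t[1:]):
                self.counts[a][b] += 1

    def prob(self, a, b):
        row = self.counts.get(a)
        if not row:
            return self.smoothing
        total = sum(row.values())
        return (row.get(b, 0) + self.smoothing) / (total + self.smoothing * (len(row) + 1))

    def log_likelihood(self, trace):
        """Low values mean the path is unlike anything in the seed set."""
        return sum(math.log(self.prob(a, b)) for a, b in zip(trace, trace[1:]))

    def unseen_transitions(self, trace):
        """Step 3: a transition the chain never saw is a path change."""
        return {(a, b) for a, b in zip(trace, trace[1:]) if b not in self.counts.get(a, {})}


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # assumed boundary values


def mutate(sample: bytes, rng: random.Random) -> bytes:
    data = bytearray(sample)
    op = rng.randrange(3)
    if op == 0 and data:  # single bit flip
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:  # overwrite a byte with an interesting value
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    else:  # append a random byte
        data.append(rng.randrange(256))
    return bytes(data)


def fuzz_round(seeds, rounds=50, seed=7):
    """Rank mutants by ascending likelihood: novel paths float to the top."""
    rng = random.Random(seed)
    kept = minimize(seeds)
    model = MarkovModel(run(s)[0] for s in kept)
    ranked = []
    for _ in range(rounds):
        cand = mutate(rng.choice(kept), rng)
        trace, raised = run(cand)
        ranked.append((model.log_likelihood(trace), cand, model.unseen_transitions(trace), raised))
    ranked.sort(key=lambda r: r[0])
    return ranked


# Constructed seed corpus: two pairs are redundant with respect to edge coverage.
SEEDS = [b"WP\x01\x00", b"WP\x01\x01", b"WP\x01\x03", b"XX\x00\x00", b"ab", b"WP\x01\x02"]

if __name__ == "__main__":
    for ll, cand, unseen, raised in fuzz_round(SEEDS)[:5]:
        print(f"{ll:8.3f} {cand!r} unseen={sorted(unseen)} raised={raised}")
```

The ranking is the part that matters: a mutant whose trace contains a transition the chain has never seen (here `magic_ok -> len_bad`) gets a log-likelihood several orders of magnitude below any seed path, so it is the first thing the next round mutates further. Replacing `target`/`TRACE` with block IDs from a real tracer is the only change needed to run this against a binary.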