News
Help us tailor automated debugging to your needs
Written on 16.09.21 by Andreas Zeller
Dear former course participants,
Thank you for your interest in software testing and debugging! We're developing Alhazen, a tool that automatically finds out when and why your program fails. We are heavily relying on your opinion as professional developers. Please take part in our user study to help us tie our approach to your needs: https://tinyurl.com/debuggingstudy
Thanks a lot!
Andreas Zeller + Team

General Feedback for Project 3
Written on 13.03.20 by Andreas Zeller
Dear all,
For those of you who want more details on project 3, here are some general remarks. We provided individual feedback for each of you, but here are some points that we think could benefit most of you:
* Some projects featured either really precise models of the input (grammars, ...) without mutations or really specific mutations (introducing a specific character in the input, ...). The risk with these approaches is that the fuzzer will generate inputs that are actually quite similar and more likely to trigger the same bugs over and over. One strength of fuzzing is the large coverage of the input space of the program.
* Seed prioritization is not limited to coverage-based power schedules. There are actually many reasons for keeping, prioritizing or discarding an input. For example, you might want to discard a seed that found a bug, because it is likely that it will only trigger the same bug again; or to favor seeds that were considered valid by the program; or to favor seeds that you did not mutate many times before; ... The best prioritization method to use depends on your goal, the distribution of bugs that you expect (clustered together, dependent, or spread randomly through the program), etc.
* Most of the projects recognized that the target is stateful and therefore decided to have an entire BSMTP session as input. However, very few projects also took into account that the state could also persist between sessions and until the server is restarted. While this did not have a big impact for this project, it would have been a good idea to discuss when and why it makes sense to restart the server.
* Submitting clean code is never a waste of time. The code you submit is not only read by the Python interpreter, but also by you and by reviewers of your project. Structuring your code in a way that makes your intent clear is a great way to improve your grade, as it makes it more likely that your reviewers focus on the relevant parts of your code.
Keep up the good work, and hope to see you soon again,
Andreas Zeller, Rahul Gopinath, and Michael Mera

Grades for project 3 and final grades are out
Written on 13.03.20 by Andreas Zeller
Dear all,
the grades for project 3 and your final grades are out. You can find everything on the CMS site at https://cms.cispa.saarland/fuzzing1920/
All in all, you have worked hard for this course, and we are very impressed by your performance. The final grades reflect this assessment. Many of you have told us how much you liked the course and its contents, and we'll be happy to let you know about further events:
* We will offer a seminar on advanced testing and debugging in the Summer semester. In this seminar, we will go beyond the course material to discuss recent exciting approaches in automated testing and debugging, including some hands-on exercises with (you guessed it) Jupyter notebooks. This will likely be held online, which should be an interesting experience.
* We plan to offer a new course on automated debugging this fall. This course will have a similar format as Generating Software Tests – that is, inverted classroom, notebooks, and projects to work on. Stay tuned!
* We also offer a number of MSc and BSc theses in these areas. Our research typically applies and combines several techniques including dynamic analysis, static analysis, specification mining, test generation, natural language processing, machine learning, and formal languages. If you're eager to contribute, here's some details on the process: https://andreas-zeller.info/Theses.html
That's all for now. We hope to see you soon again!
Andreas Zeller, Rahul Gopinath, and Michael Mera

Slots available for CISPA's Young Researcher Security Convention, March 30-April 3
Written on 05.02.20 by Andreas Zeller
Dear all,
we have a few slots left for BSc and MSc students who want to dive into hot topics in the area of IT security - machine learning, provable security, cyber-physical security, and (of course) fuzzing. This is a great event that should not be missed: https://cispa.saarland/secon/
In your application, be sure to use the magical words "I am a student of 'Generating Software Tests'" :-)
Best wishes,
Andreas Zeller

Project 3 - Partial Deadline Extension
Written on 05.02.20 by Michael Mera
Dear Students,
Given that several of you have reported conflicting exams around the deadline period for project 3, we have decided to give you a partial extension. What this means is that you still have to submit the notebook containing your answers to the design questions by the 11th of February midnight. But you have two additional weeks to finish and submit your implementation. So you must submit your fuzzer before the 25th of February midnight.
Be careful however that the grade will take into account the conformity of your answers to the design question with your actual implementation. So when submitting your design questions you commit to submitting the corresponding implementation two weeks later.

Talk by Rohan Padhye Thursday 10:30 "Bending Fuzzers to One's Own Will"
Written on 04.02.20 by Andreas Zeller
Dear all,
as promised, here is the second of two talks highly recommended for fuzzing enthusiasts. (You will understand that in the light of these excellent speakers, we did not want to add our own lecture to the set.) This Thursday 10:30-12:00, Rohan Padhye (U Berkeley) will give a talk on "Bending Fuzzers to One's Own Will" (CISPA lecture hall). Rohan works on highly relevant fuzzing techniques that not only are extremely innovative, but also in daily use in companies like Netflix and Samsung. Very much recommended!
Looking forward to seeing you,
Andreas
- - cut here - -
You are cordially invited to a talk by Rohan Padhye.

Talk by Marcel Böhme Monday 10:00 "Software Testing as Species Discovery"
Written on 04.02.20 by Andreas Zeller
Dear all,
as promised, here is the first of two talks highly recommended for fuzzing enthusiasts: Next Monday at 10:00, Marcel Böhme (Monash U) will give a talk on "Software Testing as Species Discovery" (MPI-SWS E1 5 room 029). This is actually the very Marcel Böhme who wrote the chapter on "When to stop fuzzing", so here's your opportunity to ask him about anything! I have attended several of Marcel's talks, and his vision is mind-blowing. If you can, join us!
Looking forward to seeing you,
Andreas
- - cut here - -
Dear all,
You are cordially invited to an institute colloquium on: Software Testing as Species Discovery by Marcel Böhme from Monash University, Australia, hosted by Catalin Hritcu on Monday the 10th of February, 2020 in SB E 1 5 room 029, videocast to KL room 111 (VMR6312).
Abstract: In this talk, I establish an unexpected connection with the otherwise unrelated scientific field of ecology, and introduce a statistical framework that models Software Testing and Analysis as Discovery of Species (STADS). For instance, in order to study the species diversity of arthropods in a tropical rain forest, ecologists would first sample a large number of individuals from that forest, determine their species, and extrapolate from the properties observed in the sample to properties of the whole forest. The estimation (i) of the total number of species, (ii) of the additional sampling effort required to discover 10% more species, or (iii) of the probability to discover a new species are classical problems in ecology. The STADS framework draws from over three decades of research in ecological biostatistics to address the fundamental extrapolation challenge for automated test generation. Our preliminary empirical study demonstrates a good estimator performance even for a fuzzer with adaptive sampling bias—AFL, a state-of-the-art vulnerability detection tool. The STADS framework provides statistical correctness guarantees with quantifiable accuracy.
Bio: Marcel Böhme is 2019 ARC DECRA Fellow and Lecturer (Asst Prof) at the Faculty of IT at Monash University, Australia. He completed his PhD at the National University of Singapore advised by Prof Abhik Roychoudhury in 2014. It followed a postdoctoral stint at the CISPA-Helmholtz Zentrum Saarbrücken with Prof. Andreas Zeller and a role as senior research fellow at the TSUNAMi Security Research Centre in Singapore. Marcel's research is focused on automated vulnerability discovery, program analysis, testing, debugging, and repair of large software systems, where he investigates practical topics such as efficiency, scalability, and reliability of automated techniques via theoretical and empirical analysis. His high-performance fuzzers have discovered 100+ bugs in widely used software systems, more than 60 of which are security-critical vulnerabilities that are registered as CVEs at the US National Vulnerability Database.

Today's lecture is cancelled; solidarity march for Bernd Finkbeiner today at 16:00
Written on 04.02.20 by Andreas Zeller
Dear all,
Professor Bernd Finkbeiner has gotten an offer for a professorship at LMU Munich. The students' union (Fachschaft) has called all CS students to show that they'd like to keep Bernd Finkbeiner at Saarbrücken by participating in a march (Fackelzug) starting today 16:00 at Platz der Informatik and ending with a Schwenker barbecue in E1.1, Room 407.
To enable students of the "Generating Software Tests" course to participate in today's march, today's lecture (and quiz) are *cancelled,* and we hope to see you at the students' march today.
We realize that this may be disappointing for all of you who wanted to learn more about fuzzing. But we have two exciting visitors coming up instead, who represent some of the very best research done in fuzzing in test generation. See our talk announcements later today! And finally, we will be offering a seminar on "advanced testing and debugging" in the next semester, expanding on the techniques from this lecture.
For all of you interested in fuzzing and test generation - see you at the talks and (maybe) in the seminar; and for all of you who want to keep Bernd Finkbeiner with us, see you today at 16:00 at Platz der Informatik!
Best wishes,
Andreas Zeller

Project 3 - Rev2 Installation
Written on 02.02.20 by Michael Mera
If you want to install the new version of the project 3 on the server, you can simply replace the file bsmtp/bsmtp.py with the one present in the new version. It is not necessary to overwrite the entire project.
As always be careful not to overwrite your work.

Project 3 - Small fix and Important Remarks
Written on 02.02.20 by Michael Mera
Dear students,
A new version of project 3 is available. It mainly fixes an erroneous SMTP response when several FRIEND commands are sent with different names during the same session.
I would like to take this opportunity to make a few remarks on questions that come up frequently:
I hope this helps to clarify the questions you have, and as always if you are in doubt you can send me an email or post a question on the Askbot.

Project 2 - Results
Written on 29.01.20 by Michael Mera
Dear students,
Results for Project 2 have been published. If you have any questions or require feedback for your grade, you can send me an email.

Project 3
Written on 14.01.20 by Michael Mera
Hi all, Project 3 is out!
The project is available for download in the Materials section of the CMS. If you want to work locally on your personal machine, you can download it and use the scripts provided to build and run a Docker image suitable for the project (see the README.md file for details). Alternatively, the server https://fuzzingbook.cispa.saarland has been updated to provide the project pre-configured.
You need to submit two files on the CMS for this project: the notebook where you answer questions about your implementation and the script of your fuzzer. Details are given in the notebook file of the project. The deadline for submitting is the 11th of February at midnight (local time).
More instructions on how to solve the project are in the notebook. If you have any doubt, just send us a question on the course Askbot.

Recommended talk: Today 11:00 by Thorsten Holz on "Fuzzing Hypervisors and Complex Interpreters"
Written on 10.01.20 by Andreas Zeller
Dear student of "Generating Software Tests",
Are you interested to learn how fuzzing techniques are used by security researchers? As part of CISPA’s Distinguished Lecture Series, we are pleased to
Abstract: In recent years, randomized fuzz-testing (“fuzzing”) has
Looking forward to seeing you, and best wishes,
Andreas Zeller

Project 1 - Results
Written on 19.12.19 by Michael Mera
Dear students,
Results for Project 1 have been published. If you have any questions or require feedback for your grade, you can send me an email.

Project 2 - A Note on Project Freezes/Crashes
Written on 12.12.19 by Michael Mera
Dear students,
Several of you reported having problems with the notebook crashing/freezing for some unknown reason, with a project code that does not seem to be at fault. Jupyter notebooks can "sometimes be a bit unreliable", and I cannot provide you with a good explanation on why this is happening.
For this reason, if you encounter this kind of problem, I advise you to export your project as Python code (File > Download as > Python) and run it as a script, as I explained here. If the problems disappear, the cause is probably the notebook and not your code.
I will grade you using this method, which means that if you are convinced that the problem does not come from your code, you should not worry about failing because of that.

Project 2 - Even More Deadline Extensions
Written on 11.12.19 by Michael Mera
Dear Students,
There will be a downtime of the CISPA infrastructure which might start on Thursday midnight and end on Friday morning 10am (official previsions). This includes our fuzzingbook.cispa.saarland server. Therefore you just gained a new deadline extension for project 2, which brings you to Monday (16th of December) midnight.
I advise you to save your work outside of the server before Thursday evening, just to be on the safe side, and also to work locally in the meantime if you feel so inclined.

Project 2 - Summary of What Was Discussed Today
Written on 10.12.19 by Michael Mera
Dear Students,
I want to summarize the main points that were discussed during the lecture today regarding part II of project 2, to make it (hopefully) clear for everyone what you are allowed to do or not.
The fragments mutator:
The characters/bytes mutator:
Of course if you think you have a wonderful idea leveraging a static dictionary of keywords, you can also go for that. In that case, do not forget to include an explanation of why you think this is a great idea. In each part of the project you have the opportunity to explain in a paragraph (or a bit more) why you think your approach is interesting!
If after this it is still not clear for you if you can do something or not, do not hesitate to ask questions.

Project 2 - Deadline Extension and Some Hints
Written on 10.12.19 by Michael Mera
Dear Students,
Given that lots of you seem to have problems reaching the target coverage for Part II, we have decided to extend the deadline to Friday (13th of December) midnight.
I think some of you might be confused by the format of the lecture, so I want to restate some of the organizational principles: The lecture's evaluation is project based. Unlike exercises, the projects are not designed to make you simply apply the basic notions presented in the lecture but rather to make you think more in depth about them. As such, projects can be more difficult and this is why I expect you to ask questions and discuss the project with me if you encounter difficulties or if you are unsure how to solve a particular task. I have been here at the lectures, on Askbot and answering emails for this very purpose. Our goal is to help you succeed and learn more about fuzzing, not grow frustrated because you cannot achieve a target coverage.
As a matter of fact, this project is a simplified version of the original one and the difficulty was considered appropriate for a project lasting over three weeks. Feedback on the difficulty level and the problems you encounter would have been appreciated well before yesterday.
Here are also a few additional hints that might help you to solve part II:
You are of course totally free to solve this differently, but these might help achieve the required coverage.

Project 2 - New Version
Written on 09.12.19 by Michael Mera
Several students reported that the second part of project 2 behaves in a widely non-deterministic manner. Be careful if you are using the power schedules from the lecture, as several of them use the numpy module as source of randomness!
To make sure that every project is seeded correctly, I will seed numpy directly at the beginning of the evaluation, alongside the Python random module. I posted a new version of the project doing that, you can find it as usual in the Material section of the CMS.
To make sure that everyone has time to test with this change, your deadline is extended to the 10th of December midnight. As always be careful not to overwrite your work when downloading/uploading the new version.

Project 2 - Important Change
Written on 22.11.19 by Michael Mera
Dear students,
I got several questions and requests from students about changing `min_nonterminals` and `max_nonterminals` in the fuzzer of Part 1. The defaults (0 and 10) let you only produce small inputs. It is completely possible to meet the required coverage (and a lot more actually) with these default values. I admit however that it makes the exercise a bit more difficult, and more importantly limits your opportunities to present interesting approaches to this problem.
For these reasons, I published a new revision of the project that you can find in the Materials section of the CMS. You can now set a value for these two parameters (they should be less than 100). Please update your project with the new notebook. Those of you working on the server must still update (except if you did not start your server at all since the start of the project).

Project 2
Written on 19.11.19 (last change on 19.11.19) by Michael Mera
Hi all, Project 2 is out!
The goal of this project is to make you experiment with grammar-based fuzzing and fragment-based fuzzing.
The project is available for download in the Materials section of the CMS. If you want to work locally on your personal machine, you can download it and use the scripts provided to build and run a Docker image suitable for the project (see the README.md file for details). Alternatively, the server https://fuzzingbook.cispa.saarland has been updated to provide the project pre-configured.
You can develop your solution as you wish, either locally or on the server, but for submission you have to write it down in the provided notebook and upload it to the CMS. The deadline for submitting is the 10th of December at noon (local time).
More instructions on how to solve the project are in the notebook. If you have any doubt, just send us a question on the course Askbot.

Project 1 - Important fixes
Written on 10.11.19 (last change on 10.11.19) by Michael Mera
Dear students,
A problem in project 1 leads sometimes to infinite loops and slightly unreliable coverage results. It might be linked to this Python bug. Anyway, I published a new version of the project which should fix this issue, by force-killing any child process that remains after running the target. You can download this new version in the Materials section of the CMS.
As this might impact your results in unexpected ways, I advise you to download it, and replace your versions of `project.ipynb` and the `coverage.sh` script with the new ones. Be careful not to overwrite your work. You should ensure that the `coverage.sh` script still has executable permissions (run `!chmod +x coverage.sh` in a cell of the notebook, for example).
You will need to kill any running instances of `HTML tidy` that might run in the background before running your project again. You have mainly two ways to do that:
If you still have problems after installing the fixes, you can contact me by email. The good news is, you get an extension of two days to submit your project, so that you can check that everything is working as you expected. The new deadline for the submission is Wednesday the 13th of November.

Regarding Grades for the Quizzes
Written on 06.11.19 by Michael Mera
Dear students,
We understand that you might not be able to attend every single lecture, so we will drop the two worst (or non-submitted) quizzes when computing the final grades.
Best,
Michaël Mera

What is allowed or not in the fuzzer from Project 1
Written on 30.10.19 by Michael Mera
This question came during the lecture yesterday, also on Askbot and finally again this morning, so I want to make it more clear what is actually expected from you.
You can use knowledge of the HTML standard inside your fuzzer to improve the mutations. You cannot use HTML snippets, either from the Internet or crafted manually, regardless of the size of these snippets.
Examples of allowed techniques would be: using a list of valid HTML tag names, using a list of special characters used in HTML, using html5lib to ensure you generate valid HTML markup.
Examples of forbidden techniques would be: using a snippet of HTML from the internet, crafting a specific HTML snippet using html5lib.
You can refer to this Askbot question for a more detailed answer on why we are asking this. When in doubt you can contact me by email (michael.mera@cispa.saarland) or on the Askbot.

Fix for Project 1
Written on 29.10.19 by Michael Mera
Dear students,
There is a bug in Project 1, this should be non-blocking at this point, but I updated the archive of the project in the CMS. If you already started to work locally or on the server, you should correct the following in the section "Provided Materials" of the notebook in the definition of "TidyCoverageRunner.run()":
- "if result:" should be replaced by "if result is not None:"
- in the case handling timeout, you need to replace "self._coverage = []" by "self._coverage = set()"
When you are updating, be careful not to overwrite your progress.

LSF registration -- "Generating Software Tests (Security Testing)"
Written on 26.10.19 by Rahul Gopinath
Dear students,
when you register for the course at LSF, please be sure to choose "Generating Software Tests (Security Testing)" as the name of the course.

Project 1
Written on 25.10.19 by Michael Mera
Hi all, Project 1 is out!
The goal of this project is to fuzz a HTML linter using mutation fuzzing techniques.
The project is available for download in the Materials section of the CMS. If you want to work locally on your personal machine, you can download it and use the scripts provided to build and run a Docker image suitable for the project (see the README.md file for details).
Alternatively, the project notebook is available, already configured, at https://fuzzingbook.cispa.saarland. To access the server you need to email me your Github username so that I can give you access to the system. Please think that there is quite a number of students, so to avoid overloading the server try to work locally when possible.
You can develop your solution as you wish, either locally or on the server, but for submission you have to write it down in the provided notebook and upload it to the CMS. You have two weeks to complete the project, starting from Monday (28/10).
More instructions on how to solve the project are in the notebook. If you have any doubt, just send us a question on the course Askbot.

LSF registration last date - 29.10.2019
Written on 24.10.19 by Rahul Gopinath
For the students who have to register at LSF, please do so by Tuesday 29.10.2019.

Course starts on October 15
Written on 14.10.19 by Andreas Zeller
The first lecture in this course takes place on Tuesday, October 15, 16:15 in CISPA, Lecture Hall 005.