Eureka! Institutional Repository

The discovery of exploitable software vulnerabilities is a time consuming and demanding task. Fuzz testing (or fuzzing) is a collection of technologies and techniques that provide random (and carefully constructed random) data to applications as inputs with the goal of triggering not intended behavior and ultimately to the discovery of bugs. The objective of this thesis is the design and implementation of an infrastructure that aids in the deployment of distributed fuzzing campaigns and the centralized storage of results and statistics. By automating phases of the fuzzing process we aim to reduce the administrative overhead. Moreover, our modular architecture allows for the continuous improvement and targeted customization of the fuzzing phases for each particular application under investigation. The thesis is structured as follows. Chapter 1 introduces the concepts of software vulnerabilities and how can their exploitation lead to the violation of trust boundaries. Existing vulnerability discovery methods are also presented therein. Fuzzing, a method of vulnerability discovery, is thoroughly examined, in Chapter 2. The concepts presented in this chapter are further assisted by showcasing stateof- the art tools. Chapter 3 presents the distributed fuzzing infrastructure that we have designed, implemented and deployed. A hands-on example on the use of our system is given at Chapter 4. The process of setting up a distributed fuzzing campaign is practically presented, in relation to the theoretical concepts presented at Chapter 2. We conclude with the strengths and shortcomings of our developed distributed fuzzing infrastructure and the future plans regarding its improvements.