Part IV: Semantic Fuzzing

This part introduces test generation techniques that take the semantics of the input into account, notably the behavior of the program that processes the input.

  • Fuzzing with Constraints adds semantic constraints to grammars. By solving these automatically, we can produce inputs that are syntactically and semantically valid.

  • Grammar Mining shows how to extract an input grammar from a program by analyzing how individual parts of the input are processed. The resulting grammars can be directly used for fuzzing.

  • Tracking Information Flow shows how to track inputs throughout the program, in order to discover information leaks and further improve analysis techniques.

  • Concolic Fuzzing analyzes program code to solve the path constraints collected along an execution, so as to cover branches and behaviors that are otherwise hard to reach.

  • Symbolic Fuzzing works like concolic fuzzing, but does not require any executions at all.

  • Mining Function Specifications extracts type information as well as pre- and postconditions from program executions – useful information for program analysis, testing, and verification.