Deep Reinforcement Fuzzing
Thursday, 8 February, 2018 - 16:00
Böttinger, Konstantin, Patrice Godefroid, and Rishabh Singh. "Deep Reinforcement Fuzzing." arXiv preprint arXiv:1801.04589 (2018).
Abstract: Fuzzing is the process of finding security vulnerabilities in input-processing code by repeatedly testing the code with modified inputs. In this paper, we formalize fuzzing as a reinforcement learning problem using the concept of Markov decision processes. This in turn allows us to apply state-of-the-art deep Q-learning algorithms that optimize rewards, which we define from runtime properties of the program under test. By observing the rewards caused by mutating with a specific set of actions performed on an initial program input, the fuzzing agent learns a policy that can next generate new higher-reward inputs. We have implemented this new approach, and preliminary empirical evidence shows that reinforcement fuzzing can outperform baseline random fuzzing.
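To make the formalization in the abstract concrete, the following is an added example (not the authors' code or the paper's implementation) of fuzzing as a Markov decision process: the state is what the current input exercises in the program under test, the actions are a fixed menu of mutation operators, and the reward is the number of code blocks the mutated input reaches that no earlier input did. Tabular Q-learning is used in place of the deep Q-network in the paper so the whole loop fits in one file; the target program, its block identifiers, the mutation set and the seed input are all constructed for this illustration. A plain random-mutation baseline with the same budget is included for comparison.

```python
import random
from collections import defaultdict

# Constructed program under test. Each branch records a block id, standing in
# for the coverage instrumentation a real fuzzer would attach to the target.
ALL_BLOCKS = {"entry", "short", "magic", "v1", "body", "checksum_ok", "v2", "bad_magic"}


def target(data: bytes) -> set:
    trace = {"entry"}
    if len(data) < 4:
        trace.add("short")
        return trace
    if data[:2] != b"FZ":
        trace.add("bad_magic")
        return trace
    trace.add("magic")
    if data[2] == 0x01:
        trace.add("v1")
        if len(data) >= 8 and 0 not in data[4:]:
            trace.add("body")
            if sum(data[4:8]) % 256 == data[3]:   # deepest path: checksum must match
                trace.add("checksum_ok")
    elif data[2] == 0x02:
        trace.add("v2")
    return trace


# The agent's action set: hypothetical mutation operators chosen for the example.
INTERESTING = (0x00, 0x01, 0x02, 0x7F, 0xFF)
N_ACTIONS = 6


def mutate(data: bytes, action: int, rng: random.Random) -> bytes:
    buf = bytearray(data) or bytearray(b"\x00")
    i = rng.randrange(len(buf))
    if action == 0:    # flip random bits of one byte
        buf[i] ^= rng.randrange(1, 256)
    elif action == 1:  # overwrite one byte with an "interesting" value
        buf[i] = rng.choice(INTERESTING)
    elif action == 2:  # insert a random byte
        buf.insert(i, rng.randrange(256))
    elif action == 3:  # delete a byte
        del buf[i]
    elif action == 4:  # truncate to the first half
        buf = buf[: max(1, len(buf) // 2)]
    elif action == 5:  # repair the magic header
        buf[0:2] = b"FZ"
    return bytes(buf)


def state_of(trace: set) -> tuple:
    # MDP state: the set of blocks the current input exercises. The paper derives
    # the state from the input bytes; a trace-based state keeps the table tiny.
    return tuple(sorted(trace))


def reward(trace: set, seen: set) -> int:
    # Runtime-property reward: blocks reached by this input that no earlier input hit.
    return len(trace - seen)


def train(seed_input=b"FZ\x01\x00abcd", episodes=40, steps=50,
          alpha=0.5, gamma=0.9, eps=0.3, seed=0):
    """Epsilon-greedy Q-learning over (state, mutation) pairs. Returns (Q, seen)."""
    rng = random.Random(seed)
    Q = defaultdict(float)
    seen = set()
    for _ in range(episodes):
        data = seed_input              # each episode restarts from the seed input
        trace = target(data)
        seen |= trace
        s = state_of(trace)
        for _ in range(steps):
            if rng.random() < eps:
                a = rng.randrange(N_ACTIONS)
            else:
                a = max(range(N_ACTIONS), key=lambda x: Q[(s, x)])
            data = mutate(data, a, rng)
            trace = target(data)
            r = reward(trace, seen)
            seen |= trace
            s2 = state_of(trace)
            best_next = max(Q[(s2, x)] for x in range(N_ACTIONS))
            Q[(s, a)] += alpha * (r + gamma * best_next - Q[(s, a)])
            s = s2
    return Q, seen


def random_fuzz(seed_input=b"FZ\x01\x00abcd", episodes=40, steps=50, seed=0):
    """Baseline: same mutation menu and budget, actions drawn uniformly at random."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(episodes):
        data = seed_input
        seen |= target(data)
        for _ in range(steps):
            data = mutate(data, rng.randrange(N_ACTIONS), rng)
            seen |= target(data)
    return seen


if __name__ == "__main__":
    _, rl_seen = train()
    print("reinforcement fuzzing found", sorted(rl_seen))
    print("random fuzzing found       ", sorted(random_fuzz()))
```

Because the reward is paid only on first discovery, it goes to zero once every block has been found, so the learned policy mostly reflects which mutations paid off early in the run; the paper's experiments measure exactly this kind of coverage gain against a random baseline, and on a toy target this small the two can tie, which is why the comparison is printed rather than asserted.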