Presenter: Charalambos Mitropoulos
Date: 20 September 2023

We introduce Fuzzol, the first syntax-aware mutation fuzzer for systematically testing the security and reliability of solc, the standard Solidity compiler. Fuzzol addresses a challenge of existing fuzzers when dealing with structured inputs: the generation of inputs that get past the parser checks of the system under test. To do so, Fuzzol introduces a novel syntax-aware mutation that breaks into three strategies, each of them making different kind of changes in the inputs. Moreover, to explore new paths in the compiler’s codebase faster, we introduce a mutation strategy prioritization algorithm that allows Fuzzol to identify and apply only those mutation strategies that are most effective in exercising new inter- esting paths. To evaluate Fuzzol, we test 33 of the latest solc stable re- leases, and compare fuzzol with (1) Superion, a grammar-aware fuzzer, (2) AFL-compiler-fuzzer, a text-mutation fuzzer and (3) two grammar-blind fuzzers with advanced test input generation schedules: AFLFast and MOpt-AFL. fuzzol identified 19 bugs in total (7 of which were previously unknown to Solidity developers), while the other fuzzers missed half of these bugs.

This work has been accepted at ESORICS '23 and will be presented in September 2023.