The principle of the survival of the fittest, described by Charles Darwin in the 19th century,
has now been applied to software testing: FANDANGO, a new open-source fuzzing tool,
uses an evolutionary algorithm to automatically generate myriads of high-quality test
inputs that satisfy defined constraints. Advancing language-based testing by a decisive
step, FANDANGO employs an iterative procedure that is modeled on biological evolution,
yielding customized inputs that cover both semantics and syntax. Now available in its 1.0
release, FANDANGO has been developed by researchers at the CISPA Helmholtz Center
for Information Security.
Over the past decade, fuzzers have become the most widely used tools to test software
security and robustness. Generating random inputs and feeding them to an application, they
help detect undesired program behavior such as bugs and vulnerabilities. With FANDANGO,
CISPA researchers José Antonio Zamudio Amaya and Professor Dr. Andreas Zeller have
introduced a bio-inspired algorithm to software fuzzing. In an emulation of biological
evolution, their algorithm performs a process of mutation and selection to produce inputs that closely correspond to the tester’s conditions. Zamudio explains: “The evolutionary algorithm is pretty straightforward. We start with a population of inputs that come from the specifications of a program. And then we do two things: first, mutate those inputs to trigger different changes and second, cross these inputs, which means combining parts of two inputs to produce offspring. We repeat this process and with every iteration, we evaluate the quality of the inputs in terms of meeting the constraints imposed by the tester.” This process results in valid test inputs that are customized to specifically explore particular parts of the program that is being tested.
FANDANGO offers complete control over test inputs
While not the first fuzzing tool to automate test generation, FANDANGO is the first tool that gives software testers complete control over the characteristics of the inputs they generate. As Zeller explains: “In contrast to a normal fuzzer, Fandango produces inputs which are under the control of the tester, because we assume that the testers a) know what a typical input looks like and b) tend to have an idea where typical bugs might be. They are the ones with the domain knowledge and we want them to be able to use that domain knowledge when testing a program.” FANDANGO enables testers not only to specify the syntax of the input, i.e. the structure they want it to have, but also to define the semantics of the input, i.e. its meaning and specific properties.
To illustrate FANDANGO’s benefits for software testing, Zeller uses the example of an online shop for custom-made furniture, where customers are required to enter individual values for height, length and depth that taken together determine the size of a piece of furniture. “In this case,” Zeller explains, “it would be interesting to see what the program does when I say, for instance, ‘this piece of furniture should have a length of less than zero or a seating surface of one square kilometer’. Using our evolutionary algorithm, FANDANGO could automatically compute values for all these individual fields – height, length, depth – that would precisely satisfy the condition of this immense surface of one square kilometer.”
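The mutate, cross and select loop described above, applied to the furniture example, as an added Python sketch; it is not FANDANGO's code and does not use its specification language. The `height=…&length=…&depth=…` order-form syntax, the centimetre units, the 0.1 % tolerance and all function names are assumptions made for the illustration.

```python
import random

# Assumed input syntax (not from the article): height=<int>&length=<int>&depth=<int>, in cm
FIELDS = ("height", "length", "depth")
KM2_IN_CM2 = 10**10  # one square kilometre in cm^2

def render(ind):
    """Serialise an individual into the assumed order-form syntax."""
    return "&".join(f"{k}={ind[k]}" for k in FIELDS)

# Semantic constraints as distance functions: 0 means satisfied, larger is worse.
def huge_surface(ind, tol=0.001):
    """length x depth within 0.1 % of one square kilometre (tolerance assumed)."""
    err = abs(ind["length"] * ind["depth"] - KM2_IN_CM2) / KM2_IN_CM2
    return 0.0 if err <= tol else err

def negative_length(ind):  # constraint: length below zero
    return max(0, ind["length"] + 1)

def mutate(ind, rng):
    """Change one field: a coarse rescale or a fine +/-10 cm nudge."""
    child = dict(ind)
    field = rng.choice(FIELDS)
    if rng.random() < 0.5:
        child[field] = int(child[field] * rng.uniform(0.5, 2.0))
    else:
        child[field] += rng.randint(-10, 10)
    return child

def crossover(a, b, rng):
    """Offspring takes each field from one of the two parents."""
    return {k: rng.choice((a[k], b[k])) for k in FIELDS}

def evolve(constraint, seed=0, pop_size=60, generations=2000):
    """Return (input string, remaining distance) for the fittest individual."""
    rng = random.Random(seed)
    pop = [{k: rng.randint(30, 300) for k in FIELDS} for _ in range(pop_size)]  # ordinary sizes
    for _ in range(generations):
        pop.sort(key=constraint)               # evaluate against the constraint
        if constraint(pop[0]) == 0:
            break
        parents = pop[: pop_size // 4]         # selection: the fittest quarter survives
        pop = parents + [mutate(crossover(rng.choice(parents), rng.choice(parents), rng), rng)
                         for _ in range(pop_size - len(parents))]
    best = min(pop, key=constraint)
    return render(best), constraint(best)

if __name__ == "__main__":
    print(evolve(huge_surface), evolve(negative_length))
```

A returned distance of 0 means the generated string is syntactically valid and meets the semantic constraint, so it can be fed to the form handler under test.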
Feedback invited: FANDANGO is available on GitHub
To let software testers and programmers benefit from their research, Zamudio and Zeller have made FANDANGO available on GitHub. The program is open-source and comes in the form of a simple command-line tool, accompanied by tutorials and extensive documentation. The CISPA researchers are also openly inviting feedback with the aim of improving their fuzzer even further. “I can’t wait to see how people are using FANDANGO and what they suggest we implement further. I’ve already been talking to people at various companies. The idea of being in control over what should be tested and the idea of being able to check the results of a computation is a real boon to them”, Zeller says. The CISPA research on FANDANGO will be presented at the International Symposium on Software Testing and Analysis (ISSTA) in Trondheim, Norway on June 27, 2025.
Prof. Dr. Andreas Zeller and José Antonio Zamudio Amaya
CISPA Helmholtz Center for Information Security
Stuhlsatzenhaus 5
66123 Saarbrücken, Germany
zeller@cispa.de / jose.zamudio@cispa.de
José Antonio Zamudio Amaya, Marius Smytzek, and Andreas Zeller. 2025. FANDANGO:
Evolving Language-Based Testing. DOI: https://dl.acm.org/doi/10.1145/3728915
https://fandango-fuzzer.github.io/ The FANDANGO 1.0 release is available on GitHub.
CISPA-researchers Prof. Dr. Andreas Zeller (right) and José Antonio Zamudio Amaya (third from right) ...
Copyright: CISPA