idw – Informationsdienst Wissenschaft

06/26/2025 13:55

Survival of the fuzziest: Open-source fuzzer uses evolutionary algorithm to produce customized test inputs

Eva Michely Unternehmenskommunikation
CISPA Helmholtz Center for Information Security

    The principle of the survival of the fittest, described by Charles Darwin in the 19th century,
    has now been applied to software testing: FANDANGO, a new open-source fuzzing tool,
    uses an evolutionary algorithm to automatically generate myriads of high-quality test
    inputs that satisfy defined constraints. Advancing language-based testing by a decisive
    step, FANDANGO employs an iterative procedure that is modeled on biological evolution,
    yielding customized inputs that cover both semantics and syntax. Now available in its 1.0
    release, FANDANGO has been developed by researchers at the CISPA Helmholtz Center
    for Information Security.

    Over the past decade, fuzzers have become the most widely used tools to test software
    security and robustness. Generating random inputs and feeding them to an application, they
    help detect undesired program behavior such as bugs and vulnerabilities. With FANDANGO,
    CISPA researchers José Antonio Zamudio Amaya and Professor Dr. Andreas Zeller have
    introduced a bio-inspired algorithm to software fuzzing. In an emulation of biological
    evolution, their algorithm performs a process of mutation and selection to produce inputs that closely correspond to the tester’s conditions. Zamudio explains: “The evolutionary algorithm is pretty straightforward. We start with a population of inputs that come from the specifications of a program. And then we do two things: first, mutate those inputs to trigger different changes and second, cross these inputs, which means combining parts of two inputs to produce offspring. We repeat this process and with every iteration, we evaluate the quality of the inputs in terms of meeting the constraints imposed by the tester.” This process results in valid test inputs that are customized to specifically explore particular parts of the program that is being tested.

    FANDANGO offers complete control over test inputs

    While not the first fuzzing tool to automate test generation, FANDANGO is the first tool that gives software testers complete control over the characteristics of the inputs they generate. As Zeller explains: “In contrast to a normal fuzzer, Fandango produces inputs which are under the control of the tester, because we assume that the testers a) know what a typical input looks like and b) tend to have an idea where typical bugs might be. They are the ones with the domain knowledge and we want them to be able to use that domain knowledge when testing a program.” FANDANGO enables testers not only to specify the syntax of the input, i.e. the structure they want it to have, but also to define the semantics of the input, i.e. its meaning and specific properties.

    To illustrate FANDANGO’s benefits for software testing, Zeller uses the example of an online shop for custom-made furniture, where customers are required to enter individual values for height, length and depth that, taken together, determine the size of a piece of furniture. “In this case,” Zeller explains, “it would be interesting to see what the program does when I say, for instance, ‘this piece of furniture should have a length of less than zero or a seating surface of one square kilometer’. Using our evolutionary algorithm, FANDANGO could automatically compute values for all these individual fields – height, length, depth – that would precisely satisfy the condition of this immense surface of one square kilometer.”
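
    The mutate, cross and evaluate loop described above, applied to the furniture constraint, as an added illustration that is not FANDANGO's code and does not use its specification language or API. The function names, the field layout, the reading of "seating surface" as length times depth, and all parameters (population size, step sizes, tolerance) are assumptions made for this sketch.

```python
import math
import random

TARGET_M2 = 1_000_000.0  # one square kilometre, expressed in square metres
FIELDS = ("height", "length", "depth")  # assumed input fields of the shop form

def violation(item):
    """Fitness: relative distance from the constraint length * depth == TARGET_M2."""
    return abs(item["length"] * item["depth"] - TARGET_M2) / TARGET_M2

def mutate(item, rng):
    """Scale one randomly chosen field; the step size spans several magnitudes."""
    child = dict(item)
    field = rng.choice(FIELDS)
    sigma = 10 ** rng.uniform(-4, 0)  # coarse steps early, fine steps near the goal
    child[field] *= math.exp(rng.gauss(0, sigma))  # multiplicative, stays positive
    return child

def crossover(a, b, rng):
    """Offspring takes each field from one of the two parents."""
    return {f: rng.choice((a, b))[f] for f in FIELDS}

def evolve(seed=1, size=100, elite=10, max_generations=2000, tolerance=1e-3):
    """Evolve form inputs until the best one satisfies the constraint."""
    rng = random.Random(seed)
    # Initial population: ordinary furniture dimensions in metres.
    population = [{f: rng.uniform(0.3, 3.0) for f in FIELDS} for _ in range(size)]
    for generation in range(max_generations):
        population.sort(key=violation)  # selection: lowest violation first
        if violation(population[0]) <= tolerance:
            break
        parents = population[:elite]  # survivors are carried over unchanged
        children = []
        while len(children) < size - elite:
            child = rng.choice(parents)
            if rng.random() < 0.5:  # half of the offspring combine two parents
                child = crossover(child, rng.choice(parents), rng)
            children.append(mutate(child, rng))
        population = parents + children
    return min(population, key=violation), generation

if __name__ == "__main__":
    best, generations = evolve()
    print(generations, best, violation(best))
```

    Height does not appear in this constraint, so it drifts freely; a second condition on it would simply be added to the violation score.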

    Feedback invited: FANDANGO is available on GitHub

    To let software testers and programmers benefit from their research, Zamudio and Zeller have made FANDANGO available on GitHub. The program is open-source and comes in the form of a simple command-line tool, accompanied by tutorials and extensive documentation. The CISPA researchers are also openly inviting feedback with the aim of improving their fuzzer even further. “I can’t wait to see how people are using FANDANGO and what they suggest we implement further. I’ve already been talking to people at various companies. The idea of being in control over what should be tested and the idea of being able to check the results of a computation is a real boon to them”, Zeller says. The CISPA research on FANDANGO will be presented at the International Symposium on Software Testing and Analysis (ISSTA) in Trondheim, Norway on June 27, 2025.


    Contact for scientific information:

    Prof. Dr. Andreas Zeller and José Antonio Zamudio Amaya
    CISPA Helmholtz Center for Information Security
    Stuhlsatzenhaus 5
    66123 Saarbrücken, Germany
    zeller@cispa.de / jose.zamudio@cispa.de


    Original publication:

    José Antonio Zamudio Amaya, Marius Smytzek, and Andreas Zeller. 2025. FANDANGO:
    Evolving Language-Based Testing. DOI: https://dl.acm.org/doi/10.1145/3728915


    More information:

    https://fandango-fuzzer.github.io/ The FANDANGO 1.0 release is available on GitHub.


    Images

    CISPA researchers Prof. Dr. Andreas Zeller (right) and José Antonio Zamudio Amaya (third from right) with the entire FANDANGO team

    Copyright: CISPA

