ShellFuzzer: Grammar-based Fuzzing of Shell Interpreters
Riccardo Felici, Laura Pozzi, Carlo A. Furia

TL;DR
ShellFuzzer is a novel grammar-based fuzzing tool that automatically generates diverse shell scripts to detect faults and vulnerabilities in Unix shell interpreters, leading to the discovery of previously unknown issues.
Contribution
It introduces a new automated testing technique combining grammar-based generation with mutations for shell interpreters, addressing a research gap in this area.
Findings
Discovered 8 previously unknown issues in the mksh shell
7 issues confirmed and fixed by maintainers
Demonstrated effectiveness of grammar-based fuzzing for shells
Abstract
Despite its long-standing popularity and fundamental role in an operating system, the Unix shell has rarely been a subject of academic research. In particular, regardless of the significant progress in compiler testing, there has been hardly any work applying automated testing techniques to detect faults and vulnerabilities in shell interpreters. To address this important shortcoming, we present ShellFuzzer: a technique to test Unix shell interpreters by automatically generating a large number of shell scripts. ShellFuzzer combines grammar-based generation with selected random mutations, so as to produce a diverse range of shell programs with predictable characteristics (e.g., valid according to the language standard, and free from destructive behavior). In our experimental evaluation, ShellFuzzer generated shell programs that exposed 8 previously unknown issues that affected a…
Taxonomy
Topics: Natural Language Processing Techniques · Speech and dialogue systems · Topic Modeling
