Over the past decade, fuzzers have become the most widely used tools to test software security and robustness. Generating random inputs and feeding them to an application, they help detect undesired program behavior such as bugs and vulnerabilities.
FANDANGO, a new open-source fuzzing tool, uses an evolutionary algorithm to automatically generate myriads of high-quality test inputs that satisfy defined constraints. Advancing language-based testing by a decisive step, FANDANGO employs an iterative procedure that is modeled on biological evolution, yielding customized inputs that cover both semantics and syntax. Now available in its 1.0 release, FANDANGO has been developed by researchers at the CISPA Helmholtz Center for Information Security.
CISPA-researchers José Antonio Zamudio Amaya and Professor Dr. Andreas Zeller have introduced the bio-inspired algorithm to software fuzzing. In an emulation of biological evolution, their algorithm performs a process of mutation and selection to produce inputs that closely correspond to the tester’s conditions. Their paper is published in the journal Proceedings of the ACM on Software Engineering.
Zamudio explains, “The evolutionary algorithm is pretty straightforward. We start with a population of inputs that come from the specifications of a program. And then we do two things: first, mutate those inputs to trigger different changes and second, cross these inputs, which means combining parts of two inputs to produce offspring. We repeat this process and with every iteration, we evaluate the quality of the inputs in terms of meeting the constraints imposed by the tester.”
This process results in valid test inputs that are customized to specifically explore particular parts of the program that is being tested.
FANDANGO offers complete control over test inputs
While not the first fuzzing tool to automate test generation, FANDANGO is the first tool that gives software testers complete control over the characteristics of the inputs they generate. As Zeller explains, “In contrast to a normal fuzzer, Fandango produces inputs which are under the control of the tester, because we assume that the testers a) know what a typical input looks like and b) tend to have an idea where typical bugs might be. They are the ones with the domain knowledge and we want them to be able to use that domain knowledge when testing a program.”
FANDANGO enables testers not only to specify the syntax of the input, i.e., the structure they want it to have, but also to define the semantics of the input, i.e., its meaning and specific properties.
To illustrate FANDANGO’s benefits for software testing, Zeller uses the example of an online shop for custom-made furniture, where customers are required to enter individual values for height, length and depth that, taken together, determine the size of a piece of furniture.
“In this case,” Zeller explains, “it would be interesting to see what the program does when I say, for instance, ‘this piece of furniture should have a length of less than zero or a seating surface of one square kilometer.’ Using our evolutionary algorithm, FANDANGO could automatically compute values for all these individual fields—height, length, depth—that would precisely satisfy the condition of this immense surface of one square kilometer.”
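To make the mechanism concrete, the following is an added, self-contained Python sketch of the loop Zamudio describes (mutate, cross, evaluate against the constraints, select), applied to Zeller's furniture example; it is not FANDANGO's own code. A toy grammar supplies the syntax of an order line, two constraints supply the semantics, and the search stops once an order with a seating surface of exactly one square kilometre has been bred. The grammar, the centimetre units, the shop's form limits (height 1–300 cm, sides at most 100000 cm) and the choice of length × depth as the seating surface are all assumptions made for the example.

```python
import random
import re

# Toy grammar for the shop's order line (constructed for this example), values in cm.
GRAMMAR = {
    "<order>": [["height=", "<int>", ";length=", "<int>", ";depth=", "<int>"]],
    "<int>": [["<digit>"], ["<digit>", "<int>"]],
    "<digit>": [[c] for c in "0123456789"],
}
FIELDS = ("height", "length", "depth")
MAX_INT = 999_999                  # derive() stops <int> at six digits
ONE_SQUARE_KM = 100_000 * 100_000  # the tester's target seating surface, in cm^2

def derive(symbol, depth=0):  # syntax: a random derivation from GRAMMAR
    if symbol not in GRAMMAR:
        return symbol
    options = GRAMMAR[symbol] if depth < 6 else GRAMMAR[symbol][:1]  # bound recursion
    return "".join(derive(s, depth + 1) for s in random.choice(options))
def parse(text):  # semantics: read the three fields back as integers
    m = re.fullmatch(r"height=(\d+);length=(\d+);depth=(\d+)", text)
    return dict(zip(FIELDS, map(int, m.groups())))
def render(f):
    return ";".join(f"{k}={f[k]}" for k in FIELDS)
def fitness(f):  # lower is better: (shop form rules, assumed; distance to the tester's goal)
    off = lambda v, lo, hi: max(0, lo - v) + max(0, v - hi)
    rules = off(f["height"], 1, 300) + off(f["length"], 1, 100_000) + off(f["depth"], 1, 100_000)
    return (rules, abs(f["length"] * f["depth"] - ONE_SQUARE_KM))
def mutate(f):  # per field: re-derive it from the grammar, or nudge one decimal digit
    g = dict(f)
    for k in FIELDS:
        if random.random() < 0.1:
            g[k] = int(derive("<int>"))
        elif random.random() < 0.5:
            g[k] += 10 ** random.randrange(6) * random.choice((-1, 1))
            g[k] = min(MAX_INT, max(0, g[k]))  # stay within what the grammar can express
    return g
def crossover(a, b):  # offspring takes each field from either parent
    return {k: random.choice((a[k], b[k])) for k in FIELDS}

def evolve(seed=7, size=32, elite=16, generations=2000):
    """Mutate, cross and select until both constraints hold; returns (input, fitness, gens)."""
    random.seed(seed)
    pool = [parse(derive("<order>")) for _ in range(size)]
    for gen in range(generations):
        elites = sorted(pool, key=fitness)[:elite]
        if fitness(elites[0]) == (0, 0):
            break
        children = [mutate(crossover(*random.choices(elites, k=2))) for _ in range(size)]
        pool = list({render(f): f for f in elites + children}.values())  # keep distinct inputs
    best = min(pool, key=fitness)
    return render(best), fitness(best), gen
```

Because the shop rules cap both sides at 100000 cm, the only order with fitness (0, 0) is length=100000, depth=100000; the fitness tuple ranks rule violations ahead of the goal distance, so every non-optimal order has a single-digit edit that improves it and the search does not get stuck.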
Feedback invited: FANDANGO is available on GitHub
To let software testers and programmers benefit from their research, Zamudio and Zeller have made FANDANGO available on GitHub. The program is open-source and comes in the form of a simple command-line tool, accompanied by tutorials and extensive documentation. The CISPA researchers are also openly inviting feedback with the aim of improving their fuzzer even further.
“I can’t wait to see how people are using FANDANGO and what they suggest we implement further. I’ve already been talking to people at various companies. The idea of being in control over what should be tested and the idea of being able to check the results of a computation is a real boon to them,” Zeller says.
The CISPA research on FANDANGO will be presented at the International Symposium on Software Testing and Analysis (ISSTA 2025) in Trondheim, Norway on June 27, 2025.
More information:
José Antonio Zamudio Amaya et al., FANDANGO: Evolving Language-Based Testing, Proceedings of the ACM on Software Engineering (2025). DOI: 10.1145/3728915
Provided by CISPA Helmholtz Center for Information Security
Citation: Open-source fuzzer uses evolutionary algorithm to produce customized test inputs (2025, June 26), retrieved 26 June 2025 from https://techxplore.com/news/2025-06-source-fuzzer-evolutionary-algorithm-customized.html