Using Structured Random Data to Precisely Fuzz Media Players

Users rarely consider their media player as a security critical application. However, with an increasing amount of media content available on the web, users are exposing themselves to attack by downloading possibly malicious content. We focus on identifying vulnerabilities in three media formats (AVI, MPEG and Ogg) and two media players (MPlayer and VLC). We use a modification of traditional format-free fuzzing techniques to identify vulnerabilities in the format-strict environment of media players. We build upon typical fuzzing techniques by (1) adding structure to random files and (2) randomizing real files. We find that with these added techniques, fuzzing can be used to find bugs in applications with strict format requirements. Randomizing real files can, with no knowledge of file structure, identify a wide variety of bugs. While strategically adding structure to random files can produce a greater number of crashes, this was not correlated with finding a greater number of unique bugs.