Jiawei Liu,Yuheng Huang,Zhijie Wang,Lei Ma,Chunrong Fang,Mingzheng Gu,Xufan Zhang,Zhenyu Chen

DOI: https://doi.org/10.1145/3628159

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Deep learning (DL) libraries have become the key component in developing and deploying DL-based software nowadays. With the growing popularity of applying DL models in both academia and industry across various domains, any bugs inherent in the DL libraries can potentially cause unexpected server outcomes. As such, there is an urgent demand for improving the software quality of DL libraries. Although there are some existing approaches specifically designed for testing DL libraries, their focus is usually limited to one specific domain, such as computer vision (CV). It is still not very clear how the existing approaches perform in detecting bugs of different DL libraries regarding different task domains and to what extent. To bridge this gap, we first conduct an empirical study on four representative and state-of-the-art DL library testing approaches. Our empirical study results reveal that it is hard for existing approaches to generalize to other task domains. We also find that the test inputs generated by these approaches usually lack diversity, with only a few types of bugs. What is worse, the false-positive rate of existing approaches is also high ( up to 58% ). To address these issues, we propose a guided differential fuzzing approach based on generation , namely, Gandalf . To generate testing inputs across diverse task domains effectively, Gandalf adopts the context-free grammar to ensure validity and utilizes a Deep Q-Network to maximize the diversity. Gandalf also includes 15 metamorphic relations to make it possible for the generated test cases to generalize across different DL libraries. Such a design can decrease the false positives because of the semantic difference for different APIs. We evaluate the effectiveness of Gandalf on nine versions of three representative DL libraries, covering 309 operators from computer vision, natural language processing, and automated speech recognition. The evaluation results demonstrate that Gandalf can effectively and efficiently generate diverse test inputs. Meanwhile, Gandalf successfully detects five categories of bugs with only 3.1% false-positive rates. We report all 49 new unique bugs found during the evaluation to the DL libraries’ developers, and most of these bugs have been confirmed. Details about our empirical study and evaluation results are available on our project website. 1

Yinlin Deng,Chunqiu Steven Xia,Chenyuan Yang,Shizhuo Dylan Zhang,Shujing Yang,Lingming Zhang

2023-04-05

Abstract:Deep Learning (DL) library bugs affect downstream DL applications, emphasizing the need for reliable systems. Generating valid input programs for fuzzing DL libraries is challenging due to the need for satisfying both language syntax/semantics and constraints for constructing valid computational graphs. Recently, the TitanFuzz work demonstrates that modern Large Language Models (LLMs) can be directly leveraged to implicitly learn all the constraints to generate valid DL programs for fuzzing. However, LLMs tend to generate ordinary programs following similar patterns seen in their massive training corpora, while fuzzing favors unusual inputs that cover edge cases or are unlikely to be manually produced. To fill this gap, this paper proposes FuzzGPT, the first technique to prime LLMs to synthesize unusual programs for fuzzing. FuzzGPT is built on the well-known hypothesis that historical bug-triggering programs may include rare/valuable code ingredients important for bug finding. Traditional techniques leveraging such historical information require intensive human efforts to design dedicated generators and ensure the validity of generated programs. FuzzGPT demonstrates that this process can be fully automated via the intrinsic capabilities of LLMs (including fine-tuning and in-context learning), while being generalizable and applicable to challenging domains. While FuzzGPT can be applied with different LLMs, this paper focuses on the powerful GPT-style models: Codex and CodeGen. Moreover, FuzzGPT also shows the potential of directly leveraging the instruct-following capability of the recent ChatGPT for effective fuzzing. Evaluation on two popular DL libraries (PyTorch and TensorFlow) shows that FuzzGPT can substantially outperform TitanFuzz, detecting 76 bugs, with 49 already confirmed as previously unknown bugs, including 11 high-priority bugs or security vulnerabilities.

Software Engineering

Zicong Gao,Hao Xiong,Weiyu Dong,Rui Chang,Rui Yang,Yajin Zhou,Liehui Jiang

DOI: https://doi.org/10.1109/tse.2023.3326144

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation-based fuzzing has been widely used in both academia and industry. Recently, researchers observe that the mutation scheduling scheme affects the efficiency of fuzzing. Accordingly, they propose PSO algorithm or machine learning-based technique to optimize the scheduling process. However, these methods fail to consider the fact that the optimal operator distribution of different seeds is different, even for the same program. In this paper, we propose a novel general scheduling scheme, named FA-fuzz, to find the optimal selecting probability distribution of mutation operators, which is based on the observations that the effective mutation operators are different for different seeds. Specifically, our method is based on the firefly algorithm. The positions of fireflies are mapped to the selection probability distribution of different mutation operators. The brightness of fireflies is expressed as the efficiency of discovering unique testcases. We implement prototype systems on multiple state-of-art fuzzers, and perform evaluations on two datasets. Our proposed method improves both the number of unique paths and unique bugs on real-world datasets. In addition, we discover 30 zero-day vulnerabilities in eight real-world programs, which demonstrate the effectiveness of FA-fuzz.

Nima Shiri Harzevili,Mohammad Mahdi Mohajer,Moshi Wei,Hung Viet Pham,Song Wang

2023-12-25

Abstract:Recently, many Deep Learning fuzzers have been proposed for testing of DL libraries. However, they either perform unguided input generation (e.g., not considering the relationship between API arguments when generating inputs) or only support a limited set of corner case test inputs. Furthermore, a substantial number of developer APIs crucial for library development remain untested, as they are typically not well-documented and lack clear usage guidelines. To fill this gap, we propose a novel fuzzer named Orion, which combines guided test input generation and corner case test input generation based on a set of fuzzing rules constructed from historical data that is known to trigger vulnerabilities in the implementation of DL APIs. To extract the fuzzing rules, we first conduct an empirical study regarding the root cause analysis of 376 vulnerabilities in two of the most popular DL libraries, i.e., PyTorch and TensorFlow. We then construct the rules based on the root causes of the historical vulnerabilities. Our evaluation shows that Orion reports 135 vulnerabilities on the latest releases of TensorFlow and PyTorch, 76 of which were confirmed by the library developers. Among the 76 confirmed vulnerabilities, 69 are previously unknown, and 7 have already been fixed. The rest are awaiting further confirmation. Regarding end-user APIs, Orion was able to detect 31.8% and 90% more vulnerabilities on TensorFlow and PyTorch, respectively, compared to the state-of-the-art conventional fuzzer, i.e., DeepRel. When compared to the state-of-the-art LLM-based DL fuzzer, AtlasFuzz, Orion detected 13.63% more vulnerabilities on TensorFlow and 18.42% more vulnerabilities on PyTorch. Regarding developer APIs, Orion stands out by detecting 117% more vulnerabilities on TensorFlow and 100% more vulnerabilities on PyTorch compared to the most relevant fuzzer designed for developer APIs, such as FreeFuzz.

Cryptography and Security,Software Engineering

Yinlin Deng,Chunqiu Steven Xia,Haoran Peng,Chenyuan Yang,Lingming Zhang

DOI: https://doi.org/10.48550/arXiv.2212.14834

2023-03-07

Abstract:Detecting bugs in Deep Learning (DL) libraries (e.g., TensorFlow/PyTorch) is critical for almost all downstream DL systems in ensuring effectiveness/safety for end users. Meanwhile, traditional fuzzing techniques can be hardly effective for such a challenging domain since the input DL programs need to satisfy both the input language (e.g., Python) syntax/semantics and the DL API input/shape constraints for tensor computations. To address these limitations, we propose TitanFuzz - the first approach to directly leveraging Large Language Models (LLMs) to generate input programs for fuzzing DL libraries. LLMs are titanic models trained on billions of code snippets and can auto-regressively generate human-like code snippets. Our key insight is that modern LLMs can also include numerous code snippets invoking DL library APIs in their training corpora, and thus can implicitly learn both language syntax/semantics and intricate DL API constraints for valid DL program generation. More specifically, we use both generative and infilling LLMs (e.g., Codex/InCoder) to generate and mutate valid/diverse input DL programs for fuzzing. Our experimental results demonstrate that TitanFuzz can achieve 30.38%/50.84% higher code coverage than state-of-the-art fuzzers on TensorFlow/PyTorch. Furthermore, TitanFuzz is able to detect 65 bugs, with 41 already confirmed as previously unknown bugs. This paper demonstrates that modern titanic LLMs can be leveraged to directly perform both generation-based and mutation-based fuzzing studied for decades, while being fully automated, generalizable, and applicable to domains challenging for traditional approaches (such as DL systems). We hope TitanFuzz can stimulate more work in this promising direction of LLMs for fuzzing.

Software Engineering

Yuanping Nie,Xiong Xiao,Bing Yang,Hanqing Li,Long Luo,Hongfang Yu,Gang Sun

DOI: https://doi.org/10.1109/eeiss62553.2024.00007

2024-01-01

Abstract:In recent years, deep learning (DL) applications have been widely used in both industrial and academic domains. Bugs in the DL framework have become one of the leading causes of DI. model training and deployment failures. At present, fuzzing has emerged as one of the most effective and commonly used techniques to detect bugs in the DL framework. However, existing fuzzing techniques focus on testing the high-level APIs and use a random-based generation approach to explore the vast input space of API parameters. This kind of approach suffers low effectiveness because it cannot distinguish which lines in the lower-level component have been executed. We analyzed the structure of the most popular DL frameworks (e.g., TensorFlow and PyTorch) and found that line coverage information from the Python layer can be used to characterize the execution of the underlying layers. Therefore, we propose PCFuzz, a Python coverage -guided fuzzing technique, to address the above question. The main idea of PCFuzz is to perform guided fuzzing tests based on the Python line coverage of lower-level components. To collect Python coverage at a low cost, we designed a light weighted Python instrumentation approach specifically for DL frameworks. On the basis of this instrumentation, PCFuzz then leverages coverage to optimize the mutation scheduling, thereby enhancing the overall effectiveness of DL framework fuzzing. We conduct experiments on the most popular DL frameworks TensorFlow and PyTorch and compare PCFuzz with the state-of-the-art model -level fuzzer LEMON and API -level fuzzer FreeFuzz. The results show that PCFuzz is more efficient in covering the codes in the low-level Python libraries and raw operations. Specifically, within the same time cost, PCFuzz achieves on average 13.9x higher Python line coverage than LEMON. For FreeFuzz, PCFuzz achieves on average 52.56% higher Python line coverage. In addition, during our preliminary experiments, PCFuzz discovered 1 previously unknown hug in TensorFlow.

Hong Jin Kang,Pattarakrit Rattanukul,Stefanus Agus Haryono,Truong Giang Nguyen,Chaiyong Ragkhitwetsagul,Corina Pasareanu,David Lo

DOI: https://doi.org/10.48550/arXiv.2212.04038

2022-12-08

Abstract:Many modern software systems are enabled by deep learning libraries such as TensorFlow and PyTorch. As deep learning is now prevalent, the security of deep learning libraries is a key concern. Fuzzing deep learning libraries presents two challenges. Firstly, to reach the functionality of the libraries, fuzzers have to use inputs from the valid input domain of each API function, which may be unknown. Secondly, many inputs are redundant. Randomly sampled invalid inputs are likely not to trigger new behaviors. While existing approaches partially address the first challenge, they overlook the second challenge. We propose SkipFuzz, an approach for fuzzing deep learning libraries. To generate valid inputs, SkipFuzz learns the input constraints of each API function using active learning. By using information gained during fuzzing, SkipFuzz infers a model of the input constraints, and, thus, generate valid inputs. SkipFuzz comprises an active learner which queries a test executor to obtain feedback for inference. After constructing hypotheses, the active learner poses queries and refines the hypotheses using the feedback from the test executor, which indicates if the library accepts or rejects an input, i.e., if it satisfies the input constraints or not. Inputs from different categories are used to invoke the library to check if a set of inputs satisfies a function's input constraints. Inputs in one category are distinguished from other categories by possible input constraints they would satisfy, e.g. they are tensors of a certain shape. As such, SkipFuzz is able to refine its hypothesis by eliminating possible candidates of the input constraints. This active learning-based approach addresses the challenge of redundant inputs. Using SkipFuzz, we have found and reported 43 crashes. 28 of them have been confirmed, with 13 unique CVEs assigned.

Software Engineering

Siqi Li,Yun Lin,Xiaofei Xie,Yuekang Li,Xiaohong Li,Weimin Ge,Yang Liu,Jinsong Dong

DOI: https://doi.org/10.1109/ASE51524.2021.9678794

IF: 1.677

2021-01-01

Automated Software Engineering

Abstract:Fuzzing has been a widely-used technique for discovering software vulnerabilities. Many existing fuzzers leverage coverage-feedback to evolve seeds to maximize (optimize) program branch coverage. Recently, some techniques propose to train deep learning models to predict the branch coverage of an arbitrary input. Those techniques have proved their success in improving coverage and discovering bugs under different experimental settings. However, deep learning models, usually as a black magic box, are notoriously lack of explanation. Moreover, their performance can be sensitive to the collected runtime coverage information for training, indicating potentially unstable performance. To this end, in this work we conduct a systematic and extensive empirical study on 4 types of deep learning models across 6 projects to reproduce the actual performance of deep learning fuzzers, analyze the advantages and disadvantages of deep learning in the process of fuzzing applications, and explore the future direction of the combination of the two. Our empirical results reveal that the deep learning models can only be effective in very limited scenarios, which is largely restrained by training data imbalance, dependant labels, model over-generalization, and the insufficient expressiveness of the state-of-the-art models. Consequently, the estimated gradients by the models to cover a branch can be less helpful in many scenarios.

Wang Jie,Cao Kefan,Fang Chunrong,Chen Jinxin

DOI: https://doi.org/10.23940/ijpe.19.10.p13.26752682

2019-01-01

International Journal of Performability Engineering

Abstract:In the past years, many resources have been allocated to research on deep learning networks for better classification and recognition. These models have higher accuracy and wider application contexts, but the weakness of easily being attacked by adversarial examples has raised our concern. It is widely acknowledged that the reliability of many safety-critical systems must be confirmed. However, not all systems have sufficient robustness, which makes it necessary to test these models before going into service. In this work, we introduce FDFuzz, an automated fuzzing technique that exposes incorrect behaviors of neural networks. Under the guidance of the neuron coverage metric, the fuzzing process aims to find those examples to let the network make mistakes via mutating inputs, which are then correctly classified. FDFuzz employs a feature detection technique to analyze input images and improve the efficiency of mutation by features of keypoints. Compared with TensorFuzz, the state-of-the-art open source library for neural network testing, FDFuzz demonstrates higher efficiency in generating adversarial examples and makes better use of elements in corpus. Although our mutation function consumes more time to generate new elements, it can generate 250% more adversarial examples and save testing time.

Jiazhen Gu,Xuchuan Luo,Yangfan Zhou,Xin Wang

DOI: https://doi.org/10.48550/arXiv.2204.08734

2022-04-19

Software Engineering

Abstract:Deep learning (DL) techniques are proven effective in many challenging tasks, and become widely-adopted in practice. However, previous work has shown that DL libraries, the basis of building and executing DL models, contain bugs and can cause severe consequences. Unfortunately, existing testing approaches still cannot comprehensively exercise DL libraries. They utilize existing trained models and only detect bugs in model inference phase. In this work we propose Muffin to address these issues. To this end, Muffin applies a specifically-designed model fuzzing approach, which allows it to generate diverse DL models to explore the target library, instead of relying only on existing trained models. Muffin makes differential testing feasible in the model training phase by tailoring a set of metrics to measure the inconsistencies between different DL libraries. In this way, Muffin can best exercise the library code to detect more bugs. To evaluate the effectiveness of Muffin, we conduct experiments on three widely-used DL libraries. The results demonstrate that Muffin can detect 39 new bugs in the latest release versions of popular DL libraries, including Tensorflow, CNTK, and Theano.

Xiangzhong Shen,Jieyi Zhang,Xiaonan Wang,Hongfang Yu,Gang Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00059

2021-01-01

Abstract:Deep learning(DL) frameworks are widely used for neural network model training and prediction in a lot of areas such as computer vision, natural language processing, medical image and so on. However, DL frameworks may contain bugs that lead to serious security problems, e.g., resource leakage, crashes, computational errors and abnormal behaviors, etc. In this work, we proposed FAME, a DL framework fuzzing system extended from LEMON with API mutation and optimizations for layer and weight mutation. FAME takes inconsistency as feedback to guide fuzzing and it's also able to detect two types of bugs: NaN bugs and crashes. In detail, NaN bugs represent computational logic defects in DL framework while crashes means serious problem in program logic or implementation. Compared with LEMON, FAME is able to adopt API mutation to generate models which could cover a mass of available values of parameters for selected layers. To be more clear, illegal parameters could cause model construction failure or DL frameworks' abnormal behaviors. In addition, we analyzed the disadvantages of some layer mutations and weight mutations of LEMON and proposed optimized methods to overcome them. We conducted FAME on five DL frameworks, i.e., TensorFlow, Pytorch, CNTK, Theano and MXNet to evaluate the effectiveness of our approach. The results of 7-day experiments demonstrate that FAME is effective to detect bugs in DL frameworks with totally 4 NaN and Crash bugs found.

Junjie Chen,Yihua Liang,Qingchao Shen,Jiajun Jiang,Shuochuan Li

2024-08-21

Abstract:DL frameworks are the basis of constructing all DL programs and models, and thus their bugs could lead to the unexpected behaviors of any DL program or model relying on them. Such a wide effect demonstrates the necessity and importance of guaranteeing DL frameworks' quality. Understanding the characteristics of DL framework bugs is a fundamental step for this quality assurance task, facilitating designing effective bug detection and debugging approaches. Hence, in this work we conduct the most large-scale study on 1,000 bugs from four popular and diverse DL frameworks (i.e., TensorFlow, PyTorch, MXNet, and DL4J). By analyzing the root causes and symptoms of DL framework bugs associated with 5 components decomposed from DL frameworks, as well as measuring test coverage achieved by three state-of-the-art testing techniques, we obtain 12 major findings for the comprehensive understanding of DL framework bugs and the current status of existing DL framework testing practice, and then provide a series of actionable guidelines for better DL framework bug detection and debugging. Finally, based on the guidelines, we design and implement a prototype DL-framework testing tool, called TenFuzz, which is evaluated to be effective and finds 3 unknown bugs on the latest TensorFlow framework in a preliminary study, indicating the significance of our guidelines.

Software Engineering

Ilya Yegorov,Eli Kobrin,Darya Parygina,Alexey Vishnyakov,Andrey Fedotov

2024-03-19

Abstract:Ensuring the security and reliability of machine learning frameworks is crucial for building trustworthy AI-based systems. Fuzzing, a popular technique in secure software development lifecycle (SSDLC), can be used to develop secure and robust software. Popular machine learning frameworks such as PyTorch and TensorFlow are complex and written in multiple programming languages including C/C++ and Python. We propose a dynamic analysis pipeline for Python projects using the Sydr-Fuzz toolset. Our pipeline includes fuzzing, corpus minimization, crash triaging, and coverage collection. Crash triaging and severity estimation are important steps to ensure that the most critical vulnerabilities are addressed promptly. Furthermore, the proposed pipeline is integrated in GitLab CI. To identify the most vulnerable parts of the machine learning frameworks, we analyze their potential attack surfaces and develop fuzz targets for PyTorch, TensorFlow, and related projects such as h5py. Applying our dynamic analysis pipeline to these targets, we were able to discover 3 new bugs and propose fixes for them.

Cryptography and Security,Artificial Intelligence,Software Engineering

Jiawei Wu,Senyi Li,Junqiang Li,Long Luo,Hongfang Yu,Gang Sun

DOI: https://doi.org/10.1109/dsc55868.2022.00061

2022-01-01

Abstract:The large-scale use of deep learning (DL) technology makes it important to ensure software security in DL systems. All DL systems depend on the DL framework to achieve development tasks. If any vulnerability exists in the DL framework, DL systems will contain potential security risks. In addition, existing DL framework testing methods typically use inconsistencies as the feedback and cannot effectively cover the entire layer, leading to inefficiencies in finding vulnerabilities.In this work, we propose DeepCov, a layer edge coverage based DL framework fuzzing system. DeepCov uses the mutation-based method to generate models that fully explore layer APIs of the DL framework. DeepCov detects three types of bugs, including inconsistency, NaN and crash bugs. Compared to the previous inconsistency guided tool LEMON, DeepCov considers the layer edge coverage metric and uses the multi-dimensional evaluation based seed selection and strategic layer addition operator. By analysing and utilizing the information from models, DeepCov generates mutated models with more API calls of layer types which eventually explore larger model layer space in the DL framework testing. To show the effectiveness of our approach, we evaluated DeepCov on five DL frameworks, i.e., TensorFlow, Pytorch, CNTK, Theano and MXNet. The results show that DeepCov achieves 5 times improvement in the number of tested layer types compared with LEMON. Moreover, 6 crash bugs, 11 unique inconsistency bugs, and a NaN bug were found.

Pin Ji,Yang Feng,Duo Wu,Lingyue Yan,Pengling Chen,Jia Liu,Zhihong Zhao

DOI: https://doi.org/10.1109/tse.2024.3509975

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:The rapidly developing deep learning (DL) techniques have been applied insoftware systems with various application scenarios. However, they could alsopose new safety threats with potentially serious consequences, especially insafety-critical domains. DL libraries serve as the underlying foundation for DLsystems, and bugs in them can have unpredictable impacts that directly affectthe behaviors of DL systems. Previous research on fuzzing DL libraries stillhas limitations in the diversity of test inputs, the construction of testoracles, and the precision of detection. In this paper, we propose MoCo, anovel fuzzing testing method for DL libraries via assembling code. MoCo firstdisassembles the seed code file to obtain the template and code blocks, andthen employs code block mutation operators (e.g., API replacement, randomgeneration, and boundary checking) to generate more new code blocks adapted tothe template. By inserting context-appropriate code blocks into the templatestep by step, MoCo can generate a tree of code files with intergenerationalrelations. According to the derivation relations in this tree and the appliedmutation operators, we construct the test oracle based on the execution stateconsistency. Since the granularity of code assembly and mutation is controlledrather than randomly divergent, we can quickly pinpoint the lines of code wherethe bugs are located and the corresponding triggering conditions. We conduct acomprehensive experiment to evaluate the efficiency and effectiveness of MoCousing three widely-used DL libraries (i.e., TensorFlow, PyTorch, and Jittor).During the experiment, MoCo detects 64 new bugs of four types in three DLlibraries, where 51 bugs have been confirmed, and 13 bugs have been fixed bydevelopers.

Jianmin Guo,Yu Jiang,Yue Zhao,Quan Chen,Jiaguang Sun

DOI: https://doi.org/10.1145/3236024.3264835

2018-01-01

Abstract:Deep learning (DL) systems are increasingly applied to safety-critical domains such as autonomous driving cars. It is of significant importance to ensure the reliability and robustness of DL systems. Existing testing methodologies always fail to include rare inputs in the testing dataset and exhibit low neuron coverage. In this paper, we propose DLFuzz, the first differential fuzzing testing framework to guide DL systems exposing incorrect behaviors. DLFuzz keeps minutely mutating the input to maximize the neuron coverage and the prediction difference between the original input and the mutated input, without manual labeling effort or cross-referencing oracles from other DL systems with the same functionality. We present empirical evaluations on two well-known datasets to demonstrate its efficiency. Compared with DeepXplore, the state-of-the-art DL whitebox testing framework, DLFuzz does not require extra efforts to find similar functional DL systems for cross-referencing check, but could generate 338.59% more adversarial inputs with 89.82% smaller perturbations, averagely obtain 2.86% higher neuron coverage, and save 20.11% time consumption.

Kairui Gong,Wenchuan Yang,Baojiang Cui,Chen Chen

DOI: https://doi.org/10.1109/EIECT58010.2022.00080

2022-01-01

Abstract:With the development of information technology, program vulnerabilities have become more complex and diversified, posing a great threat to the security of computer systems. Among many vulnerability detection methods, fuzzing is an popular method of automatic vulnerability mining which efficiency depends on the quality of generated samples. Some work has introduced reinforcement learning into fuzzing to provide an intelligent scheme for vulnerability mining, but there is still the problem of exploring invalid sample space. In order to solve this problem, this paper proposes a new fuzzer called DRLFCfuzzer, which is based on data boundary segmentation technology and guided by multi-dimensional deep reinforcement learning. We model the fuzzing process as a Markov decision process, add the segmentation of data boundaries and the selection of data blocks on the basis of multi-dimensional mutation, and improve the efficiency of the fuzzing by pruning unnecessary exploration of sample spaces. The experimental results show that DRLFCfuzzer achieves code coverage of 128% to 800% of AFL and 112% to 160% of general deep reinforcement learning fuzzer and more crashes in some programs of the Fuzzer-Test-Suite dataset and three real world programs.

XIAO Tian,JIANG Zhihao,TANG Peng,HUANG Zheng,GUO Jie,QIU Weidong

DOI: https://doi.org/10.11959/j.issn.2096−109x.2023027

2023-01-01

Abstract:With the continuous growth and advancement of the Internet and information technology, continuous growth and advancement of the Internet and information technology.Nevertheless, these applications’ vulnerabilities pose a severe threat to information security and users’ privacy.Fuzzing was widely used as one of the main tools for automatic vulnerability detection due to its ease of vulnerability recurrence and low false positive errors.It generates test cases randomly and executes the application by optimization in terms of coverage or sample generation to detect deeper program paths.However, the mutation operation in fuzzing is blind and tends to make the generated test cases execute the same program path.Consequently, traditional fuzzing tests have problems such as low efficiency, high randomness of inputs generation and limited pertinence of the program structure.To address these problems, a directional fuzzing based on deep reinforcement learning was proposed, which used deep reinforcement learning networks with information obtained by staking program to guide the selection of the inputs.Besides, it enabled fast approximation and inspection of the program paths that may exist vulnerabilities.The experimental results showed that the proposed approach had better performance than the popular fuzzing tools such as AFL and AFLGO in terms of vulnerability detection and recurrence on the LAVA-M dataset and real applications like LibPNG and Binutils.Therefore, the approach can provide support for further vulnerability mining and security research.

Xiaogang Zhu,Shigang Liu,Xian Li,Sheng Wen,Jun Zhang,Camtepe Seyit,Yang Xiang

2020-01-01

Abstract: Fuzzing is one of the most effective technique to identify potential software vulnerabilities. Most of the fuzzers aim to improve the code coverage, and there is lack of directedness (e.g., fuzz the specified path in a software). In this paper, we proposed a deep learning (DL) guided directed fuzzing for software vulnerability detection, named DeFuzz. DeFuzz includes two main schemes: (1) we employ a pre-trained DL prediction model to identify the potentially vulnerable functions and the locations (i.e., vulnerable addresses). Precisely, we employ Bidirectional-LSTM (BiLSTM) to identify attention words, and the vulnerabilities are associated with these attention words in functions. (2) then we employ directly fuzzing to fuzz the potential vulnerabilities by generating inputs that tend to arrive the predicted locations. To evaluate the effectiveness and practical of the proposed DeFuzz technique, we have conducted experiments on real-world data sets. Experimental results show that our DeFuzz can discover coverage more and faster than AFL. Moreover, DeFuzz exposes 43 more bugs than AFL on real-world applications.

Xiajing Wang,Changzhen Hu,Rui Ma,Binbin Li,Xuefei Wang

DOI: https://doi.org/10.1109/ICTAI50040.2020.00098

2020-01-01

Abstract:Fuzzing is a well-known technique for efficiently finding software vulnerabilities. Unfortunately, due to syntax check, even the state-of-the-art fuzzers are not very efficient at discovering hard-to-trigger bugs in applications that expect highly structured inputs. Grammar-based fuzzers, while effective, often require expert knowledge and incur significant computational overhead. In this paper, we present LAFuzz, an automated fuzzer that generates high-quality seed inputs, which utilizes a variety of deep neural network model with different setup to efficiently fuzz programs that expect structured or unstructured inputs. We achieve this by combining mutation-based fuzzing and generation-based fuzzing offline. Our evaluation on 8 popular real-world applications demonstrated that LAFuzz-LSTM and LAFuzz-Attention significantly outperform AFL, a state-of-the-art fuzzer, on most cases both at discovering more crashes and achieving higher code coverage. In total, LAFuzz-LSTM and LAFuzz-Attention can effectively improve the code coverage over AFL by 7.55% and 7.67%; and both fuzzers can consistently discover 30.19% as well as 82.39% more unique crashes. Furthermore, extensive evaluation also showed that LAFuzz provides a great compatibility and expansibility.