Bo Shuai,Mengjun Li,Haifeng Li,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/CECNet.2013.6703400

2013-01-01

Abstract:In order to solve the problems of traditional Fuzzing technique for software vulnerability detection, this paper proposes a novel method based on genetic algorithm and dynamic taint analysis. First, static analysis is applied to calculate the critical path information, including danger functions, high cyclomatic number functions and loop structures. Second, dynamic taint analysis is introduced to identify the key bytes to reduce the input space. Third, the genetic algorithm fitness function is constructed based on the critical path information to guide the test case generation and the genetic operators are executed on the reduced input space. Experiments show that the method could obtain higher vulnerability detection accuracy and efficiency.

Xinshi Zhou,Bin Wu

DOI: https://doi.org/10.1109/itnec48623.2020.9084765

2020-01-01

Abstract:Web fuzzing has always been an effective way to detect web vulnerabilities. Normally, traditional web fuzzing method mainly use limited test cases or generate test cases based on certain rules, which cause web fuzzing slow and inefficient. To solve this problem, we present improved genetic algorithm with a new mutation method to generate test cases. And the concept of preset functional units is proposed: test cases are divided into different functional units to ensure that the semantic structure will not be damaged during crossover and mutation. The experimental results show that the improved algorithm can generate better test cases than the standard genetic algorithm (SGA) and the adaptive genetic algorithm (AGA) and also detect more web vulnerabilities.

Yuwei Li,Shouling Ji,Chenyang Lyu,Yuan Chen,Jianhai Chen,Qinchen Gu,Chunming Wu,Raheem Beyah

DOI: https://doi.org/10.1109/TCYB.2020.3013675

Abstract:Fuzzing is a technique of finding bugs by executing a target program recurrently with a large number of abnormal inputs. Most of the coverage-based fuzzers consider all parts of a program equally and pay too much attention to how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this article, we design and implement an evolutionary fuzzing framework called V-Fuzz, which aims to find bugs efficiently and quickly in limited time for binary programs. V-Fuzz consists of two main components: 1) a vulnerability prediction model and 2) a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of a program are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which are more likely to arrive at the vulnerable locations, guided by the vulnerability prediction result. The experimental results demonstrate that V-Fuzz can find bugs efficiently with the assistance of vulnerability prediction. Moreover, V-Fuzz has discovered ten common vulnerabilities and exposures (CVEs), and three of them are newly discovered.

Wenjie Wang,Donghai Tian,Rui Ma,Hang Wei,Qianjin Ying,Xiaoqi Jia,Lei Zuo

DOI: https://doi.org/10.23919/jcc.2021.08.001

2021-01-01

China Communications

Abstract:Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.

Yuwei Li,Shouling Ji,Chenyang Lv,Yuan Chen,Jianhai Chen,Qinchen Gu,Chunming Wu

DOI: https://doi.org/10.48550/arxiv.1901.01142

2019-01-01

Abstract:Fuzzing is a technique of finding bugs by executing a software recurrently with a large number of abnormal inputs. Most of the existing fuzzers consider all parts of a software equally, and pay too much attention on how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this paper, we design and implement a vulnerability-oriented evolutionary fuzzing prototype named V-Fuzz, which aims to find bugs efficiently and quickly in a limited time. V-Fuzz consists of two main components: a neural network-based vulnerability prediction model and a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of the software are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which tend to arrive at the vulnerable locations, guided by the vulnerability prediction result. Experimental results demonstrate that V-Fuzz can find bugs more efficiently than state-of-the-art fuzzers. Moreover, V-Fuzz has discovered 10 CVEs, and 3 of them are newly discovered. We reported the new CVEs, and they have been confirmed and fixed.

Guangcheng Liang,Lejian Liao,Xin Xu,Jianguang Du,Guoqiang Li,Henglong Zhao

DOI: https://doi.org/10.1109/CIS.2013.135

2013-01-01

Abstract:In this paper we present a new vulnerability-targeted black box fuzzing approach to effectively detect errors in the program. Unlike the standard fuzzing techniques that randomly change bytes of the input file, our approach remarkably reduces the fuzzing range by utilizing an efficient dynamic taint analysis technique. It locates the regions of seed files that affect the values used at the hazardous points. Thus it enables to pay more attention to deep errors in the core of the program. Because our approach is directly targeted to the specific potential vulnerabilities, most of the detected errors are with vulnerability signatures. Besides, this approach does not need the information of the input file format in advance. So it is especially appropriate for testing applications with complex and highly structured input file formats. We design and implement a prototype, Taint Fuzz, to realize this approach. The experiments demonstrate that Taint Fuzz can effectively expose more errors with much lower time cost and much smaller number of input samples compared with the standard fuzzer.

Bo Shuai,Haifeng Li,Jian Wang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.2991/nceece-15.2016.213

2016-01-01

Abstract:In order to elevate efficiency of traditional Fuzzing technique, a novel method using genetic algorithm is proposed based on path coverage and test cost. There are evidences that GA has been already successful in generating test cases. Considering path coverage as the test adequacy criterion, we have designed a GA-based test data generator that is able to synthesize multiple test data to cover multiple target paths. Meanwhile, in order to reduce the test cost in Fuzzing process, test cost is analyzed respectively from running time and loop structure in the method. Experimental results show that proposed approach could obtain higher vulnerability detection accuracy and efficiency.

Michael Wang,Michael Robinson

2023-07-22

Abstract:Fuzzing is a popular vulnerability automated testing method utilized by professionals and broader community alike. However, despite its abilities, fuzzing is a time-consuming, computationally expensive process. This is problematic for the open source community and smaller developers, as most people will not have dedicated security professionals and/or knowledge to perform extensive testing on their own. The goal of this project is to increase the efficiency of existing fuzzers by allowing fuzzers to explore more paths and find more bugs in shorter amounts of time, while still remaining operable on a personal device. To accomplish this, adversarial methods are built on top of current evolutionary algorithms to generate test cases for further and more efficient fuzzing. The results of this show that adversarial attacks do in fact increase outpaces existing fuzzers significantly and, consequently, crashes found.

Software Engineering

Lu Yu,Yuliang Lu,Yi Shen,Yuwei Li,Zulie Pan

DOI: https://doi.org/10.1038/s41598-022-07355-5

IF: 4.6

2022-01-01

Scientific Reports

Abstract:Directed greybox fuzzing (DGF) is an effective method to detect vulnerabilities of the specified target code. Nevertheless, there are three main issues in the existing DGFs. First, the target vulnerable code of the DGFs needs to be manually selected, which is tedious. Second, DGFs mainly leverage distance information as feedback, which neglects the unequal roles of different code snippets in reaching the targets. Third, most of the existing DGFs need the source code of the test programs, which is not available for binary programs. In this paper, we propose a vulnerability-oriented directed binary fuzzing framework named VDFuzz, which automatically identifies the targets and leverages dynamic information to guide the fuzzing. In specific, VDFuzz consists of two components, a target identifier and a directed fuzzer. The target identifier is designed based on a neural-network, which can automatically locate the target code areas that are similar to the known vulnerabilities. Considering the inequality of code snippets in reaching the given target, the directed fuzzer assigns different weights to basic blocks and takes the weights as feedback to generate test cases to reach the target code. Experimental results demonstrate that VDFuzz outperformed the state-of-the-art fuzzers and was effective in vulnerability detection of real-world programs.

Baojiang Cui,Xiaobing Liang,Jianxin Wang

DOI: https://doi.org/10.1007/978-3-642-25664-6_30

2011-01-01

Abstract:The automatic identification of security vulnerabilities in the binary code is still a young but important research area for the security researchers. In recent years, the number of identified integer overflow vulnerabilities has been increasing rapidly. In this paper, we present a smart software vulnerability detection technology, which is used for the identification of integer overflow vulnerabilities in the binary executables. The proposed algorithm is combined with debugger module, static analysis module and genetic algorithm module. We use the fitness function to guide the generation of the tested data and use static analysis to provide the information that the genetic module needs. Theory analyses and experiment results indicate that the detection technology based upon genetic algorithm can identify the exceptions in the object program and is more efficient than the common Fuzzing technology.

Ying WANG,Li-ze GU,Yi-xian YANG,Yu-xin DONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2014.10.023

2014-01-01

Abstract:The dynamic testing for automaticlly identifing security vulnerabilities in binary executables has received increas-ingly interest in recent years .In this paper ,we present a new automated whitebox fuzzing tool EWFT (Execution-based Whitebox Fuzzing Tool ) ,which implements dynamic symbolic execution and taint tracing techniques during program execution .Our contribu-tions are:1 )we propose a ROBDD (Reduced Ordered Binary Decision Diagram )-based approach to analyse execution process ,2 )we introduce a new path weight analysis algorithm (PWA )for searching path space and automating test data generation ,and 3 )we build a prototype tool that automatically finds software vulnerabilities .Results of our experiments show that execution-based whitebox fuzzing is powerful to identify variety of security vulnerabilities in real applications .Compared to the related work in the research area ,it explored deeper program paths on the average ,and achieved higher structural coverage .

Bo Wu,Bin Zhang,Sha Meng Wen,Meng Jun Li,Quan Zhang,Chao Jing Tang

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.539

2014-01-01

Applied Mechanics and Materials

Abstract:Traditional Fuzzing is simple and easy to deploy but inefficient due to different inputs usually execute the redundant path. In this paper, we put forward a binary-oriented Fuzzing technique based on input format analysis and dynamic taint analysis, which can detect vulnerability more efficient than traditional Fuzzing method. We implemented a prototype system called Smart and Directed Fuzz (SDFuzz), which first searches the locations where interested functions are called, then uses dynamic taint analysis technique to classify input data into safety-related data and safety-unrelated data, finally mutates safety-related data to direct the test procedure. The evaluation shows that our method can be used to detect vulnerabilities in binary software efficiently.

Guanxing Wen,Yuqing Zhang,Qixu Liu,Dingning Yang

DOI: https://doi.org/10.1145/2484313.2484372

2013-01-01

Abstract:Fuzz testing is an automated testing technique where random data is used as an input to software systems in order to reveal security bugs/vulnerabilities. Fuzzed inputs must be binaries embedded with compiled bytecodes when testing against ActionScript virtual machines (AVMs). The current fuzzing method for JavaScript-like virtual machines is very limited when applied to compiler-involved AVMs. The complete source code should be both grammatically and semantically valid to allow execution by first passing through the compiler. In this paper, we present ScriptGene , an algorithmic approach to overcome the additional complexity of generating valid ActionScript programs. First, nearly-valid code snippets are randomly generated, with some controls on instruction flow. Second, we present a novel mutation method where the former code snippets are lexically analyzed and mutated with runtime information of the AVM, which helps us to build context for undefined behaviours against compiler-check and produce a high code coverage. Accordingly, we have implemented and evaluated ScriptGene on three different versions of Adobe AVMs. Results demonstrate that ScriptGene not only covers almost all the blocks of the official test suite (Tamarin), but also is capable of nearly twice the code coverage. The discovery of six bugs missed by the official test suite demonstrates the effectiveness, validity and novelty of ScriptGene .

Chen,Baojiang Cui,Jinxin Ma,Runpu Wu,Jianchao Guo,Wenqian Liu

DOI: https://doi.org/10.1016/j.cose.2018.02.002

2018-01-01

Abstract:Fuzzing is an effective and widely used technique for finding security bugs and vulnerabilities in software. It inputs irregular test data into a target program to try to trigger a vulnerable condition in the program execution. Since the first random fuzzing system was constructed, fuzzing efficiency has been greatly improved by combination with several useful techniques, including dynamic symbolic execution, coverage guide, grammar representation, scheduling algorithms, dynamic taint analysis, static analysis and machine learning. In this paper, we will systematically review these techniques and their corresponding representative fuzzing systems. By introducing the principles, advantages and disadvantages of these techniques, we hope to provide researchers with a systematic and deeper understanding of fuzzing techniques and provide some references for this field.

Manh-Dung Nguyen,Sébastien Bardin,Richard Bonichon,Roland Groz,Matthieu Lemerre

DOI: https://doi.org/10.48550/arXiv.2002.10751

2020-08-17

Abstract:Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recently, hard-to-detect vulnerabilities such as Use-After-Free (UAF) are still not well addressed, especially at the binary level. We propose UAFuzz, the first (binary-level) directed greybox fuzzer dedicated to UAF bugs. The technique features a fuzzing engine tailored to UAF specifics, a lightweight code instrumentation and an efficient bug triage step. Experimental evaluation for bug reproduction on real cases demonstrates that UAFuzz significantly outperforms state-of-the-art directed fuzzers in terms of fault detection rate, time to exposure and bug triaging. UAFuzz has also been proven effective in patch testing, leading to the discovery of 30 new bugs (7 CVEs) in programs such as Perl, GPAC and GNU Patch. Finally, we provide to the community a large fuzzing benchmark dedicated to UAF, built on both real codes and real bugs.

Cryptography and Security

Yuan LIU,Yong-hui YANG,Chun-rui ZHANG,Wei WANG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.03.007

2017-01-01

Abstract:Considering the features of the traditional Fuzzing technology,a method is proposed for Fuzzing test case generating in vulnerability exploiting,which is aimed at nonlinear solution and single input problem.This method takes advantage of the genetic algorithm and deals with those two problems mentioned above.The experiment results show that,the proposed solution has an obvious improvement compared with the early method which generates the test cases randomly.

Wenshuo Wang,Liang Cheng,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2010.03482

2021-02-27

Abstract:Coverage-based graybox fuzzer (CGF), such as AFL has gained great success in vulnerability detection thanks to its ease-of-use and bug-finding power. Since some code fragments such as memory allocation are more vulnerable than others, various improving techniques have been proposed to explore the more vulnerable areas by collecting extra information from the program under test or its executions. However, these improvements only consider limited types of information sources and ignore the fact that the priority a seed input to be fuzzed may be influenced by all the code it covers. Based on the above observations, we propose a fuzzing method based on the importance of functions. First, a data structure called Attributed Interprocedural Control Flow Graph (AICFG) is devised to combine different features of code fragments. Second, the importance of each node in the AICFG is calculated based on an improved PageRank algorithm, which also models the influence between connected nodes. During the fuzzing process, the node importance is updated periodically by a propagation algorithm. Then the seed selection and energy scheduling of a seed input are determined by the importance of its execution trace. We implement this approach on top of AFL in a tool named FunAFL and conduct an evaluation on 14 real-world programs against AFL and two of its improvements. FunAFL, with 17% higher branch coverage than others on average, finds 13 bugs and 3 of them are confirmed by CVE after 72 hours.

Cryptography and Security

Tai D. Nguyen,Long H. Pham,Jun Sun

2023-07-05

Abstract:Fuzzing has emerged as a powerful technique for finding security bugs in complicated real-world applications. American fuzzy lop (AFL), a leading fuzzing tool, has demonstrated its powerful bug finding ability through a vast number of reported CVEs. However, its random mutation strategy is unable to generate test inputs that satisfy complicated branching conditions (e.g., magic-byte comparisons, checksum tests, and nested if-statements), which are commonly used in image decoders/encoders, XML parsers, and checksum tools. Existing approaches (such as Steelix and Neuzz) on addressing this problem assume unrealistic assumptions such as we can satisfy the branch condition byte-to-byte or we can identify and focus on the important bytes in the input (called hot-bytes) once and for all. In this work, we propose an approach called \tool~which is designed based on the following principles. First, there is a complicated relation between inputs and branching conditions and thus we need not only an expressive model to capture such relationship but also an informative measure so that we can learn such relationship effectively. Second, different branching conditions demand different hot-bytes and we must adjust our fuzzing strategy adaptively depending on which branches are the current bottleneck. We implement our approach as an open source project and compare its efficiency with other state-of-the-art fuzzers. Our evaluation results on 10 real-world programs and LAVA-M dataset show that \tool~achieves sustained increases in branch coverage and discovers more bugs than other fuzzers.

Cryptography and Security,Software Engineering

Jun Yang,Peng Zhou,Yunze Ni

DOI: https://doi.org/10.1007/978-3-030-02613-4_28

2018-01-01

Abstract:Software Fuzzing technology is widely used in automated software vulnerability mining. In order to improve efficiency, various techniques such as symbolical execution and taint tracking have been applied to software Fuzzing. Due to the lack of uniform and standardized test samples, researchers can only use existing software for testing. Therefore, there are sample differences when compared with existing technologies, and it is impossible to accurately measure the advantages and disadvantages of different technologies. In this paper, we propose a source-based software vulnerability auto-generation technology, through the analysis of the source code structure characteristics, to find the potential vulnerability insertion point, combined with known types of vulnerabilities, and automatically insert the vulnerability into the source code. We selected some open source projects such as coreutils as the test target, and inserted multiple vulnerabilities in the source code. We create a basis of judgement by providing a standardized sample of vulnerability programs.

Baojiang Cui,XiaoBing Liang,Jianxin Wang

2010-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recently years. The path explosion problem caused by the complicated conditional branches in the software results in many difficulties in the detection of integer overflow vulnerabilities. A smart software vulnerability detection technology was developed to identify integer overflow vulnerabilities in binary executables. The algorithm uses symbolic execution technology to obtain path constraint conditions in the binary executables and uses a fitness function to guide the generation of inputs to the detection technology. Tests indicate that the smart detection technology based upon symbolic execution and an integer-valued genetic algorithm more quickly identifies integer overflow vulnerabilities in the object program than conventional Fuzzing detection methods.