Guangcheng Liang,Lejian Liao,Xin Xu,Jianguang Du,Guoqiang Li,Henglong Zhao

DOI: https://doi.org/10.1109/CIS.2013.135

2013-01-01

Abstract:In this paper we present a new vulnerability-targeted black box fuzzing approach to effectively detect errors in the program. Unlike the standard fuzzing techniques that randomly change bytes of the input file, our approach remarkably reduces the fuzzing range by utilizing an efficient dynamic taint analysis technique. It locates the regions of seed files that affect the values used at the hazardous points. Thus it enables to pay more attention to deep errors in the core of the program. Because our approach is directly targeted to the specific potential vulnerabilities, most of the detected errors are with vulnerability signatures. Besides, this approach does not need the information of the input file format in advance. So it is especially appropriate for testing applications with complex and highly structured input file formats. We design and implement a prototype, Taint Fuzz, to realize this approach. The experiments demonstrate that Taint Fuzz can effectively expose more errors with much lower time cost and much smaller number of input samples compared with the standard fuzzer.

Bin ZHANG,Meng-jun LI,bo WU,Chao-jing TANG

DOI: https://doi.org/10.3969/j.issn.1004-373X.2014.19.028

2014-01-01

Abstract:Since traditional fuzzy testing may test the same state space repeatedly due to the different input,and lead to a low efficiency,a binary oriented fuzzy testing technique based on dynamic taint analysis combined with input field classification technology is presented in this paper,which can perform the oriented fuzzy testing for typical security-sensitive operation and general module function,and serve as a good solution to the problem of low efficiency of the traditional fuzzy testing. The proto-type system TaintedFuzz was also realized for binary oriented fuzzy testing. The experiment proves that the method is capable of exploring the typical security vulnerabilities in the binary program efficiently.

Wenjie Wang,Donghai Tian,Rui Ma,Hang Wei,Qianjin Ying,Xiaoqi Jia,Lei Zuo

DOI: https://doi.org/10.23919/jcc.2021.08.001

2021-01-01

China Communications

Abstract:Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.

Lu Yu,Yuliang Lu,Yi Shen,Yuwei Li,Zulie Pan

DOI: https://doi.org/10.1038/s41598-022-07355-5

IF: 4.6

2022-01-01

Scientific Reports

Abstract:Directed greybox fuzzing (DGF) is an effective method to detect vulnerabilities of the specified target code. Nevertheless, there are three main issues in the existing DGFs. First, the target vulnerable code of the DGFs needs to be manually selected, which is tedious. Second, DGFs mainly leverage distance information as feedback, which neglects the unequal roles of different code snippets in reaching the targets. Third, most of the existing DGFs need the source code of the test programs, which is not available for binary programs. In this paper, we propose a vulnerability-oriented directed binary fuzzing framework named VDFuzz, which automatically identifies the targets and leverages dynamic information to guide the fuzzing. In specific, VDFuzz consists of two components, a target identifier and a directed fuzzer. The target identifier is designed based on a neural-network, which can automatically locate the target code areas that are similar to the known vulnerabilities. Considering the inequality of code snippets in reaching the given target, the directed fuzzer assigns different weights to basic blocks and takes the weights as feedback to generate test cases to reach the target code. Experimental results demonstrate that VDFuzz outperformed the state-of-the-art fuzzers and was effective in vulnerability detection of real-world programs.

Tielei Wang,Tao Wei,Guofei Gu,Wei Zou

DOI: https://doi.org/10.1109/sp.2010.37

2010-01-01

Abstract:Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at X86 binary level (on both Linux and Window). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksum, directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Corresponding patches from vendors are released or in progress based on our reports.

Tielei Wang,Tao Wei,Guofei Gu,Wei Zou

DOI: https://doi.org/10.1145/2019599.2019600

2011-01-01

ACM Transactions on Information and System Security

Abstract:Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. Based on fine-grained dynamic taint tracing, TaintScope identifies the “hot bytes” in a well-formed input that are used in security-sensitive operations (e.g., invoking system/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic-execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Vendor patches have been released or are in preparation based on our reports.

NIE Sen,LI Xiao,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.12.025

2013-01-01

Abstract:As the problem of software vulnerabilities becomes increasingly serious,smart Fuzzing technology is widely applied in the field of vulnerability mining and software security.Frameworks for smart Fuzzing based on symbolic execution and taint analysis are developed.Under the concept of vulnerability problem and software test methodology,this paper describes theories in smart Fuzzing technology and some released smart Fuzzing frameworks,including the bottlenecks.Finally,this paper proposes a blueprint of smart Fuzzing framework based on whole system symbolic execution and cloud computing infrastructure.It can be used as a practical platform toward the COTS software fuzzing.

Luhang Xu,Liangze Yin,Wei Dong,Weixi Jia,Yongjun Li

DOI: https://doi.org/10.18293/seke2018-120

2018-01-01

Abstract:Fuzzing is an important method for binary vulnerability mining. It can analyze binary programs without their source codes, which is not easy to do by other technologies. But due to the blindness of input generation, binary fuzzing often falls into traps for a long time when the new mutated inputs cannot generate unexplored paths. In this paper, we propose an efficient and flexible fuzzing framework named Tinker. It defines the growth rate of path coverage to measure the current state of fuzzing. If the fuzzing falls into low-speed or blocked states, a symbolic analysis procedure is invoked to generate a new input which can help the fuzzing jump out of the trap. In the symbolic analysis procedure, we employ dynamic execution to track the traversed nodes. The untraversed branches are then identified according to the recorded data of American Fuzzy Lop (AFL) [M. Zalewski, American Fuzzy Lop (2014), http://lcamtuf.coredump.cx/afl/ ]. At last, we employ control flow graph (CFG) to construct complete paths to these branches and a new input is generated using symbolic execution. Moreover, to expedite the detection of vulnerabilities, we generate inputs which trigger more high-risk system calls first, such that the possibility of finding vulnerabilities can be improved. Tinker has been implemented and the experiments on DARPA CGC benchmark show that Tinker is more efficient in vulnerability mining than state-of-the-art binary vulnerability mining tools.

Yifeng Wan,Wenting Wang,Jiajun Sun,Donghai Tian

DOI: https://doi.org/10.1145/3670105.3670111

2024-01-01

Abstract:Fuzzing, which rapidly generates test cases through seed mutation, is considered as one of the most efficient detection technologies currently available. Directed fuzzing has the ability to gradually guide the fuzzer towards specific targets specified by the user, thereby enhancing the efficiency of discovering vulnerabilities in specified areas. However, fuzzing may hit bottlenecks and fail to reach the target area effectively, resulting in fuzzing stagnation. Traditional directed fuzzers calculate the distance between seed execution paths and points, which leads to resource-consuming preprocessing. In this paper, we proposed a new directed fuzzing method which extracts the dominance path of the target from ICFG, locates critical bottlenecks using basic block access frequency and selects fuzzing seeds that reaches these targets. Meanwhile we improved the "exploration-exploitation" phase switching mechanism and energy assignment algorithm. We implemented the techniques in a prototype system, BDFuzz. Crash reproduction experiments on several real-world programs show that BDFuzz outperforms other classic fuzzers, AFL and AFLGo.

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

Xiaogang Zhu,Shigang Liu,Xian Li,Sheng Wen,Jun Zhang,Camtepe Seyit,Yang Xiang

2020-01-01

Abstract: Fuzzing is one of the most effective technique to identify potential software vulnerabilities. Most of the fuzzers aim to improve the code coverage, and there is lack of directedness (e.g., fuzz the specified path in a software). In this paper, we proposed a deep learning (DL) guided directed fuzzing for software vulnerability detection, named DeFuzz. DeFuzz includes two main schemes: (1) we employ a pre-trained DL prediction model to identify the potentially vulnerable functions and the locations (i.e., vulnerable addresses). Precisely, we employ Bidirectional-LSTM (BiLSTM) to identify attention words, and the vulnerabilities are associated with these attention words in functions. (2) then we employ directly fuzzing to fuzz the potential vulnerabilities by generating inputs that tend to arrive the predicted locations. To evaluate the effectiveness and practical of the proposed DeFuzz technique, we have conducted experiments on real-world data sets. Experimental results show that our DeFuzz can discover coverage more and faster than AFL. Moreover, DeFuzz exposes 43 more bugs than AFL on real-world applications.

Bo Shuai,Mengjun Li,Haifeng Li,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/CECNet.2013.6703400

2013-01-01

Abstract:In order to solve the problems of traditional Fuzzing technique for software vulnerability detection, this paper proposes a novel method based on genetic algorithm and dynamic taint analysis. First, static analysis is applied to calculate the critical path information, including danger functions, high cyclomatic number functions and loop structures. Second, dynamic taint analysis is introduced to identify the key bytes to reduce the input space. Third, the genetic algorithm fitness function is constructed based on the critical path information to guide the test case generation and the genetic operators are executed on the reduced input space. Experiments show that the method could obtain higher vulnerability detection accuracy and efficiency.

Ying WANG,Li-ze GU,Yi-xian YANG,Yu-xin DONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2014.10.023

2014-01-01

Abstract:The dynamic testing for automaticlly identifing security vulnerabilities in binary executables has received increas-ingly interest in recent years .In this paper ,we present a new automated whitebox fuzzing tool EWFT (Execution-based Whitebox Fuzzing Tool ) ,which implements dynamic symbolic execution and taint tracing techniques during program execution .Our contribu-tions are:1 )we propose a ROBDD (Reduced Ordered Binary Decision Diagram )-based approach to analyse execution process ,2 )we introduce a new path weight analysis algorithm (PWA )for searching path space and automating test data generation ,and 3 )we build a prototype tool that automatically finds software vulnerabilities .Results of our experiments show that execution-based whitebox fuzzing is powerful to identify variety of security vulnerabilities in real applications .Compared to the related work in the research area ,it explored deeper program paths on the average ,and achieved higher structural coverage .

Xiaosong Zhang,Lin Shao,Jiong Zheng

DOI: https://doi.org/10.1109/ICACIA.2008.4770021

2008-01-01

Abstract:Buffer overflow vulnerabilities can cause attacks that result in serious consequences. However the techniques of buffer overflow vulnerability detection are limited to manual analysis, binary-patch comparison, fuzzing and so on. They rely on manual analysis, thus cause high overhead. In this paper, we propose a novel method of detection of buffer overflow vulnerabilities, which is based on fuzzing, data-flow dynamic analysis and automated exception analysis. This new method effectively improves the detection of unknown security vulnerabilities (0 Day). Moreover, it is more automated and has better performance in finding new security vulnerabilities.

Manh-Dung Nguyen,Sébastien Bardin,Richard Bonichon,Roland Groz,Matthieu Lemerre

DOI: https://doi.org/10.48550/arXiv.2002.10751

2020-08-17

Abstract:Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recently, hard-to-detect vulnerabilities such as Use-After-Free (UAF) are still not well addressed, especially at the binary level. We propose UAFuzz, the first (binary-level) directed greybox fuzzer dedicated to UAF bugs. The technique features a fuzzing engine tailored to UAF specifics, a lightweight code instrumentation and an efficient bug triage step. Experimental evaluation for bug reproduction on real cases demonstrates that UAFuzz significantly outperforms state-of-the-art directed fuzzers in terms of fault detection rate, time to exposure and bug triaging. UAFuzz has also been proven effective in patch testing, leading to the discovery of 30 new bugs (7 CVEs) in programs such as Perl, GPAC and GNU Patch. Finally, we provide to the community a large fuzzing benchmark dedicated to UAF, built on both real codes and real bugs.

Cryptography and Security

Baojiang Cui,Fuwei Wang,Yongle Hao,Xiaofeng Chen

DOI: https://doi.org/10.1007/s00500-015-2017-6

2016-01-01

Abstract:Fuzz testing is widely used as an automatic solution for discovering vulnerabilities in binary programs that process files. Restricted by their high blindness and low code path coverage, fuzzing tests typically provide quite low efficiencies. In this paper, a novel API in-memory fuzz testing technique for eliminating the blindness of existing techniques is discussed. This technique employs dynamic taint analyses to locate the routines and instructions that belong to the target binary executables, and it consists of parsing and processing the input data. Within the testing phase, binary instrumentation is used to construct loops around such routines, in which the contained taint memory values are mutated in each loop. According to experiments using the prototype tool, this technique could effectively detect defects such as stack overflows. Compared with traditional fuzzing tools, this API in-memory fuzzing eliminated the bottleneck of interrupting execution paths and gained a greater than 95 % enhancement in execution speed.

Zhi-yong Wu,Xiao-juan Wang,Hui Huang,Lan-lan Qi

DOI: https://doi.org/10.1109/IMCCC.2011.106

2011-01-01

Abstract:During the multi-dimensional Fuzzing technique, how to construct the influencing relationships between input elements and vulnerable statements is a key problem. This paper applies the virtual machine based taint analysis technique on multi-dimensional Fuzzing, gives detailed design and the experiment result shows the method is feasible.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1016/j.camwa.2011.08.001

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protect a program from malicious behaviors, but fails to provide any information about the code which is not executed. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF to detect software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection by introducing an overhead of 4.16× based on the taint tracing technique, but is also capable of discovering latent software vulnerabilities which have not been exploited, and achieve code coverage of more than 90%.

Xiaogang Zhu,Shigang Liu,Alireza Jolfaei

DOI: https://doi.org/10.1109/jsen.2023.3301517

IF: 4.3

2024-01-01

IEEE Sensors Journal

Abstract:The security issues in sensors impede the experience of using sensors to improve the quality of our life. By analysing security issues in open-source programs for sensors, we can understand the security problems in sensors. Fuzzing is one of the most effective techniques to identify potential software vulnerabilities. Most fuzzers aim to improve code coverage. However, a tester may want to focus on examining some specific code regions. In this paper, we proposed a deep learning (DL) guided fuzzing for software vulnerability detection, named DeFuzz. DeFuzz includes two main schemes: (1) We employ a pre-trained DL prediction model to identify the potentially vulnerable functions and the locations ( i.e ., vulnerable addresses). Precisely, we employ Bidirectional-LSTM (BiLSTM) to identify attention words, and the vulnerabilities are associated with these attention words in functions. (2) Then, we employ directed fuzzing to examine the potential vulnerabilities by generating inputs that tend to arrive at the predicted locations. To evaluate the effectiveness of the proposed DeFuzz technique, we have conducted experiments on real-world data sets. Experimental results show that our DeFuzz can discover more coverage and run faster than AFL. Moreover, DeFuzz exposes 43 more bugs than AFL on real-world applications.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibin Guan

DOI: https://doi.org/10.1109/IMIS.2011.59

2011-01-01

Abstract:Dynamic taint analysis has been proved to be very effective in solving security problems recently, especially in software vulnerability detection and malicious behavior prevention. Unfortunately, most of current researches in this field focus on the runtime protection, and are incapable to discover the potential threat in the software. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF. The framework translates the binary into assembly code and tracks the data flow. Then with static method, the system can get the important information which can't be gained at runtime, such as unexecuted part of the code. When this information is acquired, they will be provided to the client tools. The practicability of the framework is validated by implementing and evaluating a tool built on SDCF. The result of the experiments shows that our system is able to detect latent software vulnerabilities efficiently.