Zicong Gao,Hao Xiong,Weiyu Dong,Rui Chang,Rui Yang,Yajin Zhou,Liehui Jiang

DOI: https://doi.org/10.1109/tse.2023.3326144

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation-based fuzzing has been widely used in both academia and industry. Recently, researchers observe that the mutation scheduling scheme affects the efficiency of fuzzing. Accordingly, they propose PSO algorithm or machine learning-based technique to optimize the scheduling process. However, these methods fail to consider the fact that the optimal operator distribution of different seeds is different, even for the same program. In this paper, we propose a novel general scheduling scheme, named FA-fuzz, to find the optimal selecting probability distribution of mutation operators, which is based on the observations that the effective mutation operators are different for different seeds. Specifically, our method is based on the firefly algorithm. The positions of fireflies are mapped to the selection probability distribution of different mutation operators. The brightness of fireflies is expressed as the efficiency of discovering unique testcases. We implement prototype systems on multiple state-of-art fuzzers, and perform evaluations on two datasets. Our proposed method improves both the number of unique paths and unique bugs on real-world datasets. In addition, we discover 30 zero-day vulnerabilities in eight real-world programs, which demonstrate the effectiveness of FA-fuzz.

Shunkai Zhu,Jingyi Wang,Jun Sun,Jie Yang,Xingwei Lin,Tianyi Wang,Liyi Zhang,Peng Cheng

DOI: https://doi.org/10.1109/tse.2023.3338129

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Fuzzing is one of the prevailing methods for vulnerability detection. However, even state-of-the-art fuzzing methods become ineffective after some period of time, i.e., the coverage hardly improves as existing methods are ineffective to focus the attention of fuzzing on covering the hard-to-trigger program paths. In other words, they cannot generate inputs that can break the bottleneck due to the fundamental difficulty in capturing the complex relations between the test inputs and program coverage. In particular, existing fuzzers suffer from the following main limitations: 1) lacking an overall analysis of the program to identify the most “rewarding” seeds, and 2) lacking an effective mutation strategy which could continuously select and mutates the more relevant “bytes” of the seeds. In this work, we propose an approach called ATT UZZ to address these two issues systematically. First, we propose a lightweight dynamic analysis technique that estimates the “reward” of covering each basic block and selects the most rewarding seeds accordingly. Second, we mutate the selected seeds according to a neural network model which predicts whether a certain “rewarding” block will be covered given certain mutations on certain bytes of a seed. The model is a deep learning model equipped with an attention mechanism which is learned and updated periodically whilst fuzzing. Our evaluation shows that ATT UZZ significantly outperforms 5 state-of-the-art grey-box fuzzers on 6 popular real-world programs and MAGMA data sets at achieving higher edge coverage and finding new bugs. In particular, ATT UZZ achieved 1.2X edge coverage and 1.8X bugs detected than AFL ++ over 24-hour runs. In addition, ATT UZZ also finds 4 new bugs in the latest version of some popular software including p7zip and openUSD.

Yiru Zhao,Xiaoke Wang,Lei Zhao,Yueqiang Cheng,Heng Yin

DOI: https://doi.org/10.48550/arXiv.2101.00612

2021-01-03

Software Engineering

Abstract:Coverage-based greybox fuzzing (CGF) has been approved to be effective in finding security vulnerabilities. Seed scheduling, the process of selecting an input as the seed from the seed pool for the next fuzzing iteration, plays a central role in CGF. Although numerous seed scheduling strategies have been proposed, most of them treat these seeds independently and do not explicitly consider the relationships among the seeds. In this study, we make a key observation that the relationships among seeds are valuable for seed scheduling. We design and propose a "seed mutation tree" by investigating and leveraging the mutation relationships among seeds. With the "seed mutation tree", we further model the seed scheduling problem as a Monte-Carlo Tree Search (MCTS) problem. That is, we select the next seed for fuzzing by walking this "seed mutation tree" through an optimal path, based on the estimation of MCTS. We implement two prototypes, AlphaFuzz on top of AFL and AlphaFuzz++ on top of AFL++. The evaluation results on three datasets (the UniFuzz dataset, the CGC binaries, and 12 real-world binaries) show that AlphaFuzz and AlphaFuzz++ outperform state-of-the-art fuzzers with higher code coverage and more discovered vulnerabilities. In particular, AlphaFuzz discovers 3 new vulnerabilities with CVEs.

Caroline Lemieux,Koushik Sen

DOI: https://doi.org/10.1145/3238147.3238176

2018-09-03

Abstract:In recent years, fuzz testing has proven itself to be one of the most effective techniques for finding correctness bugs and security vulnerabilities in practice. One particular fuzz testing tool, American Fuzzy Lop (AFL), has become popular thanks to its ease-of-use and bug-finding power. However, AFL remains limited in the bugs it can find since it simply does not cover large regions of code. If it does not cover parts of the code, it will not find bugs there. We propose a two-pronged approach to increase the coverage achieved by AFL. First, the approach automatically identifies branches exercised by few AFL-produced inputs (rare branches), which often guard code that is empirically hard to cover by naively mutating inputs. The second part of the approach is a novel mutation mask creation algorithm, which allows mutations to be biased towards producing inputs hitting a given rare branch. This mask is dynamically computed during fuzz testing and can be adapted to other testing targets. We implement this approach on top of AFL in a tool named FairFuzz. We conduct evaluation on real-world programs against state-of-the-art versions of AFL. We find that on these programs FairFuzz achieves high branch coverage at a faster rate that state-of-the-art versions of AFL. In addition, on programs with nested conditional structure, it achieves sustained increases in branch coverage after 24 hours (average 10.6% increase). In qualitative analysis, we find that FairFuzz has an increased capacity to automatically discover keywords.

Wenshuo Wang,Liang Cheng,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2010.03482

2021-02-27

Abstract:Coverage-based graybox fuzzer (CGF), such as AFL has gained great success in vulnerability detection thanks to its ease-of-use and bug-finding power. Since some code fragments such as memory allocation are more vulnerable than others, various improving techniques have been proposed to explore the more vulnerable areas by collecting extra information from the program under test or its executions. However, these improvements only consider limited types of information sources and ignore the fact that the priority a seed input to be fuzzed may be influenced by all the code it covers. Based on the above observations, we propose a fuzzing method based on the importance of functions. First, a data structure called Attributed Interprocedural Control Flow Graph (AICFG) is devised to combine different features of code fragments. Second, the importance of each node in the AICFG is calculated based on an improved PageRank algorithm, which also models the influence between connected nodes. During the fuzzing process, the node importance is updated periodically by a propagation algorithm. Then the seed selection and energy scheduling of a seed input are determined by the importance of its execution trace. We implement this approach on top of AFL in a tool named FunAFL and conduct an evaluation on 14 real-world programs against AFL and two of its improvements. FunAFL, with 17% higher branch coverage than others on average, finds 13 bugs and 3 of them are confirmed by CVE after 72 hours.

Cryptography and Security

Shuitao Gan,Chao Zhang,Xiaojun Qin,Xuwen Tu,Kang Li,Zhongyu Pei,Zuoning Chen

DOI: https://doi.org/10.1109/tdsc.2020.3027690

2022-01-01

Abstract:Coverage-guided fuzzing is a widely used and effective solution to find software vulnerabilities. Tracking code coverage and utilizing it to guide fuzzing are crucial to coverage-guided fuzzers. However, tracking full and accurate path coverage is infeasible in practice due to the high instrumentation overhead. Popular fuzzers (e.g., AFL) often use coarse coverage information, e.g., edge hit counts stored in a compact bitmap, to achieve highly efficient greybox testing. Such inaccuracy and incompleteness in coverage introduce serious limitations to fuzzers. First, it causes path collisions, which prevent fuzzers from discovering potential paths that lead to new crashes. More importantly, it prevents fuzzers from making wise decisions on fuzzing strategies. In this paper, we propose a coverage sensitive fuzzing solution CollAFL. It mitigates path collisions by providing more accurate coverage information, while still preserving low instrumentation overhead. It also utilizes the coverage information to apply three new fuzzing strategies, promoting the speed of discovering new paths and vulnerabilities. We implemented a prototype of CollAFL based on the popular fuzzer AFL and evaluated it on 24 popular applications. The results showed that path collisions are common, i.e., up to 75% of edges could collide with others in some applications, and CollAFL could reduce the edge collision ratio to nearly zero. Moreover, armed with the three fuzzing strategies, CollAFL outperforms AFL in terms of both code coverage and vulnerability discovery. On average, CollAFL covered 20% more program paths, found 320% more unique crashes and 260% more bugs than AFL in 200 hours. In total, CollAFL found 157 new security bugs with 95 new CVEs assigned.

Wei-Lun Huang,Kang G. Shin

2024-09-14

Abstract:Grey-box fuzzing is widely used for testing embedded systems (ESes). The fuzzers often test the ES firmware in a fully emulated environment without real peripherals. To achieve decent code coverage, some state-of-the-art (SOTA) fuzzers infer the memory-mapped I/O (MMIO) behavior of peripherals from the firmware binary. We find the thus-generated MMIO models stateless, fixed, and poor at handling ES firmware's MMIO reads for retrieval of a data chunk. This leaves ample room for improving the code coverage. We propose ES-Fuzz to enhance the coverage of firmware fuzz-testing with stateful MMIO models that adapt to the fuzzer's coverage bottleneck. ES-Fuzz runs concurrently with a given fuzzer and starts a new run whenever the fuzzer's coverage stagnates. It exploits the highest-coverage test case in each run and generates new stateful MMIO models that boost the fuzzer's coverage at that time. We have implemented ES-Fuzz upon Fuzzware and evaluated it with 24 popular ES firmware. ES-Fuzz is shown to improve Fuzzware's coverage by up to $47\%$ and find new bugs in these firmware.

Cryptography and Security

Yuwei Li,Shouling Ji,Chenyang Lv,Yuan Chen,Jianhai Chen,Qinchen Gu,Chunming Wu

DOI: https://doi.org/10.48550/arxiv.1901.01142

2019-01-01

Abstract:Fuzzing is a technique of finding bugs by executing a software recurrently with a large number of abnormal inputs. Most of the existing fuzzers consider all parts of a software equally, and pay too much attention on how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this paper, we design and implement a vulnerability-oriented evolutionary fuzzing prototype named V-Fuzz, which aims to find bugs efficiently and quickly in a limited time. V-Fuzz consists of two main components: a neural network-based vulnerability prediction model and a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of the software are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which tend to arrive at the vulnerable locations, guided by the vulnerability prediction result. Experimental results demonstrate that V-Fuzz can find bugs more efficiently than state-of-the-art fuzzers. Moreover, V-Fuzz has discovered 10 CVEs, and 3 of them are newly discovered. We reported the new CVEs, and they have been confirmed and fixed.

Mingzhe Wang,Jie Liang,Yuanliang Chen,Yu Jiang,Xun Jiao,Han Liu,Xibin Zhao,Jiaguang Sun

DOI: https://doi.org/10.1145/3183440.3183494

2018-01-01

Abstract:Mutation-based fuzzing is a widely used software testing technique for bug and vulnerability detection, and the testing performance is greatly affected by the quality of initial seeds and the effectiveness of mutation strategy. In this paper, we present SAFL1, an efficient fuzzing testing tool augmented with qualified seed generation and efficient coverage-directed mutation. First, symbolic execution is used in a lightweight approach to generate qualified initial seeds. Valuable explore directions are learned from the seeds, thus the later fuzzing process can reach deep paths in program state space earlier and easier. Moreover, we implement a fair and fast coverage-directed mutation algorithm. It helps the fuzzing process to exercise rare and deep paths with higher probability. We implement SAFL based on KLEE and AFL and conduct thoroughly repeated evaluations on real-world program benchmarks against state-of-the-art versions of AFL. After 24 hours, compared to AFL and AFLFast, it discovers 214% and 133% more unique crashes, covers 109% and 63% more paths and achieves 279% and 180% more covered branches. Video link: https://youtu.be/LkiFLNMBhVE

Bodong Zhao,Zheming Li,Shisong Qin,Zheyu Ma,Ming Yuan,Wenyu Zhu,Zhihong Tian,Chao Zhang

2022-01-01

Abstract:Coverage-guided fuzzing has achieved great success in finding software vulnerabilities. Existing coverage-guided fuzzers generally favor test cases that hit new code, and discard ones that exercise the same code. However, such a strategy is not optimum. A new test case exercising the same code could be better than a previous test case, as it may trigger new program states useful for code exploration and bug discovery. In this paper, we assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz to address this issue. First, we model program states with values of state-variables and utilize static analysis to recognize such variables. Then, we instrument target programs to track such variables' values and infer program state transition at runtime. Lastly, we utilize state information to prioritize test cases that can trigger new states, and apply a three-dimension feedback mechanism to fine-tune the evolutionary direction of coverage-guided fuzzers. We have implemented a prototype of StateFuzz, and evaluated it on Linux upstream drivers and Android drivers. Evaluation results show that StateFuzz is effective at discovering both new code and vulnerabilities. It finds 18 unknown vulnerabilities and 2 known but unpatched vulnerabilities, and reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller.

Ruixiang Qian,Quanjun Zhang,Chunrong Fang,Lihua Guo

DOI: https://doi.org/10.1145/3545258.3545285

2022-01-01

Abstract:Coverage guided fuzzing (CGF) is an effective testing technique which has detected hundreds of thousands of bugs from various software applications. It focuses on maximizing code coverage to reveal more bugs during fuzzing. However, a higher coverage does not necessarily imply a better fault detection capability. Triggering a bug involves not only exercising the specific program path but also reaching interesting program states in that path. In this paper, we use mutation testing to improve CGF in detecting bugs. We use mutation scores as additional feedback to guide fuzzing towards detecting bugs rather than just covering code. To evaluate our approach, we conduct a well-designed experiment on 5 benchmarks. We choose the state-of-the-art fuzzing technique Zest as baseline and construct two modified techniques on it using our approach. The experimental results show that our approach can improve CGF in both code coverage and bug detection.

Tai D. Nguyen,Long H. Pham,Jun Sun

2023-07-05

Abstract:Fuzzing has emerged as a powerful technique for finding security bugs in complicated real-world applications. American fuzzy lop (AFL), a leading fuzzing tool, has demonstrated its powerful bug finding ability through a vast number of reported CVEs. However, its random mutation strategy is unable to generate test inputs that satisfy complicated branching conditions (e.g., magic-byte comparisons, checksum tests, and nested if-statements), which are commonly used in image decoders/encoders, XML parsers, and checksum tools. Existing approaches (such as Steelix and Neuzz) on addressing this problem assume unrealistic assumptions such as we can satisfy the branch condition byte-to-byte or we can identify and focus on the important bytes in the input (called hot-bytes) once and for all. In this work, we propose an approach called \tool~which is designed based on the following principles. First, there is a complicated relation between inputs and branching conditions and thus we need not only an expressive model to capture such relationship but also an informative measure so that we can learn such relationship effectively. Second, different branching conditions demand different hot-bytes and we must adjust our fuzzing strategy adaptively depending on which branches are the current bottleneck. We implement our approach as an open source project and compare its efficiency with other state-of-the-art fuzzers. Our evaluation results on 10 real-world programs and LAVA-M dataset show that \tool~achieves sustained increases in branch coverage and discovers more bugs than other fuzzers.

Cryptography and Security,Software Engineering

Xiajing Wang,Rui Ma,Wei Huo,Zheng Zhang,Jinyuan He,Chaonan Zhang,Donghai Tian

DOI: https://doi.org/10.1016/j.jss.2023.111880

IF: 3.5

2023-10-17

Journal of Systems and Software

Abstract:Fuzzing has gained significant traction in academic research as well as industry thanks to its effectiveness for discovering software vulnerabilities. However, even the state-of-the-art fuzzers are not very efficient at identifying promising seeds. Coverage-guided fuzzers, while fast and scalable, usually employ single criterion to evaluate the quality of seeds, which may incur bias and pass up optimal seeds. In this paper, we devise a novel potential-aware fuzzing scheme, namely SYNTONY, which seeks to measure seed potential utilizing multiple objectives and prioritize promising seeds that are more likely to generate interesting seeds via mutation. More specifically, SYNTONY leverages efficient swarm intelligence techniques like Particle Swarm Optimization (PSO) to explore multi-criteria seed selection, which allows SYNTONY to choose effectively promising seeds. Furthermore, we introduce decent power scheduling strategy to discover significantly more paths or crashes by gravitating towards more potential seeds. We implement this scheme on top of several state-of-the-art fuzzers, i.e., AFL, AFL++, FairFuzz, and PTFuzz. Our evaluations on 11 popular real-world programs demonstrate that SYNTONY significantly increases the number of unique crashes triggered and edge coverage discovered by 132.06% and 28.69% over AFL++. Further comparison also shows that SYNTONY outperforms other state-of-the-art fuzzers, e.g., AFL, FairFuzz, and PTFuzz. Also, extensive evaluations illustrate that SYNTONY provides a great compatibility and expansibility, while introducing negligible overhead.

computer science, theory & methods, software engineering

Yuwei Li,Shouling Ji,Chenyang Lyu,Yuan Chen,Jianhai Chen,Qinchen Gu,Chunming Wu,Raheem Beyah

DOI: https://doi.org/10.1109/TCYB.2020.3013675

Abstract:Fuzzing is a technique of finding bugs by executing a target program recurrently with a large number of abnormal inputs. Most of the coverage-based fuzzers consider all parts of a program equally and pay too much attention to how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this article, we design and implement an evolutionary fuzzing framework called V-Fuzz, which aims to find bugs efficiently and quickly in limited time for binary programs. V-Fuzz consists of two main components: 1) a vulnerability prediction model and 2) a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of a program are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which are more likely to arrive at the vulnerable locations, guided by the vulnerability prediction result. The experimental results demonstrate that V-Fuzz can find bugs efficiently with the assistance of vulnerability prediction. Moreover, V-Fuzz has discovered ten common vulnerabilities and exposures (CVEs), and three of them are newly discovered.

Yuanhang Zhou,Fuchen Ma,Yuanliang Chen,Meng Ren,Yu Jiang

DOI: https://doi.org/10.1145/3628160

IF: 3.685

2024-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Cryptography is a core component of many security applications, and flaws hidden in its implementation will affect the functional integrity or, more severely, pose threats to data security. Hence, guaranteeing the correctness of the implementation is important. However, the semantic characteristics (e.g., diverse input data and complex functional transformation) challenge those traditional program validation techniques (e.g., static analysis and dynamic fuzzing). In this article, we propose CLFuzz, a semantic-aware fuzzer for the vulnerability detection of cryptographic algorithm implementation. CLFuzz first extracts the semantic information of targeted algorithms including their cryptographic-specific constraints and function signatures. Based on them, CLFuzz generates high-quality input data adaptively to trigger error-prone situations efficiently. Furthermore, CLFuzz applies innovative logical cross-check that strengthens the logical bug detection ability. We evaluate CLFuzz on the widely used implementations of 54 cryptographic algorithms. It outperforms state-of-the-art cryptographic fuzzing tools. For example, compared with Cryptofuzz, it achieves a coverage speedup of 3.4× and increases the final coverage by 14.4%. Furthermore, CLFuzz has detected 12 previously unknown implementation bugs in 8 cryptographic algorithms (e.g., CMAC in OpenSSL and Message Digest in SymCrypt), most of which are security-critical and have been successfully collected in the national vulnerability database (7 in NVD/CNVD) and is awarded by the Microsoft bounty program (2 for $1,000).

Xiaogang Zhu,Xiaotao Feng,Xiaozhu Meng,Sheng Wen,Seyit Camtepe,Yang Xiang,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2020.3008826

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Coverage-guided fuzzing is one of the most effective solutions for vulnerability discovery. Among coverage-guided fuzzing, full-speed fuzzing, such as UnTracer, traces test cases only when they discover new coverage. Due to the high expense of tracing test cases, full-speed fuzzers improve the efficiency of fuzzing by tracing only coverage-increasing test cases. However, the existing full-speed fuzzer (i.e., UnTracer) is based on basic block coverage, suffering a severe problem called edge collision. Moreover, such fuzzers neglect the path frequency, which affects fuzzing effectiveness. In this article, we propose CSI-Fuzz, a fuzzer utilizing coverage sensitive instrumentation to address the problems of existing full-speed fuzzing. CSI-Fuzz directly instruments at edges, which solves the problem of edge collision. Meanwhile, CSI-Fuzz sets path identifiers to count the frequency of covered paths. Our CSI-Fuzz can be recognized as an add-on and seamlessly applied to existing coverage-guided fuzzers. We accordingly implement CSI-Fuzz based on two widely-adopted fuzzers, AFL and AFLFast, to evaluate its performance. The experiments demonstrate that CSI-Fuzz discovers more edges than AFL, AFLFast, and UnTracer. Additionally, CSI-Fuzz exposes more bugs than the other fuzzers.

computer science, information systems, software engineering, hardware & architecture

Dongdong She,Adam Storek,Yuchong Xie,Seoyoung Kweon,Prashast Srivastava,Suman Jana

2024-06-07

Abstract:Fuzzing is an effective technique for discovering software vulnerabilities by generating random test inputs and executing them against the target program. However, fuzzing large and complex programs remains challenging due to difficulties in uncovering deeply hidden vulnerabilities. This paper addresses the limitations of existing coverage-guided fuzzers, focusing on the scheduler and mutator components. Existing schedulers suffer from information sparsity and the inability to handle fine-grained feedback metrics. The mutators are agnostic of target program branches, leading to wasted computation and slower coverage exploration. To overcome these issues, we propose an end-to-end online stochastic control formulation for coverage-guided fuzzing. Our approach incorporates a novel scheduler and custom mutator that can adapt to branch logic, maximizing aggregate edge coverage achieved over multiple stages. The scheduler utilizes fine-grained branch distance measures to identify frontier branches, where new coverage is likely to be achieved. The mutator leverages branch distance information to perform efficient and targeted seed mutations, leading to robust progress with minimal overhead. We present FOX, a proof-of-concept implementation of our control-theoretic approach, and compare it to industry-standard coverage-guided fuzzers. 6 CPU-years of extensive evaluations on the FuzzBench dataset and complex real-world programs (a total of 38 test programs) demonstrate that FOX outperforms existing state-of-the-art fuzzers, achieving average coverage improvements up to 26.45% in real-world standalone programs and 6.59% in FuzzBench programs over the state-of-the-art AFL++. In addition, it uncovers 20 unique bugs in popular real-world applications including eight that are previously unknown, showcasing real-world security impact.

Cryptography and Security

Peng Deng,Zhemin Yang,Lei Zhang,Guangliang Yang,Wenzheng Hong,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3576915.3623103

2023-01-01

Abstract:Fuzzing is one of the most popular and practical techniques for security analysis. In this work, we aim to address the critical problem of high-quality input generation with a novel input-aware fuzzing approach called NESTFUZZ. NESTFUZZ can universally and automatically model input format specifications and generate valid input. The key observation behind NESTFUZZ is that the code semantics of the target program always highly imply the required input formats. Hence, NESTFUZZ applies fine-grained program analysis to understand the input processing logic, especially the dependencies across different input fields and substructures. To this end, we design a novel data structure, namely Input Processing Tree, and a new cascading dependency-aware mutation strategy to drive the fuzzing. Our evaluation of 20 intensively-tested popular programs shows that NestFuzz is effective and practical. In comparison with the state-of-the-art fuzzers (AFL, AFLFast, AFL++, MOpt, AFLSmart, WEIZZ, ProFuzzer, and TIFF), NestFuzz achieves outperformance in terms of both code coverage and security vulnerability detection. NESTFUZZ finds 46 vulnerabilities that are both unique and serious. Until the moment this paper is written, 39 have been confirmed and 37 have been assigned with CVE-ids.

Daniel Blackwell,David Clark

2024-04-30

Abstract:In this paper, we introduce an approach for improving the early exploration of grey-box fuzzing campaigns; allowing the fuzzer to reach the interesting coverage earlier. To do this, it leverages information from the system under test's (SUT's) control flow graph in order to decide which inputs are likely to lead to discovering most coverage when mutated.

Software Engineering,Cryptography and Security

Chenyang Lyu,Hong Liang,Shouling Ji,Xuhong Zhang,Binbin Zhao,Meng Han,Yun Li,Zhe Wang,Wenhai Wang,Raheem Beyah

DOI: https://doi.org/10.1145/3533767.3534385

2022-01-01

Abstract:The energy allocation strategy is one of the most popular techniques in fuzzing to improve code coverage and vulnerability discovery. The core intuition is that fuzzers should allocate more computational energy to the seed files that have high efficiency to trigger unique paths and crashes after mutation. Existing solutions usually define several properties, e.g., the execution speed, the file size, and the number of the triggered edges in the control flow graph, to serve as the key measurements in their allocation logics to estimate the potential of a seed. The efficiency of a property is usually assumed to be the same across different programs. However, we find that this assumption is not always valid. As a result, the state-of-the-art energy allocation solutions with static energy allocation logics are hard to achieve desirable performance on different programs. To address the above problem, we propose a novel program-sensitive solution, named SLIME, to enable adaptive energy allocation on the seed files with various properties for each program. Specifically, SLIME first designs multiple property-aware queues, with each queue containing the seed files with a specific property. Second, to improve the return of investment, SLIME leverages a customized Upper Confidence Bound Variance-aware (UCB-V) algorithm to statistically select a property queue with the most estimated reward, i.e., finding the most new unique execution paths and crashes. Finally, SLIME mutates the seed files in the selected property queue to perform property-adaptive fuzzing on a program. We evaluate SLIME against state-of-the-art open source fuzzers AFL, MOPT, AFL++, AFL++HIER, EcoFuzz, and TortoiseFuzz on 9 real-world programs. The results demonstrate that SLIME discovers 3.53X, 0.24X, 0.62X, 1.54X, 0.88X, and 3.81X more unique vulnerabilities compared to the above fuzzers, respectively. We will open source the prototype of SLIME to facilitate future fuzzing research.