Heyuan Shi,Shijun Chen,Runzhe Wang,Yuhan Chen,Weibo Zhang,Qiang Zhang,Yuheng Shen,Xiaohai Shi,Chao Hu,Yu Jiang

DOI: https://doi.org/10.1145/3691620.3695278

2024-01-01

Abstract:Directed grey-box fuzzing is a widely used automatic testing technique that has helped developers test specific code space in the target program. Although many directed fuzzers are designed to test the Linux kernel, challenges still remain due to the complexity of industrial requirements and deployment environments. In this paper, we collaborate with developers from Alibaba and the OpenAnolis community to conduct an industry practice of directed kernel fuzzing for open-source Linux distribution. We highlight typical challenges in deploying directed kernel fuzzing, including target-related kernel configuration options being disabled, unrelated initial seeds limiting fuzzing startup performance, no support for kernel feature interface fuzzing, independent fuzzer execution limiting fuzzing effectiveness, much manual work to triage and analyze crashes, and hard to integrate into the existing fuzzing framework. We provide solutions to these challenges, which allowed us to discover 11 previously unknown kernel bugs related to cloud-native features, io_uring, and other components in the OpenAnolis Linux distribution.

Bodong Zhao,Zheming Li,Shisong Qin,Zheyu Ma,Ming Yuan,Wenyu Zhu,Zhihong Tian,Chao Zhang

2022-01-01

Abstract:Coverage-guided fuzzing has achieved great success in finding software vulnerabilities. Existing coverage-guided fuzzers generally favor test cases that hit new code, and discard ones that exercise the same code. However, such a strategy is not optimum. A new test case exercising the same code could be better than a previous test case, as it may trigger new program states useful for code exploration and bug discovery. In this paper, we assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz to address this issue. First, we model program states with values of state-variables and utilize static analysis to recognize such variables. Then, we instrument target programs to track such variables' values and infer program state transition at runtime. Lastly, we utilize state information to prioritize test cases that can trigger new states, and apply a three-dimension feedback mechanism to fine-tune the evolutionary direction of coverage-guided fuzzers. We have implemented a prototype of StateFuzz, and evaluated it on Linux upstream drivers and Android drivers. Evaluation results show that StateFuzz is effective at discovering both new code and vulnerabilities. It finds 18 unknown vulnerabilities and 2 known but unpatched vulnerabilities, and reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller.

He LI,Chao ZHANG,Xin YANG,Jun-hu ZHU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2019.09.034

2019-01-01

Abstract:As an efficient vulnerability discovering method,fuzzing testing has been widely used in operating system kernel security. Kernel fuzzing significantly improves the security of operating system kernel and driver programs. At present,the use of fuzzing tech-niques for operating systems on different platforms for vulnerability discovering has become a research hotspot. This paper studies the existing kernel fuzzing methods,summarizes the development of kernel fuzzing and technical ideas,and attempts to classify kernel fuzzing. Summarizes the new technologies used in kernel fuzzing in recent years. Finally,the problems in the current research are dis-cussed,and the future development trend of kernel fuzzing testing is prospected.

Mingzhe Wang,Jie Liang,Chijin Zhou,Yuanliang Chen,Zhiyong Wu,Yu Jiang

DOI: https://doi.org/10.1109/ICST49551.2021.00043

2021-01-01

Abstract:Fuzzing is a promising method for discovering vulnerabilities. Recently, various techniques are developed to improve the efficiency of fuzzing, and impressive gains are observed in evaluation results. However, evaluation is complex, as many factors affect the results, for example, test suites, baseline and metrics. Even more, most experiment setups are lab-oriented, lacking industrial settings such as large code-base and parallel runs. The correlation between the academic evaluation results and the bug-finding ability in real industrial settings has not been sufficiently studied. In this paper, we test representative fuzzing techniques to reveal their efficiency in industrial settings. First, we apply typical fuzzers on academic widely used small projects from LAVA-M suite. We also apply the same fuzzers on large practical projects from Google's fuzzer-test-suite, which is rarely used in academic settings. Both experiments are performed in both single and parallel run. By analyzing the results, we found that most optimizations working well on LAVA-M suite fail to achieve satisfying results on Google's fuzzer-test-suite (e.g. compared to AFL, QSYM detects 82x more synthesized bugs in LAVA-M, but only detects 26% real bugs in Google's fuzzer-test-suite), and the original AFL even outperforms most academic optimization variants in industry widely used parallel runs (e.g. AFL covers 13% more paths than AFLFast). Then, we summarize common pitfalls of those optimizations, analyze the corresponding root causes, and propose potential directions such as orchestrations and synchronization to overcome the problems. For example, when running in parallel on those large practical projects, the proposed horizontal orchestration could cover 36%-82% more paths, and discover 46%-150% more unique crashes or bugs, compared to fuzzers such as AFL, FairFuzz and QSYM.

Yuheng Shen,Shijun Chen,Jianzhong Liu,Yiru Xu,Qiang Zhang,Runzhe Wang,Heyuan Shi,Yu Jiang

DOI: https://doi.org/10.1109/rtss59052.2023.00059

2023-01-01

Abstract:Rt-Linux contains critical modifications that are much less tested than the vanilla kernel, thus placing many systems at risk. In this paper, we present DRLF, a directed fuzzer targeted towards fuzzing any code area in Rt- Linux, thus allowing for more efficient tests on Rt-Linux's unique code sections. DRLF performs directed fuzzing through a kernel-level weighted callgraph construction technique, and prioritizing input sequences that exhibit less distance to the target code. Evaluations show that DRLF delivers better cover speed while achieving a 24.70% coverage increase for the targeting code areas. DRLF also found 11 previously unknown bugs within Rt-Linux, and has been integrated into Alibaba's CI/CD pipeline.

Mingzhe Wang,Zhiyong Wu,Xinyi Xu,Jie Liang,Chijin Zhou,Huafeng Zhang,Yu Jiang

DOI: https://doi.org/10.1109/icse-seip52600.2021.00042

2021-05-01

Abstract:As an infrastructure for data persistence and analysis, Database Management Systems (DBMSs) are the cornerstones of modern enterprise software. To improve their correctness, the industry has been applying blackbox fuzzing for decades. Recently, the research community achieved impressive fuzzing gains using coverage guidance. However, due to the complexity and distributed nature of enterprise-level DBMSs, seldom are these researches applied to the industry. In this paper, we apply coverage-guided fuzzing to enterpriselevel DBMSs from Huawei and Bloomberg LP. In our practice of testing GaussDB and Comdb2, we found major challenges in all three testing stages. The challenges are collecting precise coverage, optimizing fuzzing performance, and analyzing root causes. In search of a general method to overcome these challenges, we propose Ratel, a coverage-guided fuzzer for enterprise-level DBMSs. With its industry-oriented design, Ratel improves the feedback precision, enhances the robustness of input generation, and performs an on-line investigation on the root cause of bugs. As a result, Ratel outperformed other fuzzers in terms of coverage and bugs. Compared to industrial black box fuzzers SQLsmith and SQLancer, as well as coverage-guided academic fuzzer Squirrel, Ratel covered 38.38%, 106.14%, 583.05% more basic blocks than the best results of other three fuzzers in GaussDB, PostgreSQL, and Comdb2, respectively. More importantly, Ratel has discovered 32, 42, and 5 unknown bugs in GaussDB, Comdb2, and PostgreSQL.

Yuwei Li,Yuan Chen,Shouling Ji,Xuhong Zhang,Guanglu Yan,Alex X.Liu,Chunming Wu,Zulie Pan,Peng Lin

DOI: https://doi.org/10.1109/TDSC.2023.3244825

2024-09-20

Abstract:gVisor is a Google-published application-level kernel for containers. As gVisor is lightweight and has sound isolation, it has been widely used in many IT enterprises \cite{Stripe, DigitalOcean, Cloundflare}. When a new vulnerability of the upstream gVisor is found, it is important for the downstream developers to test the corresponding code to maintain the security. To achieve this aim, directed fuzzing is promising. Nevertheless, there are many challenges in applying existing directed fuzzing methods for gVisor. The core reason is that existing directed fuzzers are mainly for general C/C++ applications, while gVisor is an OS kernel written in the Go language. To address the above challenges, we propose G-Fuzz, a directed fuzzing framework for gVisor. There are three core methods in G-Fuzz, including lightweight and fine-grained distance calculation, target related syscall inference and utilization, and exploration and exploitation dynamic switch. Note that the methods of G-Fuzz are general and can be transferred to other OS kernels. We conduct extensive experiments to evaluate the performance of G-Fuzz. Compared to Syzkaller, the state-of-the-art kernel fuzzer, G-Fuzz outperforms it significantly. Furthermore, we have rigorously evaluated the importance for each core method of G-Fuzz. G-Fuzz has been deployed in industry and has detected multiple serious vulnerabilities.

Cryptography and Security

SHI Yan,QIANG Weizhong,ZOU Deqing,JIN Hai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024001

2024-01-01

Abstract:Fuzzing is a technique that was used to detect potential vulnerabilities and errors in software or systems by generating random,abnormal,or invalid test cases.When applying fuzzing to the kernel,more complex and challenging obstacles were encountered compared to user-space applications.The kernel,being a highly intricate software system,consists of numerous interconnected modules,subsystems,and device drivers,which presented challenges such as a massive codebase,complex interfaces,and runtime uncertainty.Traditional fuzzing methods could only generate inputs that simply satisfied interface specifications and explicit call dependencies,making it difficult to thoroughly explore the kernel.In contrast,evolutionary kernel fuzzing employed heuristic evolutionary strategies to dynamically adjust the generation and selection of test cases,guided by feedback mechanisms.This iterative process aimed to generate higher-quality test cases.Existing work on evolutionary kernel fuzzing was examined.The concept of evolutionary kernel fuzzing was explained,and its general framework was summarized.The existing work on evolutionary kernel fuzzing was classified and compared based on the type of feedback mechanism utilized.The principles of how feedback mechanisms guided evolution were analyzed from the perspectives of collecting,analyzing,and utilizing runtime information.Additionally,the development direction of evolutionary kernel fuzzing was discussed.

Yang Lan,Di Jin,Zhun Wang,Wende Tan,Zheyu Ma,Chao Zhang

DOI: https://doi.org/10.1109/ase56229.2023.00124

2024-01-01

Abstract:Fuzzing is widely adopted to discover vulnerabilities in software, including the kernel. One of the most popular and state-of-the-art fuzzers for kernels is Syzkaller. However, Syzkaller has a much lower testing throughput compared to other user-space fuzzers, which affects the efficiency of both Syzkaller and other Syzkaller-based fuzzers. In this paper, we profiled the performance of Syzkaller, recognized that the major cost comes from program isolation and kernel instrumentation, and then proposed kernel image duplication and three optimization techniques to mitigate such overheads and present the solution Thunderkaller. Our solution does not change or depend on the fuzzing algorithm in any way, orthogonal to other refinements to Syzkaller. Our evaluation shows that, in 24 hours, Thunderkaller speeds up 2.8× compared to vanilla Syzkaller, achieves 25.8% more basic block coverage, detects 21 more unique bugs, and triggers the common bugs 6.3× faster. In a long time of fuzzing, we have found 6 unique Linux kernel bugs and obtained a CVE.

Xiaochen Zou,Guoren Li,Weiteng Chen,Hang Zhang,Zhiyun Qian

DOI: https://doi.org/10.48550/arXiv.2111.06002

2021-11-11

Cryptography and Security

Abstract:Fuzzing has become one of the most effective bug finding approach for software. In recent years, 24*7 continuous fuzzing platforms have emerged to test critical pieces of software, e.g., Linux kernel. Though capable of discovering many bugs and providing reproducers (e.g., proof-of-concepts), a major problem is that they neglect a critical function that should have been built-in, i.e., evaluation of a bug's security impact. It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. In this paper, we develop SyzScope, a system that can automatically uncover new "high-risk" impacts given a bug with seemingly "low-risk" impacts. From analyzing over a thousand low-risk bugs on syzbot, SyzScope successfully determined that 183 low-risk bugs (more than 15%) in fact contain high-risk impacts, e.g., control flow hijack and arbitrary memory write, some of which still do not have patches available yet.

Jiacheng Xu,Xuhong Zhang,Shouling Ji,Yuan Tian,Binbin Zhao,Qinying Wang,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.14722/ndss.2024.23131

2024-01-01

Abstract:Kernels are at the heart of modern operating systems, whereas their development comes with vulnerabilities.Coverage-guided fuzzing has proven to be a promising software testing technique.When applying fuzzing to kernels, the salient aspect of it is that the input is a sequence of system calls (syscalls).As kernels are complex and stateful, specific sequences of syscalls are required to build up necessary states to trigger code deep in the kernels.However, the syscall sequences generated by existing fuzzers fall short in maintaining states to sufficiently cover deep code in the kernels where vulnerabilities favor residing.In this paper, we present a practical and effective kernel fuzzing framework, called MOCK, which is capable of learning the contextual dependencies in syscall sequences and then generating context-aware syscall sequences.To conform to the statefulness when fuzzing kernel, MOCK adaptively mutates syscall sequences in line with the calling context.MOCK integrates the context-aware dependency with (1) a customized language model-guided dependency learning algorithm, (2) a context-aware syscall sequence mutation algorithm, and (3) an adaptive task scheduling strategy to balance exploration and exploitation.Our evaluation shows that MOCK performs effectively in achieving branch coverage (up to 32% coverage growth), producing highquality input (50% more interrelated sequences), and discovering bugs (15% more unique crashes) than the state-of-the-art kernel fuzzers.Various setups including initial seeds and a pre-trained model further boost MOCK's performance.Additionally, MOCK also discovers 15 unique bugs in the most recent Linux kernels, including two CVEs.

Jie Liang,Mingzhe Wang,Yuanliang Chen,Yu Jiang,Renwei Zhang

DOI: https://doi.org/10.1109/SANER.2018.8330260

2018-01-01

Abstract:Fuzz testing has helped security researchers and organizations discover a large number of vulnerabilities. Although it is efficient and widely used in industry, hardly any empirical studies and experience exist on the customization of fuzzers to real industrial projects. In this paper, collaborating with the engineers from Huawei, we present the practice of adapting fuzz testing to a proprietary message middleware named libmsg, which is responsible for the message transfer of the entire distributed system department. We present the main obstacles coming across in applying an efficient fuzzer to libmsg, including system configuration inconsistency, system build complexity, fuzzing driver absence. The solutions for those typical obstacles are also provided. For example, for the most difficult and expensive obstacle of writing fuzzing drivers, we present a low-cost approach by converting existing sample code snippets into fuzzing drivers. After overcoming those obstacles, we can effectively identify software bugs, and report 9 previously unknown vulnerabilities, including flaws that lead to denial of service or system crash.

Hao Sun,Yuheng Shen,Jianzhong Liu,Yiru Xu,Yu Jiang

2022-01-01

Abstract:Kernel fuzzing is a dynamic testing technique that has successfully found numerous kernel vulnerabilities. However, existing kernel fuzzers, such as Syzkaller, depend on system call specifications to generate test cases. Writing such specifications requires an immense amount of domain knowledge while being extremely laborious. Meanwhile, automated generation of the specification is still an open problem due to the complexity of the kernel, including entry function extraction and input type identification. As a result, the current amount of system call information is insufficient to test the entire kernel code base thoroughly. Syzkaller covers an average of 38% of Linux kernel code with current Syzlang specifications for a prolonged time of fuzzing. In this paper, we propose KSG to generate system call specifications for kernel fuzzers automatically. First, it utilizes probe-based tracing to extract entry functions accurately. Then, it uses path-sensitive analysis to collect precise input types and range constraints in each execution path of entry functions. Based on the aforementioned information, KSG generates specifications in the domain language Syzlang, which is used by most kernel fuzzers. We evaluated KSG on several versions of the Linux kernel. It automatically generated 2433 unique specifications. Leveraging the newly generated specifications, Syzkaller and Moonshine achieved coverage improvements of 22% and 23% respectively. Furthermore, our approach assisted fuzzers to discover 26 previously unknown bugs, where 13 and 6 bugs were fixed and assigned with CVEs, respectively.

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Xin Tan,Yuan Zhang,Jiadong Lu,Xin Xiong,Zhuang Liu,Min Yang

DOI: https://doi.org/10.1145/3576915.3623146

2023-01-01

Abstract:Bug reports and patch commits are dramatically increasing for OS kernels, incentivizing a critical need for kernel-level bug reproduction and patch testing. Directed greybox fuzzing (DGF), aiming to stress-test a specific part of code, is a promising approach for bug reproduction and patch testing. However, the existing DGF methods exclusively target user-space applications, presenting intrinsic limitations in handling OS kernels. In particular, these methods cannot pinpoint the appropriate system calls and the needed syscall parameter values to reach the target location,resulting in low efficiency and waste of resources. In this paper, we present SyzDirect, a DGF solution for the Linux kernel. With a novel, scalable static analysis of the Linux kernel, SyzDirect identifies valuable information such as correct system calls and conditions on their arguments to reach the target location. During fuzzing, SyzDirect utilizes the static analysis results to guide the generation and mutation of test cases, followed by leveraging distance-based feedback for seed prioritization and power scheduling. We evaluated SyzDirect on upstream Linux kernels for bug reproduction and patch testing. The results show that SyzDirect can reproduce 320% more bugs and reach 25.6% more target patches than generic kernel fuzzers. It also improves the speed of bug reproduction and patch reaching by a factor of 154.3 and 680.9, respectively.

Shuitao Gan,Chao Zhang,Xiaojun Qin,Xuwen Tu,Kang Li,Zhongyu Pei,Zuoning Chen

DOI: https://doi.org/10.1109/tdsc.2020.3027690

2022-01-01

Abstract:Coverage-guided fuzzing is a widely used and effective solution to find software vulnerabilities. Tracking code coverage and utilizing it to guide fuzzing are crucial to coverage-guided fuzzers. However, tracking full and accurate path coverage is infeasible in practice due to the high instrumentation overhead. Popular fuzzers (e.g., AFL) often use coarse coverage information, e.g., edge hit counts stored in a compact bitmap, to achieve highly efficient greybox testing. Such inaccuracy and incompleteness in coverage introduce serious limitations to fuzzers. First, it causes path collisions, which prevent fuzzers from discovering potential paths that lead to new crashes. More importantly, it prevents fuzzers from making wise decisions on fuzzing strategies. In this paper, we propose a coverage sensitive fuzzing solution CollAFL. It mitigates path collisions by providing more accurate coverage information, while still preserving low instrumentation overhead. It also utilizes the coverage information to apply three new fuzzing strategies, promoting the speed of discovering new paths and vulnerabilities. We implemented a prototype of CollAFL based on the popular fuzzer AFL and evaluated it on 24 popular applications. The results showed that path collisions are common, i.e., up to 75% of edges could collide with others in some applications, and CollAFL could reduce the edge collision ratio to nearly zero. Moreover, armed with the three fuzzing strategies, CollAFL outperforms AFL in terms of both code coverage and vulnerability discovery. On average, CollAFL covered 20% more program paths, found 320% more unique crashes and 260% more bugs than AFL in 200 hours. In total, CollAFL found 157 new security bugs with 95 new CVEs assigned.

Yuheng Shen,Yiru Xu,Hao Sun,Jianzhong Liu,Zichen Xu,Aiguo Cui,Heyuan Shi,Yu Jiang

DOI: https://doi.org/10.1109/tcad.2022.3198910

IF: 2.9

2022-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Embedded operating systems (Embedded OSs) are extensively deployed in many mission-critical industrial scenarios. Any defects within these systems may result in unacceptable losses. Therefore, it is imperative to develop tools to detect bugs within Embedded OSs, thus minimizing potential impacts on industrial infrastructures. Coverage-guided fuzzing is a vulnerability detection technique that has found numerous real-world vulnerabilities within both application programs as well as kernels. However, state-of-the-art kernel fuzzers, e.g., Syzkaller, mainly target general purpose-operating systems, such as Linux, macOS, and Windows, whereas Embedded OSs support is mostly lacking. In this article, we propose Tardis, the first Embedded OSs fuzzer capable of testing a wide selection of Embedded OSs while leveraging coverage feedback. Tardis conducts OS-agnostic code coverage collection and analysis, allowing developers and testers to test a wide range of Embedded OSs without significant manual efforts. We implemented and evaluated Tardis on several well-known Embedded OSs, such as UC/OS and FreeRTOS. Tardis can successfully perform fuzz testing on these kernels without significant manual effort for adaptation. By leveraging coverage feedback, Tardis can cover 51.32% more branches than black-box fuzzing on average on the respective Embedded OSs over 24 h. Tardis also found 17 previously unknown bugs among the target Embedded OSs.

Tai Yue,Yibo Jin,Fengwei Zhang,Zhenyu Ning,Pengfei Wang,Xu Zhou,Kai Lu

DOI: https://doi.org/10.1145/3678890.3678933

2024-01-01

Abstract:Coverage-based greybox fuzzing (CGF) is an efficient technique for detecting vulnerabilities, but its coverage-feedback mechanism introduces significant overhead in binary-only fuzzing. Although hardware-assisted greybox fuzzing (HGF) has been proposed to address this issue, existing approaches struggle to achieve a balance between the efficiency and sensitivity of coverage, as well as to cope with trace buffer overflow. In this paper, we review the typical HGF tools and identify several challenges in their coverage-feedback mechanisms, including efficiency, sensitivity, and stability. Taking Arm CoreSight as an example, we present an efficient tool called Stalker to address these challenges. To achieve high-speed execution while maintaining a branch-sensitivity coverage, we propose two coverage strategies with different overheads and sensitivities and design a novel double-layer coverage mechanism that maximizes the benefits of these strategies. We further accelerate Stalker by conducting many optimizations in the decoder and kernel. To mitigate the imprecision and instability in coverage introduced by trace buffer overflow, we propose an adaptive CPU frequency modulation mechanism that adjusts the bandwidth of the trace units. We implement Stalker on an Arm Juno R2 development board and thoroughly evaluate the efficiency and sensitivity of coverage-feedback mechanisms in existing tools. Our comprehensive evaluations demonstrate that Stalker outperforms other state-of-the-art (SOTA) tools in addressing these challenges. Compared with Armored-Edge, Armored-Path, and μ AFL, Stalker accelerates the execution speed by 2.81 ×, 1.74 ×, and 1.4 × and covers Math 1, Math 2, and Math 3 more branches, as well as Math 4, Math 5, and Math 6 more paths, respectively.

Dongdong She,Adam Storek,Yuchong Xie,Seoyoung Kweon,Prashast Srivastava,Suman Jana

2024-06-07

Abstract:Fuzzing is an effective technique for discovering software vulnerabilities by generating random test inputs and executing them against the target program. However, fuzzing large and complex programs remains challenging due to difficulties in uncovering deeply hidden vulnerabilities. This paper addresses the limitations of existing coverage-guided fuzzers, focusing on the scheduler and mutator components. Existing schedulers suffer from information sparsity and the inability to handle fine-grained feedback metrics. The mutators are agnostic of target program branches, leading to wasted computation and slower coverage exploration. To overcome these issues, we propose an end-to-end online stochastic control formulation for coverage-guided fuzzing. Our approach incorporates a novel scheduler and custom mutator that can adapt to branch logic, maximizing aggregate edge coverage achieved over multiple stages. The scheduler utilizes fine-grained branch distance measures to identify frontier branches, where new coverage is likely to be achieved. The mutator leverages branch distance information to perform efficient and targeted seed mutations, leading to robust progress with minimal overhead. We present FOX, a proof-of-concept implementation of our control-theoretic approach, and compare it to industry-standard coverage-guided fuzzers. 6 CPU-years of extensive evaluations on the FuzzBench dataset and complex real-world programs (a total of 38 test programs) demonstrate that FOX outperforms existing state-of-the-art fuzzers, achieving average coverage improvements up to 26.45% in real-world standalone programs and 6.59% in FuzzBench programs over the state-of-the-art AFL++. In addition, it uncovers 20 unique bugs in popular real-world applications including eight that are previously unknown, showcasing real-world security impact.

Cryptography and Security

Chenlin Huang,Yusong Tan,Guoyun Duan,Zhiwen Chen,Boyang Zhang,Peiyao Deng,Qianxiang Zhang,Jianhua Sun,Hao Chen,Guoqing Xiao,Qing Liao

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00126

2021-01-01

Abstract:With the rapid development of the Internet, data security faces new challenges. As the interface between hardware and user-level applications, operating system is a critical component to ensure the security of sensitive data. Trusted execution environment (TEE) is a special operating system aiming at preventing the illegal access and tampering of sensitive data. Thus, the security of trusted operating system is essential for the whole system. Fuzzing is a promising technique that is widely used to identify vulnerabilities in operating systems and applications. In this paper, we present the design and implementation of a coverage-guided fuzzing framework for trusted operating systems. Specifically, we build a system that can perform fuzz testing for OP-TEE, a widespread TrustZone operating system. To improve efficiency, our systems contains several purpose-build components, which include seed generation and test case mutation to achieve higher coverage, coverage collection, and automatic bug-reproducing. With extensive evaluation, we trigger 38 crashes in OP-TEE. In terms of performance, the average execution speed of our system is 79.4 test cases per second. In summary, we show that fuzzing is a feasible and effective approach to testing trusted operating systems.