SHI Yan,QIANG Weizhong,ZOU Deqing,JIN Hai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024001

2024-01-01

Abstract:Fuzzing is a technique that was used to detect potential vulnerabilities and errors in software or systems by generating random,abnormal,or invalid test cases.When applying fuzzing to the kernel,more complex and challenging obstacles were encountered compared to user-space applications.The kernel,being a highly intricate software system,consists of numerous interconnected modules,subsystems,and device drivers,which presented challenges such as a massive codebase,complex interfaces,and runtime uncertainty.Traditional fuzzing methods could only generate inputs that simply satisfied interface specifications and explicit call dependencies,making it difficult to thoroughly explore the kernel.In contrast,evolutionary kernel fuzzing employed heuristic evolutionary strategies to dynamically adjust the generation and selection of test cases,guided by feedback mechanisms.This iterative process aimed to generate higher-quality test cases.Existing work on evolutionary kernel fuzzing was examined.The concept of evolutionary kernel fuzzing was explained,and its general framework was summarized.The existing work on evolutionary kernel fuzzing was classified and compared based on the type of feedback mechanism utilized.The principles of how feedback mechanisms guided evolution were analyzed from the perspectives of collecting,analyzing,and utilizing runtime information.Additionally,the development direction of evolutionary kernel fuzzing was discussed.

Bodong Zhao,Zheming Li,Shisong Qin,Zheyu Ma,Ming Yuan,Wenyu Zhu,Zhihong Tian,Chao Zhang

2022-01-01

Abstract:Coverage-guided fuzzing has achieved great success in finding software vulnerabilities. Existing coverage-guided fuzzers generally favor test cases that hit new code, and discard ones that exercise the same code. However, such a strategy is not optimum. A new test case exercising the same code could be better than a previous test case, as it may trigger new program states useful for code exploration and bug discovery. In this paper, we assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz to address this issue. First, we model program states with values of state-variables and utilize static analysis to recognize such variables. Then, we instrument target programs to track such variables' values and infer program state transition at runtime. Lastly, we utilize state information to prioritize test cases that can trigger new states, and apply a three-dimension feedback mechanism to fine-tune the evolutionary direction of coverage-guided fuzzers. We have implemented a prototype of StateFuzz, and evaluated it on Linux upstream drivers and Android drivers. Evaluation results show that StateFuzz is effective at discovering both new code and vulnerabilities. It finds 18 unknown vulnerabilities and 2 known but unpatched vulnerabilities, and reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller.

Heyuan Shi,Shijun Chen,Runzhe Wang,Yuhan Chen,Weibo Zhang,Qiang Zhang,Yuheng Shen,Xiaohai Shi,Chao Hu,Yu Jiang

DOI: https://doi.org/10.1145/3691620.3695278

2024-01-01

Abstract:Directed grey-box fuzzing is a widely used automatic testing technique that has helped developers test specific code space in the target program. Although many directed fuzzers are designed to test the Linux kernel, challenges still remain due to the complexity of industrial requirements and deployment environments. In this paper, we collaborate with developers from Alibaba and the OpenAnolis community to conduct an industry practice of directed kernel fuzzing for open-source Linux distribution. We highlight typical challenges in deploying directed kernel fuzzing, including target-related kernel configuration options being disabled, unrelated initial seeds limiting fuzzing startup performance, no support for kernel feature interface fuzzing, independent fuzzer execution limiting fuzzing effectiveness, much manual work to triage and analyze crashes, and hard to integrate into the existing fuzzing framework. We provide solutions to these challenges, which allowed us to discover 11 previously unknown kernel bugs related to cloud-native features, io_uring, and other components in the OpenAnolis Linux distribution.

吴志勇,王红川,孙乐昌,潘祖烈,刘京菊

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.03.006

2010-01-01

Abstract:By analyzing and comparing several definitions of Fuzzing,this paper gave a new definition accroding to the know-ledge and methods using currently,summerized its new ideas,new methods and corresponding defeats from these aspects like differences from black-box testing,framework and test data generation mechanism.Based on these defeats and the requiments from practical application,proposed concrete research directions and methods.

Heyuan Shi,Runzhe Wang,Ying Fu,Mingzhe Wang,Xiaohai Shi,Xun Jiao,Houbing Song,Yu Jiang,Jiaguang Sun

DOI: https://doi.org/10.1145/3338906.3340460

2019-01-01

Abstract:Coverage-guided kernel fuzzing is a widely-used technique that has helped kernel developers and testers discover numerous vulnerabilities. However, due to the high complexity of application and hardware environment, there is little study on deploying fuzzing to the enterprise-level Linux kernel. In this paper, collaborating with the enterprise developers, we present the industry practice to deploy kernel fuzzing on four different enterprise Linux distributions that are responsible for internal business and external services of the company. We have addressed the following outstanding challenges when deploying a popular kernel fuzzer, syzkaller, to these enterprise Linux distributions: coverage support absence, kernel configuration inconsistency, bugs in shallow paths, and continuous fuzzing complexity. This leads to a vulnerability detection of 41 reproducible bugs which are previous unknown in these enterprise Linux kernel and 6 bugs with CVE IDs in U.S. National Vulnerability Database, including flaws that cause general protection fault, deadlock, and use-after-free.

Xiaohan Zhang,Cen Zhang,Xinghua Li,Zhengjie Du,Bing Mao,Yuekang Li,Yaowen Zheng,Yeting Li,Li Pan,Yang Liu,Robert Deng

DOI: https://doi.org/10.1145/3696788

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:Communication protocols form the bedrock of our interconnected world, yet vulnerabilities within their implementations pose significant security threats. Recent developments have seen a surge in fuzzing-based research dedicated to uncovering these vulnerabilities within protocol implementations. However, there still lacks a systematic overview of protocol fuzzing for answering the essential questions such as what the unique challenges are, how existing works solve them, and so on. To bridge this gap, we conducted a comprehensive investigation of related works from both academia and industry. Our study includes a detailed summary of the specific challenges in protocol fuzzing and provides a systematic categorization and overview of existing research efforts. Furthermore, we explore and discuss potential future research directions in protocol fuzzing.

computer science, theory & methods

Valentin J.M. Manès,HyungSeok Han,Choongwoo Han,Sang Kil Cha,Manuel Egele,Edward J. Schwartz,Maverick Woo,Valentin J.M. Manes

DOI: https://doi.org/10.1109/tse.2019.2946563

IF: 7.4

2021-11-01

IEEE Transactions on Software Engineering

Abstract:Among the many software testing techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. At a high level, fuzzing refers to a process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective.

engineering, electrical & electronic,computer science, software engineering

Shihao Jiang,Yu Zhang,Junqiang Li,Hongfang Yu,Long Luo,Gang Sun

2024-02-27

Abstract:As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits its distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of some representative advancements in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. At the same time, this paper also summarizes the promising research directions in the landscape of protocol fuzzing to foster exploration within the community for more efficient and intelligent modern network protocol fuzzing techniques.

Networking and Internet Architecture

Xiaogang Zhu,Sheng Wen,Seyit Camtepe,Yang Xiang

DOI: https://doi.org/10.1145/3512345

IF: 16.6

2022-01-28

ACM Computing Surveys

Abstract:Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

computer science, theory & methods

Qi Lanlan,Wen Jiangtao,Huang Hui,Wang Xiong,Wu Zhiyong

DOI: https://doi.org/10.1007/978-3-642-38460-8_10

2013-01-01

Abstract:From Miller firstly introduced the fuzzing in 1990 and found failures in over 25 % of UNIX programs, to recent TaintScope system presented by Peking University and the discovery of 27 0day vulnerabilities in several popular software including Adobe Acrobat, the practical experiences and results have illuminated that fuzzing are effective for vulnerability mining. In this paper, fuzzing is studied and surveyed. First, new features of fuzzing are analyzed. And then, give the definition of Cd and Md. Cd and Md describe the ability to implement vulnerability mining on the vulnerability of the test case. Based on the Cd and Md, this paper also gives a new fuzzing architecture Feedback Fuzz.

Zhaowei Zhang,Hongzheng Zhang,Jinjing Zhao,Yanfei Yin

DOI: https://doi.org/10.3390/electronics12132904

IF: 2.9

2023-07-02

Electronics

Abstract:Network protocols, as the communication rules among computer network devices, are the foundation for the normal operation of networks. However, security issues arising from design flaws and implementation vulnerabilities in network protocols pose significant risks to network operations and security. Network protocol fuzzing is an effective technique for discovering and mitigating security flaws in network protocols. It offers unparalleled advantages compared to other security analysis techniques thanks to the minimal requirement for prior knowledge of the target and low deployment complexity. Nevertheless, the randomness in test case generation, uncontrollable test coverage, and unstable testing efficiency introduce challenges in ensuring the controllability of the testing process and results. In order to comprehensively survey the development of network protocol fuzzing techniques and analyze their advantages and existing issues, in this paper, we categorized and summarized the protocol fuzzing and its related techniques based on the generation methods of test cases and testing conditions. Specifically, we overviewed the development trajectory and patterns of these techniques over the past two decades according to chronological order. Based on this analysis, we further predict the future directions of fuzzing techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jiacheng Xu,Xuhong Zhang,Shouling Ji,Yuan Tian,Binbin Zhao,Qinying Wang,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.14722/ndss.2024.23131

2024-01-01

Abstract:Kernels are at the heart of modern operating systems, whereas their development comes with vulnerabilities.Coverage-guided fuzzing has proven to be a promising software testing technique.When applying fuzzing to kernels, the salient aspect of it is that the input is a sequence of system calls (syscalls).As kernels are complex and stateful, specific sequences of syscalls are required to build up necessary states to trigger code deep in the kernels.However, the syscall sequences generated by existing fuzzers fall short in maintaining states to sufficiently cover deep code in the kernels where vulnerabilities favor residing.In this paper, we present a practical and effective kernel fuzzing framework, called MOCK, which is capable of learning the contextual dependencies in syscall sequences and then generating context-aware syscall sequences.To conform to the statefulness when fuzzing kernel, MOCK adaptively mutates syscall sequences in line with the calling context.MOCK integrates the context-aware dependency with (1) a customized language model-guided dependency learning algorithm, (2) a context-aware syscall sequence mutation algorithm, and (3) an adaptive task scheduling strategy to balance exploration and exploitation.Our evaluation shows that MOCK performs effectively in achieving branch coverage (up to 32% coverage growth), producing highquality input (50% more interrelated sequences), and discovering bugs (15% more unique crashes) than the state-of-the-art kernel fuzzers.Various setups including initial seeds and a pre-trained model further boost MOCK's performance.Additionally, MOCK also discovers 15 unique bugs in the most recent Linux kernels, including two CVEs.

吴志勇,夏建军,孙乐昌,张旻

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.08.002

2010-01-01

Abstract:Fuzzing is an effective dynamic vulnerability mining technology,however,there is not too much research on multidimensional Fuzzing. This paper concluded that the problems of multi-dimensional Fuzzing included combinational explosion, covering vulnerable statements and triggering suspend vulnerabilities. Gave a research and a comparison on existing multi-dimensional Fuzzing technologies and got that they could be divided into three basic steps: locating vulnerable statements,finding input elements which influenced corresponding vulnerable statements and finding the vulnerabilities with multi-dimensional Fuzzing technology. At last,gave its further improvement directions.

Hong-bo YAO,Liang YIN,Wei-ping WEN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.12.002

2011-01-01

Abstract:With advances in technology, Windows operating system has improved steadily. Combining many memory protection technologies made the traditional buffer-overflow-based attacks to be more useless. In this case, the kernel vulnerability can be used to break through the security line of defense as a starting point. This paper researches the existing mining Windows kernel vulnerability, then proposes a methods on how to find Windows kernel vulnerability based on Fuzzing, summarizes the existing Fuzzing technology, selects three kernel Fuzzing goal which are Windows win32k.sys processing of window messages, third-party driver for IoControlCode processing, security software on the SSDT, ShadowSSDT function of processing, after the analysis of the three principles, Fuzzing data are designed and data input path are identified. Finally, using this method found in case of Windows operating system unknown vulnerabilities verify the validity of the method.

Yuwei Li,Shouling Ji,Chenyang Lv,Yuan Chen,Jianhai Chen,Qinchen Gu,Chunming Wu

DOI: https://doi.org/10.48550/arxiv.1901.01142

2019-01-01

Abstract:Fuzzing is a technique of finding bugs by executing a software recurrently with a large number of abnormal inputs. Most of the existing fuzzers consider all parts of a software equally, and pay too much attention on how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this paper, we design and implement a vulnerability-oriented evolutionary fuzzing prototype named V-Fuzz, which aims to find bugs efficiently and quickly in a limited time. V-Fuzz consists of two main components: a neural network-based vulnerability prediction model and a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of the software are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which tend to arrive at the vulnerable locations, guided by the vulnerability prediction result. Experimental results demonstrate that V-Fuzz can find bugs more efficiently than state-of-the-art fuzzers. Moreover, V-Fuzz has discovered 10 CVEs, and 3 of them are newly discovered. We reported the new CVEs, and they have been confirmed and fixed.

Libo Chen,Quanpu Cai,Zhenbang Ma,Yanhao Wang,Hong Hu,Minghang Shen,Yue Liu,Shanqing Guo,Haixin Duan,Kaida Jiang,Zhi Xue

DOI: https://doi.org/10.1145/3548606.3559367

2022-01-01

Abstract:ABSTRACTReal-Time Operating System (RTOS) has become the main category of embedded systems. It is widely used to support tasks requiring real-time response such as printers and switches. The security of RTOS has been long overlooked as it was running in special environments isolated from attackers. However, with the rapid development of IoT devices, tremendous RTOS devices are connected to the public network. Due to the lack of security mechanisms, these devices are extremely vulnerable to a wide spectrum of attacks. Even worse, the monolithic design of RTOS combines various tasks and services into a single binary, which hinders the current program testing and analysis techniques working on RTOS. In this paper, we propose SFuzz, a novel slice-based fuzzer, to detect security vulnerabilities in RTOS. Our insight is that RTOS usually divides a complicated binary into many separated but single-minded tasks. Each task accomplishes a particular event in a deterministic way and its control flow is usually straightforward and independent. Therefore, we identify such code from the monolithic RTOS binary and synthesize a slice for effective testing. Specifically, SFuzz first identifies functions that handle user input, constructs call graphs that start from callers of these functions, and leverages forward slicing to build the execution tree based on the call graphs and pruning the paths independent of external inputs. Then, it detects and handles roadblocks within the coarse-grain scope that hinder effective fuzzing, such as instructions unrelated to the user input. And then, it conducts coverage-guided fuzzing on these code snippets. Finally, SFuzz leverages forward and backward slicing to track and verify each path constraint and determine whether a bug discovered in the fuzzer is a real vulnerability. SFuzz successfully discovered 77 zero-day bugs on 35 RTOS samples, and 67 of them have been assigned CVE or CNVD IDs. Our empirical evaluation shows that SFuzz outperforms the state-of-the-art tools (e.g., UnicornAFL) on testing RTOS.

Tingting Yin,Zicong Gao,Zhenghang Xiao,Zheyu Ma,Min Zheng,Chao Zhang

DOI: https://doi.org/10.1109/tdsc.2023.3330852

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:macOS drivers, i.e., Kernel EXTensions (kexts), are attractive attack targets for adversaries. However, automatically discovering vulnerabilities in kexts is extremely challenging because kexts are mostly closed-source, and the latest macOS running on customized Apple Silicon has limited tool-chain support. Most existing static analysis and dynamic testing solutions cannot be applied to the latest macOS. In this paper, we present the first end-to-end fuzzing solution KextFuzz to detect bugs in the latest macOS kexts running on Apple Silicon. Unlike existing driver fuzzing solutions, KextFuzz does not require source code, execution traces, hypervisors, or hardware features (e.g., coverage tracing) and thus is universal and practical. We note that macOS has deployed many mitigations, including pointer authentication, code signature, and userspace kernel layer wrappers, to thwart potential attacks. These mitigations can provide extra knowledge and resources for us to enable kernel fuzzing. KextFuzz exploits these mitigation schemes to instrument the binary for coverage tracking, infer the type and semantic information of kext interfaces, and generate multi-dimension inputs. KextFuzz has found 49 unique kernel bugs in the macOS kexts and got five CVEs. Some bugs could cause severe consequences like running arbitrary code with kernel privilege.

Xiang Tang,Houlin Zhou,Man Zhang,Yuheng Zhang,Guocheng Wu,Hui Lu,Xiang Yu,Zhihong Tian

DOI: https://doi.org/10.1109/cloudnet59005.2023.10490070

2023-01-01

Abstract:Fuzzing technology is the mainstream technology used for vulnerability mining at this stage, and most of the software vulnerabilities are discovered by using this technology. However, one of the main problems of fuzzing technology is that it will generate a large number of crash samples, but not all crashes are vulnerabilities, so how to quickly analyze and judge these crash samples usable is the current vulnerability mining work based on fuzzing technology. The main problem faced aiming at the research on crash exploitability analysis, this article firstly explains the difficulties of vulnerability exploitability analysis, then explains several difficulties in turn, lists some tools and methods for researching these difficulties, and discusses the analysis of vulnerabilities Future development directions and trends in terms of usability.

Kaiyu Shi,Xiangzhan Yu,Yue Zhao

DOI: https://doi.org/10.1145/3444370.3444625

2020-01-01

Abstract:With the rapid advancement of modern technology, software are getting more and more intelligent, whereas the related security issues are also becoming more and more prominent [1]. Developers can easily introduce bugs into a system due to mistakes or poor consideration, which in serious cases may lead to security breaches that can jeopardize the entire system or the entire network. Therefore, efficient and automated security testing techniques or theories are of great importance to software testing and vulnerability detection.