Zicong Gao,Hao Xiong,Weiyu Dong,Rui Chang,Rui Yang,Yajin Zhou,Liehui Jiang

DOI: https://doi.org/10.1109/tse.2023.3326144

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation-based fuzzing has been widely used in both academia and industry. Recently, researchers observe that the mutation scheduling scheme affects the efficiency of fuzzing. Accordingly, they propose PSO algorithm or machine learning-based technique to optimize the scheduling process. However, these methods fail to consider the fact that the optimal operator distribution of different seeds is different, even for the same program. In this paper, we propose a novel general scheduling scheme, named FA-fuzz, to find the optimal selecting probability distribution of mutation operators, which is based on the observations that the effective mutation operators are different for different seeds. Specifically, our method is based on the firefly algorithm. The positions of fireflies are mapped to the selection probability distribution of different mutation operators. The brightness of fireflies is expressed as the efficiency of discovering unique testcases. We implement prototype systems on multiple state-of-art fuzzers, and perform evaluations on two datasets. Our proposed method improves both the number of unique paths and unique bugs on real-world datasets. In addition, we discover 30 zero-day vulnerabilities in eight real-world programs, which demonstrate the effectiveness of FA-fuzz.

Bodong Zhao,Zheming Li,Shisong Qin,Zheyu Ma,Ming Yuan,Wenyu Zhu,Zhihong Tian,Chao Zhang

2022-01-01

Abstract:Coverage-guided fuzzing has achieved great success in finding software vulnerabilities. Existing coverage-guided fuzzers generally favor test cases that hit new code, and discard ones that exercise the same code. However, such a strategy is not optimum. A new test case exercising the same code could be better than a previous test case, as it may trigger new program states useful for code exploration and bug discovery. In this paper, we assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz to address this issue. First, we model program states with values of state-variables and utilize static analysis to recognize such variables. Then, we instrument target programs to track such variables' values and infer program state transition at runtime. Lastly, we utilize state information to prioritize test cases that can trigger new states, and apply a three-dimension feedback mechanism to fine-tune the evolutionary direction of coverage-guided fuzzers. We have implemented a prototype of StateFuzz, and evaluated it on Linux upstream drivers and Android drivers. Evaluation results show that StateFuzz is effective at discovering both new code and vulnerabilities. It finds 18 unknown vulnerabilities and 2 known but unpatched vulnerabilities, and reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller.

Ji Shi,Wei Zou,Chao Zhang,Lingxiao Tan,Yanyan Zou,Yue Peng,Wei Huo

DOI: https://doi.org/10.1186/s42400-022-00116-x

2022-01-01

Abstract:Grey-box fuzzing techniques have been widely used in software bug finding. In general, there are many decisions to make in the fuzzing process, including which code block in the target program should be explored first, which bytes of an input seed should be mutated to reach the target code block, and how to mutate the chosen input bytes. However, existing solutions usually rely on random exploration or certain heuristics to choose where and how to fuzz, which limits the efficiency of fuzzing. In this paper, we propose a novel solution CAMFuzz to guide the fuzzing process with explainable decisions in explainable artificial intelligence (XAI). First, we propose a dynamic weight adjustment algorithm, which considers both the difficulty of reaching a block and the number of unvisited blocks nearby, to find code blocks worthy to explore first. Second, we utilize a widely used local interpretation technique, i.e., class activation mapping (CAM), to recognize which part of an input seed should be mutated to reach a given target code block. Therefore, CAMFuzz can distinguish which part of code in the program is more important and which positions in the input file should be mutated first, in order to achieve a better code coverage and bug finding efficiency. Third, to further help the fuzzer increase fuzzing efficiency, we leverage a lightweight static program analysis to help the fuzzer identify magic values. We implement a prototype of CAMFuzz and evaluate it on 13 real-world programs (including 11 open source targets, 2 closed-source commercial products including a Microsoft component and Hancom Office) Results show that CAMFuzz outperforms state-of-the-art fuzzers in both code coverage and bug finding. To detail, CAMFuzz on average achieves 2.07 × more bugs and 1.17 × coverage improvements. In total, it found 19 previously unknown vulnerabilities, of which 6 have been assigned by CVE so far.

Shunkai Zhu,Jingyi Wang,Jun Sun,Jie Yang,Xingwei Lin,Tianyi Wang,Liyi Zhang,Peng Cheng

DOI: https://doi.org/10.1109/tse.2023.3338129

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Fuzzing is one of the prevailing methods for vulnerability detection. However, even state-of-the-art fuzzing methods become ineffective after some period of time, i.e., the coverage hardly improves as existing methods are ineffective to focus the attention of fuzzing on covering the hard-to-trigger program paths. In other words, they cannot generate inputs that can break the bottleneck due to the fundamental difficulty in capturing the complex relations between the test inputs and program coverage. In particular, existing fuzzers suffer from the following main limitations: 1) lacking an overall analysis of the program to identify the most “rewarding” seeds, and 2) lacking an effective mutation strategy which could continuously select and mutates the more relevant “bytes” of the seeds. In this work, we propose an approach called ATT UZZ to address these two issues systematically. First, we propose a lightweight dynamic analysis technique that estimates the “reward” of covering each basic block and selects the most rewarding seeds accordingly. Second, we mutate the selected seeds according to a neural network model which predicts whether a certain “rewarding” block will be covered given certain mutations on certain bytes of a seed. The model is a deep learning model equipped with an attention mechanism which is learned and updated periodically whilst fuzzing. Our evaluation shows that ATT UZZ significantly outperforms 5 state-of-the-art grey-box fuzzers on 6 popular real-world programs and MAGMA data sets at achieving higher edge coverage and finding new bugs. In particular, ATT UZZ achieved 1.2X edge coverage and 1.8X bugs detected than AFL ++ over 24-hour runs. In addition, ATT UZZ also finds 4 new bugs in the latest version of some popular software including p7zip and openUSD.

Dongdong She,Adam Storek,Yuchong Xie,Seoyoung Kweon,Prashast Srivastava,Suman Jana

2024-06-07

Abstract:Fuzzing is an effective technique for discovering software vulnerabilities by generating random test inputs and executing them against the target program. However, fuzzing large and complex programs remains challenging due to difficulties in uncovering deeply hidden vulnerabilities. This paper addresses the limitations of existing coverage-guided fuzzers, focusing on the scheduler and mutator components. Existing schedulers suffer from information sparsity and the inability to handle fine-grained feedback metrics. The mutators are agnostic of target program branches, leading to wasted computation and slower coverage exploration. To overcome these issues, we propose an end-to-end online stochastic control formulation for coverage-guided fuzzing. Our approach incorporates a novel scheduler and custom mutator that can adapt to branch logic, maximizing aggregate edge coverage achieved over multiple stages. The scheduler utilizes fine-grained branch distance measures to identify frontier branches, where new coverage is likely to be achieved. The mutator leverages branch distance information to perform efficient and targeted seed mutations, leading to robust progress with minimal overhead. We present FOX, a proof-of-concept implementation of our control-theoretic approach, and compare it to industry-standard coverage-guided fuzzers. 6 CPU-years of extensive evaluations on the FuzzBench dataset and complex real-world programs (a total of 38 test programs) demonstrate that FOX outperforms existing state-of-the-art fuzzers, achieving average coverage improvements up to 26.45% in real-world standalone programs and 6.59% in FuzzBench programs over the state-of-the-art AFL++. In addition, it uncovers 20 unique bugs in popular real-world applications including eight that are previously unknown, showcasing real-world security impact.

Cryptography and Security

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Xiaoqi Zhao,Haipeng Qu,Wenjie Lv,Shuo Li,Jianliang Xu

DOI: https://doi.org/10.3390/math9030205

IF: 2.4

2021-01-01

Mathematics

Abstract:Coverage-based Greybox Fuzzing (CGF) is a practical and effective solution for finding bugs and vulnerabilities in software. A key challenge of CGF is how to select conducive seeds and allocate accurate energy. To address this problem, we propose a novel many-objective optimization solution, MooFuzz, which can identify different states of the seed pool and continuously gather different information about seeds to guide seed schedule and energy allocation. First, MooFuzz conducts risk marking in dangerous positions of the source code. Second, it can automatically update the collected information, including the path risk, the path frequency, and the mutation information. Next, MooFuzz classifies seed pool into three states and adopts different objectives to select seeds. Finally, we design an energy recovery mechanism to monitor energy usage in the fuzzing process and reduce energy consumption. We implement our fuzzing framework and evaluate it on seven real-world programs. The experimental results show that MooFuzz outperforms other state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, and PerfFuzz, in terms of path discovery and bug detection.

Chenyang Lyu,Shouling Ji,Yuwei Li,Junfeng Zhou,Jianhai Chen,Jing Chen

DOI: https://doi.org/10.48550/arXiv.1807.02606

2019-06-03

Abstract:Fuzzing is an automated application vulnerability detection method. For genetic algorithm-based fuzzing, it can mutate the seed files provided by users to obtain a number of inputs, which are then used to test the objective application in order to trigger potential crashes. As shown in existing literature, the seed file selection is crucial for the efficiency of fuzzing. However, current seed selection strategies do not seem to be better than randomly picking seed files. Therefore, in this paper, we propose a novel and generic system, named SmartSeed, to generate seed files towards efficient fuzzing. Specifically, SmartSeed is designed based on a machine learning model to learn and generate high-value binary seeds. We evaluate SmartSeed along with American Fuzzy Lop (AFL) on 12 open-source applications with the input formats of mp3, bmp or flv. We also combine SmartSeed with different fuzzing tools to examine its compatibility. From extensive experiments, we find that SmartSeed has the following advantages: First, it only requires tens of seconds to generate sufficient high-value seeds. Second, it can generate seeds with multiple kinds of input formats and significantly improves the fuzzing performance for most applications with the same input format. Third, SmartSeed is compatible to different fuzzing tools. In total, our system discovers more than twice unique crashes and 5,040 extra unique paths than the existing best seed selection strategy for the evaluated 12 applications. From the crashes found by SmartSeed, we discover 16 new vulnerabilities and have received their CVE IDs.

Cryptography and Security

Wenjie Wang,Donghai Tian,Rui Ma,Hang Wei,Qianjin Ying,Xiaoqi Jia,Lei Zuo

DOI: https://doi.org/10.23919/jcc.2021.08.001

2021-01-01

China Communications

Abstract:Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.

Han Zheng,Jiayuan Zhang,Yuhang Huang,Zezhong Ren,He Wang,Chunjie Cao,Yuqing Zhang,Flavio Toffalini,Mathias Payer

DOI: https://doi.org/10.48550/arXiv.2207.13393

2022-07-27

Abstract:Greybox fuzzing is the de-facto standard to discover bugs during development. Fuzzers execute many inputs to maximize the amount of reached code. Recently, Directed Greybox Fuzzers (DGFs) propose an alternative strategy that goes beyond "just" coverage: driving testing toward specific code targets by selecting "closer" seeds. DGFs go through different phases: exploration (i.e., reaching interesting locations) and exploitation (i.e., triggering bugs). In practice, DGFs leverage coverage to directly measure exploration, while exploitation is, at best, measured indirectly by alternating between different targets. Specifically, we observe two limitations in existing DGFs: (i) they lack precision in their distance metric, i.e., averaging multiple paths and targets into a single score (to decide which seeds to prioritize), and (ii) they assign energy to seeds in a round-robin fashion without adjusting the priority of the targets (exhaustively explored targets should be dropped). We propose FishFuzz, which draws inspiration from trawl fishing: first casting a wide net, scraping for high coverage, then slowly pulling it in to maximize the harvest. The core of our fuzzer is a novel seed selection strategy that builds on two concepts: (i) a novel multi-distance metric whose precision is independent of the number of targets, and (ii) a dynamic target ranking to automatically discard exhausted targets. This strategy allows FishFuzz to seamlessly scale to tens of thousands of targets and dynamically alternate between exploration and exploitation phases. We evaluate FishFuzz by leveraging all sanitizer labels as targets. Extensively comparing FishFuzz against modern DGFs and coverage-guided fuzzers shows that FishFuzz reached higher coverage compared to the direct competitors, reproduces existing bugs (70.2% faster), and finally discovers 25 new bugs (18 CVEs) in 44 programs.

Cryptography and Security

Wang Xiajing,Hu Changzhen,Ma Rui,Tian Donghai,He Jinyuan

DOI: https://doi.org/10.1007/s10664-020-09927-3

IF: 3.762

2021-01-01

Empirical Software Engineering

Abstract:Mutation-based fuzzing is a simple yet effective technique to discover bugs and security vulnerabilities in software. Given a set of well-formed initial seeds, mutation-based fuzzers continually generate interesting seeds by applying specific mutation strategy in order to maximize code coverage or the number of unique bugs explored at any point-in-time. However, existing fuzzers remain limited in the paths it could cover since it simply follows a uniform distribution to choose mutation operators. In this paper, we proposed a novel context-aware adaptive mutation scheme, namely CMFuzz, which utilizes a contextual bandit algorithm LinUCB to effectively choose optimal mutation operators for various seed files. To this end, CMFuzz dynamically extracts and encodes file characteristics, which allows mutation-based fuzzers to perform context-aware mutation. We apply this scheme on top of several state-of-the-art fuzzers, i.e., PTfuzz, AFL, and AFLFast, and implement CMFuzz-PT, CMFuzz-AFL, and CMFuzz-AFLFast, respectively. We conduct evaluation on 12 real-world open source applications and LAVA-M dataset against their counterparts. Extensive evaluations demonstrate that CMFuzz-based fuzzers achieve higher code coverage and find more crashes at a faster rate than their counterparts on most cases. Furthermore, we also utilize other mainstream bandit algorithms, e.g., Thompson Sample and epsilon-greedy, and implement Thompson-PT and Greedy-PT based on PTfuzz to examine the performance of proposed model. CMFuzz-PT significantly outperforms Thompson-PT especially in terms of unique crashes and paths, i.e., found 1.79× unique crashes and 1.29× unique paths on average. Compared to Greedy-PT, our approach still increases the amount of unique crashes and paths by 1.11× and 1.05×, respectively.

Hanxiang Xu,Wei Ma,Ting Zhou,Yanjie Zhao,Kai Chen,Qiang Hu,Yang Liu,Haoyu Wang

2024-12-19

Abstract:In recent years, the programming capabilities of large language models (LLMs) have garnered significant attention. Fuzz testing, a highly effective technique, plays a key role in enhancing software reliability and detecting vulnerabilities. However, traditional fuzz testing tools rely on manually crafted fuzz drivers, which can limit both testing efficiency and effectiveness. To address this challenge, we propose an automated fuzz testing method driven by a code knowledge graph and powered by an LLM-based intelligent agent system, referred to as CKGFuzzer. We approach fuzz driver creation as a code generation task, leveraging the knowledge graph of the code repository to automate the generation process within the fuzzing loop, while continuously refining both the fuzz driver and input seeds. The code knowledge graph is constructed through interprocedural program analysis, where each node in the graph represents a code entity, such as a function or a file. The knowledge graph-enhanced CKGFuzzer not only effectively resolves compilation errors in fuzz drivers and generates input seeds tailored to specific API usage scenarios, but also analyzes fuzz driver crash reports, assisting developers in improving code quality. By querying the knowledge graph of the code repository and learning from API usage scenarios, we can better identify testing targets and understand the specific purpose of each fuzz driver. We evaluated our approach using eight open-source software projects. The experimental results indicate that CKGFuzzer achieved an average improvement of 8.73% in code coverage compared to state-of-the-art techniques. Additionally, CKGFuzzer reduced the manual review workload in crash case analysis by 84.4% and successfully detected 11 real bugs (including nine previously unreported bugs) across the tested libraries.

Software Engineering,Cryptography and Security

Ruixiang Qian,Quanjun Zhang,Chunrong Fang,Lihua Guo

DOI: https://doi.org/10.1145/3545258.3545285

2022-01-01

Abstract:Coverage guided fuzzing (CGF) is an effective testing technique which has detected hundreds of thousands of bugs from various software applications. It focuses on maximizing code coverage to reveal more bugs during fuzzing. However, a higher coverage does not necessarily imply a better fault detection capability. Triggering a bug involves not only exercising the specific program path but also reaching interesting program states in that path. In this paper, we use mutation testing to improve CGF in detecting bugs. We use mutation scores as additional feedback to guide fuzzing towards detecting bugs rather than just covering code. To evaluate our approach, we conduct a well-designed experiment on 5 benchmarks. We choose the state-of-the-art fuzzing technique Zest as baseline and construct two modified techniques on it using our approach. The experimental results show that our approach can improve CGF in both code coverage and bug detection.

Chijin Zhou,Mingzhe Wang,Jie Liang,Zhe Liu,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1109/ASE.2019.00106

2019-01-01

Abstract:ABSTRACTFuzzing is widely used for vulnerability detection. One of the challenges for an efficient fuzzing is covering code guarded by constraints such as the magic number and nested conditions. Recently, academia has partially addressed the challenge via whitebox methods. However, high-level constraints such as array sorts, virtual function invocations and tree set queries are yet to be handled. To meet this end, we present VisFuzz1, an interactive tool for better understanding and intervening fuzzing process via real-time visualization. It extracts call graph and control flow graph from source code, maps each function and basic block to the line of source code and tracks real-time execution statistics with detail constraint contexts. With VisFuzz, test engineers first locate blocking constraints, and then learn its semantic context, which helps to craft targeted inputs or update test drivers. Preliminary evaluations are conducted on four real-world programs in Google fuzzer-test-suite. Given additional 15 minutes to understand and intervene the state of fuzzing, the intervened fuzzing outperforms the original pure AFL fuzzing, and the path coverage improvements range from 10.84% to 150.58%, equally fuzzed for 12 hours.

Jun Li,Chao Zhang

DOI: https://doi.org/10.12783/dtcse/cimns2017/17417

2017-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Coverage-based fuzzing is widely used in finding program bugs. While state-of-the-art coverage-based fuzzers, either ignore the differences between newly discovered edges or consider only control flow features (e.g., depth) when prioritizing seeds for mutation. In this paper, we propose a semantic sensitive coverage-based fuzzing solutions, SSFuzzer. When new edges are discovered during fuzzing, it evaluates the semantic features of the new edges and update the weights of testcases. Seeds with heavier weights will first be picked to mutate and be given more energy to mutate (i.e., more testcases will be generated). We evaluate not only positive semantic features (e.g., memory access) but also negative ones (e.g., error handling) of edges. We implemented a prototype based on AFL. Experiment results demonstrate that SSFuzzer can discover vulnerabilities faster.

NIE Sen,LI Xiao,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.12.025

2013-01-01

Abstract:As the problem of software vulnerabilities becomes increasingly serious,smart Fuzzing technology is widely applied in the field of vulnerability mining and software security.Frameworks for smart Fuzzing based on symbolic execution and taint analysis are developed.Under the concept of vulnerability problem and software test methodology,this paper describes theories in smart Fuzzing technology and some released smart Fuzzing frameworks,including the bottlenecks.Finally,this paper proposes a blueprint of smart Fuzzing framework based on whole system symbolic execution and cloud computing infrastructure.It can be used as a practical platform toward the COTS software fuzzing.

Tai Yue,Yibo Jin,Fengwei Zhang,Zhenyu Ning,Pengfei Wang,Xu Zhou,Kai Lu

DOI: https://doi.org/10.1145/3678890.3678933

2024-01-01

Abstract:Coverage-based greybox fuzzing (CGF) is an efficient technique for detecting vulnerabilities, but its coverage-feedback mechanism introduces significant overhead in binary-only fuzzing. Although hardware-assisted greybox fuzzing (HGF) has been proposed to address this issue, existing approaches struggle to achieve a balance between the efficiency and sensitivity of coverage, as well as to cope with trace buffer overflow. In this paper, we review the typical HGF tools and identify several challenges in their coverage-feedback mechanisms, including efficiency, sensitivity, and stability. Taking Arm CoreSight as an example, we present an efficient tool called Stalker to address these challenges. To achieve high-speed execution while maintaining a branch-sensitivity coverage, we propose two coverage strategies with different overheads and sensitivities and design a novel double-layer coverage mechanism that maximizes the benefits of these strategies. We further accelerate Stalker by conducting many optimizations in the decoder and kernel. To mitigate the imprecision and instability in coverage introduced by trace buffer overflow, we propose an adaptive CPU frequency modulation mechanism that adjusts the bandwidth of the trace units. We implement Stalker on an Arm Juno R2 development board and thoroughly evaluate the efficiency and sensitivity of coverage-feedback mechanisms in existing tools. Our comprehensive evaluations demonstrate that Stalker outperforms other state-of-the-art (SOTA) tools in addressing these challenges. Compared with Armored-Edge, Armored-Path, and μ AFL, Stalker accelerates the execution speed by 2.81 ×, 1.74 ×, and 1.4 × and covers Math 1, Math 2, and Math 3 more branches, as well as Math 4, Math 5, and Math 6 more paths, respectively.

Xiajing Wang,Rui Ma,Wei Huo,Zheng Zhang,Jinyuan He,Chaonan Zhang,Donghai Tian

DOI: https://doi.org/10.1016/j.jss.2023.111880

IF: 3.5

2023-10-17

Journal of Systems and Software

Abstract:Fuzzing has gained significant traction in academic research as well as industry thanks to its effectiveness for discovering software vulnerabilities. However, even the state-of-the-art fuzzers are not very efficient at identifying promising seeds. Coverage-guided fuzzers, while fast and scalable, usually employ single criterion to evaluate the quality of seeds, which may incur bias and pass up optimal seeds. In this paper, we devise a novel potential-aware fuzzing scheme, namely SYNTONY, which seeks to measure seed potential utilizing multiple objectives and prioritize promising seeds that are more likely to generate interesting seeds via mutation. More specifically, SYNTONY leverages efficient swarm intelligence techniques like Particle Swarm Optimization (PSO) to explore multi-criteria seed selection, which allows SYNTONY to choose effectively promising seeds. Furthermore, we introduce decent power scheduling strategy to discover significantly more paths or crashes by gravitating towards more potential seeds. We implement this scheme on top of several state-of-the-art fuzzers, i.e., AFL, AFL++, FairFuzz, and PTFuzz. Our evaluations on 11 popular real-world programs demonstrate that SYNTONY significantly increases the number of unique crashes triggered and edge coverage discovered by 132.06% and 28.69% over AFL++. Further comparison also shows that SYNTONY outperforms other state-of-the-art fuzzers, e.g., AFL, FairFuzz, and PTFuzz. Also, extensive evaluations illustrate that SYNTONY provides a great compatibility and expansibility, while introducing negligible overhead.

computer science, theory & methods, software engineering

Kunpeng Zhang,Xi Xiao,Xiaogang Zhu,Ruoxi Sun,Minhui Xue,Sheng Wen

DOI: https://doi.org/10.1145/3510003.3510063

2022-01-01

Abstract:Coverage-guided Greybox Fuzzing (CGF) is one of the most successful and widely-used techniques for bug hunting. Two major approaches are adopted to optimize CGF: (i) to reduce search space of inputs by inferring relationships between input bytes and path constraints; (ii) to formulate fuzzing processes (e.g., path transitions) and build up probability distributions to optimize power schedules, i.e., the number of inputs generated per seed. However, the former is subjective to the inference results which may include extra bytes for a path constraint, thereby limiting the efficiency of path constraints resolution, code coverage discovery, and bugs exposure; the latter formalization, concentrating on power schedules for seeds alone, is inattentive to the schedule for bytes in a seed. In this paper, we propose a lightweight fuzzing approach, Truzz, to optimize existing Coverage-guided Greybox Fuzzers (CGFs). To address two aforementioned challenges, Truzz identifies the bytes related to the validation checks (i.e., the checks guarding error-handling code), and protects those bytes from being frequently mutated, making most generated inputs examine the functionalities of programs, in lieu of being rejected by validation checks. The byte-wise relationship determination mitigates the problem of loading extra bytes when fuzzers infer the byte-constraint relation. Furthermore, the proposed path transition within Truzz can efficiently prioritize the seed as the new path, harvesting many new edges, and the new path likely belongs to a code region with many undiscovered code lines. To evaluate our approach, we implemented 6 state-of-the-art fuzzers, AFL, AFLFast, NEUZZ, MOPT, FuzzFactory and GreyOne, in Truzz. The experimental results show that on average, Truzz can generate 16.14% more inputs flowing into functional code, in addition to 24.75% more new edges than the vanilla fuzzers. Finally, our approach exposes 13 bugs in 8 target programs, and 6 of them have not been identified by the vanilla fuzzers.

Peng Qian,Hanjie Wu,Zeren Du,Turan Vural,Dazhong Rong,Zheng Cao,Lun Zhang,Yanbin Wang,Jianhai Chen,Qinming He

2023-12-10

Abstract:As blockchain smart contracts become more widespread and carry more valuable digital assets, they become an increasingly attractive target for attackers. Over the past few years, smart contracts have been subject to a plethora of devastating attacks, resulting in billions of dollars in financial losses. There has been a notable surge of research interest in identifying defects in smart contracts. However, existing smart contract fuzzing tools are still unsatisfactory. They struggle to screen out meaningful transaction sequences and specify critical inputs for each transaction. As a result, they can only trigger a limited range of contract states, making it difficult to unveil complicated vulnerabilities hidden in the deep state space. In this paper, we shed light on smart contract fuzzing by employing a sequence-aware mutation and seed mask guidance strategy. In particular, we first utilize data-flow-based feedback to determine transaction orders in a meaningful way and further introduce a sequence-aware mutation technique to explore deeper states. Thereafter, we design a mask-guided seed mutation strategy that biases the generated transaction inputs to hit target branches. In addition, we develop a dynamic-adaptive energy adjustment paradigm that balances the fuzzing resource allocation during a fuzzing campaign. We implement our designs into a new smart contract fuzzer named MuFuzz, and extensively evaluate it on three benchmarks. Empirical results demonstrate that MuFuzz outperforms existing tools in terms of both branch coverage and bug finding. Overall, MuFuzz achieves higher branch coverage than state-of-the-art fuzzers (up to 25%) and detects 30% more bugs than existing bug detectors.

Cryptography and Security