Yongjian Guo,Xi Xiao,Yuanyi Lin,Hao Li,Xiangbo Wu,Tao Zhou

DOI: https://doi.org/10.1109/trustcom60117.2023.00139

2024-01-01

Abstract:Rust is an emerging programming language that has gained popularity in many academic and industrial projects due to its memory safety features. However, despite its safety advantages, there are still many serious bugs in existing Rust projects. The lack of suitable fuzz targets has been a major challenge in Rust fuzz testing, as existing fuzzing tools often rely on manual efforts to write test targets, which is time-consuming and cannot be directly applied to library function interfaces. While the previous work has made significant progress in generating fuzz targets for Rust, it still cannot effectively test special functions with generics and polymorphism.To address this issue, this paper proposes an automated approach for generating fuzz targets for Rust library functions, called RVFuzz. RVFuzz addresses the challenges by performing static analysis through variable instantiation, ensuring that special functions in Rust, such as those with generics and polymorphism, are covered in the interface sequence analysis. It then traverses the library function dependency graph to generate a set of reasonable and non-redundant target function sequences for fuzz testing. Any compilation errors encountered during the process are used to refine the sequence generation. RVFuzz successfully generated fuzz targets for 10 popular Rust projects, achieving an impressive interface coverage rate of 92.3%.

Jianfeng Jiang,Hui Xu,Yangfan Zhou

DOI: https://doi.org/10.1109/ASE51524.2021.9678813

2021-01-01

Abstract:Robustness is a key concern for Rust library development because Rust promises no risks of undefined behaviors if developers use safe APIs only. Fuzzing is a practical approach for examining the robustness of programs. However, existing fuzzing tools are not directly applicable to library APIs due to the absence of fuzz targets. It mainly relies on human efforts to design fuzz targets case by case...

Zicong Gao,Hao Xiong,Weiyu Dong,Rui Chang,Rui Yang,Yajin Zhou,Liehui Jiang

DOI: https://doi.org/10.1109/tse.2023.3326144

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation-based fuzzing has been widely used in both academia and industry. Recently, researchers observe that the mutation scheduling scheme affects the efficiency of fuzzing. Accordingly, they propose PSO algorithm or machine learning-based technique to optimize the scheduling process. However, these methods fail to consider the fact that the optimal operator distribution of different seeds is different, even for the same program. In this paper, we propose a novel general scheduling scheme, named FA-fuzz, to find the optimal selecting probability distribution of mutation operators, which is based on the observations that the effective mutation operators are different for different seeds. Specifically, our method is based on the firefly algorithm. The positions of fireflies are mapped to the selection probability distribution of different mutation operators. The brightness of fireflies is expressed as the efficiency of discovering unique testcases. We implement prototype systems on multiple state-of-art fuzzers, and perform evaluations on two datasets. Our proposed method improves both the number of unique paths and unique bugs on real-world datasets. In addition, we discover 30 zero-day vulnerabilities in eight real-world programs, which demonstrate the effectiveness of FA-fuzz.

Yehong Zhang,Jun Wu,Hui Xu

2023-12-19

Abstract:Fuzzing is a popular bug detection technique achieved by testing software executables with random inputs. This technique can also be extended to libraries by constructing executables that call library APIs, known as fuzz drivers. Automated fuzz driver synthesis has been an important research topic in recent years since it can facilitate the library fuzzing process. Nevertheless, existing approaches generally ignore generic APIs or simply treat them as normal APIs. As a result, they cannot generate effective fuzz drivers for generic APIs. This paper studies the automated fuzz driver synthesis problem for Rust libraries with generic APIs. The problem is essential because Rust emphasizes security, and generic APIs are widely employed in Rust crates. Each generic API can have numerous monomorphic versions as long as the type constraints are satisfied. The critical challenge to this problem lies in prioritizing these monomorphic versions and providing valid inputs for them. To address the problem, we extend existing API-dependency graphs to support generic APIs. By solving such dependencies and type constraints, we can generate a collection of candidate monomorphic APIs. Further, we apply a similarity-based filter to prune redundant versions, particularly if multiple monomorphic APIs adopt the identical trait implementation. Experimental results with 29 popular open-source libraries show that our approach can achieve promising generic API coverage with a low rate of invalid fuzz drivers. Besides, we find 23 bugs previously unknown in these libraries, with 18 bugs related to generic APIs.

Software Engineering

Jinyan Xu,Yiyuan Liu,Sirui He,Haoran Lin,Yajin Zhou,Cong Wang

DOI: https://doi.org/10.5281/zenodo.8024468

2023-01-01

Abstract:Modern processors are too complex to be bug free. Recently, a few hardware fuzzing techniques have shown promising results in verifying processor designs. However, due to the complexity of processors, they suffer from complex input grammar, deceptive mutation guidance, and model implementation differences. Therefore, how to effectively and efficiently verify processors is still an open problem. This paper proposes MorFuzz, a novel processor fuzzer that can efficiently discover software triggerable hardware bugs. The core idea behind MorFuzz is to use runtime information to generate instruction streams with valid formats and meaningful semantics. MorFuzz designs a new input structure to provide multi-level runtime mutation primitives and proposes the instruction morphing technique to mutate instruction dynamically. Besides, we also extend the co-simulation framework to various microarchitectures and develop the state synchronization technique to eliminate implementation differences. We evaluate MorFuzz on three popular open-source RISC-V processors: CVA6, Rocket, BOOM, and discover 17 new bugs (with 13 CVEs assigned). Our evaluation shows MorFuzz achieves 4.4x and 1.6x more state coverage than the state-of-the-art fuzzer, DifuzzRTL, and the famous constrained instruction generator, riscv-dv.

Chaitanya Rahalkar

DOI: https://doi.org/10.48550/arXiv.2306.15596

2023-07-03

Abstract:Fuzzing is a widely used software security testing technique that is designed to identify vulnerabilities in systems by providing invalid or unexpected input. Continuous fuzzing systems like OSS-FUZZ have been successful in finding security bugs in many different software systems. The typical process of finding security bugs using fuzzing involves several steps: first, the "fuzz-worthy" functions that are likely to contain vulnerabilities must be identified; second, the setup requirements for the API must be understood before it can be called; third, a fuzzing harness must be written and bound to a coverage-guided fuzzer like LLVM's LibFuzzer; and finally, the security bugs discovered by the fuzzing harness must be triaged and checked for reproducibility. This project focuses on automating the first two steps in this process. In particular, we present an automated system that can generate fuzzing harnesses for library APIs and binary protocol parsers by analyzing unit tests. This allows for the scaling of the fuzzing infrastructure in proportion to the growth of the codebase, without the need for manual coding of harnesses. Additionally, we develop a metric to assess the "fuzz-worthiness" of an API, enabling us to prioritize the most promising targets for testing.

Cryptography and Security

Han Zheng,Jiayuan Zhang,Yuhang Huang,Zezhong Ren,He Wang,Chunjie Cao,Yuqing Zhang,Flavio Toffalini,Mathias Payer

DOI: https://doi.org/10.48550/arXiv.2207.13393

2022-07-27

Abstract:Greybox fuzzing is the de-facto standard to discover bugs during development. Fuzzers execute many inputs to maximize the amount of reached code. Recently, Directed Greybox Fuzzers (DGFs) propose an alternative strategy that goes beyond "just" coverage: driving testing toward specific code targets by selecting "closer" seeds. DGFs go through different phases: exploration (i.e., reaching interesting locations) and exploitation (i.e., triggering bugs). In practice, DGFs leverage coverage to directly measure exploration, while exploitation is, at best, measured indirectly by alternating between different targets. Specifically, we observe two limitations in existing DGFs: (i) they lack precision in their distance metric, i.e., averaging multiple paths and targets into a single score (to decide which seeds to prioritize), and (ii) they assign energy to seeds in a round-robin fashion without adjusting the priority of the targets (exhaustively explored targets should be dropped). We propose FishFuzz, which draws inspiration from trawl fishing: first casting a wide net, scraping for high coverage, then slowly pulling it in to maximize the harvest. The core of our fuzzer is a novel seed selection strategy that builds on two concepts: (i) a novel multi-distance metric whose precision is independent of the number of targets, and (ii) a dynamic target ranking to automatically discard exhausted targets. This strategy allows FishFuzz to seamlessly scale to tens of thousands of targets and dynamically alternate between exploration and exploitation phases. We evaluate FishFuzz by leveraging all sanitizer labels as targets. Extensively comparing FishFuzz against modern DGFs and coverage-guided fuzzers shows that FishFuzz reached higher coverage compared to the direct competitors, reproduces existing bugs (70.2% faster), and finally discovers 25 new bugs (18 CVEs) in 44 programs.

Cryptography and Security

Yunbo Ni,Yang Feng,Zixi Liu,Runtao Chen,Baowen Xu

2024-11-04

Abstract:The Rust programming language has garnered significant attention due to its robust safety features and memory management capabilities. Despite its guaranteed memory safety, Rust programs suffer from runtime errors that are unmanageable, i.e., panic errors. Notably, traditional memory issues such as null pointer dereferences, which are prevalent in other languages, are less likely to be triggered in Rust due to its strict ownership rules. However, the unique nature of Rust's panic bugs, which arise from the language's stringent safety and ownership paradigms, presents a distinct challenge. Over half of the bugs in rustc, Rust's own compiler, are attributable to crash stemming from panic errors. However, addressing Rust panic bugs is challenging and requires significant effort, as existing fix patterns are not directly applicable due to the design and feature of Rust <a class="link-external link-http" href="http://language.Therefore" rel="external noopener nofollow">this http URL</a>, developing foundational infrastructure, including datasets, fixing patterns, and automated repair tools, is both critical and urgent. This paper introduces a comprehensive infrastructure, namely PanicFI, aimed at providing supports for understanding Rust panic bugs and developing automated techniques. In PanicFI, we construct a dataset, Panic4R, comprising 102 real panic bugs and their fixes from the top 500 most-downloaded open-source <a class="link-external link-http" href="http://crates.Then" rel="external noopener nofollow">this http URL</a>, through an analysis of the Rust compiler implementation , we identify Rust-specific patterns for fixing panic bugs, providing insights and guidance for generating patches. Moreover, we develop PanicKiller, the first automated tool for fixing Rust panic bugs, which has already contributed to the resolution of 28 panic bugs in open-source <a class="link-external link-http" href="http://projects.The" rel="external noopener nofollow">this http URL</a> practicality and efficiency of PanicKiller confirm the effectiveness of the patterns mined within PanicFI.

Software Engineering

Kang Chen,Ming Wen,Haoxiang Jia,Rongxin Wu,Hai Jin

DOI: https://doi.org/10.1109/saner60148.2024.00039

2024-01-01

Abstract:Software systems often encounter various errors or exceptions in practice, and thus proper error handling code is essential to ensure the reliability of software systems. Unfortunately, error handling code is often bug-prone, while sufficiently testing them is challenging as such code often cannot be triggered under normal conditions. Motivated by this, recent studies have proposed to leverage software fault injection (SFI) based fuzzing to discover potential bugs in complicated error handling code. Despite the promising results achieved, their effectiveness and efficiency are still compromised in practice due to the huge search space of error sites, inadequate fuzzing guidance, and the overhead induced by context-sensitive SFI. To achieve effective and efficient testing of error handling code, this study presents AFL-FI, which first utilizes a similarity-based method to identify suspicious error sites, and then incorporates the idea of error site coverage to guide the fuzzing process. Finally, the design of lightweight context-sensitive SFI enables AFL-FI to execute test cases efficiently. We evaluate AFL-FI on eight large-scale open-source projects, and the results show that it can outperform existing state-of-the-art fuzzing tools significantly in terms of branch code coverage. More importantly, AFL-FI has discovered 13 previously unknown bugs, and all of them have been confirmed while 12 of them have been fixed. Besides, our evaluation also demonstrates that all the key designs of AFL- F I are effective that contribute significantly to its overall performance.

Xiaoyu He,Xiaofei Xie,Yuekang Li,Jianwen Sun,Feng Li,Wei Zou,Yang Liu,Lei Yu,Jianhua Zhou,Wenchang Shi,Wei Huo

DOI: https://doi.org/10.1145/3460120.3484823

2021-01-01

Abstract:JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines is to generate syntactically and semantically valid inputs such that deep functionalities can be explored. However, due to the dynamic nature of JavaScript and the special features of different engines, it is quite challenging to generate semantically meaningful test inputs. We observed that state-of-the-art semantic-aware JavaScript fuzzers usually require manually written rules to analyze the semantics for a JavaScript engine, which is labor-intensive, incomplete and engine-specific. Moreover, the error rate of generated test cases is still high. Another challenge is that existing fuzzers cannot generate new method calls that are not included in the initial seed corpus or pre-defined rules, which limits the bug-finding capability. To this end, we propose a novel semantic-aware fuzzing technique named SoFi. To guarantee the validity of the generated test cases, SoFi adopts a fine-grained program analysis to identify available variables and infer types of these variables for the mutation. Moreover, an automatic repair strategy is proposed to repair syntax/semantic errors in invalid test cases. To improve the exploration capability of SoFi, we propose a reflection-based analysis to identify unseen attributes and methods of objects, which are further used in the mutation. With fine-grained analysis and reflection-based augmentation, SoFi can generate more valid and diverse test cases. Besides, SoFi is general in different JavaScript engines without any manual configuration (e.g., the grammar rules). The evaluation results have shown that SoFi outperforms state-of-the-art techniques in generating semantically valid inputs, improving code coverage and detecting more bugs. SoFi discovered 51 bugs in popular JavaScript engines, 28 of which have been confirmed or fixed by the developers and 10 CVE IDs have been assigned.

Chengquan Zhang,Yang Feng,Yaokun Zhang,Yuxuan Dai,Baowen Xu

DOI: https://doi.org/10.1109/qrs62785.2024.00035

2024-01-01

Abstract:Rust is a nascent programming language designed to improve memory safety for system programming while maintaining high performance. The Rust language ensures memory safety through its ownership mechanism and by performing compile-time checks on safe code. However, for low-level controls, developers are allowed to bypass these checks by marking their code as unsafe, which in turn introduces memory vulnerabilities. Beyond these memory-related concerns, the existence and nature of other common bugs such as run-time panics have not been thoroughly explored. In this paper, we conduct a comprehensive empirical study to characterize bugs and their fixes beyond memory safety concerns by manually inspecting bug patches in Rust programs. We identify 790 bug fixes from 1100 commits in six widely-used Rust projects and the Rust standard library, and then investigate their root causes and symptoms. Furthermore, we analyze the relationships between these bugs and unsafe code (i.e., whether they are caused by the use of unsafe code and to what extent it impacts them). Our bug study introduces a classification of 15 root causes and 6 symptoms, and categorizes bugs into different groups according to their relationships with safe/unsafe code. We identify 19 major findings and draw broader lessons from them to guide the research community towards future directions in program testing, analysis, fault localization, and repair for Rust language.

Mingzhe Wang,Jie Liang,Chijin Zhou,Yuanliang Chen,Zhiyong Wu,Yu Jiang

DOI: https://doi.org/10.1109/ICST49551.2021.00043

2021-01-01

Abstract:Fuzzing is a promising method for discovering vulnerabilities. Recently, various techniques are developed to improve the efficiency of fuzzing, and impressive gains are observed in evaluation results. However, evaluation is complex, as many factors affect the results, for example, test suites, baseline and metrics. Even more, most experiment setups are lab-oriented, lacking industrial settings such as large code-base and parallel runs. The correlation between the academic evaluation results and the bug-finding ability in real industrial settings has not been sufficiently studied. In this paper, we test representative fuzzing techniques to reveal their efficiency in industrial settings. First, we apply typical fuzzers on academic widely used small projects from LAVA-M suite. We also apply the same fuzzers on large practical projects from Google's fuzzer-test-suite, which is rarely used in academic settings. Both experiments are performed in both single and parallel run. By analyzing the results, we found that most optimizations working well on LAVA-M suite fail to achieve satisfying results on Google's fuzzer-test-suite (e.g. compared to AFL, QSYM detects 82x more synthesized bugs in LAVA-M, but only detects 26% real bugs in Google's fuzzer-test-suite), and the original AFL even outperforms most academic optimization variants in industry widely used parallel runs (e.g. AFL covers 13% more paths than AFLFast). Then, we summarize common pitfalls of those optimizations, analyze the corresponding root causes, and propose potential directions such as orchestrations and synchronization to overcome the problems. For example, when running in parallel on those large practical projects, the proposed horizontal orchestration could cover 36%-82% more paths, and discover 46%-150% more unique crashes or bugs, compared to fuzzers such as AFL, FairFuzz and QSYM.

Ruixiang Qian,Quanjun Zhang,Chunrong Fang,Lihua Guo,Zhenyu Chen

DOI: https://doi.org/10.1145/3702974

IF: 3.685

2024-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Greybox fuzzing is dedicated to revealing software bugs by maximizing code coverage. Concentrating on code coverage, greybox fuzzing effectively exposes bugs in real-world programs by continuously executing the program under test (PUT) with the test inputs generated from initial seeds, making it a popular software testing technique. Although powerful, the effectiveness of greybox fuzzing can be restricted in some cases. Ignoring the significant degrees of executed functions, traditional greybox fuzzing usually fails to identify significant seeds that execute more significant functions, and thus may assign similar energy to significant and trivial seeds when conducting power scheduling. As a result, the effectiveness of greybox fuzzing can be degraded due to wasting too much energy on trivial seeds. In this paper, we introduce function significance (FS) to measure the significant degrees of functions. Our key insight is that the influential functions that connect to many other functions are significant to greybox fuzzing as they provide more probabilities to reach previously unexplored code regions. To quantify FS, we conduct influence analysis upon the call graphs extracted from the PUTs to obtain the centrality values of function nodes. With FS as the significance measurement, we further propose FunFuzz , an FS-aware greybox fuzzing technique, to optimize significant seeds and tackle the aforementioned restriction. To this end, FunFuzz dynamically tracks the functions executed by a seed during fuzzing, and computes the significance score for the seed by accumulating the FS values of the functions executed by it. Based on the computed FS values, FunFuzz then takes an estimation-based power scheduling to assign more (or less) energy to seeds that achieve over-estimated (or under-estimated) significance scores. Specifically, the seed energy is adjusted by multiplying with a scale factor computed regarding the ratio of the actual significance score achieved by executing the seed and the estimated significance score predicted by a linear model constructed on-the-fly. To evaluate FunFuzz , we prototype it on top of AFL++ and conduct experiments with 15 programs, of which 10 are from common real-world projects and five are from Magma, and compare it to seven popular fuzzers. The experimental results obtained through fuzzing exceeding 40,800 CPU hours show that: (1) In terms of covering code, FunFuzz outperforms AFL++ by achieving 0.1% \(\sim\) 18.4% more region coverage on 13 out of 15 targets. (2) In terms of finding bugs, FunFuzz unveils 114 unique crashes and 25 Magma bugs (which are derived from CVEs) in 20 trials of 24-hour fuzzing, which are the most compared to the competitor fuzzers and include 32 crashes and 1 Magma bug that the other fuzzers fail to discover. Besides the experiments focusing on code coverage and bug finding, we evaluate the key components of FunFuzz , namely the FS-centered estimation-based power scheduling and the lazy FS computation mechanism. The extensive evaluation not only suggests FunFuzz ’s superiority in code coverage and bug finding, but also demonstrates the effectiveness of the two components.

Lianpei Zhou,Xi Xiao,Guangwu Hu,Hao Li,Xiangbo Wu,Tao Zhou

DOI: https://doi.org/10.1109/trustcom60117.2023.00138

2024-01-01

Abstract:Traditional coverage-based fuzzing gives equal attention to every part of a code. Despite much progress, we observe that existing schemes still not comprehensively use the coverage feedback mechanism when fuzzing bulky JavaScript engines because of severe path collisions. To improve the precision of coverage feedback and target the vulnerable JIT compiler of Javascript engines, we presented our fuzzer, called LF(Light Fuzzer), a lightweight and high-precision fuzzer for bulky JavaScript engines fuzzing. First, LF advocates a technique to confine instrumentation to the JIT-related "critical functions" to mitigate collisions. Additionally, LF utilizes static analysis to establish dominant relationships between critical functions. Lastly, LF incorporates seed scheduling with feedback information of control flow at the function level to dynamically target JIT. These combined strategies make LF a lightweight and high-precision fuzzer for fuzzing bulky JavaScript engines. In our evaluation, LF outperforms the state-of-art coverage-guided JavaScript fuzzer DIE in different coverage types, and LF is also more effective in triggering unique crashes compared to DIE.

Hongxu Chen,Yuekang Li,Bihuan Chen,Yinxing Xue,Yang Liu

DOI: https://doi.org/10.1145/3236024.3264593

2018-01-01

Abstract:Greybox fuzzing is one of the most effective approaches for detecting software vulnerabilities. Various new techniques have been continuously emerging to enhance the effectiveness and/or efficiency by incorporating novel ideas into different components of a greybox fuzzer. However, there lacks a modularized fuzzing framework that can easily plugin new techniques and hence facilitate the reuse, integration and comparison of different techniques. To address this problem, we propose a fuzzing framework, namely Fuzzing Orchestration Toolkit (FOT). FOT is designed to be versatile, configurable and extensible. With FOT and its extensions, we have found 111 new bugs from 11 projects. Among these bugs, 18 CVEs have been assigned. Video link: https://youtu.be/O6Qu7BJ8RP0.

Jiaxian Lin,Tianyu Li,Yang Chen,Guangsheng Wei,Jiadong Lin,Sen Zhang,Hui Xu

DOI: https://doi.org/10.1109/issre59848.2023.00023

2023-01-01

Abstract:Representational state transfer (REST) is a widely employed architecture by web applications and cloud. Users can invoke such services according to the specification of their application interfaces, namely RESTful APIs. Existing approaches for fuzzing RESTful APIs are generally based on classic API-dependency graphs. However, such dependencies are inefficient for REST services due to the explosion of dependencies among APIs. In this paper, we propose a novel tree-based approach that can better capture the essential dependencies and largely improve the efficiency of RESTful API fuzzing. In particular, the hierarchical information of the endpoints across multiple APIs enables us to construct an API tree, and the relationships of tree nodes can indicate the priority of resource dependencies, e.g., it’s more likely that a node depends on its parent node rather than its offspring or siblings. We employ two real-world REST projects and the REST-Go benchmark for evaluation and compare the performance of foREST with two state-of-the-art fuzzing tools, RESTler and EvoMaster (black-box mode). Results show that foREST can achieve substantial coverage improvement in most experiments. Besides, foREST finds 20 new bugs previously unknown.

Thorsten Holz,Samuel Groß,Simon Koch,Lukas Bernhard,Martin Johns

DOI: https://doi.org/10.14722/ndss.2023.24290

Abstract:—JavaScript has become an essential part of the Internet infrastructure, and today’s interactive web applications would be inconceivable without this programming language. On the downside, this interactivity implies that web applications rely on an ever-increasing amount of computationally intensive JavaScript code, which burdens the JavaScript engine responsible for efficiently executing the code. To meet these rising performance demands, modern JavaScript engines ship with sophisticated just-in-time (JIT) compilers. However, JIT compilers are a complex technology and, consequently, provide a broad attack surface for potential faults that might even be security-critical. Previous work on discovering software faults in JavaScript engines found many vulnerabilities, often using fuzz testing. Unfortunately, these fuzzing approaches are not designed to generate source code that actually triggers JIT semantics. Consequently, JIT vulnerabilities are unlikely to be discovered by existing methods. In this paper, we close this gap and present the first fuzzer that focuses on JIT vulnerabilities. More specifically, we present the design and implementation of an intermediate representation (IR) that focuses on discovering JIT compiler vulnerabilities. We implemented a complete prototype of the proposed approach and evaluated our fuzzer over a period of six months. In total, we discovered 17 confirmed security vulnerabilities. Our results show that targeted JIT fuzzing is possible and a dangerously neglected gap in fuzzing coverage for JavaScript engines.

Computer Science

Robati Shirzad, Mohammad,Lam, Patrick

DOI: https://doi.org/10.1007/s10664-023-10437-1

IF: 3.762

2024-02-13

Empirical Software Engineering

Abstract:Rust is a relatively new programming language which allows programmers to write programs that have low-level control over resources while still ensuring high-level safety guarantees (for programs written in safe Rust). Rust's ownership framework enables programs to meet these two seemingly-contradictory goals. The Rust compiler's Borrow-Checker component enforces the ownership framework requirements that ensure Rust's safety guarantees. Rust is popular: as of 2022, it has ranked first, for the seventh consecutive year, in Stack Overflow's annual Developer Survey as the most-loved programming language. The number of Rust developers is growing as the need for faster and safer software increases. Yet, to our knowledge, no research has sought to identify the most pervasive bug fix patterns within Rust programs. In this project, we introduce Ruxanne, a tool for analyzing and extracting fix patterns in Rust. Ruxanne implements a novel embedding of Rust code into fixed-sized vectors. Using Ruxanne, we mined the top 18 most-starred Rust projects in GitHub to discover the most common bug fix patterns committed to their repositories. We analyzed 87,726 code changes drawn from 57,214 commits across these 18 projects. After clustering the code changes, and conducting a manual analysis, we identified 20 groups of cross-project bug fix patterns, which we categorize as (1) general patterns and (2) borrow-checker-related patterns. Among the general patterns, the most frequently observed pattern is when the user either adds or removes struct fields. In the case of borrow-checker-related patterns, the most common pattern we encountered is when the user removes a clone() call. We describe all detected patterns and their implications to automated program repair.

computer science, software engineering

Wenshuo Wang,Liang Cheng,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2010.03482

2021-02-27

Abstract:Coverage-based graybox fuzzer (CGF), such as AFL has gained great success in vulnerability detection thanks to its ease-of-use and bug-finding power. Since some code fragments such as memory allocation are more vulnerable than others, various improving techniques have been proposed to explore the more vulnerable areas by collecting extra information from the program under test or its executions. However, these improvements only consider limited types of information sources and ignore the fact that the priority a seed input to be fuzzed may be influenced by all the code it covers. Based on the above observations, we propose a fuzzing method based on the importance of functions. First, a data structure called Attributed Interprocedural Control Flow Graph (AICFG) is devised to combine different features of code fragments. Second, the importance of each node in the AICFG is calculated based on an improved PageRank algorithm, which also models the influence between connected nodes. During the fuzzing process, the node importance is updated periodically by a propagation algorithm. Then the seed selection and energy scheduling of a seed input are determined by the importance of its execution trace. We implement this approach on top of AFL in a tool named FunAFL and conduct an evaluation on 14 real-world programs against AFL and two of its improvements. FunAFL, with 17% higher branch coverage than others on average, finds 13 bugs and 3 of them are confirmed by CVE after 72 hours.

Cryptography and Security

Yuntong Zhang,Ridwan Shariffdeen,Gregory J. Duck,Jiaqi Tan,Abhik Roychoudhury

2023-08-02

Abstract:Fuzz testing (fuzzing) is a well-known method for exposing bugs/vulnerabilities in software systems. Popular fuzzers, such as AFL, use a biased random search over the domain of program inputs, where 100s or 1000s of inputs (test cases) are executed per second in order to expose bugs. If a bug is discovered, it can either be fixed manually by the developer or fixed automatically using an Automated Program Repair (APR) tool. Like fuzzing, many existing APR tools are search-based, but over the domain of patches rather than inputs. In this paper, we propose search-based program repair as patch-level fuzzing. The basic idea is to adapt a fuzzer (AFL) to fuzz over the patch space rather than the input space. Thus we use a patch-space fuzzer to explore a patch space, while using a traditional input level fuzzer to rule out patch candidates and help in patch selection. To improve the throughput, we propose a compilation-free patch validation methodology, where we execute the original (unpatched) program natively, then selectively interpret only the specific patched statements and expressions. Since this avoids (re)compilation, we show that compilation-free patch validation can achieve a similar throughput as input-level fuzzing (100s or 1000s of execs/sec). We show that patch-level fuzzing and input-level fuzzing can be combined, for a co-exploration of both spaces in order to find better quality patches. Such a collaboration between input-level fuzzing and patch-level fuzzing is then employed to search over candidate fix locations, as well as patch candidates in each fix location.

Software Engineering