Yan Pan,Wei Lin,Liang Jiao,Yuefei Zhu

DOI: https://doi.org/10.1155/2022/6880677

IF: 1.968

2022-05-06

Security and Communication Networks

Abstract:The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

computer science, information systems,telecommunications

Steve Kremer,Max Ammann,L. Hirschi

DOI: https://doi.org/10.1109/SP54263.2024.00096

2024-05-19

Abstract:Critical and widely used cryptographic protocols have repeatedly been found to contain flaws in their design and their implementation. A prominent class of such vulnerabilities is logical attacks, e.g. attacks that exploit flawed protocol logic. Automated formal verification methods, based on the Dolev-Yao (DY) attacker, formally define and excel at finding such flaws, but operate only on abstract specification models. Fully automated verification of existing protocol implementations is today still out of reach. This leaves open whether such implementations are secure. Unfortunately, this blind spot hides numerous attacks, such as recent logical attacks on widely used TLS implementations introduced by implementation bugs.We answer by proposing a novel and effective technique that we call DY model-guided fuzzing, which precludes logical attacks against protocol implementations. The main idea is to consider as possible test cases the set of abstract DY executions of the DY attacker, and use a novel mutation-based fuzzer to explore this set. The DY fuzzer concretizes each abstract execution to test it on the program under test. This approach enables reasoning at a more structural and security-related level of messages represented as formal terms (e.g. decrypt a message and re-encrypt it with a different key) as opposed to random bit-level modifications that are much less likely to produce relevant logical adversarial behaviors. We implement a full-fledged and modular DY protocol fuzzer. We demonstrate its effectiveness by fuzzing three popular TLS implementations, resulting in the discovery of four novel vulnerabilities.

Computer Science

Gaoning Pan,Tianxiang Luo,Yiming Tao,Xiao Lei,Shuangxi Chen,Hui Liu,Chunming Wu

DOI: https://doi.org/10.1109/PST58708.2023.10319984

2023-01-01

Abstract:With the popularity of computers and mobile devices and the development of the Internet, browsers (applications used to retrieve and display information resources on the World Wide Web) are often included by default and have become an indispensable software. Therefore, research on browser security issues is essential for protecting information assets. Among many browsers in the industry, Chrome, as a cross-platform web browser developed by Google, occupies a large market share in desktop browsers, and its security risks are further amplified as its kernel is used by many other browsers. Therefore, the research on the security issues of Chrome browser is critical for browser security. This paper focuses on the vulnerability detection of the process communication interface in Chrome browser, and designs and implements a fuzzing framework, auto-mojo-fuzz (AMF). The fuzzing process mainly designs a sample optimization technique to ensure the effectiveness of input samples and improve the efficiency of fuzzing. After implementing the AMF solution, we evaluate the generated test samples to demonstrate the effectiveness of the sample optimization technique. We also prove the possibility of discovering more vulnerabilities with AMF, and tests it with the latest version of Chrome browser, finding five unique crashes, four of which are verified as security vulnerabilities, effectively proving the automatic and efficient ability of this framework to discover vulnerabilities in the process communication interfaces in browsers.

Roberto Natella

DOI: https://doi.org/10.1007/s10664-022-10233-3

2022-10-04

Abstract:Fuzzing network servers is a technical challenge, since the behavior of the target server depends on its state over a sequence of multiple messages. Existing solutions are costly and difficult to use, as they rely on manually-customized artifacts such as protocol models, protocol parsers, and learning frameworks. The aim of this work is to develop a greybox fuzzer (StateaAFL) for network servers that only relies on lightweight analysis of the target program, with no manual customization, in a similar way to what the AFL fuzzer achieved for stateless programs. The proposed fuzzer instruments the target server at compile-time, to insert probes on memory allocations and network I/O operations. At run-time, it infers the current protocol state of the target server by taking snapshots of long-lived memory areas, and by applying a fuzzy hashing algorithm (Locality-Sensitive Hashing) to map memory contents to a unique state identifier. The fuzzer incrementally builds a protocol state machine for guiding fuzzing. We implemented and released StateaAFL as open-source software. As a basis for reproducible experimentation, we integrated StateaAFL with a large set of network servers for popular protocols, with no manual customization to accomodate for the protocol. The experimental results show that the fuzzer can be applied with no manual customization on a large set of network servers for popular protocols, and that it can achieve comparable, or even better code coverage and bug detection than customized fuzzing. Moreover, our qualitative analysis shows that states inferred from memory better reflect the server behavior than only using response codes from messages.

Cryptography and Security,Operating Systems,Software Engineering

Tarun Yadav,Koustav Sadhukhan

DOI: https://doi.org/10.1007/978-981-13-5826-5_27

2019-02-20

Abstract:TLS protocol is an essential part of secure Internet communication. In past, many attacks have been identified on the protocol. Most of these attacks are due to flaws in protocol implementation. The flaws are due to improper design and implementation of program logic by programmers. One of the widely used implementation of TLS is SChannel which is used in Windows operating system since its inception. We have used protocol state fuzzing to identify vulnerable and undesired state transitions in the state machine of the protocol for various versions of SChannel. The client as well as server components have been analyzed thoroughly using this technique and various flaws have been discovered in the implementation. Exploitation of these flaws under specific circumstances may lead to serious attacks which could disrupt secure communication. In this paper, we analyze state machine models of TLS protocol implementation of SChannel library and describe weaknesses and design flaws in these models, found using protocol state fuzzing.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

Yan Pan,Wei Lin,Yubo He,Yuefei Zhu

DOI: https://doi.org/10.1371/journal.pone.0262176

IF: 3.7

2022-01-24

PLoS ONE

Abstract:Transport layer security (TLS) protocol is the most widely used security protocol in modern network communications. However, protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers emerge one after another. Meanwhile, various versions of TLS protocol implementations exhibit different behavioral characteristics. Researchers are attempting to find the differences in protocol implementations based on differential testing, which is conducive to discovering the vulnerabilities. This paper provides a solution to find the differences more efficiently by targeting the TLS protocol handshake process. The differences of different implementations during the fuzzing process, such as code coverage and response data, are taken to guide the mutation of test cases, and the seeds are mutated based on the TLS protocol syntax. In addition, the definition of duplicate discrepancies is theoretically explored to investigate the root cause of the discrepancies and to reduce the number of duplicate cases that are caused by the same reason. Besides, the necessary conditions for excluding duplicate cases are further analyzed to develop the deduplication strategy. The proposed method is developed based on open-source tools, i.e., NEZHA and TLS-diff. Three types of widely used TLS protocol implementations, i.e., OpenSSL, BoringSSL, and LibreSSL, are taken for experimental testing. The experimental results show that the proposed method can effectively improve the ability to find differences between different implementations. Under the same test scale or the same time, the amount of discrepancies increases by about 20% compared to TLS-diff, indicating the effectiveness of the deduplication strategy.

Junqiang Li,Senyi Li,Gang Sun,Ting Chen,Hongfang Yu

DOI: https://doi.org/10.1109/tifs.2022.3192991

IF: 7.231

2022-08-02

IEEE Transactions on Information Forensics and Security

Abstract:Greybox fuzzing has been widely used in stateless programs and has achieved great success. However, most state-of-the-art greybox fuzzers have slow speed and shallow state depth coverage in fuzzing stateful network protocol programs, which are able to remember and store the details of interactions. The existing greybox fuzzers for network protocol programs first send a series of well-defined prefix sequences of input messages and then send mutated messages to test the target state of a stateful network protocol. This process leads to a high time cost. In this paper, we propose SNPSFuzzer, a fast greybox fuzzer for stateful network protocols using snapshots. SNPSFuzzer dumps the context information when the network protocol program is in a specific state and restores it when the state needs to be fuzzed. Furthermore, we design a message chain analysis algorithm to explore more and deeper network protocol states. Our evaluation shows that compared with the state-of-the-art network protocol greybox fuzzer AFLNET, SNPSFuzzer improves the message processing speed of network protocol fuzzing by 70.7% and increases the path coverage by 20.9% on average within 24 hours. Moreover, SNPSFuzzer exposes a previously unreported vulnerability in the program Tinydtls.

computer science, theory & methods,engineering, electrical & electronic

Liu Yu,Shen Yanlong,Zhou Ying

2024-08-13

Abstract:Stateful Coverage-Based Greybox Fuzzing (SCGF) is considered the state-of-the-art method for network protocol greybox fuzzing. During the protocol fuzzing process, SCGF constructs the state machine of the target protocol by identifying protocol states. Optimal states are selected for fuzzing using heuristic methods, along with corresponding seeds and mutation regions, to effectively conduct fuzz testing. Nevertheless, existing SCGF methodologies prioritise the selection of protocol states without considering the correspondence between program basic block coverage information and protocol states. To address this gap, this paper proposes a statemap-based reverse state selection method for SCGF. This approach prioritises the coverage information of fuzzy test seeds, and delves deeper into the correspondence between the basic block coverage information of the programme and the protocol state, with the objective of improving the bitmap coverage. The state map is employed to simplify the state machine representation method. Furthermore, the design of different types of states has enabled the optimisation of the method of constructing message sequences, the reduction in the length of message sequences further improve the efficiency of test case execution. By optimising the SCGF, we developed SMGFuzz and conducted experiments utilising Profuzzbench in order to assess the testing efficiency of SMGFuzz.The results indicate that compared to AFLNet, SMGFuzz achieved an average increase of 12.48% in edges coverage, a 50.1% increase in unique crashes and a 40.2% increase in test case execution speed over a period of 24 hours.

Cryptography and Security

Jie Liang,Yu Jiang,Mingzhe Wang,Xun Jiao,Yuanliang Chen,Houbing Song,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/TDSC.2019.2961339

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Fuzzing is one of the most effective vulnerability detection techniques, widely used in practice. However, the performance of fuzzers may be limited by their inability to pass complicated checks, inappropriate mutation frequency, arbitrary mutation strategy, or the variability of the environment. In this article, we present DeepFuzzer, an enhanced greybox fuzzer with qualified seed generation, bal...

Van-Thuan Pham,Marcel Böhme,Andrew E. Santosa,Alexandru Răzvan Căciulescu,Abhik Roychoudhury

DOI: https://doi.org/10.48550/arXiv.1811.09447

2018-11-23

Abstract:Coverage-based greybox fuzzing (CGF) is one of the most successful methods for automated vulnerability detection. Given a seed file (as a sequence of bits), CGF randomly flips, deletes or bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining those generated files which enhance coverage. However, random bitflips are unlikely to produce valid files (or valid chunks in files), for applications processing complex file formats. In this work, we introduce smart greybox fuzzing (SGF) which leverages a high-level structural representation of the seed file to generate new files. We define innovative mutation operators that work on the virtual file structure rather than on the bit level which allows SGF to explore completely new input domains while maintaining file validity. We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic. Our evaluation demonstrates the effectiveness of SGF. On several libraries that parse structurally complex files, our tool AFLSmart explores substantially more paths (up to 200%) and exposes more vulnerabilities than baseline AFL. Our tool AFLSmart has discovered 42 zero-day vulnerabilities in widely-used, well-tested tools and libraries; so far 17 CVEs were assigned.

Cryptography and Security

Ruijie Meng,Zhen Dong,Jialin Li,Ivan Beschastnikh,Abhik Roychoudhury

DOI: https://doi.org/10.1145/3510003.3510082

2022-01-01

Abstract:Software model checking as well as runtime verification are verification techniques which are widely used for checking temporal properties of software systems. Even though they are property verification techniques, their common usage in practice is in "bug finding", that is, finding violations of temporal properties. Motivated by this observation and leveraging the recent progress in fuzzing, we build a greybox fuzzing framework to find violations of Linear-time Temporal Logic (LTL) properties. Our framework takes as input a sequential program written in C/C++, and an LTL property. It finds violations, or counterexample traces, of the LTL property in stateful software systems; however, it does not achieve verification. Our work substantially extends directed greybox fuzzing to witness arbitrarily complex event orderings. We note that existing directed greybox fuzzing approaches are limited to witnessing reaching a location or witnessing simple event orderings like use-after-free. At the same time, compared to model checkers, our approach finds the counterexamples faster, thereby finding more counterexamples within a given time budget. Our LTL-Fuzzer tool, built on top of the AFL fuzzer, is shown to be effective in detecting bugs in well-known protocol implementations, such as OpenSSL and Telnet. We use LTL-Fuzzer to reproduce known vulnerabilities (CVEs), to find 15 zero-day bugs by checking properties extracted from RFCs (for which 12 CVEs have been assigned), and to find violations of both safety as well as liveness properties in real-world protocol implementations. Our work represents a practical advance over software model checkers - while simultaneously representing a conceptual advance over existing greybox fuzzers. Our work thus provides a starting point for understanding the unexplored synergies among software model checking, runtime verification and greybox fuzzing.

Zhengxiong Luo,Junze Yu,Feilong Zuo,Jianzhong Liu,Yu Jiang,Ting Chen,Abhik Roychoudhury,Jiaguang Sun

2023-01-01

Abstract:Protocol implementations are essential components in network infrastructures. Flaws hidden in the implementations can easily render devices vulnerable to adversaries. Therefore, guaranteeing their correctness is important. However, commonly used vulnerability detection techniques, such as fuzz testing, face increasing challenges in testing these implementations due to ineffective feedback mechanisms and insufficient protocol state-space exploration techniques. This paper presents BLEEM, a packet-sequence-oriented black-box fuzzer for vulnerability detection of protocol implementations. Instead of focusing on individual packet generation, BLEEM generates packets on a sequence level. It provides an effective feedback mechanism by analyzing the system output sequence noninvasively, supports guided fuzzing by resorting to state-space tracking that encompasses all parties timely, and utilizes interactive traffic information to generate protocol-logic-aware packet sequences. We evaluate BLEEM on 15 widely-used implementations of well-known protocols (e.g., TLS and QUIC). Results show that, compared to the state-of-the-art protocol fuzzers such as Peach, BLEEM achieves substantially higher branch coverage (up to 174.93% improvement) within 24 hours. Furthermore, BLEEM exposed 15 security-critical vulnerabilities in prominent protocol implementations, with 10 CVEs assigned.

Hongxiang Zhang,Yuyang Rong,Yifeng He,Hao Chen

2024-06-14

Abstract:Greybox fuzzing has achieved success in revealing bugs and vulnerabilities in programs. However, randomized mutation strategies have limited the fuzzer's performance on structured data. Specialized fuzzers can handle complex structured data, but require additional efforts in grammar and suffer from low throughput. In this paper, we explore the potential of utilizing the Large Language Model to enhance greybox fuzzing for structured data. We utilize the pre-trained knowledge of LLM about data conversion and format to generate new valid inputs. We further fine-tuned it with paired mutation seeds to learn structured format and mutation strategies effectively. Our LLM-based fuzzer, LLAMAFUZZ, integrates the power of LLM to understand and mutate structured data to fuzzing. We conduct experiments on the standard bug-based benchmark Magma and a wide variety of real-world programs. LLAMAFUZZ outperforms our top competitor by 41 bugs on average. We also identified 47 unique bugs across all trials. Moreover, LLAMAFUZZ demonstrated consistent performance on both bug trigger and bug reached. Compared to AFL++, LLAMAFUZZ achieved 27.19% more branches in real-world program sets on average. We also demonstrate a case study to explain how LLMs enhance the fuzzing process in terms of code coverage.

Cryptography and Security,Artificial Intelligence,Software Engineering

Guofeng He,Yichen Xin,Xiuchuan Cheng,Guangqiang Yin

DOI: https://doi.org/10.3390/electronics13050912

IF: 2.9

2024-02-29

Electronics

Abstract:Directed greybox fuzzing can mainly be used for vulnerability mining and vulnerability replication. However, there are still some issues with existing directional fuzzing tools. One is that after providing problematic changes or patches, it is not possible to quickly target and discover the problem. Secondly, it is difficult to break through the magic byte path, making it difficult to mine deep vulnerabilities. This article proposes a new vulnerability mining and repair framework: American Fuzz Lop Plus (AFL++). Firstly, we utilize alias analysis to enhance inter-procedural control flow graphs and redefine the distance calculation formula to obtain more accurate distances. Secondly, the Newton interpolation method is used for the energy initialization of each seed to prevent test cases from being filtered out due to low energy. A heuristic energy scheduling algorithm is proposed to judiciously schedule the energy of seeds. During the path exploration phase, by adjusting the seed energy, shorter-distance seeds quickly reach the target; with increasing time, seeds tend to explore deeper paths. We then represent the symbolic distance by the number of instructions passed to reach the target and investigate the shortest path search strategy to achieve path pruning, alleviating the problem of path explosion. Finally, based on the above methods, we implement the AFL++ prototype system, integrating directed greybox fuzzing with symbolic execution technology for vulnerability discovery. By interleaving directed symbolic execution and directed greybox fuzzing, the efficiency of vulnerability discovery and reproduction is effectively enhanced.

engineering, electrical & electronic,computer science, information systems,physics, applied

School of Information Management, Nanjing University,Zuo Zhi-Qiang,Guan Le,Wang Lin-Zhang,Li Xuan-Dong,Shi Jin,Liu Peng

DOI: https://doi.org/10.1007/s11390-021-1196-0

IF: 1.871

2021-01-01

Journal of Computer Science and Technology

Abstract:Fuzzing is known to be one of the most effective techniques to uncover security vulnerabilities of large-scale software systems. During fuzzing, it is crucial to distribute the fuzzing resource appropriately so as to achieve the best fuzzing performance under a limited budget. Existing distribution strategies of American Fuzzy Lop (AFL) based greybox fuzzing focus on increasing coverage blindly without considering the metrics of code regions, thus lacking the insight regarding which region is more likely to be vulnerable and deserves more fuzzing resources. We tackle the above drawback by proposing a vulnerable region-aware greybox fuzzing approach. Specifically, we distribute more fuzzing resources towards regions that are more likely to be vulnerable based on four kinds of code metrics. We implemented the approach as an extension to AFL named RegionFuzz. Large-scale experimental evaluations validate the effectiveness and efficiency of RegionFuzz-11 new bugs including three new CVEs are successfully uncovered by RegionFuzz.

Ruijie Meng,Zhen Dong,Jialin Li,Ivan Beschastnikh,Abhik Roychoudhury

2021-01-01

Abstract:Software model checking is a verification technique which is widely used for checking temporal properties of software systems. Even though it is a property verification technique, its common usage in practice is in bug finding, that is, finding violations of temporal properties. Motivated by this observation and leveraging the recent progress in fuzzing, we build a greybox fuzzing framework to find violations of Linear-time Temporal Logic (LTL) properties. Our framework takes as input a sequential program written in C/C++, and an LTL property. It finds violations, or counterexample traces, of the LTL property in stateful software systems; however, it does not achieve verification. Our work substantially extends directed greybox fuzzing to witness arbitrarily complex event orderings. We note that existing directed greybox fuzzing approaches are limited to witnessing reaching a location or witnessing simple event orderings like use-after-free. At the same time, compared to model checkers, our approach finds the counterexamples faster, thereby finding more counterexamples within a given time budget. Our LTL-Fuzzer tool, built on top of the AFL fuzzer, is shown to be effective in detecting bugs in well-known protocol implementations, such as OpenSSL and Telnet. We use LTL-Fuzzer to reproduce known vulnerabilities (CVEs), to find 15 zero-day bugs by checking properties extracted from RFCs (for which 10 CVEs have been assigned), and to find violations of both safety as well as liveness properties in real-world protocol implementations. Our work represents a practical advance over software model checkers -- while simultaneously representing a conceptual advance over existing greybox fuzzers. Our work thus provides a starting point for understanding the unexplored synergies between software model checking and greybox fuzzing.

Zhiqiang Wei,Xijia Wei,Xinghua Zhao,Zongtang Hu,Chu Xu

DOI: https://doi.org/10.1109/access.2024.3365712

IF: 3.9

2024-02-28

IEEE Access

Abstract:As the Internet of Things (IoT) industry grows, the risk of network protocol security threats has also increased. One protocol that has come under scrutiny for its security vulnerabilities is MQTT (Message Queuing Telemetry Transport), which is widely used. To address this issue, an automated execution program called fuzz has been developed to verify the security of MQTT brokers. This program is provided with various random and unexpected input data and monitored for different responses, such as acknowledgments, crashes, failures, or memory leaks. To generate a significant number of realistic MQTT protocols, we have proposed a Generative Adversarial Networks (GAN)-based protocol fuzzer called SGANFuzz. Our experimental results show that SGANFuzz has successfully detected 6 vulnerabilities among 7 MQTT implementations, including 3 CVE bugs. Compared to the state-of-the-art fuzzing tools, SGANFuzz has proven to be the most efficient fuzzing tool in terms of vulnerability detection and has expanded the feedback coverage by receiving more unique network responses from MQTT brokers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yong-Hao Zou,Jia-Ju Bai,Jielong Zhou,Jiangfeng Tan,Chenggang Qin,Shi-Min Hu

2021-01-01

Abstract:TCP stacks provide reliable data transmission in network, and thus they should be correctly implemented and well tested to ensure reliability and security. However, testing TCP stacks is difficult. First, a TCP stack accepts packets and system calls that have dependencies between each other, and thus generating effective test cases is challenging. Second, a TCP stack has various complex state transitions, but existing testing approaches target covering states instead of covering state transitions, and thus their testing coverage is limited. Finally, our study of TCP stack commits shows that 87% of bug-fixing commits are related to semantic bugs (such as RFC violations), but existing bug sanitizers can detect only memory bugs not semantic bugs. In this paper, we design a novel fuzzing framework named TCP-Fuzz, to effectively test TCP stacks and detect bugs. TCP-Fuzz consists of three key techniques: (1) a dependencybased strategy that considers dependencies between packets and system calls, to generate effective test cases; (2) a transition-guided fuzzing approach that uses a new coverage metric named branch transition as program feedback, to improve the coverage of state transitions; (3) a differential checker that compares the outputs of multiple TCP stacks for the same inputs, to detect semantic bugs. We have evaluated TCP-Fuzz on five widely-used TCP stacks (TLDK, F-Stack, mTCP, FreeBSD TCP and Linux TCP), and find 56 real bugs (including 8 memory bugs and 48 semantic bugs). 40 of these bugs have been confirmed by related developers.

Dongge Liu,Van-Thuan Pham,Gidon Ernst,Toby Murray,Benjamin I.P. Rubinstein

DOI: https://doi.org/10.48550/arXiv.2112.15498

2022-01-07

Abstract:The statefulness property of network protocol implementations poses a unique challenge for testing and verification techniques, including Fuzzing. Stateful fuzzers tackle this challenge by leveraging state models to partition the state space and assist the test generation process. Since not all states are equally important and fuzzing campaigns have time limits, fuzzers need effective state selection algorithms to prioritize progressive states over others. Several state selection algorithms have been proposed but they were implemented and evaluated separately on different platforms, making it hard to achieve conclusive findings. In this work, we evaluate an extensive set of state selection algorithms on the same fuzzing platform that is AFLNet, a state-of-the-art fuzzer for network servers. The algorithm set includes existing ones supported by AFLNet and our novel and principled algorithm called AFLNetLegion. The experimental results on the ProFuzzBench benchmark show that (i) the existing state selection algorithms of AFLNet achieve very similar code coverage, (ii) AFLNetLegion clearly outperforms these algorithms in selected case studies, but (iii) the overall improvement appears insignificant. These are unexpected yet interesting findings. We identify problems and share insights that could open opportunities for future research on this topic.

Software Engineering,Cryptography and Security,Machine Learning

Marcel Böhme,Van-Thuan Pham,Abhik Roychoudhury

DOI: https://doi.org/10.1145/2976749.2978428

2016-10-24

Abstract:Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few "high-frequency" paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFAST exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFAST produces at least an order of magnitude more unique crashes than AFL.