Automated Vulnerability Analysis: Leveraging Control Flow for Evolutionary Input Crafting

Sparks, Sherri; Embleton, Shawn; Cunningham, R.; Zou, Changwei

doi:10.1109/acsac.2007.27

Cited by 62 publications

(27 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The use of evolutionary algorithms for input generation purposes is a well-explored research area in software engineering [7], [34]. There have been attempts to use evolutionary algorithms for input generation to discover vulnerabilities in applications [25], [42], [45]. The difference lies in the fact that these approaches assume a-priori knowledge of the application to focus on the paths leading to vulnerable parts of the program.…”

Section: A Search-based Evolutionary Input Generationmentioning

confidence: 99%

VUzzer: Application-aware Evolutionary Fuzzing

Rawat¹,

Jain²,

Kumar³

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

455

446

View full text Add to dashboard Cite

Fuzzing is an effective software testing technique to find bugs. Given the size and complexity of real-world applications, modern fuzzers tend to be either scalable, but not effective in exploring bugs that lie deeper in the execution, or capable of penetrating deeper in the application, but not scalable. In this paper, we present an application-aware evolutionary fuzzing strategy that does not require any prior knowledge of the application or input format. In order to maximize coverage and explore deeper paths, we leverage control-and data-flow features based on static and dynamic analysis to infer fundamental properties of the application. This enables much faster generation of interesting inputs compared to an application-agnostic approach. We implement our fuzzing strategy in VUzzer and evaluate it on three different datasets: DARPA Grand Challenge binaries (CGC), a set of real-world applications (binary input parsers), and the recently released LAVA dataset. On all of these datasets, VUzzer yields significantly better results than state-of-the-art fuzzers, by quickly finding several existing and new bugs. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: A Search-based Evolutionary Input Generationmentioning

confidence: 99%

VUzzer: Application-aware Evolutionary Fuzzing

Rawat¹,

Jain²,

Kumar³

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

455

446

View full text Add to dashboard Cite

show abstract

“…Dowser [24] performs static analysis at compile time to find vulnerable code like loops and pointers, so as QTEP [54]. Sparks et al [49] extracts the control flow graphs from the target to help input generation. Steelix [33] and VUzzer [43] analyze magic values, immediate values, and strings that can affect control flow.…”

Section: Related Workmentioning

confidence: 99%

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

Wang¹,

Jia²,

Liu³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Coverage-based fuzzing has been actively studied and widely adopted for finding vulnerabilities in real-world software applications. With coverage information, such as statement coverage and transition coverage, as the guidance of input mutation, coverage-based fuzzing can generate inputs that cover more code and thus find more vulnerabilities without prerequisite information such as input format. Current coveragebased fuzzing tools treat covered code equally. All inputs that contribute to new statements or transitions are kept for future mutation no matter what the statements or transitions are and how much they impact security. Although this design is reasonable from the perspective of software testing that aims at full code coverage, it is inefficient for vulnerability discovery since that 1) current techniques are still inadequate to reach full coverage within a reasonable amount of time, and that 2) we always want to discover vulnerabilities early so that it can be fixed promptly. Even worse, due to the non-discriminative code coverage treatment, current fuzzing tools suffer from recent anti-fuzzing techniques and become much less effective in finding vulnerabilities from programs enabled with anti-fuzzing schemes. To address the limitation caused by equal coverage, we propose coverage accounting, a novel approach that evaluates coverage by security impacts. Coverage accounting attributes edges by three metrics based on three different levels: function, loop and basic block. Based on the proposed metrics, we design a new scheme to prioritize fuzzing inputs and develop TortoiseFuzz, a greybox fuzzer for finding memory corruption vulnerabilities. We evaluated TortoiseFuzz on 30 real-world applications and compared it with 6 state-of-the-art greybox and hybrid fuzzers: AFL, AFLFast, FairFuzz, MOPT, QSYM, and Angora. Statistically, TortoiseFuzz found more vulnerabilities than 5 out of 6 fuzzers (AFL, AFLFast, FairFuzz, MOPT, and Angora), and it had a comparable result to QSYM yet only consumed around 2% of QSYM's memory usage on average. We also compared coverage accounting metrics with two other metrics, AFL-Sensitive and LEOPARD, and TortoiseFuzz performed significantly better than both metrics in finding vulnerabilities. Furthermore, we applied the coverage accounting metrics to QSYM and noticed that coverage accounting helps increase the number of discovered vulnerabilities by 28.6% on average. TortoiseFuzz found 20 zero-day vulnerabilities with 15 confirmed with CVE identifications.

show abstract

“…Some other researches focus on analyzing the software vulnerabilities that may cause serious threats. Network security assessment, reversed engineering, or fuzz testing [3][4] [5] are often used in these researches to find out vulnerabilities and threats. The followings are some of the well-known vulnerability scoring standard and vulnerabilities database:…”

Section: A Security Audit and Assessment Mechanismsmentioning

confidence: 99%

An Analysis of Security Patch Lifecycle Using Google Trend Tool

Kuo

Ruan

Chen

et al. 2012

2012 Seventh Asia Joint Conference on Information Security

View full text Add to dashboard Cite

Information security audit has become more and more important nowadays. Among the audited items, the status of security patch could be the most important part. In this paper, we proposed a security patch lifecycle to assess the information security risk with the help of vulnerability databases. A case study using the Google Trend is also given to demonstrate that the proposed security patch lifecycle is both useful and practical.

show abstract

Automated Vulnerability Analysis: Leveraging Control Flow for Evolutionary Input Crafting

Cited by 62 publications

References 5 publications

VUzzer: Application-aware Evolutionary Fuzzing

VUzzer: Application-aware Evolutionary Fuzzing

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

An Analysis of Security Patch Lifecycle Using Google Trend Tool

Contact Info

Product

Resources

About