Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities

Nguyen, Manh-Dung; Bardin, Sébastien; Bonichon, Richard; Groz, Roland; Lemerre, Matthieu

doi:10.48550/arxiv.2002.10751

Cited by 3 publications

(25 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, selecting critical sites, such as memory allocation function malloc() or string manipulation function strcpy(), as targets are more likely to trigger memory corruption bugs. Besides, we can leverage the relationship among targets to accelerate detecting complex behavioral bugs, such as use-after-free [22,28]. Thus, the involvement of targets gives more chance to optimize DGF by applying customized techniques that are specific to DGF.…”

Section: Difference Between Cgf and Dgfmentioning

confidence: 99%

“…For example, in order to trigger use-after-free vulnerabilities, a sequence of operations (e.g., allocate memory, use memory, and free memory) must be executed in a specific order. UAFuzz [22] and UAFL [28] leverages target sequences instead of target sites to find use-after-free vulnerabilities. LOLLY [23] also uses target statement sequences to guide greybox fuzzing to trigger bugs that resulted from the sequential execution of multiple statements.…”

Section: Assessment Of The-state-of-the-art Workmentioning

confidence: 99%

“…In the exploration phase, the low-frequency seeds are prioritized to improve the coverage, and for the exploitation phase, the low distance seeds are preferred to achieve the target code areas. UAFuzz is a tailored directed greybox fuzzer for complex behavioral use-after-free vulnerabilities [22]. Different from the distance based on the control-flow graph, it uses a distance metric of call chains leading to the target functions that are more likely to include both allocation and free functions.…”

Section: Seed Prioritizationmentioning

confidence: 99%

“…UAFL [28] uses the operation sequence coverage as the feedback to guide the testcase generation to progressively cover the operation sequences that are likely to trigger use-after-free vulnerabilities. UAFuzz [22] also uses a sequenceness-aware target similarity metric to measure the similarity between the execution of a seed and the target UAF bug trace. The sequenceness-aware target similarity metric concretely assesses how many targets a seed execution trace covers at runtime and takes ordering of the targets into account.…”

Section: Seed Prioritizationmentioning

confidence: 99%

“…For now, DGF has evolved beyond the primary pattern that depends on manually labeled target sites and distance-based metrics to prioritize the seeds. A great number of variations have been realized to boost software testing under different scenarios, such as fuzzers directed by target sequence [22][23][24], by semantic information [25,26], by parser [27], by typestate [28], by sanitizer checks [29,30], by memory usage [31], and by vulnerable probability [32]. Complex deep behavioral testing scenes, such as use-afterfree bugs [22,28], memory consumption bugs [31], memory violation bugs [33], algorithmic complexity vulnerabilities [5], input validation bugs in robotic vehicles [34], and deep stateful bugs [35].…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing

Wang¹,

Zhang²,

Lü³

et al. 2020

Preprint

View full text Add to dashboard Cite

Greybox fuzzing has been the most scalable and practical approach to software testing. Most greybox fuzzing tools are coverage guided as code coverage is strongly correlated with bug coverage. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage-based fuzzers who extend the code coverage in an undirected manner, a directed fuzzer spends most of its time budget on reaching specific target locations (e.g., the bug-prone zone) without wasting resources stressing unrelated parts. Thus, directed greybox fuzzing is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug hunting. In this paper, we conduct the first in-depth study of directed greybox fuzzing. We investigate 28 state-of-the-art fuzzers (82% are published after 2019) closely related to DGF, which have various directed types and optimization techniques. Based on the feature of DGF, we extract 15 metrics to conduct a thorough assessment of the collected tools and systemize the knowledge of this field. Finally, we summarize the challenges and provide perspectives of this field, aiming to facilitate and boost future research on this topic.

show abstract

Section: Difference Between Cgf and Dgfmentioning

confidence: 99%

Section: Assessment Of The-state-of-the-art Workmentioning

confidence: 99%

Section: Seed Prioritizationmentioning

confidence: 99%

Section: Seed Prioritizationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing

Wang¹,

Zhang²,

Lü³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

The progress, challenges, and perspectives of directed greybox fuzzing

Wang,

Zhou,

Yue

et al. 2023

Software Testing Verif & Rel

View full text Add to dashboard Cite

SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.

show abstract

UltraFuzz: Towards Resource-Saving in Distributed Fuzzing

Zhou

Wang

Liu

et al. 2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Recent research has sought to improve fuzzing performance via parallel computing. However, researchers focus on improving efficiency while ignoring the increasing cost of testing resources. Parallel fuzzing in the distributed environment amplifies the resource-wasting problem caused by the random nature of fuzzing. In the parallel mode, owing to the lack of an appropriate task dispatching scheme and timely fuzzing status synchronization among different fuzzing instances, task conflicts and workload imbalance occur, making the resourcewasting problem severe. In this paper, we design UltraFuzz, a fuzzer for resource-saving in distributed fuzzing. Based on centralized dynamic scheduling, UltraFuzz can dispatch tasks and schedule power globally and reasonably to avoid resourcewasting. Besides, UltraFuzz can elastically allocate computing power for fuzzing and seed evaluation, thereby avoiding the potential bottleneck of seed evaluation that blocks the fuzzing process. UltraFuzz was evaluated using real-world programs, and the results show that with the same testing resource, UltraFuzz outperforms state-of-the-art tools, such as AFL, AFL-P, PAFL, and EnFuzz. Most importantly, the experiment reveals certain results that seem counter-intuitive, namely that parallel fuzzing can achieve "super-linear acceleration" when compared with single-core fuzzing. We conduct additional experiments to reveal the deep reasons behind this phenomenon and dig deep into the inherent advantages of parallel fuzzing over serial fuzzing, including the global optimization of seed energy scheduling and the escape of local optimal seed. Additionally, 24 real-world vulnerabilities were discovered using UltraFuzz.

show abstract

Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities

Cited by 3 publications

References 37 publications

The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing

The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing

The progress, challenges, and perspectives of directed greybox fuzzing

UltraFuzz: Towards Resource-Saving in Distributed Fuzzing

Contact Info

Product

Resources

About