Cerebro: context-aware adaptive fuzzing for effective vulnerability detection

Li, Yuekang; Xue, Yinxing; Chen, Hongxu; Wu, Xiuheng; Zhang, Cen; Xie, Xiaofei; Wang, Haijun; Liu, Yang

doi:10.1145/3338906.3338975

Cited by 70 publications

(32 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A test case that has more chances to cover OSs with mutations should be assigned with more energy. Existing coverage-based fuzzers (e.g., AFL) usually calculate the energy for the selected test case as follows [23]:…”

Section: Power Schedulingmentioning

confidence: 99%

“…Recently, lots of greybox fuzzing techniques have been proposed to detect various types of bugs [1, 4, 6, 9, 16, 21-23, 25, 28, 29, 31, 46]. These techniques either enhance the different components of the greybox fuzzer [4,16,[21][22][23]25] or combine greybox fuzzing with other techniques such as static analysis [23,29], symbolic execution [31,46], or taint analysis [9,28]. These techniques are general purpose techniques which are not designed to detect a specific type of bugs with more effectiveness.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Wang

Xie

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Self Cite

View full text Add to dashboard Cite

Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestateguided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

Section: Power Schedulingmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Wang

Xie

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…MOpt [25] uses a customized Particle Swarm Optimization (PSO) algorithm to optimize the mutation operation scheduler. Cerebro [23] utilizes various factors such as code complexity, coverage, and execution time to improve seed scheduling strategy. AFLGO [11] and Hawkeye [12] leverage seed [22] and Laf-intel [5] split magic bytes to make them as weak constraint with extra implemetation.…”

Section: Related Workmentioning

confidence: 99%

CrFuzz: fuzzing multi-purpose programs through input validation

Song

Jang

et al. 2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

Fuzz testing has been proved its effectiveness in discovering software vulnerabilities. Empowered its randomness nature along with a coverage-guiding feature, fuzzing has been identified a vast number of vulnerabilities in real-world programs. This paper begins with an observation that the design of the current state-of-the-art fuzzers is not well suited for a particular (but yet important) set of software programs. Specifically, current fuzzers have limitations in fuzzing programs serving multiple purposes, where each purpose is controlled by extra options. This paper proposes CrFuzz, which overcomes this limitation. CrFuzz designs a clustering analysis to automatically predict if a newly given input would be accepted or not by a target program. Exploiting this prediction capability, CrFuzz is designed to efficiently explore the programs with multiple purposes. We employed CrFuzz for three state-of-the-art fuzzers, AFL, QSYM, and MOpt, and CrFuzz-augmented versions have shown 19.3% and 5.68% better path and edge coverage on average. More importantly, during two weeks of long-running experiments, CrFuzz discovered 277 previously unknown vulnerabilities where 212 of those are already confirmed and fixed by the respected vendors. We would like to emphasize that many of these vulnerabilities were discoverd from FFMpeg, ImageMagick, and Graphicsmagick, all of which are targets of Google's OSS-Fuzz project and thus heavily fuzzed for last three years by far. Nevertheless, CrFuzz identified a remarkable number of vulnerabilities, demonstrating its effectiveness of vulnerability finding capability. CCS CONCEPTS • Security and privacy → Software security engineering.

show abstract

“…In this chapter, we demonstrate the detailed design of FOT and breifly discuss the extensions(namely, Hawkeye [1] and Cerebro [37]) built on top of FOT. By the end of this chapter, we also discuss the differences between FOT and other greybox fuzzing frameworks 1 .…”

Section: Chapter 3 Fot: a Versatile Configurable Extensible Fuzzingmentioning

confidence: 99%

Semantic-based vulnerability analysis of software

Li¹

Self Cite

View full text Add to dashboard Cite

The contributions of the co-authors are as follows: • Hongxu and I were the lead authors. We share equal contribution. We wrote the code and conducted the experiments together. I received a lot of help and love during my Ph.D. study from many people. No words can fully express my thankfulness but I do want to thank some of them explicitly here. First, I would like to thank my supervisor Prof. Yang Liu for his precious guidance and constructive feedback. His passion for research and work has influenced me a lot. His knowledge and experience provides me guidance and courage to solve different research problems. His selfless support helped me to get through the difficult periods. Second, I would like to specially thank my senior Hongxu Chen. He is very knowledgeable and generous. I have collaborated with him for many works and he has shown admirable perseverance and talents during research. I would also like to thank Dr. Alwen Tiu, Dr. Bihuan Chen and Dr. Lei Wei as they are the very first people who helped me during my Ph.D. study. Their valuable support and help have guided me to get on the right track of research.

show abstract

Cerebro: context-aware adaptive fuzzing for effective vulnerability detection

Cited by 70 publications

References 34 publications

Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Typestate-guided fuzzer for discovering use-after-free vulnerabilities

CrFuzz: fuzzing multi-purpose programs through input validation

Semantic-based vulnerability analysis of software

Contact Info

Product

Resources

About