Confuzzion: A Java Virtual Machine Fuzzer for Type Confusion Vulnerabilities

Bonnaventure, William; Khanfir, Ahmed; Bartel, Alexandre; Papadakis, Mike; Traon, Yves Le

doi:10.1109/qrs54544.2021.00069

Cited by 6 publications

(4 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of their discoveries touches on a highly critical security vulnerability in Java 9 that allowed untrusted code to disable the Security Manager and elevate its privileges. Confuzzion [7] is another JVM fuzzer which is more generic in the sense that it allows the generation of programs that are not possible to generate with Classming or Classfuzz. Dean et al [18] demonstrated that there is a significant number of flaws in the Java language and in these two browsers supporting it.…”

Section: Java Securitymentioning

confidence: 99%

An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities

Sayar

Bartel

Bodden

et al. 2023

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256 515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.

show abstract

Section: Java Securitymentioning

confidence: 99%

An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities

Sayar

Bartel

Bodden

et al. 2023

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Classfuzz [26] is a coverage-guided method on JVM compilers, it employs MCMC sampling to guide mutator selection. Confuzzion [18] introduces a mutational feedback-guided fuzzer on JVM for exposing the type of confusion vulnerabilities. It uses historical execution information to randomly select mutation methods to generate new test cases.…”

Section: Related Workmentioning

confidence: 99%

A Generative and Mutational Approach for Synthesizing Bug-Exposing Test Cases to Guide Compiler Fuzzing

Ye,

Hu,

Tang

et al. 2023

Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Enginee

View full text Add to dashboard Cite

Random test case generation, or fuzzing, is a viable means for uncovering compiler bugs. Unfortunately, compiler fuzzing can be time-consuming and inefficient with purely randomly generated test cases due to the complexity of modern compilers. We present ComFuzz, a focused compiler fuzzing framework. ComFuzz aims to improve compiler fuzzing efficiency by focusing on testing components and language features that are likely to trigger compiler bugs.Our key insight is human developers tend to make common and repeat errors across compiler implementations; hence, we can leverage the previously reported buggy-exposing test cases of a programming language to test a new compiler implementation. To this end, ComFuzz employs deep learning to learn a test program generator from open-source projects hosted on GitHub. With the machinegenerated test programs in place, ComFuzz then leverages a set of carefully designed mutation rules to improve the coverage and bug-exposing capabilities of the test cases. We evaluate ComFuzz on 11 compilers for JS and Java programming languages. Within 260 hours of automated testing runs, we discovered 33 unique bugs across nine compilers, of which 29 have been confirmed and 22, including an API documentation defect, have already been fixed by the developers. We also compared ComFuzz to eight prior fuzzers on four evaluation metrics. In a 24-hour comparative test, ComFuzz uncovers at least 1.5× more bugs than the state-of-the-art baselines.

show abstract

“…It first compiles each benign/vulnerable program, then perform code transformations in the bytecode version of the program such that it does not break the vulnerable code semantics. We perform this step using a modified version of CONFUZZION [14] (see Section IV-C). INTJECT then decompiles the resulting mutated code pair into a new benign/vulnerable source code pair.…”

Section: Intjectmentioning

confidence: 99%

“…3) Mutated Datasets: In this work, we propose the use of semantic-preserving program mutations to transform an original dataset into a rich and diverse one that allows to learn the vulnerability intent under varying contexts. To mutate the original dataset, we employ CONFUZZION [14]. Basically, CONFUZZION is a mutation-based feedback-guided black-box JVM fuzzer, which is focused on the type confusion vulnerabilities detection.…”

Section: Experimental Datasetsmentioning

confidence: 99%

IntJect: Vulnerability Intent Bug Seeding

Petit

Khanfir

Soremekun

et al. 2022

2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)

Self Cite

View full text Add to dashboard Cite

Studying and exposing software vulnerabilities is important to ensure software security, safety, and reliability. Software engineers often inject vulnerabilities into their programs to test the reliability of their test suites, vulnerability detectors, and security measures. However, state-of-the-art vulnerability injection methods only capture code syntax/patterns, they do not learn the intent of the vulnerability and are limited to the syntax of the original dataset. To address this challenge, we propose the first intent-based vulnerability injection method that learns both the program syntax and vulnerability intent. Our approach applies a combination of NLP methods and semantic-preserving program mutations (at the bytecode level) to inject code vulnerabilities. Given a dataset of known vulnerabilities (containing benign and vulnerable code pairs), our approach proceeds by employing semantic-preserving program mutations to transform the existing dataset to semantically similar code. Then, it learns the intent of the vulnerability via neural machine translation (Seq2Seq) models. The key insight is to employ Seq2Seq to learn the intent (context) of the vulnerable code in a manner that is agnostic of the specific program instance. We evaluate the performance of our approach using 1275 vulnerabilities belonging to five (5) CWEs from the Juliet test suite. We examine the effectiveness of our approach in producing compilable and vulnerable code. Our results show that INTJECT is effective, almost all (99%) of the code produced by our approach is vulnerable and compilable. We also demonstrate that the vulnerable programs generated by INTJECT are semantically similar to the withheld original vulnerable code. Finally, we show that our mutation-based data transformation approach outperforms its alternatives, namely data obfuscation and using the original data.

show abstract

Confuzzion: A Java Virtual Machine Fuzzer for Type Confusion Vulnerabilities

Cited by 6 publications

References 38 publications

An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities

An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities

A Generative and Mutational Approach for Synthesizing Bug-Exposing Test Cases to Guide Compiler Fuzzing

IntJect: Vulnerability Intent Bug Seeding

Contact Info

Product

Resources

About