datAFLow: Towards a Data-Flow-Guided Fuzzer

Herrera, Adrian; Payer, Mathias; Hosking, Antony L.

doi:10.14722/fuzzing.2022.23001

Cited by 5 publications

(1 citation statement)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, other efforts investigate auxiliary feedbacks involving data profiles [58], [49], [63]. As one may naturally augment local feedbacks with our cloning-based context-sensitivity, future research may involve identifying profitable combinations.…”

Section: Related Workmentioning

confidence: 99%

Predictive Context-sensitive Fuzzing

Borrello,

Fioraldi,

D'Elia

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Coverage-guided fuzzers expose bugs by progressively mutating testcases to drive execution to new program locations. Code coverage is currently the most effective and popular exploration feedback. For several bugs, though, also how execution reaches a buggy program location may matter: for those, only tracking what code a testcase exercises may lead fuzzers to overlook interesting program states. Unfortunately, context-sensitive coverage tracking comes with an inherent state explosion problem. Existing attempts to implement contextsensitive coverage-guided fuzzers struggle with it, experiencing non-trivial issues for precision (due to coverage collisions) and performance (due to context tracking and queue/map explosion).In this paper, we show that a much more effective approach to context-sensitive fuzzing is possible. First, we propose function cloning as a backward-compatible instrumentation primitive to enable precise (i.e., collision-free) context-sensitive coverage tracking. Then, to tame the state explosion problem, we argue to account for contextual information only when a fuzzer explores contexts selected as promising. We propose a prediction scheme to identify one pool of such contexts: we analyze the data-flow diversity of the incoming argument values at call sites, exposing to the fuzzer a contextually refined clone of the callee if the latter sees incoming abstract objects that its uses at other sites do not.Our work shows that, by applying function cloning to program regions that we predict to benefit from context-sensitivity, we can overcome the aforementioned issues while preserving, and even improving, fuzzing effectiveness. On the FuzzBench suite, our approach largely outperforms state-of-the-art coverageguided fuzzing embodiments, unveiling more and different bugs without incurring explosion or other apparent inefficiencies. On these heavily tested subjects, we also found 8 enduring security issues in 5 of them, with 6 CVE identifiers issued.

show abstract

Section: Related Workmentioning

confidence: 99%

Predictive Context-sensitive Fuzzing

Borrello,

Fioraldi,

D'Elia

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

DatAFLow : Toward a Data-Flow-Guided Fuzzer

Herrera

Payer

Hosking

2023

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

Coverage-guided greybox fuzzers rely on control-flow coverage feedback to explore a target program and uncover bugs. Compared to control-flow coverage, data-flow coverage offers a more fine-grained approximation of program behavior. Data-flow coverage captures behaviors not visible as control flow and should intuitively discover more (or different) bugs. Despite this advantage, fuzzers guided by data-flow coverage have received relatively little attention, appearing mainly in combination with heavyweight program analyses (e.g., taint analysis, symbolic execution). Unfortunately, these more accurate analyses incur a high run-time penalty, impeding fuzzer throughput. Lightweight data-flow alternatives to control-flow fuzzing remain unexplored. We present DatAFLow, a greybox fuzzer guided by lightweight data-flow profiling. We also establish a framework for reasoning about data-flow coverage, allowing the computational cost of exploration to be balanced with precision. Using this framework, we extensively evaluate DatAFLow across different precisions, comparing it against state-of-the-art fuzzers guided by control flow, taint analysis, and data flow. Our results suggest that the ubiquity of control-flow-guided fuzzers is well-founded. The high run-time costs of data-flow-guided fuzzing (∼ 10 × higher than control-flow-guided fuzzing) significantly reduces fuzzer iteration rates, adversely affecting bug discovery and coverage expansion. Despite this, DatAFLow uncovered bugs that state-of-the-art control-flow-guided fuzzers (notably, AFL++) failed to find. This was because data-flow coverage revealed states in the target not visible under control-flow coverage. Thus, we encourage the community to continue exploring lightweight data-flow profiling; specifically, to lower run-time costs and to combine this profiling with control-flow coverage to maximize bug-finding potential.

show abstract

DatAFLow : Toward a Data-flow-guided Fuzzer

Herrera

Payer

Hosking

2023

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

This Replicating Computational Report (RCR) describes (a) our datAFLow fuzzer, and (b) how to replicate the results in “ datAFLow : Toward a Data-Flow-Guided Fuzzer”. Our primary artifact is the datAFLow fuzzer. Unlike traditional coverage-guided greybox fuzzers—which use control-flow coverage to drive program exploration— datAFLow uses data-flow coverage to drive exploration. This is achieved through a set of LLVM-based analyses and transformations. In addition to datAFLow , we also provide a set of tools, scripts, and patches for (a) statically analyzing data flows in a target program, (b) compiling a target program with the datAFLow instrumentation, (c) evaluating datAFLow on the Magma benchmark suite, and (d) evaluating datAFLow on the DDFuzz dataset. datAFLow is available at https://github.com/HexHive/datAFLow.

show abstract

datAFLow: Towards a Data-Flow-Guided Fuzzer

Cited by 5 publications

References 42 publications

Predictive Context-sensitive Fuzzing

Predictive Context-sensitive Fuzzing

DatAFLow : Toward a Data-Flow-Guided Fuzzer

DatAFLow : Toward a Data-flow-guided Fuzzer

Contact Info

Product

Resources

About