Abstract:Buffer-overruns are a prevalent vulnerability in software libraries and applications. Fuzz testing is one of the effective techniques to detect vulnerabilities in general. Greybox fuzzers such as AFL automatically generate a sequence of test inputs for a given program using a fitness-guided search process. A recently proposed approach in the literature introduced a buffer-overrun specific fitness metric called "headroom", which tracks how close each generated test input comes to exposing the vulnerabilities. T… Show more
“…Meanwhile, CVE information, commit changes, binary diffing techniques, and tools such as UBSan and AddressSanitizer, are adopted to label various potential vulnerable code regions. Examples include DrillerGo [28], TortoiseFuzz [27], AFLChurn [26], GREY-HOUND [15], DeltaFuzz [25], 1DVUL [23], SAVIOR [100] and HDR-Fuzz [101]. • The fuzzing process has been enhanced with various approaches, such as using data-flow analysis and semantic analysis to generate valid input, using symbolic execution to pass complex constraints.…”
Section: Overviewmentioning
confidence: 99%
“…It defines the distance of constraints as how well a given seed satisfies the constraints and prioritizes the seeds that better satisfy the constraints in order. AFL-HR [81] and HDR-Fuzz [101] adopt a vulnerability-oriented fitness metric called headroom, which indicates how closely a test input can expose a hard-to-manifest vulnerability (e.g. buffer or integer overflow) at a given vulnerability location.…”
Section: Customized Fitness Metricsmentioning
confidence: 99%
“…For example, AFLChurn [26] leverages lightweight ant colony optimization instead of expensive taint analysis to find "interesting bytes" and realize a byte-level power scheduling; -Leverage parallel computing. For example, HDR-Fuzz [101] uses another core to run AddressSanitizer in parallel and provides guidance to the directedness. Large-scale parallel fuzzing [109,110] can also be adopted to improve efficiency further.…”
Section: Performance Deductionmentioning
confidence: 99%
“…Multi-dimensional fitness metrics are also proposed to detect hardto-manifest vulnerabilities. Examples include AFL-HR [81], HDRFuzz [101] and AFLPro [86]. • To facilitate target identification, tools based on machine learning can predict and label potential targets automatically, examples include SUZZER [31], V-Fuzz [30], DeFuzz [32], and SemFuzz [22].…”
SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.
“…Meanwhile, CVE information, commit changes, binary diffing techniques, and tools such as UBSan and AddressSanitizer, are adopted to label various potential vulnerable code regions. Examples include DrillerGo [28], TortoiseFuzz [27], AFLChurn [26], GREY-HOUND [15], DeltaFuzz [25], 1DVUL [23], SAVIOR [100] and HDR-Fuzz [101]. • The fuzzing process has been enhanced with various approaches, such as using data-flow analysis and semantic analysis to generate valid input, using symbolic execution to pass complex constraints.…”
Section: Overviewmentioning
confidence: 99%
“…It defines the distance of constraints as how well a given seed satisfies the constraints and prioritizes the seeds that better satisfy the constraints in order. AFL-HR [81] and HDR-Fuzz [101] adopt a vulnerability-oriented fitness metric called headroom, which indicates how closely a test input can expose a hard-to-manifest vulnerability (e.g. buffer or integer overflow) at a given vulnerability location.…”
Section: Customized Fitness Metricsmentioning
confidence: 99%
“…For example, AFLChurn [26] leverages lightweight ant colony optimization instead of expensive taint analysis to find "interesting bytes" and realize a byte-level power scheduling; -Leverage parallel computing. For example, HDR-Fuzz [101] uses another core to run AddressSanitizer in parallel and provides guidance to the directedness. Large-scale parallel fuzzing [109,110] can also be adopted to improve efficiency further.…”
Section: Performance Deductionmentioning
confidence: 99%
“…Multi-dimensional fitness metrics are also proposed to detect hardto-manifest vulnerabilities. Examples include AFL-HR [81], HDRFuzz [101] and AFLPro [86]. • To facilitate target identification, tools based on machine learning can predict and label potential targets automatically, examples include SUZZER [31], V-Fuzz [30], DeFuzz [32], and SemFuzz [22].…”
SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.
“…It helps the administrator to detect the attack and catch the intruder in real-time by sending a real-time message and email. The tool named Address Sanitizer has been implemented in GCC by Google to detect errors in memory [54]. It is used to detect Out-of-bounds, Use-after-free, and memory leaks.…”
Section: Compiler Based Mitigation Techniquesmentioning
Buffer Overflow (BOF) has been a ubiquitous security vulnerability for more than three decades, potentially compromising any software application or system. This vulnerability occurs primarily when someone attempts to write more bytes of data (shellcode) than a buffer can handle. To date, this primitive attack has been used to attack many different software systems, resulting in numerous buffer overflows. The most common type of buffer overflow is the stack overflow vulnerability, through which an adversary can gain admin privileges remotely, which can then be used to execute shellcode. Numerous mitigation techniques have been developed and deployed to reduce the likelihood of BOF attacks, but attackers still manage to bypass these techniques. A variety of mitigation techniques have been proposed and implemented on the hardware, operating system, and compiler levels. These techniques include No-EXecute (NX) and Address Space Layout Randomization (ASLR). The NX bit prevents the execution of malicious code by making various portions of the address space of a process inoperable. The ASLR algorithm randomly assigns addresses to various parts of the logical address space of a process as it is loaded in memory for execution. Position Independent Executable (PIE) and ASLR provide more robust protection by randomly generating binary segments. Read-only relocation (RELRO) protects the Global Offset Table (GOT) from overwriting attacks. StackGuard protects the stack by placing the canary before the return address in order to prevent stack smashing attacks. Despite all the mitigation techniques in place, hackers continue to be successful in bypassing them, making buffer overflow a persistent vulnerability. The current work aims to describe the stack-based buffer overflow vulnerability and review in detail the mitigation techniques reported in the literature as well as how hackers attempt to bypass them.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.