Ijon: Exploring Deep State Spaces via Fuzzing

Aschermann, Cornelius; Schumilo, Sergej; Abbasi, Ali; Holz, Thorsten

doi:10.1109/sp40000.2020.00117

Cited by 76 publications

(59 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Across many cycles, AFL learns to produce interesting inputs as it expands the code coverage map. Although simple, this strategy is surprisingly successful: several recent advanced fuzzers [4,9,14] follow the same high-level process. Overall, AFL-style, greybox fuzzing has proven extremely successful on Linux systems.…”

Section: Background: Why Harness Generation?mentioning

confidence: 99%

“…Although most recent research efforts focus on improving fuzzing Linux applications [4,9,14,22,39,50,69], Windows programs are also vulnerable to memory safety issues. Past researchers have uncovered many vulnerabilities by performing a manual audit [43].…”

Section: Background: Why Harness Generation?mentioning

confidence: 99%

“…Recent fuzzing efforts have found thousands of vulnerabilities in opensource projects [12,28,52,62]. There are continuous efforts to make fuzzing faster [4,9,53] and smarter [60,65,67].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

Jung

Tong²,

Hong³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Fuzzing is an emerging technique to automatically validate programs and uncover bugs. It has been widely used to test many programs and has found thousands of security vulnerabilities. However, existing fuzzing efforts are mainly centered around Unix-like systems, as Windows imposes unique challenges for fuzzing: a closed-source ecosystem, the heavy use of graphical interfaces and the lack of fast process cloning machinery. In this paper, we propose two solutions to address the challenges Windows fuzzing faces. Our system, WINNIE, first tries to synthesize a harness for the application, a simple program that directly invokes target functions, based on sample executions. It then tests the harness, instead of the original complicated program, using an efficient implementation of fork on Windows. Using these techniques, WINNIE can bypass irrelevant GUI code to test logic deep within the application. We used WINNIE to fuzz 59 closed-source Windows binaries, and it successfully generated valid fuzzing harnesses for all of them. In our evaluation, WINNIE can support 2.2× more programs than existing Windows fuzzers could, and identified 3.9× more program states and achieved 26.6× faster execution. In total, WINNIE found 61 unique bugs in 32 Windows binaries.

show abstract

Section: Background: Why Harness Generation?mentioning

confidence: 99%

Section: Background: Why Harness Generation?mentioning

confidence: 99%

See 1 more Smart Citation

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

Jung

Tong²,

Hong³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Greybox fuzzing (mainly coverage-based) has already been widely used in the security industry [3,10]. It is also a hot research topic; many fuzzers like AFLFast [5], CollAFL [11], Angora [12], QSYM [13], MOPT [14], and IJON [16] are proposed.…”

Section: Related Workmentioning

confidence: 99%

“…Though coverage-based fuzzing usually does not need sophisticated program analysis or the grammar of program input like whitebox fuzzing [9], it is shown to be able to gradually exercise different parts of the program and discover many vulnerabilities [3]. Now, coverage-based fuzzing is being both used by the security industry [3,10] and researched by the academia [5,[11][12][13][14][15][16].…”

Section: Introductionmentioning

confidence: 99%

MultiFuzz: A Coverage-Based Multiparty-Protocol Fuzzer for IoT Publish/Subscribe Protocols

Zeng

Lin

Guo

et al. 2020

Sensors

View full text Add to dashboard Cite

The publish/subscribe model has gained prominence in the Internet of things (IoT) network, and both Message Queue Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) support it. However, existing coverage-based fuzzers may miss some paths when fuzzing such publish/subscribe protocols, because they implicitly assume that there are only two parties in a protocol, which is not true now since there are three parties, i.e., the publisher, the subscriber and the broker. In this paper, we propose MultiFuzz, a new coverage-based multiparty-protocol fuzzer. First, it embeds multiple-connection information in a single input. Second, it uses a message mutation algorithm to stimulate protocol state transitions, without the need of protocol specifications. Third, it uses a new desockmulti module to feed the network messages into the program under test. desockmulti is similar to desock (Preeny), a tool widely used by the community, but it is specially designed for fuzzing and is 10x faster. We implement MultiFuzz based on AFL, and use it to fuzz two popular projects Eclipse Mosquitto and libCoAP. We reported discovered problems to the projects. In addition, we compare MultiFuzz with AFL and two state-of-the-art fuzzers, MOPT and AFLNET, and find it discovering more paths and crashes.

show abstract

The progress, challenges, and perspectives of directed greybox fuzzing

Wang,

Zhou,

Yue

et al. 2023

Software Testing Verif & Rel

View full text Add to dashboard Cite

SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.

show abstract

Ijon: Exploring Deep State Spaces via Fuzzing

Abstract: Fig. 1: AFL and AFL + IJON trying to defeat Bowser in Super Mario Bros. (Level 3-4). The lines are the traces of all runs found by the fuzzer.

Cited by 76 publications

References 34 publications

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

MultiFuzz: A Coverage-Based Multiparty-Protocol Fuzzer for IoT Publish/Subscribe Protocols

The progress, challenges, and perspectives of directed greybox fuzzing

Contact Info

Product

Resources

About