Mining hot calling contexts in small space

D’Elia, Daniele Cono; Demetrescu, Camil; Finocchi, Irene

doi:10.1002/spe.2348

Cited by 11 publications

(5 citation statements)

References 63 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…WEIZZ computes context-sensitivity information for branch coverage and comparison tables by maintaining a shadow call stack in QEMU. To deal with the often large number of contexts in programs [32], like in ANGORA we extend the number of buckets in the coverage map from 2 16 as in AFL to 2 18 , and compute the index using the source and destination basic block addresses and a one-word hash of the call stack. In the ANGORA experience, context-sensitive branch coverage may let a fuzzer explore programs more pervasively [9].…”

Section: Methodsmentioning

confidence: 99%

WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats

Fioraldi,

D'Elia,

Coppa

2019

Preprint

Self Cite

View full text Add to dashboard Cite

Fuzzing technologies have evolved at a fast pace in recent years, revealing bugs in programs with ever increasing depth and speed. Applications working with complex formats are however more difficult to take on, as inputs need to meet certain format-specific characteristics to get through the initial parsing stage and reach deeper behaviors of the program.Unlike prior proposals based on manually written format specifications, in this paper we present a technique to automatically generate and mutate inputs for unknown chunk-based binary formats. We propose a technique to identify dependencies between input bytes and comparison instructions, and later use them to assign tags that characterize the processing logic of the program. Tags become the building block for structureaware mutations involving chunks and fields of the input.We show that our techniques performs comparably to structure-aware fuzzing proposals that require human assistance. Our prototype implementation WEIZZ revealed 11 unknown bugs in widely used programs.

show abstract

Section: Methodsmentioning

confidence: 99%

WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats

Fioraldi,

D'Elia,

Coppa

2019

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Due to their sheer number, a static enumeration of calling contexts is often unfeasible [65], and even space-efficient dynamic methods need wide identifiers to keep collisions low [66]. Furthermore, for complex programs, short executions often result in dozens of million distinct contexts [13], [67]. Unlike cloning, these techniques incur non-negligible temporal or spatial overheads, hindering an effective composition with local feedbacks used by fuzzers.…”

Section: Related Workmentioning

confidence: 99%

Predictive Context-sensitive Fuzzing

Borrello,

Fioraldi,

D'Elia

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Coverage-guided fuzzers expose bugs by progressively mutating testcases to drive execution to new program locations. Code coverage is currently the most effective and popular exploration feedback. For several bugs, though, also how execution reaches a buggy program location may matter: for those, only tracking what code a testcase exercises may lead fuzzers to overlook interesting program states. Unfortunately, context-sensitive coverage tracking comes with an inherent state explosion problem. Existing attempts to implement contextsensitive coverage-guided fuzzers struggle with it, experiencing non-trivial issues for precision (due to coverage collisions) and performance (due to context tracking and queue/map explosion).In this paper, we show that a much more effective approach to context-sensitive fuzzing is possible. First, we propose function cloning as a backward-compatible instrumentation primitive to enable precise (i.e., collision-free) context-sensitive coverage tracking. Then, to tame the state explosion problem, we argue to account for contextual information only when a fuzzer explores contexts selected as promising. We propose a prediction scheme to identify one pool of such contexts: we analyze the data-flow diversity of the incoming argument values at call sites, exposing to the fuzzer a contextually refined clone of the callee if the latter sees incoming abstract objects that its uses at other sites do not.Our work shows that, by applying function cloning to program regions that we predict to benefit from context-sensitivity, we can overcome the aforementioned issues while preserving, and even improving, fuzzing effectiveness. On the FuzzBench suite, our approach largely outperforms state-of-the-art coverageguided fuzzing embodiments, unveiling more and different bugs without incurring explosion or other apparent inefficiencies. On these heavily tested subjects, we also found 8 enduring security issues in 5 of them, with 6 CVE identifiers issued.

show abstract

“…The second facility is a shadow stack to track the calling context (i.e., the sequence of functions currently active on the stack [34]) of heap allocations. This information is crucial to track the origin of heap blocks that later get involved in memory violations.…”

Section: Qasan Extension For Qemumentioning

confidence: 99%

Fuzzing Binaries for Memory Safety Errors with QASan

Fioraldi

D’Elia

Querzoni

2020

2020 IEEE Secure Development (SecDev)

Self Cite

View full text Add to dashboard Cite

Fuzz testing techniques are becoming pervasive for their ever-improving ability to generate crashing trial cases for programs. Memory safety violations however can lead to silent corruptions and errors, and a fuzzer may recognize them only in the presence of sanitization machinery. For closed-source software combining sanitization with fuzzing incurs practical obstacles that we try to tackle with an architecture-independent proposal called QASan for detecting heap memory violations. In our tests QASan is competitive with standalone sanitizers and adds a moderate 1.61x average slowdown to the AFL++ fuzzer while enabling it to reveal more heap-related bugs.

show abstract

Mining hot calling contexts in small space

Cited by 11 publications

References 63 publications

WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats

WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats

Predictive Context-sensitive Fuzzing

Fuzzing Binaries for Memory Safety Errors with QASan

Contact Info

Product

Resources

About