ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery

You, Wei; Wang, Xueqiang; Ma, Shiqing; Huang, Jianjun; Zhang, Xiangyu; Liang, Bin

doi:10.1109/sp.2019.00057

Cited by 92 publications

(70 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Generally, input mutation can also be viewed as input prioritization: if we see the input space as all the combinations of bytes, then input mutation prioritizes a subset of inputs from the input space by mutation. Previous work design comprehensive mutation strategies [12,26,31,58] and optimal mutation scheduling approaches [36]. These input mutation approaches are all complementary to our proposed input prioritization scheme.…”

Section: Input Mutation and Energy Assignmentmentioning

confidence: 99%

“…Wang et al [53] apply the address rather than the count of memory access. Type-aware fuzzers such as Angora [12], TIFF [26], and ProFuzzer [58] identify inputs that associated to specific memory operations and mutate towards targeted programs or patterns, but they cause higher overhead due to type inference, and that input mutation is separate from input prioritization in our context that could be complementary to our approach.…”

Section: Coverage Accountingmentioning

confidence: 99%

See 1 more Smart Citation

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

Wang¹,

Jia²,

Liu³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Coverage-based fuzzing has been actively studied and widely adopted for finding vulnerabilities in real-world software applications. With coverage information, such as statement coverage and transition coverage, as the guidance of input mutation, coverage-based fuzzing can generate inputs that cover more code and thus find more vulnerabilities without prerequisite information such as input format. Current coveragebased fuzzing tools treat covered code equally. All inputs that contribute to new statements or transitions are kept for future mutation no matter what the statements or transitions are and how much they impact security. Although this design is reasonable from the perspective of software testing that aims at full code coverage, it is inefficient for vulnerability discovery since that 1) current techniques are still inadequate to reach full coverage within a reasonable amount of time, and that 2) we always want to discover vulnerabilities early so that it can be fixed promptly. Even worse, due to the non-discriminative code coverage treatment, current fuzzing tools suffer from recent anti-fuzzing techniques and become much less effective in finding vulnerabilities from programs enabled with anti-fuzzing schemes. To address the limitation caused by equal coverage, we propose coverage accounting, a novel approach that evaluates coverage by security impacts. Coverage accounting attributes edges by three metrics based on three different levels: function, loop and basic block. Based on the proposed metrics, we design a new scheme to prioritize fuzzing inputs and develop TortoiseFuzz, a greybox fuzzer for finding memory corruption vulnerabilities. We evaluated TortoiseFuzz on 30 real-world applications and compared it with 6 state-of-the-art greybox and hybrid fuzzers: AFL, AFLFast, FairFuzz, MOPT, QSYM, and Angora. Statistically, TortoiseFuzz found more vulnerabilities than 5 out of 6 fuzzers (AFL, AFLFast, FairFuzz, MOPT, and Angora), and it had a comparable result to QSYM yet only consumed around 2% of QSYM's memory usage on average. We also compared coverage accounting metrics with two other metrics, AFL-Sensitive and LEOPARD, and TortoiseFuzz performed significantly better than both metrics in finding vulnerabilities. Furthermore, we applied the coverage accounting metrics to QSYM and noticed that coverage accounting helps increase the number of discovered vulnerabilities by 28.6% on average. TortoiseFuzz found 20 zero-day vulnerabilities with 15 confirmed with CVE identifications.

show abstract

Section: Input Mutation and Energy Assignmentmentioning

confidence: 99%

Section: Coverage Accountingmentioning

confidence: 99%

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

Wang¹,

Jia²,

Liu³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Many tools [8], [12], [14], [29], [20], [13], [30] apply various techniques to boost the fuzzing process. AFLFast, AFLGo, CollAFL, and VUzzer focus on improving the seed selection.…”

Section: Mutation-based Fuzzingmentioning

confidence: 99%

“…It also uses taint analysis to help mutate seeds. FairFuzz [13], ProFuzzer [30], and MOPT [15] focus on improving the seed mutation. FairFuzz only mutates seeds which hit rare branches and it strives to ensure the mutant seeds still hit the rarest ones.…”

Section: Mutation-based Fuzzingmentioning

confidence: 99%

DeepFuzzer: Accelerated Deep Greybox Fuzzing

Liang

Jiang

Wang

et al. 2020

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Fuzzing is one of the most effective vulnerability detection techniques, widely used in practice. However, the performance of fuzzers may be limited by their inability to pass complicated checks, inappropriate mutation frequency, arbitrary mutation strategy, or the variability of the environment. In this paper, we present DeepFuzzer, an enhanced greybox fuzzer with qualified seed generation, balanced seed selection, and hybrid seed mutation. First, we use symbolic execution in a lightweight approach to generate qualified initial seeds which then guide the fuzzer through complex checks. Second, we apply a statistical seed selection algorithm to balance the mutation frequency between different seeds. Further, we develop a hybrid mutation strategy. The random and restricted mutation strategies are combined to maintain a dynamic balance between global exploration and deep search. We evaluate DeepFuzzer on the widely used benchmark Google fuzzer-test-suite which consists of real-world programs. Compared with AFL, AFLFast, FairFuzz, QSYM, and MOPT in the 24-hour experiment, DeepFuzzer discovers 30%, 240%, 102%, 147%, and 257% more unique crashes, executes 40%, 36%, 36%, 98%, and 15% more paths, and covers 37%, 34%, 34%, 101%, and 11% more branches, respectively. Furthermore, we present the practice of fuzzing a message middleware from Huawei with DeepFuzzer, and 9 new vulnerabilities are reported.

show abstract

“…This is based on the intuition that most inputs generated by the fuzzers are invalid inputs which will Chapter 2. Related Work [9] AFLGo [12] FairFuzz [13] Vuzzer [14] Angora [15] CollAFL [16] Hawkeye [1] Slowfuzz [17] Perffuzz [18] Driller [19] Qsym [20] Redqueen [21] Mopt [22] Savior [23] Zest [24] GRIMOIRE [25] Superion [26] Profuzzer [27] [28] [29] UnTracer [30] be rejected by the tested program before executing the main processing logic. Thus, the frequently visited branches are more likely to be shallow code which is bug-free, increasing the importance of seed inputs which execute low frequency branches.…”

Section: Seed Selection and Power Schedulingmentioning

confidence: 99%

Semantic-based vulnerability analysis of software

Li¹

View full text Add to dashboard Cite

The contributions of the co-authors are as follows: • Hongxu and I were the lead authors. We share equal contribution. We wrote the code and conducted the experiments together. I received a lot of help and love during my Ph.D. study from many people. No words can fully express my thankfulness but I do want to thank some of them explicitly here. First, I would like to thank my supervisor Prof. Yang Liu for his precious guidance and constructive feedback. His passion for research and work has influenced me a lot. His knowledge and experience provides me guidance and courage to solve different research problems. His selfless support helped me to get through the difficult periods. Second, I would like to specially thank my senior Hongxu Chen. He is very knowledgeable and generous. I have collaborated with him for many works and he has shown admirable perseverance and talents during research. I would also like to thank Dr. Alwen Tiu, Dr. Bihuan Chen and Dr. Lei Wei as they are the very first people who helped me during my Ph.D. study. Their valuable support and help have guided me to get on the right track of research.

show abstract

ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery

Cited by 92 publications

References 26 publications

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

DeepFuzzer: Accelerated Deep Greybox Fuzzing

Semantic-based vulnerability analysis of software

Contact Info

Product

Resources

About