T-Fuzz: Fuzzing by Program Transformation

Peng, Hui; Shoshitaishvili, Yan; Payer, Mathias

doi:10.1109/sp.2018.00056

Cited by 217 publications

(154 citation statements)

References 21 publications

Supporting

Mentioning

151

Contrasting

Unclassified

Order By: Relevance

“…Our work builds on coverage-based greybox fuzzing (CGF) [31], [37], which is a popular and effective approach for software vulnerability detection. The AFL fuzzer [31] and its extensions [1], [2], [7], [11], [17], [18], [21], [27] constitute the most widely used embodiment of CGF. CGF is a promising middle ground between blackbox and whitebox fuzzing.…”

Section: Related Workmentioning

confidence: 99%

Smart Greybox Fuzzing

Pham

Böhme

Santosa³

et al. 2020

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Coverage-based greybox fuzzing (CGF) is one of the most successful methods for automated vulnerability detection. Given a seed file (as a sequence of bits), CGF randomly flips, deletes or bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining those generated files which enhance coverage. However, random bitflips are unlikely to produce valid files (or valid chunks in files), for applications processing complex file formats.In this work, we introduce smart greybox fuzzing (SGF) which leverages a high-level structural representation of the seed file to generate new files. We define innovative mutation operators that work on the virtual file structure rather than on the bit level which allows SGF to explore completely new input domains while maintaining file validity. We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic.Our evaluation demonstrates the effectiveness of SGF. On several libraries that parse structurally complex files, our tool AFLSMART explores substantially more paths (up to 200%) and exposes more vulnerabilities than baseline AFL. Our tool AFLSMART has discovered 42 zero-day vulnerabilities in widely-used, well-tested tools and libraries; so far 17 CVEs were assigned.

show abstract

Section: Related Workmentioning

confidence: 99%

Smart Greybox Fuzzing

Pham

Böhme

Santosa³

et al. 2020

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…Prior work has seeded fuzzing by replaying sequences of kernel API calls [25], commands from Android apps to smart IoT Devices [18], and input provided by human assistants [55]. Recent techniques for improving code coverage during fuzz testing include introducing selective symbolic execution [58], control-and data-flow analysis on the program under test [50], reducing collisions in code coverage measurements [23], and altering the program under test [46]. Prior work applies existing fuzz testers to discover AC vulnerabilities in whole programs [37], [47], and in Java programs by combining fuzz testing with symbolic execution [43] or seeding black box fuzzing with information taken from program traces [40].…”

Section: Fuzz Testingmentioning

confidence: 99%

“…Indeed, these tools are evaluated by the slowdown they can achieve for a given program, as opposed to the amount of code they successfully cover. Achieving high code coverage on any program under test is a notoriously difficult task because common program patterns like comparing input to magic values or checksum tests are difficult to bypass using fuzzing alone, although program transformation tricks like splitting each comparison into a series of one byte comparisons [36] or simply removing them from the program [46] can improve coverage. Augmenting fuzzing with advanced techniques like taint analysis [50] or symbolic execution [44], [58] helps overcome these fuzzing roadblocks, and RedQueen [12] showed how advanced tracing hardware can emulate these more heavyweight techniques by providing a fuzzer with enough information to establish correspondence between program inputs and internal program state.…”

Section: Introductionmentioning

confidence: 99%

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Blair¹,

Mambretti²,

Arshad³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Fifteen billion devices run Java and many of them are connected to the Internet. As this ecosystem continues to grow, it remains an important task to discover any unknown security threats these devices face. Fuzz testing repeatedly runs software on random inputs in order to trigger unexpected program behaviors, such as crashes or timeouts, and has historically revealed serious security vulnerabilities. Contemporary fuzz testing techniques focus on identifying memory corruption vulnerabilities that allow adversaries to achieve either remote code execution or information disclosure. Meanwhile, Algorithmic Complexity (AC) vulnerabilities, which are a common attack vector for denial-ofservice attacks, remain an understudied threat.In this paper, we present HotFuzz, a framework for automatically discovering AC vulnerabilities in Java libraries. HotFuzz uses micro-fuzzing, a genetic algorithm that evolves arbitrary Java objects in order to trigger the worst-case performance for a method under test. We define Small Recursive Instantiation (SRI) as a technique to derive seed inputs represented as Java objects to micro-fuzzing. After micro-fuzzing, HotFuzz synthesizes test cases that triggered AC vulnerabilities into Java programs and monitors their execution in order to reproduce vulnerabilities outside the fuzzing framework. HotFuzz outputs those programs that exhibit high CPU utilization as witnesses for AC vulnerabilities in a Java library.We evaluate HotFuzz over the Java Runtime Environment (JRE), the 100 most popular Java libraries on Maven, and challenges contained in the DARPA Space and Time Analysis for Cybersecurity (STAC) program. We evaluate SRI's effectiveness by comparing the performance of micro-fuzzing with SRI, measured by the number of AC vulnerabilities detected, to simply using empty values as seed inputs. In this evaluation, we verified known AC vulnerabilities, discovered previously unknown AC vulnerabilities that we responsibly reported to vendors, and received confirmation from both IBM and Oracle. Our results demonstrate that micro-fuzzing finds AC vulnerabilities in realworld software, and that micro-fuzzing with SRI-derived seed inputs outperforms using empty values.

show abstract

“…Steelix [26] and REDQUEEN [4] detect magic bytes checking and infer their input offsets to solve them without taint analysis. T-Fuzz ignores input checks in the original program and leverages symbolic execution to filter false positives and reproduce true bugs [28]. TaintScopre fixs checksum values in the generated inputs using symbolic execution [37].…”

Section: Related Work 71 Solving Complicated Constraintsmentioning

confidence: 99%

“…Taintscope [37] uses taint tracking to infer checksum-handling code and bypasses these checks using control flow alteration since these checks are hard to satisfy when mutating the input. T-Fuzz [28] detects complex checks without taint tracking. Both approaches use symbolic execution to generate valid input that would solve target constraints.…”

Section: Using Taint Tracking To Guide Fuzzingmentioning

confidence: 99%

Matryoshka

Chen¹,

Liu

Chen

2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Greybox fuzzing has made impressive progress in recent years, evolving from heuristics-based random mutation to solving individual branch constraints. However, they have difficulty solving path constraints that involve deeply nested conditional statements, which are common in image and video decoders, network packet analyzers, and checksum tools. We propose an approach for addressing this problem. First, we identify all the control flow-dependent conditional statements of the target conditional statement. Next, we select the taint flow-dependent conditional statements. Finally, we use three strategies to find an input that satisfies all conditional statements simultaneously. We implemented this approach in a tool called Matryoshka 1 and compared its effectiveness on 13 open source programs with other state-of-the-art fuzzers. Matryoshka achieved significantly higher cumulative line and branch coverage than AFL, QSYM, and Angora. We manually classified the crashes found by Matryoshka into 41 unique new bugs and obtained 12 CVEs. Our evaluation demonstrates the key technique contributing to Matryoshka's impressive performance: among the nesting constraints of a target conditional statement, Matryoshka collects only those that may cause the target unreachable, which greatly simplifies the path constraint that it has to solve. CCS CONCEPTS• Security and privacy → Software security engineering; • Software and its engineering → Software testing and debugging.

show abstract

T-Fuzz: Fuzzing by Program Transformation

Cited by 217 publications

References 21 publications

Smart Greybox Fuzzing

Smart Greybox Fuzzing

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Matryoshka

Contact Info

Product

Resources

About