VUzzer: Application-aware Evolutionary Fuzzing

Rawat, Sanjay; Jain, Vivek; Kumar, Ashish; Cojocar, Lucian; Giuffrida, Cristiano; Bos, Herbert

doi:10.14722/ndss.2017.23404

Cited by 450 publications

(485 citation statements)

References 24 publications

(43 reference statements)

Supporting

Mentioning

484

Contrasting

Unclassified

Order By: Relevance

“…Control flow and data flow features have been used to guide the fuzzing process [4] , while semantic features are rarely considered. We observe that some program operations are more likely to fail the program or introduce a vulnerability, while other operations are not.…”

Section: Semantic Featuresmentioning

confidence: 99%

“…Previous work has proved that better code coverage results in higher probability of finding bugs [5] . Thus, state-of-the-art fuzzers like AFL [7] and Vuzzer [4] employ a coverage-based fuzzing strategy. More specifically, program control flow is interpreted as a graph, and vertices are used to represent basic blocks, edges are used to represent transitions between the basic blocks.…”

Section: Introductionmentioning

confidence: 99%

“…However, it treats all newly discovered edges equally and select seeds in sequence, thus cannot select the most promising ones to mutate. AFLFast [3] and Vuzzer [4] improve the seed selection strategy to improve the efficiency or effectiveness of bug finding. AFLFast measures the frequency of all exercised paths, selects seeds that have been fuzzed fewer, and allocates more energy to seeds that exercise low-frequent paths.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Semantic Sensitive Coverage-based Fuzzing

Li¹,

Zhang²

2018

dtcse

View full text Add to dashboard Cite

Abstract. Coverage-based fuzzing is widely used in finding program bugs. While state-of-the-art coverage-based fuzzers, either ignore the differences between newly discovered edges or consider only control flow features (e.g., depth) when prioritizing seeds for mutation. In this paper, we propose a semantic sensitive coverage-based fuzzing solutions, SSFuzzer. When new edges are discovered during fuzzing, it evaluates the semantic features of the new edges and update the weights of testcases. Seeds with heavier weights will first be picked to mutate and be given more energy to mutate (i.e., more testcases will be generated). We evaluate not only positive semantic features (e.g., memory access) but also negative ones (e.g., error handling) of edges. We implemented a prototype based on AFL. Experiment results demonstrate that SSFuzzer can discover vulnerabilities faster.

show abstract

Section: Semantic Featuresmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Semantic Sensitive Coverage-based Fuzzing

Li¹,

Zhang²

2018

dtcse

View full text Add to dashboard Cite

show abstract

“…The fuzzing discipline has evolved from its very beginnings [9] in 1990 to an active area of research providing advanced testing frameworks [1,2,11,14,15]. Beyond generational (format-aware) and mutational (format-blind) fuzzers we can generally distinguish between feedback-driven and black-box fuzzers.…”

Section: Related Workmentioning

confidence: 99%

“…Recent research focuses on advancing single fuzzers [2,11,15] and optimal scheduling of fuzzers, test case corpora, and targets during fuzzing campaigns [19]. But how can we optimize the interaction between fuzzers?…”

mentioning

confidence: 99%

Chemotactic Test Case Recombinationfor Large-Scale Fuzzing

Böttinger

2017

JCSM

View full text Add to dashboard Cite

We present a bio-inspired method for large-scale fuzzing to detect vulnerabilities in binary executables. In our approach we deploy small groups of feedback-driven explorers that guide colonies of high throughput fuzzers to promising regions in input space. We achieve this by applying the biological concept of chemotaxis: The explorer fuzzers mark test case regions that drive the target binary to previously undiscovered execution paths with an attractant. This allows us to construct a force of attraction that draws the trailing fuzzers to high-quality test cases. By introducing hierarchies of explorers we construct a colony of fuzzers that is divided into multiple subgroups. Each subgroup is guiding a trailing group and simultaneously drawn itself by the traces of their respective explorers. We implement a prototype and evaluate our presented algorithm to show the feasibility of our approach.

show abstract

Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware

Gao¹,

Dong²,

Chang

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

Summary Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

show abstract

VUzzer: Application-aware Evolutionary Fuzzing

Cited by 450 publications

References 24 publications

Semantic Sensitive Coverage-based Fuzzing

Semantic Sensitive Coverage-based Fuzzing

Chemotactic Test Case Recombinationfor Large-Scale Fuzzing

Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware

Contact Info

Product

Resources

About