WEIZZ: automatic grey-box fuzzing for structured binary formats

Fioraldi, Andrea; D’Elia, Daniele Cono; Coppa, Emilio

doi:10.1145/3395363.3397372

Cited by 43 publications

(29 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Beside the memory corruptions we found in the state log experiment in Section V-D and the novel crashes found in the CGC dataset, we also performed experiments on other software to further demonstrate that IJON is useful for finding security bugs. In particular, we picked dmg2img, a tool that was very recently fuzzed by the authors of WEIZZ [18]. We applied patches for the vulnerabilities found, and continued fuzzing using IJON.…”

Section: G Real-world Softwarementioning

confidence: 99%

Ijon: Exploring Deep State Spaces via Fuzzing

Aschermann

Schumilo

Abbasi

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

Section: G Real-world Softwarementioning

confidence: 99%

Ijon: Exploring Deep State Spaces via Fuzzing

Aschermann

Schumilo

Abbasi

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…With it, variants of specific targets can also be written by experienced security testers. Fioraldi et al [30] proposed a new technique that can generate and mutate inputs automatically for the binary format of unknown basic blocks. This technique enables the input to meet the characteristics of certain formats during the initial analysis phase and enables deeper path access.…”

Section: Related Workmentioning

confidence: 99%

ReFuzz: A Remedy for Saturation in Coverage-Guided Fuzzing

Qian

Zhang

et al. 2021

Electronics

View full text Add to dashboard Cite

Coverage-guided greybox fuzzing aims at generating random test inputs to trigger vulnerabilities in target programs while achieving high code coverage. In the process, the scale of testing gradually becomes larger and more complex, and eventually, the fuzzer runs into a saturation state where new vulnerabilities are hard to find. In this paper, we propose a fuzzer, ReFuzz, that acts as a complement to existing coverage-guided fuzzers and a remedy for saturation. This approach facilitates the generation of inputs that lead only to covered paths by omitting all other inputs, which is exactly the opposite of what existing fuzzers do. ReFuzz takes the test inputs generated from the regular saturated fuzzing process and continue to explore the target program with the goal of preserving the code coverage. The insight is that coverage-guided fuzzers tend to underplay already covered execution paths during fuzzing when seeking to reach new paths, causing covered paths to be examined insufficiently. In our experiments, ReFuzz discovered tens of new unique crashes that AFL failed to find, of which nine vulnerabilities were submitted and accepted to the CVE database.

show abstract

“…WEIZZ [34] explores instead a different approach that flips one bit at a time on the entire input, checking after each bit flip which comparison operands have changed during the program execution, possibly suggesting a dependency between the altered bit and the affected branch conditions. While more accurate than colorization, this approach may incur a large overhead, especially in presence of large inputs.…”

Section: Coverage-based Grey-box Fuzzing An Orthogonal Approach To Se Is Coverage-based Grey-box Fuzzing (Cgf)mentioning

confidence: 99%

“…5 a 0 d b a, objdump 2.34, optipng 0.7.6, readelf 2.34, tcpdump 4.9.3 (libpcap 1.9.1), and tiff2pdf 4.1.0. These targets have been heavily fuzzed by the community [27], and used in previous evaluations of state-of-the-art fuzzers [4], [5], [10], [33], [34]. As seeds, we use the AFL test cases [1], or when missing, minimal syntactically valid files [40].…”

Section: Ev a L U A T Io Nmentioning

confidence: 99%

Fuzzing Symbolic Expressions

Borzacchiello

Coppa

Demetrescu

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Recent years have witnessed a wide array of results in software testing, exploring different approaches and methodologies ranging from fuzzers to symbolic engines, with a full spectrum of instances in between such as concolic execution and hybrid fuzzing. A key ingredient of many of these tools is Satisfiability Modulo Theories (SMT) solvers, which are used to reason over symbolic expressions collected during the analysis. In this paper, we investigate whether techniques borrowed from the fuzzing domain can be applied to check whether symbolic formulas are satisfiable in the context of concolic and hybrid fuzzing engines, providing a viable alternative to classic SMT solving techniques. We devise a new approximate solver, Fu z z y -Sa t , and show that it is both competitive with and complementary to state-of-the-art solvers such as Z3 with respect to handling queries generated by hybrid fuzzers.

show abstract

WEIZZ: automatic grey-box fuzzing for structured binary formats

Cited by 43 publications

References 22 publications

Ijon: Exploring Deep State Spaces via Fuzzing

Ijon: Exploring Deep State Spaces via Fuzzing

ReFuzz: A Remedy for Saturation in Coverage-Guided Fuzzing

Fuzzing Symbolic Expressions

Contact Info

Product

Resources

About