NEUZZ: Efficient Fuzzing with Neural Program Smoothing

2019 IEEE Symposium on Security and Privacy (SP) Pub Date : 2018-07-15 DOI:10.1109/SP.2019.00052

Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, S. Jana

{"title":"NEUZZ: Efficient Fuzzing with Neural Program Smoothing","authors":"Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, S. Jana","doi":"10.1109/SP.2019.00052","DOIUrl":null,"url":null,"abstract":"Fuzzing has become the de facto standard technique for finding software vulnerabilities. However, even state-of-the-art fuzzers are not very efficient at finding hard-to-trigger software bugs. Most popular fuzzers use evolutionary guidance to generate inputs that can trigger different bugs. Such evolutionary algorithms, while fast and simple to implement, often get stuck in fruitless sequences of random mutations. Gradient-guided optimization presents a promising alternative to evolutionary guidance. Gradient-guided techniques have been shown to significantly outperform evolutionary algorithms at solving high-dimensional structured optimization problems in domains like machine learning by efficiently utilizing gradients or higher-order derivatives of the underlying function. However, gradient-guided approaches are not directly applicable to fuzzing as real-world program behaviors contain many discontinuities, plateaus, and ridges where the gradient-based methods often get stuck. We observe that this problem can be addressed by creating a smooth surrogate function approximating the target program’s discrete branching behavior. In this paper, we propose a novel program smoothing technique using surrogate neural network models that can incrementally learn smooth approximations of a complex, real-world program's branching behaviors. We further demonstrate that such neural network models can be used together with gradient-guided input generation schemes to significantly increase the efficiency of the fuzzing process. Our extensive evaluations demonstrate that NEUZZ significantly outperforms 10 state-of-the-art graybox fuzzers on 10 popular real-world programs both at finding new bugs and achieving higher edge coverage. NEUZZ found 31 previously unknown bugs (including two CVEs) that other fuzzers failed to find in 10 real-world programs and achieved 3X more edge coverage than all of the tested graybox fuzzers over 24 hour runs. Furthermore, NEUZZ also outperformed existing fuzzers on both LAVA-M and DARPA CGC bug datasets.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-07-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"142","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00052","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 142

Abstract

Fuzzing has become the de facto standard technique for finding software vulnerabilities. However, even state-of-the-art fuzzers are not very efficient at finding hard-to-trigger software bugs. Most popular fuzzers use evolutionary guidance to generate inputs that can trigger different bugs. Such evolutionary algorithms, while fast and simple to implement, often get stuck in fruitless sequences of random mutations. Gradient-guided optimization presents a promising alternative to evolutionary guidance. Gradient-guided techniques have been shown to significantly outperform evolutionary algorithms at solving high-dimensional structured optimization problems in domains like machine learning by efficiently utilizing gradients or higher-order derivatives of the underlying function. However, gradient-guided approaches are not directly applicable to fuzzing as real-world program behaviors contain many discontinuities, plateaus, and ridges where the gradient-based methods often get stuck. We observe that this problem can be addressed by creating a smooth surrogate function approximating the target program’s discrete branching behavior. In this paper, we propose a novel program smoothing technique using surrogate neural network models that can incrementally learn smooth approximations of a complex, real-world program's branching behaviors. We further demonstrate that such neural network models can be used together with gradient-guided input generation schemes to significantly increase the efficiency of the fuzzing process. Our extensive evaluations demonstrate that NEUZZ significantly outperforms 10 state-of-the-art graybox fuzzers on 10 popular real-world programs both at finding new bugs and achieving higher edge coverage. NEUZZ found 31 previously unknown bugs (including two CVEs) that other fuzzers failed to find in 10 real-world programs and achieved 3X more edge coverage than all of the tested graybox fuzzers over 24 hour runs. Furthermore, NEUZZ also outperformed existing fuzzers on both LAVA-M and DARPA CGC bug datasets.

查看原文本刊更多论文

NEUZZ:有效模糊与神经程序平滑

模糊测试实际上已经成为发现软件漏洞的标准技术。然而，即使是最先进的fuzzers在发现难以触发的软件漏洞方面也不是很有效。大多数流行的fuzzers使用进化指导来生成可以触发不同bug的输入。这种进化算法虽然快速且易于实现，但常常陷入无果的随机突变序列中。梯度导向优化是一种很有前途的替代进化导向的方法。通过有效地利用梯度或底层函数的高阶导数，梯度引导技术已被证明在解决机器学习等领域的高维结构化优化问题方面明显优于进化算法。然而，梯度引导的方法并不能直接应用于模糊测试，因为现实世界的程序行为包含许多不连续、高原和山脊，而基于梯度的方法往往会在这些地方陷入困境。我们观察到，这个问题可以通过创建一个光滑的代理函数来解决，该函数近似于目标程序的离散分支行为。在本文中，我们提出了一种新的程序平滑技术，该技术使用代理神经网络模型，可以增量地学习复杂的，现实世界程序分支行为的光滑近似。我们进一步证明，这种神经网络模型可以与梯度引导的输入生成方案一起使用，以显着提高模糊过程的效率。我们的广泛评估表明，NEUZZ在10个流行的现实世界程序中，在发现新漏洞和实现更高的边缘覆盖方面，明显优于10个最先进的灰盒模糊器。NEUZZ发现了31个以前未知的错误(包括两个cve)，这些错误是其他fuzzers在10个实际程序中未能发现的，并且在24小时的运行中实现了比所有测试的灰盒fuzzers多3倍的边缘覆盖率。此外，NEUZZ在LAVA-M和DARPA CGC bug数据集上也优于现有的fuzzers。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量