Directed Greybox Fuzzing

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pub Date : 2017-10-30 DOI:10.1145/3133956.3134020

Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, Abhik Roychoudhury

{"title":"Directed Greybox Fuzzing","authors":"Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, Abhik Roychoudhury","doi":"10.1145/3133956.3134020","DOIUrl":null,"url":null,"abstract":"Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stack-trace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.","PeriodicalId":191367,"journal":{"name":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","volume":"558 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"528","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3133956.3134020","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 528

Abstract

Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stack-trace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.

查看原文本刊更多论文

定向灰盒模糊

现有的Greybox Fuzzers (GF)不能有效地指导，例如，针对有问题的更改或补丁，针对关键的系统调用或危险的位置，或者针对我们希望重现的报告漏洞的堆栈跟踪中的功能。在本文中，我们引入了定向灰盒模糊(DGF)，它产生的输入目标是有效地达到给定的目标程序位置集。我们开发并评估了一个模拟的基于退火的功率计划，该计划逐渐将更多的能量分配给靠近目标位置的种子，同时减少远离目标位置的种子的能量。用我们实现的AFLGo进行的实验表明，DGF优于基于定向符号执行的白盒模糊测试和无向灰盒模糊测试。我们展示了DGF在补丁测试和崩溃再现中的应用，并讨论了将AFLGo集成到Google的连续模糊测试平台OSS-Fuzz中。由于它的指导性，AFLGo可以在LibXML2等几个模糊的、安全关键的项目中发现39个bug。17名cve被分配。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

自引率

0.00%

发文量