Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints
Kernel-mode drivers are challenging to analyze for vulnerabilities, yet play a critical role in maintaining the security of OS kernels. Their wide attack surface, exposed via both the system call interface and the peripheral interface, is often found to be the most direct attack vector to compromise an OS kernel. Researchers therefore have proposed many fuzzing techniques to find vulnerabilities in kernel drivers. However, the performance of kernel fuzzers is still lacking, for reasons such as prolonged execution of kernel code, interference between test inputs, and kernel crashes. This paper proposes lightweight virtual machine checkpointing as a new primitive that enables high-throughput kernel driver fuzzing. Our key insight is that kernel driver fuzzers frequently execute similar test cases in a row, and that their performance can be improved by dynamically creating multiple checkpoints while executing test cases and skipping parts of test cases using the created checkpoints. We built a system, dubbed Agamotto, around the virtual machine checkpointing primitive and evaluated it by fuzzing the peripheral attack surface of USB and PCI drivers in Linux. The results are convincing. Agamotto improved the performance of the state-of-the-art kernel fuzzer, Syzkaller, by 66.6% on average in fuzzing 8 USB drivers, and an AFL-based PCI fuzzer by 21.6% in fuzzing 4 PCI drivers, without modifying their underlying input generation algorithm.
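The checkpoint-and-skip idea above can be seen in miniature with a small simulation. The following is an added example, not Agamotto's code: a toy "driver" whose state is a log of executed operations stands in for the guest VM, a checkpoint cache keyed by executed prefixes stands in for VM snapshots, and a constructed corpus of test cases with shared prefixes stands in for a mutational fuzzer's output. The checkpoint interval, the LRU eviction policy and the cache capacity are assumptions chosen for the illustration. The example counts how many operations must actually be executed when each test case resumes from the longest stored prefix, and checks that the resumed run ends in the same state as a full run would.

```python
import copy
from collections import OrderedDict

# Constructed corpus (assumption): consecutive test cases share long
# prefixes, as mutational fuzzers typically produce.
CORPUS = [
    ["open", "ioctl:1", "ioctl:2", "write:aa", "close"],
    ["open", "ioctl:1", "ioctl:2", "write:bb", "close"],
    ["open", "ioctl:1", "ioctl:3", "read", "close"],
    ["open", "ioctl:1", "ioctl:2", "write:aa", "read", "close"],
]


def initial_state():
    """Fresh 'guest' state: no open handle, nothing executed yet."""
    return {"fd_open": False, "log": []}


def apply_op(state, op):
    """Toy driver: stands in for running kernel code, assumed to be the
    expensive part of every test case."""
    if op == "open":
        state["fd_open"] = True
    elif op == "close":
        state["fd_open"] = False
    state["log"].append(op)
    return state


class CheckpointCache:
    """Bounded store of snapshots keyed by the prefix that produced them.
    LRU eviction is an assumption, not the paper's policy."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.store = OrderedDict()

    def restore_longest(self, testcase):
        """Return (prefix_len, state) for the longest stored proper prefix
        of testcase, or (0, fresh state) if none is cached."""
        for n in range(len(testcase) - 1, 0, -1):
            key = tuple(testcase[:n])
            if key in self.store:
                self.store.move_to_end(key)
                return n, copy.deepcopy(self.store[key])
        return 0, initial_state()

    def checkpoint(self, prefix, state):
        key = tuple(prefix)
        if key in self.store:
            self.store.move_to_end(key)
            return
        if len(self.store) >= self.capacity:
            self.store.popitem(last=False)
        self.store[key] = copy.deepcopy(state)


def run_testcase(testcase, cache, interval):
    """Resume from the best checkpoint, execute the remainder, and take a
    new checkpoint every `interval` operations (never at the very end)."""
    start, state = cache.restore_longest(testcase)
    executed = 0
    for i in range(start, len(testcase)):
        state = apply_op(state, testcase[i])
        executed += 1
        done = i + 1
        if done % interval == 0 and done < len(testcase):
            cache.checkpoint(testcase[:done], state)
    return executed, state


def run_corpus(corpus, capacity=8, interval=2):
    """Return (ops executed with checkpoints, ops executed without)."""
    cache = CheckpointCache(capacity)
    total = 0
    for tc in corpus:
        executed, state = run_testcase(tc, cache, interval)
        # Resuming from a snapshot must be indistinguishable from a full run.
        assert state["log"] == tc
        total += executed
    baseline = sum(len(tc) for tc in corpus)
    return total, baseline


if __name__ == "__main__":
    with_ckpt, without = run_corpus(CORPUS)
    print(f"executed {with_ckpt} ops instead of {without}")
```

Restoring from a snapshot also discards whatever state the previous test case left behind, which is the "interference between test inputs" problem the abstract mentions; the assertion in `run_corpus` checks exactly that the resumed state matches a clean full execution.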
UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling
Fuzzing is one of the most efficient technologies for vulnerability detection. Since the fuzzing process is computing-intensive and the performance improved by algorithm optimization is limited, recent research seeks to improve fuzzing performance by utilizing parallel computing. However, parallel fuzzing has to overcome challenges such as task conflicts, scalability in a distributed environment, synchronization overhead, and workload imbalance. In this paper, we design and implement UniFuzz, a distributed fuzzing optimization based on dynamic centralized task scheduling. UniFuzz evaluates and distributes seeds in a centralized manner to avoid task conflicts. It uses a "request-response" scheme to dynamically distribute fuzzing tasks, which avoids workload imbalance. Besides, UniFuzz can adaptively switch the role of computing cores between evaluating and fuzzing, which avoids the potential bottleneck of seed evaluation. To improve synchronization efficiency, UniFuzz shares different fuzzing information in different ways according to its characteristics, and the average overhead of synchronization is only about 0.4%. We evaluated UniFuzz with real-world programs, and the results show that UniFuzz outperforms state-of-the-art tools, such as AFL, PAFL and EnFuzz. Most importantly, the experiment reveals a counter-intuitive result that parallel fuzzing can achieve a super-linear acceleration over single-core fuzzing. We made a detailed explanation and proved it with additional experiments. UniFuzz also discovered 16 real-world vulnerabilities.
Comment: 14 pages, 4 figures
Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing
Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, we improve the latency for obtaining 95% and 99% of the coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.
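The selection problem described above, picking a set of fuzzers whose isolated-run data predicts the best combined coverage, can be shown with a small model. This is an added example, not Cupid's implementation: the per-fuzzer, per-branch hit rates are constructed, the fuzzer names are placeholders, and the combination model (a branch counts as covered if at least one selected fuzzer covers it, with independent hit probabilities) is an assumption made for the illustration. The example compares the exhaustive search over pairs, a greedy approximation, and the naive choice of the two strongest individual fuzzers; on this data the strongest individuals are partly redundant, so the naive choice loses to the data-driven one.

```python
from itertools import combinations

# Constructed data (assumption): fraction of isolated runs in which each
# fuzzer reached each branch. Fuzzer names are placeholders.
BRANCH_HITS = {
    "afl":       {"b1": 1.0, "b2": 0.9, "b3": 0.0, "b4": 0.1, "b5": 0.0},
    "aflfast":   {"b1": 1.0, "b2": 0.9, "b3": 0.0, "b4": 0.7, "b5": 0.0},
    "fairfuzz":  {"b1": 1.0, "b2": 0.5, "b3": 0.8, "b4": 0.0, "b5": 0.0},
    "libfuzzer": {"b1": 0.9, "b2": 0.0, "b3": 0.1, "b4": 0.9, "b5": 0.8},
}


def expected_coverage(fuzzers, hits):
    """Expected number of branches covered by running `fuzzers` together.
    Model (assumption): a branch is covered if any member covers it, and
    members hit branches independently, so P(covered) = 1 - prod(1 - p_f)."""
    branches = sorted(set().union(*(hits[f] for f in fuzzers)))
    total = 0.0
    for b in branches:
        miss = 1.0
        for f in fuzzers:
            miss *= 1.0 - hits[f].get(b, 0.0)
        total += 1.0 - miss
    return total


def best_combination(hits, k):
    """Exhaustive search over all k-subsets; exact but exponential in k."""
    best = max(combinations(sorted(hits), k),
               key=lambda combo: expected_coverage(combo, hits))
    return tuple(best), expected_coverage(best, hits)


def greedy_combination(hits, k):
    """Add the fuzzer that raises predicted coverage most at each step;
    cheap, and since the objective is submodular it is a known-good
    approximation of the exhaustive result."""
    chosen = []
    while len(chosen) < k:
        rest = [f for f in hits if f not in chosen]
        chosen.append(max(rest, key=lambda f: expected_coverage(chosen + [f], hits)))
    return tuple(chosen)


def top_k_singles(hits, k):
    """The naive baseline: rank fuzzers by their own isolated coverage."""
    ranked = sorted(hits, key=lambda f: expected_coverage([f], hits), reverse=True)
    return tuple(ranked[:k])


if __name__ == "__main__":
    combo, score = best_combination(BRANCH_HITS, 2)
    naive = top_k_singles(BRANCH_HITS, 2)
    print("exhaustive:", combo, round(score, 2))
    print("greedy:    ", greedy_combination(BRANCH_HITS, 2))
    print("top-2 singles:", naive, round(expected_coverage(naive, BRANCH_HITS), 2))
```

The point the model makes is that isolated-run data is enough to rank combinations: the two fuzzers that are individually best share most of their branches, so a weaker fuzzer that reaches different code is the better partner, and neither the exhaustive nor the greedy search needs a single collaborative run to find that out.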
A Survey of Network Protocol Fuzzing: Model, Techniques and Directions
As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits its distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of some representative advancements in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. At the same time, this paper also summarizes the promising research directions in the landscape of protocol fuzzing to foster exploration within the community for more efficient and intelligent modern network protocol fuzzing techniques.