Towards Smart Hybrid Fuzzing for Smart Contracts
Smart contracts are Turing-complete programs that are executed across a
blockchain network. Unlike traditional programs, once deployed they cannot be
modified. As smart contracts become more popular and carry more value, they
become a more attractive target for attackers. In recent years, smart
contracts have suffered major exploits, costing millions of dollars, due to
programming errors. As a result, a variety of tools for detecting bugs have been
proposed. However, the majority of these tools yield many false positives due
to over-approximation, or poor code coverage due to complex path constraints.
Fuzzing, or fuzz testing, is a popular and effective software testing technique.
However, traditional fuzzers tend to be more effective at finding shallow
bugs and less effective at finding bugs that lie deeper in the execution. In
this work, we present CONFUZZIUS, a hybrid fuzzer that combines evolutionary
fuzzing with constraint solving in order to execute more code and find more
bugs in smart contracts. Evolutionary fuzzing is used to exercise shallow parts
of a smart contract, while constraint solving is used to generate inputs that
satisfy the complex conditions that prevent evolutionary fuzzing from exploring
deeper paths. Moreover, we use data dependency analysis to efficiently generate
sequences of transactions that create specific contract states in which bugs
may be hidden. We evaluate the effectiveness of our fuzzing strategy by
comparing CONFUZZIUS with state-of-the-art symbolic execution tools and
fuzzers. Our evaluation shows that our hybrid fuzzing approach produces
significantly better results than state-of-the-art symbolic execution tools and
fuzzers.
Combining Static and Dynamic Analysis for Vulnerability Detection
In this paper, we present a hybrid approach for buffer overflow detection in
C code. The approach makes use of static and dynamic analysis of the
application under investigation. The static part consists of calculating taint
dependency sequences (TDS) between user-controlled inputs and vulnerable
statements. This process is akin to computing a program slice of interest: the
tainted data- and control-flow paths that exhibit the dependence between
tainted program inputs and vulnerable statements in the code. The dynamic part
consists of executing the program along the TDSs to trigger the vulnerability by
generating suitable inputs. We use a genetic algorithm to generate inputs. We
propose a fitness function that approximates the program behavior (control
flow) based on the frequencies of the statements along the TDSs. This runtime
aspect makes the approach faster and more accurate. We provide experimental
results on the Verisec benchmark to validate our approach.
Comment: 15 pages, 1 figure
Directed Greybox Fuzzing with Stepwise Constraint Focusing
Dynamic data flow analysis has been widely used to guide greybox fuzzing.
However, traditional dynamic data flow analysis tends to go astray in the
massive path tracking and requires processing a large volume of data, resulting
in low efficiency in reaching the target location. In this paper, we propose a
directed greybox fuzzer based on dynamic constraint filtering and focusing
(CONFF). First, all path constraints are tracked, and those with high priority
are selected as the next solution targets. Next, focusing on a single path
constraint to be satisfied, we obtain its data condition and probe the mapping
relationship between it and the input bytes through multi-byte mapping and
single-byte mapping. Finally, various mutation strategies are used to solve
the path constraint currently focused on, and the target location in the
program is gradually approached through path selection. The CONFF fuzzer can
reach a specific location in the target program faster, thus efficiently
triggering the crash. We designed and implemented a prototype of the CONFF
fuzzer and evaluated it on the LAVA-1 dataset and some real-world
vulnerabilities. The results show that the CONFF fuzzer can reproduce crashes
on the LAVA-1 dataset and for most of the real-world vulnerabilities. For most
vulnerabilities, the CONFF fuzzer reproduced the crashes in significantly
less time than state-of-the-art fuzzers. On average, the CONFF fuzzer
was 23.7x faster than the state-of-the-art code-coverage-based fuzzer Angora
and 27.3x faster than the classical directed greybox fuzzer AFLGo.
- …