Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities
© 2020 Association for Computing Machinery. Existing coverage-based fuzzers usually use individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger a UaF vulnerability, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by these operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experimental results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.
MTFuzz: Fuzzing with a Multi-Task Neural Network
Fuzzing is a widely used technique for detecting software bugs and vulnerabilities. Most popular fuzzers generate new inputs using an evolutionary search to maximize code coverage. Essentially, these fuzzers start with a set of seed inputs, mutate them to generate new inputs, and identify the promising inputs using an evolutionary fitness function for further mutation. Despite their success, evolutionary fuzzers tend to get stuck in long sequences of unproductive mutations. In recent years, machine learning (ML) based mutation strategies have reported promising results. However, the existing ML-based fuzzers are limited by the lack of quality and diversity of the training data. As the input space of the target programs is high dimensional and sparse, it is prohibitively expensive to collect many diverse samples demonstrating successful and unsuccessful mutations to train the model. In this paper, we address these issues by using a Multi-Task Neural Network that can learn a compact embedding of the input space based on diverse training samples for multiple related tasks (i.e., predicting for different types of coverage). The compact embedding can guide the mutation process by focusing most of the mutations on the parts of the embedding where the gradient is high. MTFuzz uncovers previously unseen bugs and achieves an average of more edge coverage compared with 5 state-of-the-art fuzzers on 10 real-world programs.
Comment: ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) 202
Hawkeye: Towards a desired directed grey-box fuzzer
Dockerfile for Hawkeye DGF.

# get the docker image archive, hawkeye.tar, by unpacking the compressed download
tar xf hawkeye.tar.bz2 -C .

# import the docker image; docker import prints the id of the new image,
# which is captured here as IMAGE_ID
IMAGE_ID=$(docker import hawkeye.tar)

# the same image id can also be read off the image list
docker image ls

# run the container from the imported image
docker run -w /root -it --privileged "$IMAGE_ID" bash
Note: Hawkeye is actually implemented on top of the FOT framework (https://dl.acm.org/citation.cfm?id=3264593).