[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
research-article
Open access

FuzzFactory: domain-specific fuzzing with waypoints

Published: 10 October 2019 Publication History

Abstract

Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require non-trivial implementation effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern.
In this paper, we present FuzzFactory, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution, as well as how such feedback should be aggregated. FuzzFactory uses this information to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. Such waypoints always make progress towards domain-specific multi-dimensional objectives. We instantiate six domain-specific fuzzing applications using FuzzFactory: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google's fuzzer test suite. We also show how multiple domains can be composed to perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of LZ4 bombs and PNG bombs.

Supplementary Material

a174-padhye (a174-padhye.webm)
Presentation at OOPSLA '19

References

[1]
Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, Ahmad-Reza Sadeghi, and Daniel Teuchert. 2019. Nautilus: Fishing for Deep Bugs with Grammars. In 26th Annual Network and Distributed System Security Symposium (NDSS ’19) .
[2]
Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. 2017. Directed Greybox Fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17) .
[3]
Marcel Böhme, Van-Thuan Pham, and Abhik Roychoudhury. 2016. Coverage-based Greybox Fuzzing As Markov Chain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16) .
[4]
Peng Chen and Hao Chen. 2018. Angora: Efficient Fuzzing by Principled Search. In Proceedings of the 39th IEEE Symposium on Security and Privacy .
[5]
Yuanliang Chen, Yu Jiang, Fuchen Ma, Jie Liang, Mingzhe Wang, Chijin Zhou, Xun Jiao, and Zhuo Su. 2019. EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers. In 28th USENIX Security Symposium (USENIX Security 19) . USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/usenixsecurity19/presentation/chenyuanliang
[6]
Nicolas Coppik, Oliver Schwahn, and Neeraj Suri. 2019. MemFuzz: Using Memory Accesses to Guide Fuzzing. In 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST) . IEEE, 48–58.
[7]
Google. 2019a. Continuous fuzzing of open source software. https://opensource.google.com/projects/oss-fuzz . Accessed March 26, 2019.
[8]
Google. 2019b. Set of tests for fuzzing engines. https://github.com/google/fuzzer-test-suite . Accessed March 20, 2019.
[9]
Lei Wei Junjie Wang, Bihuan Chen and Yang Liu. 2019. Superion: Grammar-Aware Greybox Fuzzing. In 41st International Conference on Software Engineering (ICSE ’19) .
[10]
Kevin Laeufer, Jack Koenig, Donggyu Kim, Jonathan Bachrach, and Koushik Sen. 2018. RFUZZ: Coverage-directed Fuzz Testing of RTL on FPGAs. In Proceedings of the International Conference on Computer-Aided Design (ICCAD ’18). ACM, New York, NY, USA, Article 28, 8 pages.
[11]
LafIntel. 2016. Circumventing Fuzzing Roadblocks with Compiler Transformations. https://lafintel.wordpress.com/2016/08/ 15/circumventing-fuzzing-roadblocks-with-compiler-transformations/ . Accessed March 20, 2019.
[12]
Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime Optimization (CGO ’04) . IEEE Computer Society, Washington, DC, USA, 75–. http://dl.acm.org/citation.cfm?id=977395. 977673
[13]
Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song. 2018. PerfFuzz: Automatically Generating Pathological Inputs. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2018). ACM, New York, NY, USA, 254–265.
[14]
Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE ’18).
[15]
Yuekang Li, Bihuan Chen, Mahinthan Chandramohan, Shang-Wei Lin, Yang Liu, and Alwen Tiu. 2017. Steelix: Program-state Based Binary Fuzzing. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017) .
[16]
LLVM Developer Group. 2016. libFuzzer. http://llvm.org/docs/LibFuzzer.html . Accessed March 20, 2019.
[17]
Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. 2005. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’05) . ACM, New York, NY, USA, 190–200.
[18]
Valentin J. M. Manès, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo. 2018. Fuzzing: Art, Science, and Engineering. CoRR abs/1812.00140 (2018). arXiv: 1812.00140 http://arxiv.org/abs/ 1812.00140
[19]
Shirin Nilizadeh, Yannic Noller, and Corina S. Păsăreanu. 2019. DifFuzz: Differential Fuzzing for Side-channel Analysis. In Proceedings of the 41st International Conference on Software Engineering (ICSE ’19). IEEE Press, Piscataway, NJ, USA, 176–187.
[20]
Saahil Ognawala, Thomas Hutzelmann, Eirini Psallida, and Alexander Pretschner. 2018. Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (SAC ’18) . ACM, New York, NY, USA, 1475–1482.
[21]
Rohan Padhye, Caroline Lemieux, and Koushik Sen. 2019a. JQF: Coverage-guided Property-based Testing in Java. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2019) . ACM, New York, NY, USA, 398–401.
[22]
Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon. 2019b. Semantic Fuzzing with Zest. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2019) . ACM, New York, NY, USA, 329–340.
[23]
Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon. 2019c. Validity Fuzzing and Parametric Generators for Effective Random Testing. In Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings (ICSE ’19) . IEEE Press, Piscataway, NJ, USA, 266–267. https://dl.acm.org/citation.cfm?id=3339777
[24]
Hui Peng, Yan Shoshitaishvili, and Mathias Payer. 2018. T-Fuzz: fuzzing by program transformation. In 2018 IEEE Symposium on Security and Privacy (SP) . IEEE, 697–710.
[25]
Theofilos Petsios, Adrian Tang, Salvatore Stolfo, Angelos D Keromytis, and Suman Jana. 2017a. Nezha: Efficient domainindependent differential testing. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 615–632.
[26]
Theofilos Petsios, Jason Zhao, Angelos D. Keromytis, and Suman Jana. 2017b. SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17) . ACM, New York, NY, USA, 2155–2168.
[27]
Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru Razvan Caciulescu, and Abhik Roychoudhury. 2018. Smart Greybox Fuzzing. CoRR abs/1811.09447 (2018). arXiv: 1811.09447 http://arxiv.org/abs/1811.09447
[28]
Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. VUzzer: Applicationaware Evolutionary Fuzzing. In Proceedings of the 2017 Network and Distributed System Security Symposium (NDSS ’17) .
[29]
Kostya Serebryany, Vitaly Buka, and Matt Morehouse. 2017. Structure-aware fuzzing for Clang and LLVM with libprotobufmutator.
[30]
Richard M. Stallman et al. 2009. Using The Gnu Compiler Collection: A Gnu Manual For Gcc Version 4.3.3. CreateSpace, Paramount, CA.
[31]
Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS ’16) .
[32]
Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, Berkeley, CA, USA, 745–761. http://dl.acm.org/citation.cfm?id=3277203.3277260
[33]
Michał Zalewski. 2014. American Fuzzy Lop. http://lcamtuf.coredump.cx/afl . Accessed March 20, 2019.
[34]
Michał Zalewski. 2017. American Fuzzy Lop Technical Details. http://lcamtuf.coredump.cx/afl/technical_details.txt . Accessed March 20, 2019.

Cited By

View all
  • (2024)Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup (Registered Report)Proceedings of the 3rd ACM International Fuzzing Workshop10.1145/3678722.3685532(33-41)Online publication date: 13-Sep-2024
  • (2024)Tree-Based versus Hybrid Graphical-Textual Model Editors: An Empirical Study of Testing SpecificationsProceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems10.1145/3640310.3674102(80-91)Online publication date: 22-Sep-2024
  • (2024)FuzzInMem: Fuzzing Programs via In-memory StructuresProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639172(1-13)Online publication date: 20-May-2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages
Proceedings of the ACM on Programming Languages  Volume 3, Issue OOPSLA
October 2019
2077 pages
EISSN:2475-1421
DOI:10.1145/3366395
Issue’s Table of Contents
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 October 2019
Published in PACMPL Volume 3, Issue OOPSLA

Permissions

Request permissions for this article.

Check for updates

Badges

Author Tags

  1. domain-specific fuzzing
  2. frameworks
  3. fuzz testing
  4. waypoints

Qualifiers

  • Research-article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)568
  • Downloads (Last 6 weeks)85
Reflects downloads up to 13 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup (Registered Report)Proceedings of the 3rd ACM International Fuzzing Workshop10.1145/3678722.3685532(33-41)Online publication date: 13-Sep-2024
  • (2024)Tree-Based versus Hybrid Graphical-Textual Model Editors: An Empirical Study of Testing SpecificationsProceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems10.1145/3640310.3674102(80-91)Online publication date: 22-Sep-2024
  • (2024)FuzzInMem: Fuzzing Programs via In-memory StructuresProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639172(1-13)Online publication date: 20-May-2024
  • (2024)Fine-grained Coverage-based FuzzingACM Transactions on Software Engineering and Methodology10.1145/358715833:5(1-41)Online publication date: 4-Jun-2024
  • (2024)Instiller: Toward Efficient and Realistic RTL FuzzingIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2024.336031843:7(2177-2190)Online publication date: Jul-2024
  • (2024)Fuzzing, Symbolic Execution, and Expert Guidance for Better TestingIEEE Software10.1109/MS.2023.323798141:1(98-104)Online publication date: 1-Jan-2024
  • (2024)Integrated Approach for High-quality Software Development of Upgradeable Vehicles2024 Stuttgart International Symposium on Automotive and Engine Technology10.1007/978-3-658-45010-6_13(202-217)Online publication date: 30-Jun-2024
  • (2024)SandPuppy: Deep-State Fuzzing Guided by Automatic Detection of State-Representative VariablesDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_12(227-250)Online publication date: 9-Jul-2024
  • (2023)Towards Better Semantics Exploration for Browser FuzzingProceedings of the ACM on Programming Languages10.1145/36228197:OOPSLA2(604-631)Online publication date: 16-Oct-2023
  • (2023)The Human Side of Fuzzing: Challenges Faced by Developers during Fuzzing ActivitiesACM Transactions on Software Engineering and Methodology10.1145/361166833:1(1-26)Online publication date: 23-Nov-2023
  • Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Full Access

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media