DOI: 10.1145/3460120.3484573
Research article (Public Access)

Hardware Support to Improve Fuzzing Performance and Precision

Published: 13 November 2021

Abstract

Coverage-guided fuzzing is considered one of the most efficient bug-finding techniques, given the number of bugs it has reported. However, the coverage tracing provided by existing software-based approaches, such as source instrumentation and dynamic binary translation, can incur large overhead. With execution speed significantly lowered, it also becomes less beneficial to improve coverage feedback by incorporating additional execution states.
In this paper, we propose SNAP, a customized hardware platform that implements hardware primitives to enhance the performance and precision of coverage-guided fuzzing. Sitting at the bottom of the computer stack, SNAP leverages the existing CPU pipeline and micro-architectural features to provide coverage tracing and rich execution semantics at near-zero cost, regardless of source code availability. Prototyped as a synthesized RISC-V BOOM processor on FPGA, SNAP incurs only a 3.1% tracing overhead on the SPEC benchmarks while achieving 228x higher fuzzing throughput than the existing software-based solution. With only a 4.8% area and 6.5% power overhead, SNAP is highly practical and can be adopted by existing CPU architectures with minimal changes.




Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021, 3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. RISC-V BOOM
  2. feedback-driven fuzzing
  3. hardware-assisted fuzzing

Qualifiers

  • Research-article

Funding Sources

  • NSF
  • ONR

Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021, Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Cited By

  • (2024) Efficiently Rebuilding Coverage in Hardware-Assisted Greybox Fuzzing. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 450-464. DOI: 10.1145/3678890.3678933. Online publication date: 30-Sep-2024.
  • (2024) TaPaFuzz. Journal of Systems Architecture: the EUROMICRO Journal, vol. 156, issue C. DOI: 10.1016/j.sysarc.2024.103288. Online publication date: 1-Nov-2024.
  • (2024) Point Intervention: Improving ACVP Test Vector Generation Through Human Assisted Fuzzing. Information and Communications Security, pp. 43-62. DOI: 10.1007/978-981-97-8801-9_3. Online publication date: 27-Aug-2024.
  • (2023) Fuzztruction. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1847-1864. DOI: 10.5555/3620237.3620341. Online publication date: 9-Aug-2023.
  • (2023) µFUZZ. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1325-1342. DOI: 10.5555/3620237.3620312. Online publication date: 9-Aug-2023.
  • (2023) Leveraging Hardware Probes and Optimizations for Accelerating Fuzz Testing of Heterogeneous Applications. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1101-1113. DOI: 10.1145/3611643.3616318. Online publication date: 30-Nov-2023.
  • (2023) A Usability Evaluation of AFL and libFuzzer with CS Students. Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, pp. 1-18. DOI: 10.1145/3544548.3581178. Online publication date: 19-Apr-2023.
  • (2023) Network Fuzzing: State of the art. 2023 24th International Conference on Control Systems and Computer Science (CSCS), pp. 136-143. DOI: 10.1109/CSCS59211.2023.00030. Online publication date: May-2023.
