DOI: 10.1145/3545948.3545971
research-article

Fuzzing@Home: Distributed Fuzzing on Untrusted Heterogeneous Clients

Published: 26 October 2022

Abstract

Fuzzing is a practical technique to automatically find vulnerabilities in software. It is well-suited to running at scale with distributed computing platforms thanks to its parallelizability. Therefore, individual researchers and companies typically set up fuzzing platforms on multiple servers and run fuzzers in parallel. However, as such resources are private, they suffer from financial and physical limits. In this paper, we propose Fuzzing@Home, the first public collaborative fuzzing network, based on heterogeneous machines owned by potentially untrusted users. Using our system, multiple organizations (or individuals) can easily collaborate to efficiently fuzz software of common interest. One can participate and earn economic benefits if the fuzzing network is tied to a bug-bounty program, or simply donate spare computing power as a volunteer.
If the network compensates collaborators, system fairness becomes an issue. In this light, we devise a system to make the fuzzing results verifiable and devise cheat detection techniques to ensure integrity and fairness in collaboration. In terms of performance, we devise a technique to effectively sync the global coverage state, hence minimizing the overhead for verifying computation results. Finally, to increase participation, Fuzzing@Home uses WebAssembly to run fuzzers inside the web browser engine, allowing anyone to instantly join a fuzzing network with a single click on their mobile phone, tablet, or any modern computing device. To evaluate our system, we bootstrapped Fuzzing@Home with 72 open-source projects and ran experimental fuzzing networks for 330 days with 826 collaborators as beta testers.


Published In

ACM Other conferences
RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
October 2022
536 pages
ISBN: 9781450397049
DOI: 10.1145/3545948

Publisher

Association for Computing Machinery
New York, NY, United States


Qualifiers

• Research-article
• Research
• Refereed limited

Conference

RAID 2022

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%
