DOI: 10.1145/3106237.3106295
Research article

Steelix: program-state based binary fuzzing

Published: 21 August 2017 Publication History

Abstract

Coverage-based fuzzing is one of the most effective techniques for finding vulnerabilities, bugs and crashes. However, existing techniques have difficulty exercising paths that are protected by magic-byte comparisons (e.g., string equality comparisons). Several approaches use heavyweight program analysis to break through magic-byte comparisons, and are hence less scalable. In this paper, we propose a program-state based binary fuzzing approach, named Steelix, which improves the penetration power of a fuzzer at the cost of an acceptable slowdown in execution speed. In particular, we use lightweight static analysis and binary instrumentation to provide not only coverage information but also comparison progress information to a fuzzer. Such program state information tells the fuzzer where the magic bytes are located in the test input and how to mutate the input to match the magic bytes efficiently. We have implemented Steelix and evaluated it on three datasets: the LAVA-M dataset, DARPA CGC sample binaries and five real-life programs. The results show that Steelix has better code coverage and bug detection capability than state-of-the-art fuzzers. Moreover, we found one CVE and nine new bugs.
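The mechanism the abstract describes (a comparison hook that reports how far a magic-byte comparison got, so the fuzzer can locate the magic bytes in the input and fix them up byte by byte) is shown below as an added, self-contained model written for this page. It is not Steelix's code and not AFL's: Steelix instruments real binaries, whereas here the target is a constructed C function with a hand-written comparison hook. The hypothetical input format (a "FUZZ" header at offset 0 and a 4-byte magic value at offset 8), the function names, the fixed-seed xorshift generator and the local exhaustive search on the byte following the matched prefix are all this example's own choices, not details taken from the paper.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSITES    2   /* instrumented comparison sites in the target */
#define CMP_WIDTH 4   /* both comparisons check 4 bytes */
#define MAGIC_OFF 8
/* Per-site progress: matched prefix length in the last run. This is all the hook
 * exports; the constant operand itself never leaks to the fuzzer. */
static size_t g_matched[NSITES];

/* Stand-in for the comparison instrumentation a binary rewriter would inject. */
static int hooked_memcmp(int id, const unsigned char *in, const unsigned char *magic, size_t n)
{
    size_t k = 0;
    while (k < n && in[k] == magic[k]) k++;
    g_matched[id] = k;
    return k == n ? 0 : 1;
}

/* Constructed target (hypothetical format): header "FUZZ" at offset 0 and a 4-byte
 * magic at offset 8 guard the path of interest. Returns guards passed: 0, 1 or 2. */
static const unsigned char HDR[CMP_WIDTH]   = { 'F', 'U', 'Z', 'Z' };
static const unsigned char MAGIC[CMP_WIDTH] = { 0xDE, 0xAD, 0xBE, 0xEF };
int target(const unsigned char *buf, size_t len)
{
    if (len < MAGIC_OFF + CMP_WIDTH) return 0;
    if (hooked_memcmp(0, buf, HDR, CMP_WIDTH) != 0) return 0;
    if (hooked_memcmp(1, buf + MAGIC_OFF, MAGIC, CMP_WIDTH) != 0) return 1;
    return 2;
}

/* One execution: reset, run, copy the per-site progress out. */
static int run_once(const unsigned char *buf, size_t len, size_t out[NSITES])
{
    memset(g_matched, 0, sizeof g_matched);
    int depth = target(buf, len);
    memcpy(out, g_matched, sizeof g_matched);
    return depth;
}

static unsigned g_rng = 0x9E3779B9u;   /* xorshift32 with a fixed seed: reproducible */
static unsigned rnd(void) { g_rng ^= g_rng << 13; g_rng ^= g_rng >> 17; g_rng ^= g_rng << 5; return g_rng; }

/* Progress-guided loop. Blind single-byte mutations run until some site's matched
 * prefix grows; only one byte changed, so it must be comparison byte best[s] of
 * site s, which pins the operand to input offset pos - best[s]. A located site then
 * gets the byte after its matched prefix searched exhaustively (<= 256 runs). */
int fuzz_with_progress(unsigned char *buf, size_t len, unsigned max_execs, unsigned *execs)
{
    size_t best[NSITES], prog[NSITES], loc[NSITES] = {0};
    int located[NSITES] = {0};
    unsigned n = 0;
    int s, depth = run_once(buf, len, best); n++;
    while (depth < 2 && n < max_execs) {
        int advanced = 0;
        for (s = 0; s < NSITES; s++) {                 /* local exhaustive search */
            if (!located[s] || best[s] >= CMP_WIDTH) continue;
            size_t pos = loc[s] + best[s];
            if (pos >= len) continue;
            unsigned char saved = buf[pos];
            for (int v = 0; v < 256 && n < max_execs; v++) {
                buf[pos] = (unsigned char)v;
                int d = run_once(buf, len, prog); n++;
                if (prog[s] > best[s]) { advanced = 1; depth = d; break; }
            }
            if (advanced) memcpy(best, prog, sizeof best); else buf[pos] = saved;
            break;
        }
        if (advanced) continue;
        size_t pos = rnd() % len;                      /* blind single-byte mutation */
        unsigned char saved = buf[pos];
        buf[pos] = (unsigned char)rnd();
        int d = run_once(buf, len, prog), keep = 0; n++;
        for (s = 0; s < NSITES; s++) {
            if (prog[s] <= best[s]) continue;
            keep = 1;   /* attribute the growth only if site s ran before the mutation */
            if (depth >= s && pos >= best[s]) { loc[s] = pos - best[s]; located[s] = 1; }
        }
        if (keep) { memcpy(best, prog, sizeof best); depth = d; } else buf[pos] = saved;
    }
    *execs = n;
    return depth;
}

/* Driver: fuzz a 16-byte all-'A' seed; returns 1 if the protected path was reached. */
int run_demo(unsigned *execs_out)
{
    unsigned char buf[16]; unsigned execs = 0;
    memset(buf, 'A', sizeof buf);
    int depth = fuzz_with_progress(buf, sizeof buf, 200000, &execs);
    if (execs_out) *execs_out = execs;
    return depth == 2 && memcmp(buf, HDR, CMP_WIDTH) == 0 && memcmp(buf + MAGIC_OFF, MAGIC, CMP_WIDTH) == 0;
}
int main(void)
{
    unsigned execs; int ok = run_demo(&execs);
    printf("%s after %u executions\n", ok ? "protected path reached" : "gave up", execs);
    return ok ? 0 : 1;
}
```

Compile with cc -std=c99 and run. Without the progress signal, four independent bytes at a fixed offset need on the order of 2^32 blind attempts per comparison; with it, the expected cost is one random hit per comparison site (about len * 256 executions for this 16-byte input) plus at most 256 executions for each remaining byte. The seed and generator are fixed, so the reported execution count is the same on every run. Note that the hook reports only the matched prefix length, never the constant: this is what makes the local exhaustive search necessary, and it is also why the approach stays lightweight compared with symbolic reasoning about the comparison.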




    Published In

    ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering
    August 2017
    1073 pages
    ISBN:9781450351058
    DOI:10.1145/3106237
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. binary fuzzing
    2. binary instrumentation
    3. coverage-based fuzzing

    Qualifiers

    • Research-article

    Conference

    ESEC/FSE'17

    Acceptance Rates

    Overall Acceptance Rate 112 of 543 submissions, 21%

    Article Metrics

    • Downloads (Last 12 months)108
    • Downloads (Last 6 weeks)13
    Reflects downloads up to 14 Dec 2024

    Cited By

    • sqlFuzz: Directed Fuzzing for SQL Injection Vulnerability. Electronics 13(15):2946, 26 Jul 2024. doi:10.3390/electronics13152946
    • DocFuzz: A Directed Fuzzing Method Based on a Feedback Mechanism Mutator. International Journal of Intelligent Systems 2024(1), 11 Dec 2024. doi:10.1155/int/7931792
    • When Compiler Optimizations Meet Symbolic Execution: An Empirical Study. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 4212-4225, 2 Dec 2024. doi:10.1145/3658644.3670372
    • MicroFuzz: An Efficient Fuzzing Framework for Microservices. Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice, 216-227, 14 Apr 2024. doi:10.1145/3639477.3639723
    • FuzzInMem: Fuzzing Programs via In-memory Structures. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-13, 20 May 2024. doi:10.1145/3597503.3639172
    • BinaryAI: Binary Software Composition Analysis via Intelligent Binary Source Code Matching. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-13, 20 May 2024. doi:10.1145/3597503.3639100
    • Fine-grained Coverage-based Fuzzing. ACM Transactions on Software Engineering and Methodology 33(5):1-41, 4 Jun 2024. doi:10.1145/3587158
    • A Survey of Software Dynamic Analysis Methods. Programming and Computing Software 50(1):90-114, 1 Feb 2024. doi:10.1134/S0361768824010079
    • Code Comment Inconsistency Detection Based on Confidence Learning. IEEE Transactions on Software Engineering 50(3):598-617, Mar 2024. doi:10.1109/TSE.2024.3358489
    • Better Pay Attention Whilst Fuzzing. IEEE Transactions on Software Engineering 50(2):190-208, Feb 2024. doi:10.1109/TSE.2023.3338129
