Abstract
Whitebox fuzzing (a.k.a. concolic testing) has been shown to be an effective bug-finding technique on its own as well as in combination with coverage-guided greybox fuzzing. However, there is currently a lack of whitebox fuzzers operating above the binary code level. We present KLUZZER, a whitebox fuzzer targeting LLVM bitcode, which can thus be easily combined with LLVM’s widely deployed coverage-guided greybox fuzzer LibFuzzer. Experimental evaluation on a set of benchmarks shows encouraging results.
Acknowledgment
This work was supported by the Central Research Development Fund of the University of Bremen.
© 2019 Springer Nature Switzerland AG
Le, H.M. (2019). KLUZZER: Whitebox Fuzzing on Top of LLVM. In: Chen, YF., Cheng, CH., Esparza, J. (eds) Automated Technology for Verification and Analysis. ATVA 2019. Lecture Notes in Computer Science(), vol 11781. Springer, Cham. https://doi.org/10.1007/978-3-030-31784-3_14
DOI: https://doi.org/10.1007/978-3-030-31784-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31783-6
Online ISBN: 978-3-030-31784-3
eBook Packages: Computer Science, Computer Science (R0)