CtxFuzz: Discovering Heap-Based Memory Vulnerabilities Through Context Heap Operation Sequence Guided Fuzzing

  • Conference paper
  • Theoretical Aspects of Software Engineering (TASE 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14777)

Abstract

Heap-based memory vulnerabilities are a significant threat to software security and reliability. Whether such a vulnerability is triggered depends on factors such as code coverage, the number of heap operations performed, and the order in which they execute. Existing fuzzing solutions try to detect these vulnerabilities efficiently by relying on static analysis or by feeding back information about the sequence of heap operations. These solutions, however, have limited practical applicability and do not comprehensively address both the temporal and the spatial aspects of heap operations. In this paper, we propose a dedicated fuzzing technique, CtxFuzz, that efficiently discovers heap-based temporal and spatial memory vulnerabilities without requiring any domain knowledge. CtxFuzz uses context heap operation sequences (sequences of heap operations such as allocation, deallocation, read, and write, each associated with the heap memory address it acts on) as a new feedback mechanism to guide fuzzing. This lets CtxFuzz explore more heap states and trigger more heap-based memory vulnerabilities, both temporal and spatial. We evaluate CtxFuzz on 9 real-world open-source programs and compare its performance with 5 state-of-the-art fuzzers. The results show that CtxFuzz outperforms most of these fuzzers at discovering heap-based memory vulnerabilities. Our experiments also identified 10 zero-day vulnerabilities (10 CVEs).
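The feedback idea in the abstract, recording for each heap address the sequence of allocation, deallocation, read and write operations applied to it and treating a new sequence as a reason to keep an input, can be sketched in a few dozen lines of C. The block below is an added illustration written for this page; it is not CtxFuzz's instrumentation and does not reproduce the paper's design. The chunk table, the single-letter op encoding, the FNV-1a feedback hash, the ctx_* function names and the three demo scenarios are all assumptions of the example.

```c
/* Added example, not the paper's code: a shadow-heap tracker that records, per
 * chunk, the sequence of heap operations applied to it (A alloc, W write, R read,
 * F free), classifies each access as temporal (use after free, double free) or
 * spatial (overrun of the owning chunk), and hashes the ordered (chunk, op) log
 * into a feedback value. ctx_access() stands in for compile-time load/store
 * instrumentation; table sizes and the FNV-1a hash are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNKS 64
#define MAX_OPS    32
enum { CTX_OK = 0, CTX_TEMPORAL = 1, CTX_SPATIAL = 2, CTX_UNKNOWN = 3 };

typedef struct {
    uintptr_t base;             /* user pointer returned by malloc */
    size_t    size;             /* requested size */
    int       freed;            /* set once free() has been observed */
    char      ops[MAX_OPS + 1]; /* per-chunk sequence, e.g. "AWFR" */
} chunk_t;
static chunk_t chunks[MAX_CHUNKS];
static int nchunks;
static struct { int chunk; char op; } oplog[MAX_CHUNKS * MAX_OPS]; /* ordered global log */
static int nlog;

static void record(int idx, char op) {
    size_t n = strlen(chunks[idx].ops);
    if (n < MAX_OPS) { chunks[idx].ops[n] = op; chunks[idx].ops[n + 1] = '\0'; }
    if (nlog < MAX_CHUNKS * MAX_OPS) { oplog[nlog].chunk = idx; oplog[nlog].op = op; nlog++; }
}
/* Newest chunk with the given freed state that contains address a, or -1. */
static int find_chunk(uintptr_t a, int freed) {
    for (int i = nchunks - 1; i >= 0; i--)
        if (chunks[i].freed == freed && a >= chunks[i].base && a < chunks[i].base + chunks[i].size)
            return i;
    return -1;
}

void ctx_reset(void) {                  /* fresh run: release live chunks, clear records */
    for (int i = 0; i < nchunks; i++) if (!chunks[i].freed) free((void *)chunks[i].base);
    memset(chunks, 0, sizeof chunks); nchunks = nlog = 0;
}
void *ctx_malloc(size_t size) {
    void *p = nchunks < MAX_CHUNKS ? malloc(size) : NULL;
    if (!p) return NULL;
    chunks[nchunks] = (chunk_t){ .base = (uintptr_t)p, .size = size };
    record(nchunks++, 'A');
    return p;
}
int ctx_free(void *p) {
    uintptr_t a = (uintptr_t)p; int i = find_chunk(a, 0);
    if (i >= 0 && chunks[i].base == a) { chunks[i].freed = 1; record(i, 'F'); free(p); return CTX_OK; }
    i = find_chunk(a, 1);               /* already freed: double free */
    if (i >= 0 && chunks[i].base == a) { record(i, 'F'); return CTX_TEMPORAL; }
    return CTX_UNKNOWN;                 /* not a tracked heap pointer */
}
/* Classify an access of len bytes at p and append op to the owning chunk. */
int ctx_access(const void *p, size_t len, char op) {
    uintptr_t a = (uintptr_t)p; int i = find_chunk(a, 0);
    if (i >= 0) {                       /* starts in a live chunk; may overrun it */
        record(i, op);
        return a + len <= chunks[i].base + chunks[i].size ? CTX_OK : CTX_SPATIAL;
    }
    i = find_chunk(a, 1);               /* inside a freed chunk: use after free */
    if (i >= 0) { record(i, op); return CTX_TEMPORAL; }
    return CTX_UNKNOWN;                 /* stack/global: not heap feedback */
}
const char *ctx_sequence(int idx) { return idx >= 0 && idx < nchunks ? chunks[idx].ops : ""; }

/* FNV-1a over the ordered (chunk, op) log: two inputs with identical code
 * coverage but a different heap operation order hash differently. */
uint64_t ctx_feedback(void) {
    uint64_t h = 1469598103934665603ULL, prime = 1099511628211ULL;
    for (int i = 0; i < nlog; i++)
        h = (((h ^ (uint8_t)oplog[i].chunk) * prime) ^ (uint8_t)oplog[i].op) * prime;
    return h;
}

/* Constructed scenarios standing in for fuzzer-generated inputs. */
int demo_use_after_free(void) {         /* write, free, read -> CTX_TEMPORAL; chunk 0 reads "AWFR" */
    ctx_reset();
    char *p = ctx_malloc(16);
    ctx_access(p, 4, 'W'); ctx_free(p);
    return ctx_access(p, 4, 'R');
}
int demo_heap_overflow(void) {          /* 8 bytes at offset 4 of an 8-byte chunk -> CTX_SPATIAL; "AWWF" */
    ctx_reset();
    char *p = ctx_malloc(8);
    ctx_access(p, 8, 'W');              /* in bounds */
    int r = ctx_access(p + 4, 8, 'W');  /* overruns the chunk by 4 bytes */
    ctx_free(p);
    return r;
}
int demo_order_is_feedback(void) {      /* same coverage, swapped free order -> 1 */
    ctx_reset();
    void *a = ctx_malloc(32), *b = ctx_malloc(32);
    ctx_free(a); ctx_free(b);
    uint64_t h1 = ctx_feedback();
    ctx_reset();
    a = ctx_malloc(32); b = ctx_malloc(32);
    ctx_free(b); ctx_free(a);
    return ctx_feedback() != h1;
}
```

Compile with any C99 compiler and call the demo functions. An AFL-style harness would compare ctx_feedback() against the values seen so far and keep an input whose hash is new even when its edge coverage is not, which is what lets the fuzzer steer toward unexplored heap states; demo_order_is_feedback() shows the case edge coverage alone cannot distinguish. A real implementation would hook loads and stores through compiler instrumentation and quarantine freed chunks, since in this sketch a freed address that the allocator hands out again is attributed to the new live chunk and a stale pointer to it goes unnoticed.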

Acknowledgements

The authors would like to thank the anonymous reviewers for their constructive comments. This work was supported in part by the National Natural Science Foundation of China (Nos. 62372304, 62302375, 62192734), the China Postdoctoral Science Foundation funded project (No. 2023M723736), and the Fundamental Research Funds for the Central Universities.

Author information

Correspondence to Cheng Wen or Shengchao Qin.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Jiang, J., Wen, C., Qin, S. (2024). CtxFuzz: Discovering Heap-Based Memory Vulnerabilities Through Context Heap Operation Sequence Guided Fuzzing. In: Chin, WN., Xu, Z. (eds) Theoretical Aspects of Software Engineering. TASE 2024. Lecture Notes in Computer Science, vol 14777. Springer, Cham. https://doi.org/10.1007/978-3-031-64626-3_12

  • DOI: https://doi.org/10.1007/978-3-031-64626-3_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-64625-6

  • Online ISBN: 978-3-031-64626-3

  • eBook Packages: Computer Science (R0)
