
ICUFuzzer: Fuzzing ICU Library for Exploitable Bugs in Multiple Software

Conference paper in: Information Security (ISC 2018), Lecture Notes in Computer Science, volume 11060.

Abstract

Software is usually built on top of shared libraries, so a vulnerability in one of those dependencies can affect many products at once. ICU (International Components for Unicode) is one of the most widely used common components in modern software, providing Unicode and globalization support. ICU is used in a wide range of software from over 70 companies and organizations, including very popular software such as Chrome, Android, macOS, iOS, Windows 10, Edge, and Firefox.

In this paper, we propose a fuzzing method to discover vulnerabilities in the ICU library that are reachable from upper-layer application software. We also built a prototype named ICUFuzzer to uncover triggerable bugs in browsers' JavaScript engines, with which we have detected three zero-day vulnerabilities affecting popular browsers such as Chrome, Safari and Firefox. According to our further analysis, one of the bugs can be exploited to leak sensitive memory information and bypass mitigations such as ASLR and PIE.
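As an added illustration of the attack surface the abstract describes (not the paper's ICUFuzzer code), the following JavaScript generates RFC 5646-style language tags and pushes them through the ECMAScript Intl API, which is the path by which a browser's JavaScript engine hands locale input to ICU. It assumes Node.js with Intl support; the tag pools, the `probe` and `runCampaign` helpers and the seed are constructed for this example.

```javascript
// Added example (not the paper's ICUFuzzer): generate RFC 5646-shaped
// language tags and drive them through Intl, the layer that reaches ICU.

// Small deterministic PRNG so a campaign can be replayed from its seed.
function lcg(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 0x100000000;
}

// Subtag pools: well-formed values plus boundary cases
// ('und', 'Zzzz', 'ZZ', grandfathered 'i', private-use 'x').
const LANG = ['en', 'zh', 'de', 'ja', 'und', 'i', 'x'];
const SCRIPT = ['Latn', 'Hans', 'Cyrl', 'Zzzz'];
const REGION = ['US', 'CN', '419', 'ZZ'];
const VARIANT = ['1996', 'fonipa', 'valencia'];
const EXT = ['u-ca-chinese', 'u-nu-arab', 'u-co-pinyin', 'u-hc-h23'];

// Build one language[-script][-region][-variant][-extension][-private] tag;
// each optional subtag is included with probability p.
function genTag(rnd, p = 0.5) {
  const pick = (a) => a[Math.floor(rnd() * a.length)];
  const parts = [pick(LANG)];
  if (rnd() < p) parts.push(pick(SCRIPT));
  if (rnd() < p) parts.push(pick(REGION));
  if (rnd() < p) parts.push(pick(VARIANT));
  if (rnd() < p) parts.push(pick(EXT));
  if (rnd() < p) parts.push('x-priv');
  return parts.join('-');
}

// Canonicalise the tag and use it in a formatter. RangeError means the engine
// rejected malformed input (expected); anything else is a finding to triage.
function probe(tag) {
  try {
    const canon = Intl.getCanonicalLocales(tag)[0];
    new Intl.NumberFormat(canon).format(1234567.891);
    return { tag, canon, status: 'ok' };
  } catch (e) {
    const status = e instanceof RangeError ? 'rejected' : 'unexpected';
    return { tag, canon: null, status, error: e.name };
  }
}

function runCampaign(seed, n) {
  const rnd = lcg(seed);
  const counts = { ok: 0, rejected: 0, unexpected: 0 };
  for (let i = 0; i < n; i++) counts[probe(genTag(rnd)).status]++;
  return counts;
}
```

A native crash inside ICU would terminate the process rather than surface as an exception, so in practice the campaign runs under a crash-catching supervisor and the seed is kept to replay the offending tag.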

This work was partially supported by the National Natural Science Foundation of China (Grant No. 61472209 and No. 61772308), Tsinghua University Initiative Scientific Research Program (Grant No. 20151080436), the CCF-NSFOCUS Kunpeng Award, and the Young Talent Development Program by CCF.



Author information

Corresponding author: Kun Yang.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Yang, K., Deng, Y., Zhang, C., Zhuge, J., Duan, H. (2018). ICUFuzzer: Fuzzing ICU Library for Exploitable Bugs in Multiple Software. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science, vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_4


  • DOI: https://doi.org/10.1007/978-3-319-99136-8_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99135-1

  • Online ISBN: 978-3-319-99136-8
