WhirlingFuzzwork: a taint-analysis-based API in-memory fuzzing framework

  • Methodologies and Application
  • Journal: Soft Computing

Abstract

Fuzz testing is widely used as an automatic solution for discovering vulnerabilities in binary programs that process files. Because such tests are largely blind and achieve low code-path coverage, they are typically quite inefficient. In this paper, a novel API in-memory fuzz testing technique that eliminates the blindness of existing techniques is discussed. The technique employs dynamic taint analysis to locate the routines and instructions in the target binary executable that parse and process the input data. In the testing phase, binary instrumentation is used to construct loops around these routines, and the tainted memory values they consume are mutated on each iteration of the loop. In experiments with the prototype tool, the technique effectively detected defects such as stack overflows. Compared with traditional fuzzing tools, this API in-memory fuzzing eliminated the bottleneck of interrupting execution paths and gained a greater than 95 % enhancement in execution speed.
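The two phases the abstract describes, taint-locating the bytes a parsing routine consumes and then looping over that routine in memory while mutating only those bytes, as an added toy model in Python (example code written for this page, not the WhirlingFuzzwork tool itself; the parser, its 8-byte stack buffer, the "MZ" header and the seed input are all constructed for illustration):

```python
"""Toy model of taint-located API in-memory fuzzing (added example, not the paper's code)."""
from dataclasses import dataclass, field

STACK_BUF = 8  # constructed: the target routine copies the payload into an 8-byte stack buffer
INTERESTING = (0x00, 0x7F, 0x80, 0xFF)  # boundary values tried at each tainted offset


class StackOverflow(Exception):
    """Stands in for the crash a real harness would observe (e.g. a guard page or canary trip)."""


class TaintedInput(bytearray):
    """Input buffer that records every offset the target routine reads: the taint-analysis phase."""
    def __init__(self, data):
        super().__init__(data)
        self.touched = set()

    def __getitem__(self, key):
        if isinstance(key, slice):
            self.touched.update(range(*key.indices(len(self))))
        else:
            self.touched.add(key % len(self))
        return super().__getitem__(key)


def parse_record(buf):
    """Constructed target routine: 2-byte header, 1-byte length, payload copied to a fixed buffer."""
    if buf[0:2] != b"MZ":
        return None  # early reject: the payload bytes are never read, so they stay untainted
    length = buf[2]
    payload = bytes(buf[3:3 + length])
    if len(payload) > STACK_BUF:  # the bug the fuzz loop should find: no bound check on length
        raise StackOverflow(f"copy of {len(payload)} bytes into {STACK_BUF}-byte buffer")
    return payload


def locate_tainted_offsets(routine, seed):
    """Run the routine once on the seed and return the input offsets it actually consumed."""
    buf = TaintedInput(seed)
    routine(buf)
    return sorted(buf.touched)


@dataclass
class FuzzResult:
    executions: int = 0
    crashes: list = field(default_factory=list)  # (offset, value, description)


def in_memory_fuzz(routine, seed, tainted):
    """Loop around the routine: restore the entry snapshot, mutate one tainted byte, re-enter."""
    snapshot = bytes(seed)  # state at routine entry; restoring it replaces a full process restart
    result = FuzzResult()
    for offset in tainted:
        for value in INTERESTING:
            buf = bytearray(snapshot)
            buf[offset] = value
            result.executions += 1
            try:
                routine(buf)
            except StackOverflow as exc:
                result.crashes.append((offset, value, str(exc)))
    return result


SEED = b"MZ" + bytes([4]) + b"abcd" + b"\x00" * 9  # constructed valid seed, 16 bytes
```

Only the seven offsets the routine touched are mutated, so the nine trailing bytes cost no executions; the crashes all come from the length byte at offset 2.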



Acknowledgments

The research did not involve human participants or animals. The sources of funding include National Natural Science Foundation of China (No. 61272493). There are no potential conflicts of interests.

Author information

Corresponding author

Correspondence to Baojiang Cui.

Ethics declarations

Compliance with ethical standards

On behalf of, and having obtained permission from all the authors, I declare that: the material has not been published in whole or in part elsewhere; the paper is not currently being considered for publication elsewhere; all authors have been personally and actively involved in substantive work leading to the report, and will hold themselves jointly and individually responsible for its content.

Conflict of interest

The authors declare that they have no conflict of interest.

Additional information

Communicated by V. Loia.

About this article

Cite this article

Cui, B., Wang, F., Hao, Y. et al. WhirlingFuzzwork: a taint-analysis-based API in-memory fuzzing framework. Soft Comput 21, 3401–3414 (2017). https://doi.org/10.1007/s00500-015-2017-6

  • DOI: https://doi.org/10.1007/s00500-015-2017-6
