
Vulnerable Region-Aware Greybox Fuzzing

  • Regular Paper
Journal of Computer Science and Technology

Abstract

Fuzzing is known to be one of the most effective techniques for uncovering security vulnerabilities in large-scale software systems. During fuzzing, it is crucial to distribute the fuzzing resources appropriately so as to achieve the best fuzzing performance under a limited budget. Existing distribution strategies of American Fuzzy Lop (AFL) based greybox fuzzing focus on increasing coverage blindly, without considering the metrics of code regions, and thus lack insight into which region is more likely to be vulnerable and deserves more fuzzing resources. We tackle this drawback by proposing a vulnerable region-aware greybox fuzzing approach. Specifically, we distribute more fuzzing resources towards regions that are more likely to be vulnerable, based on four kinds of code metrics. We implemented the approach as an extension to AFL named RegionFuzz. Large-scale experimental evaluations validate the effectiveness and efficiency of RegionFuzz: 11 new bugs, including three new CVEs, are successfully uncovered by RegionFuzz.
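The energy-distribution idea sketched above, as an added illustration rather than RegionFuzz's own code: regions are scored from four constructed metric kinds, and each seed's baseline energy is scaled by the most suspicious region it covers. The metric names, the min-max normalisation and the multiplicative scaling are assumptions, since the abstract does not state RegionFuzz's concrete metrics or formula.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RegionMetrics:
    # Constructed stand-ins for the "four kinds of code metrics"; the concrete
    # metrics RegionFuzz uses are not given in the abstract (assumption).
    complexity: int    # e.g. cyclomatic complexity of the region
    loops: int         # number of loops
    pointer_ops: int   # pointer dereferences / pointer arithmetic
    unsafe_calls: int  # calls to memory-unsafe APIs (memcpy, strcpy, ...)

KINDS = ("complexity", "loops", "pointer_ops", "unsafe_calls")

def region_scores(metrics):
    """Score each region in [0, 1]: min-max normalise every metric kind
    across all regions, then average the four normalised values."""
    cols = {k: [getattr(m, k) for m in metrics.values()] for k in KINDS}
    def norm(k, v):
        lo, hi = min(cols[k]), max(cols[k])
        return 0.0 if hi == lo else (v - lo) / (hi - lo)
    return {name: sum(norm(k, getattr(m, k)) for k in KINDS) / len(KINDS)
            for name, m in metrics.items()}

def seed_energy(base, covered, scores, max_factor=4.0):
    """Scale a seed's baseline (AFL-style) energy by the highest region score
    it exercises; the factor stays within [1, max_factor]."""
    if not covered:
        return base
    best = max(scores.get(r, 0.0) for r in covered)
    return int(round(base * (1.0 + (max_factor - 1.0) * best)))

def schedule(base, seeds, metrics):
    """Energy per seed: seeds reaching vulnerable-looking regions get more."""
    scores = region_scores(metrics)
    return {s: seed_energy(base, cov, scores) for s, cov in seeds.items()}

# Constructed sample: three regions (functions) and three seeds with their coverage.
SAMPLE_METRICS = {
    "parse_header": RegionMetrics(complexity=12, loops=3, pointer_ops=20, unsafe_calls=4),
    "print_usage": RegionMetrics(complexity=1, loops=0, pointer_ops=0, unsafe_calls=0),
    "checksum": RegionMetrics(complexity=4, loops=1, pointer_ops=6, unsafe_calls=0),
}
SAMPLE_SEEDS = {
    "seed_help": {"print_usage"},
    "seed_valid": {"parse_header", "checksum"},
    "seed_crc": {"checksum"},
}
```

With a baseline of 100, `schedule(100, SAMPLE_SEEDS, SAMPLE_METRICS)` gives the seed that only reaches `print_usage` 100, the seed reaching `parse_header` 400, and the seed reaching only `checksum` 168.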



Author information

Correspondence to Zhi-Qiang Zuo or Lin-Zhang Wang.

Supplementary Information

ESM 1

(PDF 1117 kb)


Cite this article

Situ, LY., Zuo, ZQ., Guan, L. et al. Vulnerable Region-Aware Greybox Fuzzing. J. Comput. Sci. Technol. 36, 1212–1228 (2021). https://doi.org/10.1007/s11390-021-1196-0


  • DOI: https://doi.org/10.1007/s11390-021-1196-0
