ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-Based Taint Inference

Regular Paper, Journal of Computer Science and Technology

Abstract

Grey-box fuzzing is an effective technique for detecting software vulnerabilities such as memory corruption. Previous fuzzers that target memory corruption bugs either rely on heavy-weight analysis or use techniques that are not customized for memory corruption detection. In this paper, we propose a novel memory-bug-guided fuzzer, ovAFLow. To begin with, we broaden the set of memory corruption targets at which bugs are frequently identified. Next, ovAFLow uses light-weight and effective methods to build connections between the fuzzing inputs and these corruption targets. Based on the inferred connections, ovAFLow applies customized techniques to direct the fuzzing process closer to memory corruption. We evaluate ovAFLow against state-of-the-art fuzzers, including AFL (american fuzzy lop), AFLFast, FairFuzz, QSYM, Angora, TIFF, and TortoiseFuzz. The evaluation results show that ovAFLow has better vulnerability detection ability, with acceptable performance overhead. Moreover, we identify 12 new memory corruption bugs and two CVEs (Common Vulnerabilities and Exposures) with the help of ovAFLow.



Corresponding author

Correspondence to Gen Zhang.

Supplementary Information: ESM 1 (PDF 151 kb)


Cite this article

Zhang, G., Wang, PF., Yue, T. et al. ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-Based Taint Inference. J. Comput. Sci. Technol. 37, 405–422 (2022). https://doi.org/10.1007/s11390-021-1600-9
