DOI: 10.1145/3236024.3275525 (ESEC/FSE conference proceedings, research article)

PAFL: extend fuzzing optimizations of single mode to industrial parallel mode

Published: 26 October 2018

ABSTRACT

Researchers have proposed many optimizations to improve the efficiency of fuzzing, and most optimized strategies work very well on their targets when running in single mode, i.e., with one fuzzer instance. However, in real industrial practice most fuzzers run in parallel mode with multiple fuzzer instances, and under that mode those optimizations unfortunately fail to maintain their efficiency improvements.

In this paper, we present PAFL, a framework that uses efficient guiding-information synchronization and task division to extend existing single-mode fuzzing optimizations to industrial parallel mode. With an additional data structure to store the guiding information, the synchronization ensures that the information is shared and updated among the different fuzzer instances in a timely manner. The task division then promotes the diversity of fuzzer instances by splitting the fuzzing task into several sub-tasks based on the branch bitmap. We first evaluate PAFL on 12 real-world programs from the Google fuzzer-test-suite. The results show that in parallel mode, two AFL improvers, AFLFast and FairFuzz, do not outperform AFL, unlike in single mode. However, when augmented with PAFL, the performance of AFLFast and FairFuzz in parallel mode improves: they cover 8% and 17% more branches and trigger 79% and 52% more unique crashes, respectively. In a further evaluation on more widely used software systems from GitHub, optimized fuzzers augmented with PAFL find more real bugs, 25 of which are security-critical vulnerabilities registered as CVEs in the US National Vulnerability Database.
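To make the two mechanisms the abstract names concrete, here is an added, self-contained model of them in Python. It is not PAFL's code and does not reproduce the paper's implementation: the toy target (`run_target`), the 16-entry bitmap, the single-byte mutator, the `Instance`/`campaign` names and the partition rule (branch index modulo instance count) are all assumptions chosen for illustration. What it does show is the effect the abstract argues for: letting instances synchronize coverage through a shared bitmap cuts duplicated discovery, and giving each instance a disjoint slice of the bitmap removes it entirely while keeping total coverage intact.

```python
"""Added illustration (not PAFL's code) of two ideas from the PAFL abstract:
(1) parallel fuzzer instances synchronize their branch-coverage "guiding
information" through a shared bitmap, and (2) the task is divided by
partitioning the bitmap so each instance owns a disjoint set of branches.
Target, bitmap size and mutator are constructed toys."""
import random
from typing import Dict, List, Set

BITMAP_SIZE = 16      # toy value; AFL's real bitmap has 65536 entries
N_INSTANCES = 4
ROUNDS = 60           # every round ends with one synchronization pass
BUDGET = 5            # executions per instance per round
ALL_BRANCHES = set(range(BITMAP_SIZE))


def run_target(data: bytes) -> Set[int]:
    """Constructed stand-in for an instrumented target: each of the first four
    bytes selects one of four branches, so every input hits exactly four entries."""
    return {pos * 4 + (data[pos] % 4) for pos in range(4)}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Single random byte replacement, the simplest havoc-style mutation."""
    buf = bytearray(seed)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


class Instance:
    """One fuzzer instance with its own queue and its own view of coverage."""

    def __init__(self, ident: int, partition: Set[int], seed: bytes, rng: random.Random):
        self.ident = ident
        self.partition = partition                 # branches this instance owns
        self.rng = rng
        self.queue: List[bytes] = [seed]
        self.local: Set[int] = run_target(seed) & partition   # branches it found

    def step(self, shared: Set[int], budget: int) -> None:
        """One fuzzing slice. A child is kept only if it reaches a branch that is
        (a) unknown both locally and in the shared bitmap (synchronization) and
        (b) inside this instance's partition (task division)."""
        for _ in range(budget):
            child = mutate(self.rng.choice(self.queue), self.rng)
            new = (run_target(child) - self.local - shared) & self.partition
            if new:
                self.local |= new
                self.queue.append(child)


def campaign(sync: bool, divide: bool, seed: int = 7) -> Dict[str, object]:
    """Run N_INSTANCES fuzzers and report total coverage plus 'redundant'
    discoveries: branch findings beyond the first by any instance."""
    partitions = [
        {b for b in ALL_BRANCHES if b % N_INSTANCES == k} if divide else set(ALL_BRANCHES)
        for k in range(N_INSTANCES)
    ]
    instances = [
        Instance(k, partitions[k], b"\x00\x00\x00\x00", random.Random(seed * 100 + k))
        for k in range(N_INSTANCES)
    ]
    shared: Set[int] = set()
    for _ in range(ROUNDS):
        for inst in instances:
            inst.step(shared if sync else set(), BUDGET)
        if sync:  # synchronization pass: publish every instance's findings
            for inst in instances:
                shared |= inst.local
    union = set().union(*(inst.local for inst in instances))
    return {
        "branches": len(union),
        "redundant": sum(len(inst.local) for inst in instances) - len(union),
        "per_instance": [set(inst.local) for inst in instances],
    }


if __name__ == "__main__":
    for label, kw in [("isolated", dict(sync=False, divide=False)),
                      ("synchronized", dict(sync=True, divide=False)),
                      ("synchronized + divided", dict(sync=True, divide=True))]:
        r = campaign(**kw)
        print(f"{label:24s} branches={r['branches']:2d} redundant={r['redundant']}")
```

In the isolated configuration every instance rediscovers the same branches on its own, which is the parallel-mode waste the abstract describes; synchronization shrinks that overlap to whatever two instances find within the same interval, and disjoint partitions make overlap impossible while the union of the instances' findings still covers the whole bitmap.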


Published in: ESEC/FSE 2018: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, October 2018, 987 pages. ISBN: 9781450355735. DOI: 10.1145/3236024.

Copyright © 2018 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article. Overall acceptance rate: 112 of 543 submissions (21%).
