DOI: 10.1145/3319535.3354249
Research article, CCS conference proceedings

Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing

Published: 06 November 2019

Abstract

Hybrid fuzzing, which combines fuzzing and concolic execution, is promising in light of the recent performance improvements in concolic engines. We have observed that there is room for further improvement: symbolic emulation is still slow, unnecessary constraints dominate solving time, resources are overly allocated, and hard-to-trigger bugs are missed. To address these problems, we present a new hybrid fuzzer named Intriguer. The key idea of Intriguer is field-level constraint solving, which optimizes symbolic execution with field-level knowledge. Intriguer performs instruction-level taint analysis and records execution traces that exclude data transfer instructions such as mov. Intriguer then reduces the execution traces by removing tainted instructions that accessed a wide range of input bytes, and infers input fields to build field transition trees. With these optimizations, Intriguer can efficiently perform symbolic emulation for more relevant instructions only and invoke a solver for complicated constraints only. Our evaluation results indicate that Intriguer outperforms the state-of-the-art fuzzers: Intriguer found all the bugs in the LAVA-M(5h) benchmark dataset for ground truth performance, and also discovered 43 new security bugs in seven real-world programs. We reported the bugs and received 23 new CVEs.
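The pipeline the abstract sketches (reduce the taint trace, drop wide-range accesses, infer input fields, and satisfy simple field-level comparisons without a solver) is illustrated below in Python. This is an added example, not Intriguer's code: the trace record format, the DATA_TRANSFER set, the WIDE_RANGE_THRESHOLD, the "bytes read together form one field" inference rule, the little-endian write-back for `cmp` against an immediate, and the sample input and trace are all assumptions constructed for the example. Field transition trees are not modelled; the example stops at field inference and at sorting constraints into "solved directly" versus "left for an SMT solver".

```python
"""Added illustration of the field-level idea sketched in the abstract:
reduce a taint trace, infer input fields, and satisfy simple field-level
comparisons directly so an SMT solver is reserved for complex constraints.
This is not Intriguer's code; the trace format, mnemonic set, threshold
and field-inference rule below are assumptions made for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TaintedInsn:
    addr: int                      # instruction address (constructed values)
    mnemonic: str                  # x86 mnemonic, e.g. "cmp"
    offsets: Tuple[int, ...]       # input byte offsets the instruction read
    operand: Optional[int] = None  # immediate it was compared against, if any


# Data-transfer instructions propagate taint but impose no constraint; the
# abstract says Intriguer does not record them. Set chosen for the example.
DATA_TRANSFER = {"mov", "movzx", "movsx", "lea", "push", "pop"}
# Assumption: an instruction touching more than this many distinct input
# bytes (e.g. a checksum loop) is treated as "wide range" and dropped.
WIDE_RANGE_THRESHOLD = 8


def reduce_trace(trace: List[TaintedInsn]) -> List[TaintedInsn]:
    """Keep tainted, non-data-transfer instructions that read a narrow
    set of input bytes; wide-range accesses are removed from the trace."""
    return [i for i in trace
            if i.mnemonic not in DATA_TRANSFER
            and 0 < len(set(i.offsets)) <= WIDE_RANGE_THRESHOLD]


def infer_fields(trace: List[TaintedInsn]) -> List[Tuple[int, int]]:
    """Infer input fields from access patterns: byte offsets read by the
    same instruction belong to one field, and overlapping groups merge.
    Returns sorted (first_offset, last_offset) pairs (simplified rule)."""
    groups: List[set] = []
    for insn in trace:
        merged = set(insn.offsets)
        remaining = []
        for g in groups:
            if g & merged:
                merged |= g
            else:
                remaining.append(g)
        remaining.append(merged)
        groups = remaining
    return sorted((min(g), max(g)) for g in groups)


def solve_field_constraints(input_bytes: bytes, trace: List[TaintedInsn]):
    """For each `cmp field, imm`, write the immediate into the field
    (little-endian, masked to the field width) to produce an input that
    takes the other branch without invoking a solver. Anything that is
    not a plain comparison is returned for a real solver to handle."""
    mutants, for_solver = [], []
    for insn in trace:
        if insn.mnemonic == "cmp" and insn.operand is not None:
            lo, hi = min(insn.offsets), max(insn.offsets)
            width = hi - lo + 1
            value = insn.operand & ((1 << (8 * width)) - 1)
            new = bytearray(input_bytes)
            new[lo:hi + 1] = value.to_bytes(width, "little")
            mutants.append(bytes(new))
        else:
            for_solver.append(insn)
    return mutants, for_solver


# Constructed sample: a 16-byte input and a trace of tainted instructions.
SAMPLE_INPUT = bytes(range(16))
SAMPLE_TRACE = [
    TaintedInsn(0x1000, "mov", (0, 1, 2, 3)),
    TaintedInsn(0x1004, "cmp", (0, 1, 2, 3), operand=0x46464952),  # "RIFF" magic
    TaintedInsn(0x1010, "mov", (4, 5)),
    TaintedInsn(0x1012, "cmp", (4, 5), operand=0x0100),
    TaintedInsn(0x1020, "imul", (6, 7)),                # non-trivial: solver work
    TaintedInsn(0x1030, "add", tuple(range(16))),       # checksum loop, wide range
]


def demo():
    """Run the three stages on the constructed sample and return the results."""
    reduced = reduce_trace(SAMPLE_TRACE)
    fields = infer_fields(reduced)
    mutants, pending = solve_field_constraints(SAMPLE_INPUT, reduced)
    return reduced, fields, mutants, pending


if __name__ == "__main__":
    reduced, fields, mutants, pending = demo()
    print("fields:", fields)
    print("direct inputs:", [m.hex() for m in mutants])
    print("left for solver:", [hex(i.addr) for i in pending])
```

On the sample trace the two `mov` records and the whole-input checksum `add` are discarded, three fields (bytes 0-3, 4-5, 6-7) are inferred, the two `cmp` constraints are satisfied by writing the immediates straight into their fields, and only the `imul` remains as work for a solver. That split is the point of the abstract: a solver call per comparison is what makes "unnecessary constraints dominate solving time".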

Supplementary Material

WEBM File (p515-cho.webm)


Cited By

  • WhiteFox: White-Box Compiler Fuzzing Empowered by Large Language Models. Proceedings of the ACM on Programming Languages 8, OOPSLA2 (2024), 709-735. doi:10.1145/3689736. Online publication date: 8 Oct 2024.
  • Directed Fuzzing Based on Bottleneck Detection. Proceedings of the 2024 5th International Conference on Computing, Networks and Internet of Things (2024), 32-37. doi:10.1145/3670105.3670111. Online publication date: 24 May 2024.
  • Better Pay Attention Whilst Fuzzing. IEEE Transactions on Software Engineering 50, 2 (2024), 190-208. doi:10.1109/TSE.2023.3338129. Online publication date: Feb 2024.
  • Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference. 2024 IEEE Symposium on Security and Privacy (SP), 1956-1973. doi:10.1109/SP54263.2024.00142. Online publication date: 19 May 2024.
  • SoK: Prudent Evaluation Practices for Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), 1974-1993. doi:10.1109/SP54263.2024.00137. Online publication date: 19 May 2024.
  • Titan: Efficient Multi-target Directed Greybox Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), 1849-1864. doi:10.1109/SP54263.2024.00059. Online publication date: 19 May 2024.
  • PBFuzz: Potential-aware Branch-oriented Hybrid Fuzzing. 2024 4th International Symposium on Computer Technology and Information Science (ISCTIS), 608-614. doi:10.1109/ISCTIS63324.2024.10699190. Online publication date: 12 Jul 2024.
  • Automated Hybrid Fuzzing of Web APIs. 2024 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), 283-292. doi:10.1109/ICSTW60967.2024.00057. Online publication date: 27 May 2024.
  • Machine Learning-Based Fuzz Testing Techniques: A Survey. IEEE Access 12 (2024), 14437-14454. doi:10.1109/ACCESS.2023.3347652. Online publication date: 2024.
  • Grammar-aware test case trimming for efficient hybrid fuzzing. Journal of King Saud University - Computer and Information Sciences 36, 1 (2024), 101920. doi:10.1016/j.jksuci.2024.101920. Online publication date: Jan 2024.

Published In

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
November 2019, 2755 pages
ISBN: 9781450367479
DOI: 10.1145/3319535

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. constraint solving
  2. fuzzing
  3. hybrid fuzzing


Acceptance Rates

CCS '19 paper acceptance rate: 149 of 934 submissions (16%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)


Article Metrics

  • Downloads (last 12 months): 102
  • Downloads (last 6 weeks): 17

Reflects downloads up to 22 Feb 2025.
