DOI: 10.1145/3368089.3409769
Research article

CrFuzz: fuzzing multi-purpose programs through input validation

Published: 08 November 2020

Abstract

Fuzz testing has proved its effectiveness in discovering software vulnerabilities. Empowered by its inherent randomness together with coverage guidance, fuzzing has identified a vast number of vulnerabilities in real-world programs. This paper begins with the observation that the design of current state-of-the-art fuzzers is not well suited to a particular (but important) class of software programs. Specifically, current fuzzers have limitations in fuzzing programs that serve multiple purposes, where each purpose is controlled by extra options.
This paper proposes CrFuzz, which overcomes this limitation. CrFuzz uses a clustering analysis to automatically predict whether a newly given input would be accepted by a target program. Exploiting this prediction capability, CrFuzz is designed to efficiently explore programs with multiple purposes. We applied CrFuzz to three state-of-the-art fuzzers, AFL, QSYM, and MOpt, and the CrFuzz-augmented versions showed 19.3% and 5.68% better path and edge coverage, respectively, on average. More importantly, during two weeks of long-running experiments, CrFuzz discovered 277 previously unknown vulnerabilities, 212 of which have already been confirmed and fixed by the respective vendors. We would like to emphasize that many of these vulnerabilities were discovered in FFmpeg, ImageMagick, and GraphicsMagick, all of which are targets of Google's OSS-Fuzz project and have thus been heavily fuzzed for the last three years. Nevertheless, CrFuzz identified a remarkable number of vulnerabilities, demonstrating the effectiveness of its vulnerability-finding capability.
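The idea in the abstract (cluster execution feedback to predict whether an input gets past a mode's input validation, then spend fuzzing effort on the inputs that do) can be illustrated with a small self-contained model. The following is an added example written for this page, not the CrFuzz code and not the paper's exact algorithm: the toy two-mode target and its edge names, the binary coverage encoding, the two-cluster k-means, the per-option predictor and the rule "the cluster whose centroid covers more edges is the accepted one" are all assumptions of the example.

```python
"""Added illustration of clustering-based acceptance prediction for a
multi-purpose target. NOT the CrFuzz implementation; every name, feature
choice and heuristic below is an assumption made for this example."""
import random


def run_target(option: str, data: bytes) -> frozenset:
    """Constructed toy program with two purposes selected by an option.
    Returns the set of executed 'edges', standing in for coverage feedback."""
    edges = {"main"}
    if option == "--png":
        edges.add("png:entry")
        if len(data) < 3 or data[:2] != b"PN":        # validation: magic + count byte
            edges.add("png:reject")
            return frozenset(edges)
        edges.add("png:validated")
        n_chunks = data[2]
        if n_chunks > len(data) - 3:                   # declared chunks exceed payload
            edges.add("png:len_error")
            return frozenset(edges)
        edges.add("png:process")
        edges.add("png:chunks=%d" % min(n_chunks, 3))  # deeper code varies per input
    elif option == "--gif":
        edges.add("gif:entry")
        if len(data) < 3 or data[:2] != b"GI" or data[2] not in (7, 8):
            edges.add("gif:reject")
            return frozenset(edges)
        edges.add("gif:validated")
        edges.add("gif:process")
        edges.add("gif:frames=%d" % min(len(data) - 3, 3))
    else:
        edges.add("usage")
    return frozenset(edges)


def trace_to_vector(edges, vocab):
    """Binary coverage vector over a fixed edge vocabulary; unknown edges are ignored."""
    return [1.0 if e in edges else 0.0 for e in vocab]


def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, k=2, iters=50):
    """Plain k-means with deterministic farthest-point initialisation, so the two
    seeds never both land inside one group of identical traces."""
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(sqdist(v, c) for c in centroids))
        centroids.append(list(far))
    for _ in range(iters):
        assign = [min(range(k), key=lambda c: sqdist(v, centroids[c])) for v in vectors]
        new = []
        for c in range(k):
            members = [v for v, a in zip(vectors, assign) if a == c]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centroids[c])
        if new == centroids:
            break
        centroids = new
    return centroids


class AcceptancePredictor:
    """One predictor per option, because each purpose has its own validator.
    Heuristic (assumption): the cluster whose centroid covers more edges holds the
    inputs that got past validation into the real processing code."""

    def __init__(self, vocab, centroids):
        self.vocab, self.centroids = vocab, centroids
        self.accepted = max(range(len(centroids)), key=lambda c: sum(centroids[c]))

    def predict(self, edges) -> bool:
        v = trace_to_vector(edges, self.vocab)
        nearest = min(range(len(self.centroids)), key=lambda c: sqdist(v, self.centroids[c]))
        return nearest == self.accepted


def build_corpus(option, seed=1, n=40):
    """Constructed seed corpus: half well-formed for the mode, half random bytes."""
    rng = random.Random(seed)
    magic = {"--png": b"PN", "--gif": b"GI"}[option]
    corpus = []
    for i in range(n):
        body = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 6)))
        if i % 2 == 0:
            third = rng.randrange(len(body) + 1) if option == "--png" else rng.choice((7, 8))
            corpus.append(magic + bytes([third]) + body)
        else:
            corpus.append(body)
    return corpus


def train_predictor(option, corpus):
    """Unsupervised: no label says which exit was the rejection, only the traces."""
    traces = [run_target(option, d) for d in corpus]
    vocab = sorted(set().union(*traces))
    vectors = [trace_to_vector(t, vocab) for t in traces]
    return AcceptancePredictor(vocab, kmeans(vectors, k=2))


def triage(option, predictor, candidates):
    """Fuzzer-side use: keep candidates predicted to pass validation, so the
    mutation budget goes to inputs that reach the mode's processing code."""
    return [d for d in candidates if predictor.predict(run_target(option, d))]


if __name__ == "__main__":
    for opt in ("--png", "--gif"):
        pred = train_predictor(opt, build_corpus(opt))
        cands = [b"PN\x02xy", b"GI\x07abc", b"zz", b"GI\x09abc"]
        print(opt, "predicted accepted:", triage(opt, pred, cands))
```

Running the script trains one predictor per option and prints which of the constructed candidates each one routes to the "accepted" cluster; note that the predictor never sees a validity label, it only sees that traces which pass validation cover visibly more of the mode's code than those stopped at the check.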

Supplementary Material

Auxiliary Teaser Video (fse20main-p1004-p-teaser.mp4)
This is a presentation video of my talk at ESEC/FSE 2020 on our paper accepted in the research track. The main contribution of this paper is that we propose CrFuzz, which is an efficient multi-purpose program fuzzer. It can automatically check the validity of input and can be easily added to most generic fuzzers. It uncovered 277 new vulnerabilities in various software programs.
Auxiliary Presentation Video (fse20main-p1004-p-video.mp4)




Published In

ESEC/FSE 2020: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
November 2020
1703 pages
ISBN: 9781450370431
DOI: 10.1145/3368089
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Coverage-guided fuzzing
    2. Fuzz testing

    Qualifiers

    • Research-article

Conference

ESEC/FSE '20

    Acceptance Rates

    Overall Acceptance Rate 112 of 543 submissions, 21%

    Article Metrics

    • Downloads (Last 12 months)60
    • Downloads (Last 6 weeks)4
    Reflects downloads up to 20 Feb 2025

    Cited By

    • (2024) ProphetFuzz: Fully Automated Prediction and Fuzzing of High-Risk Option Combinations with Only Documentation via Large Language Model. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 735-749. DOI: 10.1145/3658644.3690231. Online publication date: 2-Dec-2024.
    • (2024) OSmart: Whitebox Program Option Fuzzing. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 705-719. DOI: 10.1145/3658644.3690228. Online publication date: 2-Dec-2024.
    • (2024) SoK: Prudent Evaluation Practices for Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1974-1993. DOI: 10.1109/SP54263.2024.00137. Online publication date: 19-May-2024.
    • (2024) Enhancing Black-box Compiler Option Fuzzing with LLM through Command Feedback. 2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE), pp. 319-330. DOI: 10.1109/ISSRE62328.2024.00039. Online publication date: 28-Oct-2024.
    • (2023) CarpetFuzz. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1919-1936. DOI: 10.5555/3620237.3620345. Online publication date: 9-Aug-2023.
    • (2022) SpecDoctor. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1473-1487. DOI: 10.1145/3548606.3560578. Online publication date: 7-Nov-2022.
    • (2022) Fuzzing: A Survey for Roadmap. ACM Computing Surveys 54(11s), pp. 1-36. DOI: 10.1145/3512345. Online publication date: 9-Sep-2022.
    • (2022) DeltaFuzz: Historical Version Information Guided Fuzz Testing. Journal of Computer Science and Technology 37(1), pp. 29-49. DOI: 10.1007/s11390-021-1663-7. Online publication date: 31-Jan-2022.
