research-article

NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing Logic

Authors:

Guangliang Yang,

Min Yang

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Pages 1272 - 1286

https://doi.org/10.1145/3576915.3623103

Published: 21 November 2023

Abstract

Fuzzing is one of the most popular and practical techniques for security analysis. In this work, we aim to address the critical problem of high-quality input generation with a novel input-aware fuzzing approach called NestFuzz. NestFuzz can universally and automatically model input format specifications and generate valid input.

The key observation behind NestFuzz is that the code semantics of the target program always strongly imply the required input format. NestFuzz therefore applies fine-grained program analysis to understand the input processing logic, especially the dependencies across different input fields and substructures. To this end, we design a novel data structure, the Input Processing Tree, and a new cascading dependency-aware mutation strategy to drive the fuzzing.
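To make the idea of dependencies across fields and substructures concrete, the following is a minimal sketch, not NestFuzz's implementation. It assumes a toy format in which a one-byte total-length field precedes a sequence of chunks, each made of a one-byte length field and a payload. The tree here is built by hand, whereas NestFuzz infers its Input Processing Tree through program analysis. All names (`Node`, `sizes`, `fix_dependencies`, `mutate_payload`) are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    """One node of a toy input tree: a leaf field or a substructure."""
    name: str
    data: bytes = b""  # leaf content (unused for nodes with children)
    children: List["Node"] = field(default_factory=list)
    # Hypothetical dependency: this leaf stores the byte length of `sizes`.
    sizes: Optional["Node"] = None

    def serialize(self) -> bytes:
        if self.children:
            return b"".join(c.serialize() for c in self.children)
        return self.data


def fix_dependencies(node: Node) -> None:
    """Recompute length fields bottom-up so inner changes cascade outward."""
    for child in node.children:
        fix_dependencies(child)
    for child in node.children:
        if child.sizes is not None:
            # One-byte length field; the toy format assumes sizes below 256.
            child.data = bytes([len(child.sizes.serialize())])


def make_chunk(payload: bytes) -> Node:
    body = Node("payload", data=payload)
    length = Node("length", sizes=body)
    return Node("chunk", children=[length, body])


def build_file(payloads: List[bytes]) -> Node:
    chunks = Node("chunks", children=[make_chunk(p) for p in payloads])
    total = Node("total_length", sizes=chunks)
    root = Node("file", children=[total, chunks])
    fix_dependencies(root)
    return root


def mutate_payload(root: Node, index: int, new_payload: bytes) -> bytes:
    """Replace one payload, then repair every length field that depends on it."""
    chunk = root.children[1].children[index]
    chunk.children[1].data = new_payload
    fix_dependencies(root)
    return root.serialize()
```

In this sketch, resizing a payload changes the length field of its own chunk and then the total-length field of the enclosing file, so the mutated input still satisfies both dependencies. A mutation that ignored the tree would leave one or both fields stale.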

Our evaluation on 20 intensively tested popular programs shows that NestFuzz is effective and practical. Compared with state-of-the-art fuzzers (AFL, AFLFast, AFL++, MOpt, AFLSmart, WEIZZ, ProFuzzer, and TIFF), NestFuzz outperforms them in both code coverage and security vulnerability detection. NestFuzz finds 46 unique and serious vulnerabilities. At the time of writing, 39 have been confirmed and 37 have been assigned CVE IDs.

Index Terms

1. Security and privacy
  1. Software and application security

Published In

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

November 2023

3722 pages

ISBN: 9798400700507

DOI: 10.1145/3576915

General Chairs: Weizhi Meng (Technical University of Denmark), Christian D. Jensen (Technical University of Denmark)

Program Chairs: Cas Cremers (CISPA Helmholtz Center for Information Security), Engin Kirda (Khoury College of Computer Sciences)

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

Research-article

Funding Sources

Shanghai Pilot Program for Basic Research - FuDan University
Funding of Ministry of Industry and Information Technology of the People's Republic of China
Shanghai Rising-Star Program
National Natural Science Foundation of China
National Key Research and Development Program

Conference

CCS '23

Sponsor:

SIGSAC

CCS '23: ACM SIGSAC Conference on Computer and Communications Security

November 26 - 30, 2023

Copenhagen, Denmark

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
