DOI: 10.1145/3658644.3690278

Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing

Published: 09 December 2024

Abstract

The security landscape of software systems has seen considerable advances through dynamic testing methodologies, especially fuzzing. Traditionally, fuzzing is a sequential, cyclic process: software is tested to find crashes, the crashes are triaged and patched, and subsequent cycles uncover further vulnerabilities. While effective, this method is inefficient, because each cycle may reveal issues that earlier crashes had obscured, so vulnerabilities are discovered one after another.
In this paper, we present a solution to identify occluded future vulnerabilities: vulnerabilities that are hard or impossible to trigger because current vulnerabilities occlude the path that triggers them. We introduce robust fuzzing, a novel technique that enables fuzzers to probe beyond the immediate crash location and uncover new vulnerabilities or variants of known ones. We implemented robust fuzzing in FlakJack, a pioneering fuzzing add-on that leverages binary patching to proactively identify occluded future vulnerabilities hidden behind current crashes. By enabling fuzzers to bypass immediate crash points and delve deeper into the software, FlakJack not only accelerates vulnerability discovery but also significantly enhances the efficacy of software testing. With the help of FlakJack, we found 28 new vulnerabilities in projects that have been extensively tested through the OSS-Fuzz project. This approach promises a transformative shift in how vulnerabilities are identified and managed, aiming to shorten the time span of vulnerability discovery over the long term.


Published In
CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024
5188 pages
ISBN: 9798400706363
DOI: 10.1145/3658644
    Publisher

    Association for Computing Machinery

    New York, NY, United States
    Author Tags

    1. binary analysis
    2. fuzzing
    3. software security

    Qualifiers

    • Research-article