The Experts below are selected from a list of 2349 Experts worldwide ranked by ideXlab platform
Yang Liu - One of the best experts on this subject based on the ideXlab platform.
-
muzz thread aware grey box Fuzzing for effective bug hunting in multithreaded programs
2020Co-Authors: Hongxu Chen, Shengjian Guo, Yinxing Xue, Yulei Sui, Cen Zhang, Haijun Wang, Yang LiuAbstract:Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies. However, directly applying grey-box Fuzzing to input-dependent multithreaded programs can be extremely inefficient. In practice, multithreading-relevant bugs are usually buried in sophisticated program flows. Meanwhile, the existing grey-box Fuzzing techniques do not stress thread-interleavings which affect execution states in multithreaded programs. Therefore, mainstream grey-box fuzzers cannot effectively test problematic segments in multithreaded programs despite they might obtain high code coverage statistics. To this end, we propose MUZZ, a new grey-box Fuzzing technique that hunts for bugs in multithreaded programs. MUZZ owns three novel thread-aware instrumentations, namely coverage-oriented instrumentation, thread-context instrumentation, and schedule-intervention instrumentation. During Fuzzing, these instrumentations engender runtime feedback to stress execution states caused by thread interleavings. By leveraging the feedback in the dynamic seed selection and execution strategies, MUZZ preserves more valuable seeds that expose bugs in a multithreading context. We evaluate MUZZ on 12 real-world software programs. Experiments show that MUZZ outperforms AFL in both multithreading-relevant seed generation and concurrency-vulnerability detection. Further, by replaying the target programs against the generated seeds, MUZZ also reveals more concurrency-bugs (e.g., data-races, thread-leaks) than AFL. In total, MUZZ detected 8 new concurrency-vulnerabilities and 19 new concurrency-bugs. At the time of writing, 4 CVE IDs have been assigned to the reported issues.
-
superion grammar aware greybox Fuzzing
2019Co-Authors: Junjie Wang, Bihuan Chen, Lei Wei, Yang LiuAbstract:In recent years, coverage-based greybox Fuzzing has proven itself to be one of the most effective techniques for finding security bugs in practice. Particularly, American Fuzzy Lop (AFL for short) is deemed to be a great success in Fuzzing relatively simple test inputs. Unfortunately, when it meets structured test inputs such as XML and JavaScript, those grammar-blind trimming and mutation strategies in AFL hinder the effectiveness and efficiency. To this end, we propose a grammar-aware coverage-based greybox Fuzzing approach to fuzz programs that process structured inputs. Given the grammar (which is often publicly available) of test inputs, we introduce a grammar-aware trimming strategy to trim test inputs at the tree level using the abstract syntax trees (ASTs) of parsed test inputs. Further, we introduce two grammar-aware mutation strategies (i.e., enhanced dictionary-based mutation and tree-based mutation). Specifically, tree-based mutation works via replacing subtrees using the ASTs of parsed test inputs. Equipped with grammar-awareness, our approach can carry the Fuzzing exploration into width and depth. We implemented our approach as an extension to AFL, named Superion; and evaluated the effectiveness of Superion using large- scale programs (i.e., an XML engine libplist and three JavaScript engines WebKit, Jerryscript and ChakraCore). Our results have demonstrated that Superion can improve the code coverage (i.e., 16.7% and 8.8% in line and function coverage) and bug-finding capability (i.e., 34 new bugs, among which we discovered 22 new vulnerabilities with 19 CVEs assigned and 3.2K USD bug bounty rewards received) over AFL and jsfunfuzz.
-
superion grammar aware greybox Fuzzing
2018Co-Authors: Junjie Wang, Bihuan Chen, Lei Wei, Yang LiuAbstract:In recent years, coverage-based greybox Fuzzing has proven itself to be one of the most effective techniques for finding security bugs in practice. Particularly, American Fuzzy Lop (AFL for short) is deemed to be a great success in Fuzzing relatively simple test inputs. Unfortunately, when it meets structured test inputs such as XML and JavaScript, those grammar-blind trimming and mutation strategies in AFL hinder the effectiveness and efficiency. To this end, we propose a grammar-aware coverage-based greybox Fuzzing approach to fuzz programs that process structured inputs. Given the grammar (which is often publicly available) of test inputs, we introduce a grammar-aware trimming strategy to trim test inputs at the tree level using the abstract syntax trees (ASTs) of parsed test inputs. Further, we introduce two grammar-aware mutation strategies (i.e., enhanced dictionary-based mutation and tree-based mutation). Specifically, tree-based mutation works via replacing subtrees using the ASTs of parsed test inputs. Equipped with grammar-awareness, our approach can carry the Fuzzing exploration into width and depth. We implemented our approach as an extension to AFL, named Superion; and evaluated the effectiveness of Superion on real-life large-scale programs (a XML engine libplist and three JavaScript engines WebKit, Jerryscript and ChakraCore). Our results have demonstrated that Superion can improve the code coverage (i.e., 16.7% and 8.8% in line and function coverage) and bug-finding capability (i.e., 31 new bugs, among which we discovered 21 new vulnerabilities with 16 CVEs assigned and 3.2K USD bug bounty rewards received) over AFL and jsfunfuzz. We also demonstrated the effectiveness of our grammar-aware trimming and mutation.
Julia Lawall - One of the best experts on this subject based on the ideXlab platform.
-
Fuzzing error handling code in device drivers based on software fault injection
2019Co-Authors: Zuming Jiang, Jiaju Bai, Julia LawallAbstract:Device drivers remain a main source of runtime failures in operating systems. To detect bugs in device drivers, Fuzzing has been commonly used in practice. However, a main limitation of existing Fuzzing approaches is that they cannot effectively test error handling code. Indeed, these Fuzzing approaches require effective inputs to cover target code, but much error handling code in drivers is triggered by occasional errors (such as insufficient memory and hardware malfunctions) that are not related to inputs. In this paper, based on software fault injection, we propose a new Fuzzing approach named FIZZER, to test error handling code in device drivers. At compile time, FIZZER uses static analysis to recommend possible error sites that can trigger error handling code. During driver execution, by analyzing runtime information, it automatically fuzzes error-site sequences for fault injection to improve code coverage. We evaluate FIZZER on 18 device drivers in Linux 4.19, and in total find 22 real bugs. The code coverage is increased by over 15% compared to normal execution without Fuzzing.
Zuming Jiang - One of the best experts on this subject based on the ideXlab platform.
-
Fuzzing error handling code in device drivers based on software fault injection
2019Co-Authors: Zuming Jiang, Jiaju Bai, Julia LawallAbstract:Device drivers remain a main source of runtime failures in operating systems. To detect bugs in device drivers, Fuzzing has been commonly used in practice. However, a main limitation of existing Fuzzing approaches is that they cannot effectively test error handling code. Indeed, these Fuzzing approaches require effective inputs to cover target code, but much error handling code in drivers is triggered by occasional errors (such as insufficient memory and hardware malfunctions) that are not related to inputs. In this paper, based on software fault injection, we propose a new Fuzzing approach named FIZZER, to test error handling code in device drivers. At compile time, FIZZER uses static analysis to recommend possible error sites that can trigger error handling code. During driver execution, by analyzing runtime information, it automatically fuzzes error-site sequences for fault injection to improve code coverage. We evaluate FIZZER on 18 device drivers in Linux 4.19, and in total find 22 real bugs. The code coverage is increased by over 15% compared to normal execution without Fuzzing.
Patrice Godefroid - One of the best experts on this subject based on the ideXlab platform.
-
Fuzzing hack art and science
2020Co-Authors: Patrice GodefroidAbstract:Fuzzing, or Fuzz Testing, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs.35 Since the early 2000s, Fuzzing has become a mainstream practice in assessing software security. Thousands of security vulnerabilities have been found while Fuzzing all kinds of software applications for processing documents, images, sounds, videos, network packets, Web pages, among others. These applications must deal with untrusted inputs encoded in complex data formats. For example, the Microsoft Windows operating system supports over 360 file formats and includes millions of lines of code just to handle all of these.
-
deep reinforcement Fuzzing
2018Co-Authors: Konstantin Bottinger, Patrice Godefroid, Rishabh SinghAbstract:Fuzzing is the process of finding security vulnerabilities in input-processing code by repeatedly testing the code with modified inputs. In this paper, we formalize Fuzzing as a reinforcement learning problem using the concept of Markov decision processes. This in turn allows us to apply state-of-the-art deep Q-learning algorithms that optimize rewards, which we define from runtime properties of the program under test. By observing the rewards caused by mutating with a specific set of actions performed on an initial program input, the Fuzzing agent learns a policy that can next generate new higher-reward inputs. We have implemented this new approach, and preliminary empirical evidence shows that reinforcement Fuzzing can outperform baseline random Fuzzing.
-
learn fuzz machine learning for input Fuzzing
2017Co-Authors: Patrice Godefroid, Hila Peleg, Rishabh SinghAbstract:Fuzzing consists of repeatedly testing an application with modified, or fuzzed, inputs with the goal of finding security vulnerabilities in input-parsing code. In this paper, we show how to automate the generation of an input grammar suitable for input Fuzzing using sample inputs and neural-network-based statistical machine-learning techniques. We present a detailed case study with a complex input format, namely PDF, and a large complex security-critical parser for this format, namely, the PDF parser embedded in Microsoft's new Edge browser. We discuss (and measure) the tension between conflicting learning and Fuzzing goals: learning wants to capture the structure of well-formed inputs, while Fuzzing wants to break that structure in order to cover unexpected code paths and find bugs. We also present a new algorithm for this learn&fuzz challenge which uses a learnt input probability distribution to intelligently guide where to fuzz inputs.
-
grammar based whitebox Fuzzing
2008Co-Authors: Patrice Godefroid, Adam Kiezun, Michael Y LevinAbstract:Whitebox Fuzzing is a form of automatic dynamic test generation, based on symbolic execution and constraint solving, designed for security testing of large applications. Unfortunately, the current effectiveness of whitebox Fuzzing is limited when testing applications with highly-structured inputs, such as compilers and interpreters. These applications process their inputs in stages, such as lexing, parsing and evaluation. Due to the enormous number of control paths in early processing stages, whitebox Fuzzing rarely reaches parts of the application beyond those first stages.In this paper, we study how to enhance whitebox Fuzzing of complex structured-input applications with a grammar-based specification of their valid inputs. We present a novel dynamic test generation algorithm where symbolic execution directly generates grammar-based constraints whose satisfiability is checked using a custom grammar-based constraint solver. We have implemented this algorithm and evaluated it on a large security-critical application, the JavaScript interpreter of Internet Explorer 7 (IE7). Results of our experiments show that grammar-based whitebox Fuzzing explores deeper program paths and avoids dead-ends due to non-parsable inputs. Compared to regular whitebox Fuzzing, grammar-based whitebox Fuzzing increased coverage of the code generation module of the IE7 JavaScript interpreter from 53% to 81% while using three times fewer tests.
Hongxu Chen - One of the best experts on this subject based on the ideXlab platform.
-
muzz thread aware grey box Fuzzing for effective bug hunting in multithreaded programs
2020Co-Authors: Hongxu Chen, Shengjian Guo, Yinxing Xue, Yulei Sui, Cen Zhang, Haijun Wang, Yang LiuAbstract:Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies. However, directly applying grey-box Fuzzing to input-dependent multithreaded programs can be extremely inefficient. In practice, multithreading-relevant bugs are usually buried in sophisticated program flows. Meanwhile, the existing grey-box Fuzzing techniques do not stress thread-interleavings which affect execution states in multithreaded programs. Therefore, mainstream grey-box fuzzers cannot effectively test problematic segments in multithreaded programs despite they might obtain high code coverage statistics. To this end, we propose MUZZ, a new grey-box Fuzzing technique that hunts for bugs in multithreaded programs. MUZZ owns three novel thread-aware instrumentations, namely coverage-oriented instrumentation, thread-context instrumentation, and schedule-intervention instrumentation. During Fuzzing, these instrumentations engender runtime feedback to stress execution states caused by thread interleavings. By leveraging the feedback in the dynamic seed selection and execution strategies, MUZZ preserves more valuable seeds that expose bugs in a multithreading context. We evaluate MUZZ on 12 real-world software programs. Experiments show that MUZZ outperforms AFL in both multithreading-relevant seed generation and concurrency-vulnerability detection. Further, by replaying the target programs against the generated seeds, MUZZ also reveals more concurrency-bugs (e.g., data-races, thread-leaks) than AFL. In total, MUZZ detected 8 new concurrency-vulnerabilities and 19 new concurrency-bugs. At the time of writing, 4 CVE IDs have been assigned to the reported issues.
