Smart Greybox Fuzzing

Coverage-based greybox fuzzing (CGF) is one of the most successful approaches for automated vulnerability detection. Given a seed file (as a sequence of bits), a CGF randomly flips, deletes or copies some bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on software engineering 2021-09, Vol.47 (9), p.1980-1997
Main Authors: Pham, Van-Thuan, Bohme, Marcel, Santosa, Andrew E., Caciulescu, Alexandru Razvan, Roychoudhury, Abhik
Format: Article
Language:English
Subjects:
automated testing
Computer bugs
Dictionaries
file format
Fuzzing
grammar
input structure
Libraries
Mutation
Open area test sites
Schedules
smart fuzzing
Vulnerability detection
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Coverage-based greybox fuzzing (CGF) is one of the most successful approaches for automated vulnerability detection. Given a seed file (as a sequence of bits), a CGF randomly flips, deletes or copies some bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining those generated files which enhance coverage. However, random bitflips are unlikely to produce valid files (or valid chunks in files), for applications processing complex file formats. In this work, we introduce smart greybox fuzzing (SGF) which leverages a high-level structural representation of the seed file to generate new files. We define innovative mutation operators that work on the virtual file structure rather than on the bit level which allows SGF to explore completely new input domains while maintaining file validity. We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic. Our evaluation demonstrates the effectiveness of SGF. On several libraries that parse complex chunk-based files, our tool AFLsmart achieves substantially more branch coverage (up to 87 percent improvement) and exposes more vulnerabilities than baseline AFL. Our tool AFLsmart discovered 42 zero-day vulnerabilities in widely-used, well-tested tools and libraries; 22 CVEs were assigned.
ISSN:0098-5589
1939-3520
DOI:10.1109/TSE.2019.2941681