Open Access, Proceedings Article (DOI)

REDQUEEN: Fuzzing with Input-to-State Correspondence.

TL;DR
The prototype implementation of REDQUEEN, a lightweight, yet very effective alternative to taint tracking and symbolic execution to facilitate and optimize state-of-the-art feedback fuzzing that easily scales to large binary applications and unknown environments, is introduced.
Abstract
Automated software testing based on fuzzing has experienced a revival in recent years. Especially feedback-driven fuzzing has become well-known for its ability to efficiently perform randomized testing with limited input corpora. Despite a lot of progress, two common problems are magic numbers and (nested) checksums. Computationally expensive methods such as taint tracking and symbolic execution are typically used to overcome such roadblocks. Unfortunately, such methods often require access to source code, a rather precise description of the environment (e.g., behavior of library calls or the underlying OS), or the exact semantics of the platform’s instruction set. In this paper, we introduce a lightweight, yet very effective alternative to taint tracking and symbolic execution to facilitate and optimize state-of-the-art feedback fuzzing that easily scales to large binary applications and unknown environments. We observe that during the execution of a given program, parts of the input often end up directly (i.e., nearly unmodified) in the program state. This input-to-state correspondence can be exploited to create a robust method to overcome common fuzzing roadblocks in a highly effective and efficient manner. Our prototype implementation, called REDQUEEN, is able to solve magic bytes and (nested) checksum tests automatically for a given binary executable. Additionally, we show that our techniques outperform various state-of-the-art tools on a wide variety of targets across different privilege levels (kernel-space and userland) with no platform-specific code. REDQUEEN is the first method to find more than 100% of the bugs planted in LAVA-M across all targets. Furthermore, we were able to discover 65 new bugs and obtained 16 CVEs in multiple programs and OS kernel drivers. Finally, our evaluation demonstrates that REDQUEEN is fast, widely applicable and outperforms concurrent approaches by up to three orders of magnitude.
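To make the input-to-state idea concrete, the following is an added illustration (not REDQUEEN's own code) built around a constructed toy target that checks a magic value and then a checksum. A hook on comparisons records both operands; when one operand is found verbatim in the input, the other operand is spliced in at that position, which is how a magic value and then a nested checksum are solved in consecutive rounds without taint tracking or symbolic execution.

```python
import struct

# Constructed toy target: a parser that checks a 4-byte magic value and
# then a checksum over the payload. hooked_eq stands in for REDQUEEN's
# instruction-level hook on compare instructions and logs both operands.
MAGIC = b"RQ!\x01"
cmp_log = []

def hooked_eq(lhs: bytes, rhs: bytes) -> bool:
    cmp_log.append((lhs, rhs))
    return lhs == rhs

def target(data: bytes) -> int:
    """Depth reached: 0 = bad magic, 1 = bad checksum, 2 = accepted."""
    if len(data) < 8 or not hooked_eq(data[:4], MAGIC):
        return 0
    payload = data[8:]
    expected = sum(payload) & 0xFFFFFFFF          # toy checksum
    stored = struct.unpack("<I", data[4:8])[0]
    if not hooked_eq(struct.pack("<I", stored), struct.pack("<I", expected)):
        return 1
    return 2

def redqueen_step(data: bytes) -> bytes:
    """One input-to-state round: run the target, then for each comparison
    whose operand occurs verbatim in the input, replace it by the other
    operand. Both operand orders are tried, since either side may be input."""
    cmp_log.clear()
    target(data)
    for lhs, rhs in cmp_log:
        for seen, wanted in ((lhs, rhs), (rhs, lhs)):
            pos = data.find(seen)
            if seen != wanted and pos != -1:
                data = data[:pos] + wanted + data[pos + len(seen):]
                break
    return data

def solve(data: bytes, rounds: int = 4) -> tuple:
    """Apply rounds until the target accepts; returns (rounds_used, input)."""
    for i in range(rounds):
        if target(data) == 2:
            return i, data
        data = redqueen_step(data)
    return rounds, data
```

Each round only exposes the next comparison, so the magic bytes are fixed first and the checksum (which only runs once the magic check passes) in the round after.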


Citations
Proceedings Article

AFL++ : Combining Incremental Steps of Fuzzing Research.

TL;DR: AFL++ is presented, a community-driven open-source tool that incorporates state-of-the-art fuzzing research to make the research comparable, reproducible, combinable and, most importantly, useable.
Posted Content

The Art, Science, and Engineering of Fuzzing: A Survey

TL;DR: This paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature, and methodically explores the design decisions at every stage of the model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective.
Journal ArticleDOI

The Art, Science, and Engineering of Fuzzing: A Survey

TL;DR: In this article, a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature is presented, and the design decisions at every stage of the model fuzzer are explored by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective.
Proceedings Article

GREYONE: Data Flow Sensitive Fuzzing

TL;DR: A data flow sensitive fuzzing solution is presented that outperforms various state-of-the-art fuzzers in terms of both code coverage and vulnerability discovery, and uses a novel input prioritization model to determine which branch to explore, which bytes to mutate and how to mutate them.
Proceedings ArticleDOI

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization.

TL;DR: This work proposes coverage accounting, a novel approach that evaluates coverage by security impacts, and designs a new scheme to prioritize fuzzing inputs and develops TortoiseFuzz, a greybox fuzzer for finding memory corruption vulnerabilities.
References
Journal ArticleDOI

Pin: building customized program analysis tools with dynamic instrumentation

TL;DR: The goals are to provide easy-to-use, portable, transparent, and efficient instrumentation, and, to illustrate Pin's versatility, two Pintools in daily use to analyze production software are described.
Proceedings ArticleDOI

KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs

TL;DR: A new symbolic execution tool, KLEE, is presented that is capable of automatically generating tests which achieve high coverage on a diverse set of complex and environmentally-intensive programs and significantly beat the coverage of the developers' own hand-written test suites.
Proceedings Article

QEMU, a fast and portable dynamic translator

TL;DR: QEMU supports full system emulation in which a complete and unmodified operating system is run in a virtual machine and Linux user mode emulation where a Linux process compiled for one target CPU can be run on another CPU.
Proceedings Article

Automated Whitebox Fuzz Testing.

TL;DR: This work presents an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation, and implements this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications.
Book ChapterDOI

DART: directed automated random testing

TL;DR: Directed automated random testing is described, an efficient approach which combines random and symbolic testing, and several heuristic search strategies are presented, including a novel strategy guided by the control flow graph of the program under test.