Cupid : Automatic Fuzzer Selection for Collaborative Fuzzing

Güler, Emre; Görz, Philipp; Geretto, Elia; Jemmett, Andrea; Bos, Herbert; Giuffrida, Cristiano; Holz, Thorsten

doi:10.1145/3427228.3427266

Cited by 15 publications

(7 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Future work UltraFuzz is implemented on top of vanilla AFL, and we focus on improving the performance of fuzzing by optimizing the parallel scheme, such as the centralized dynamic scheduling and hierarchical information-sharing. Ul-traFuzz can integrate with works from an orthogonal direction, such as improving execution speed [45][46][47][48], optimizing mutation strategy [16][17][18]28] and power scheduling [20,21], or improving the diversity by taking advantage of different fuzzers [34,49]. We leave these as future work.…”

Section: Discussionmentioning

confidence: 99%

UltraFuzz: Towards Resource-Saving in Distributed Fuzzing

Zhou

Wang

Liu

et al. 2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Recent research has sought to improve fuzzing performance via parallel computing. However, researchers focus on improving efficiency while ignoring the increasing cost of testing resources. Parallel fuzzing in the distributed environment amplifies the resource-wasting problem caused by the random nature of fuzzing. In the parallel mode, owing to the lack of an appropriate task dispatching scheme and timely fuzzing status synchronization among different fuzzing instances, task conflicts and workload imbalance occur, making the resourcewasting problem severe. In this paper, we design UltraFuzz, a fuzzer for resource-saving in distributed fuzzing. Based on centralized dynamic scheduling, UltraFuzz can dispatch tasks and schedule power globally and reasonably to avoid resourcewasting. Besides, UltraFuzz can elastically allocate computing power for fuzzing and seed evaluation, thereby avoiding the potential bottleneck of seed evaluation that blocks the fuzzing process. UltraFuzz was evaluated using real-world programs, and the results show that with the same testing resource, UltraFuzz outperforms state-of-the-art tools, such as AFL, AFL-P, PAFL, and EnFuzz. Most importantly, the experiment reveals certain results that seem counter-intuitive, namely that parallel fuzzing can achieve "super-linear acceleration" when compared with single-core fuzzing. We conduct additional experiments to reveal the deep reasons behind this phenomenon and dig deep into the inherent advantages of parallel fuzzing over serial fuzzing, including the global optimization of seed energy scheduling and the escape of local optimal seed. Additionally, 24 real-world vulnerabilities were discovered using UltraFuzz.

show abstract

Section: Discussionmentioning

confidence: 99%

UltraFuzz: Towards Resource-Saving in Distributed Fuzzing

Zhou

Wang

Liu

et al. 2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…All the fuzzers supported by autofz are AFL [51], AFLFast [6,7], MOpt [31], FairFuzz [28], LearnAFL [49], QSYM [50], Angora [9], Redqueen [3], Radamsa [24], LAF-INTEL [1], and libFuzzer [41]. We utilize the modified version of libFuzzer excerpted from [22] because it does not support seed synchronization. Also, we use the implementation provided by [17] for Radamsa, Redqueen, and LAF-INTEL.…”

Section: Discussionmentioning

confidence: 99%

“…ENFUZZ [10] first demonstrated that deploying various types of fuzzers together allows it to achieve better code coverage. Recently, CUPID [22] showcased that offline analysis with a training set, including empirically collected representative branches, is able to predict target-independent fuzzer combinations. In addition to fuzzer selection, COLLAB-FUZZ [53] illustrates the importance of test case scheduling policies in seed synchronization among the selected fuzzers.…”

Section: Related Workmentioning

confidence: 99%

“…The evaluation of the benchmark helps users to understand which fuzzers are favorable for fuzzing different types of binaries. Recently, collaborative fuzzing [10,22,53] has showcased that cooperating different combinations of fuzzers sometimes outperforms individual fuzzers thanks to their corpus sharing. However, this still imposes the burden of selecting what fuzzers to put into an ensemble.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

autofz: Automated Fuzzer Composition at Runtime

Fu¹,

Lee²,

Kim³

2023

Preprint

View full text Add to dashboard Cite

Fuzzing has gained in popularity for software vulnerability detection by virtue of the tremendous effort to develop a diverse set of fuzzers. Thanks to various fuzzing techniques, most of the fuzzers have been able to demonstrate great performance on their selected targets. However, paradoxically, this diversity in fuzzers also made it difficult to select fuzzers that are best suitable for complex real-world programs, which we call selection burden. Communities attempted to address this problem by creating a set of standard benchmarks to compare and contrast the performance of fuzzers for a wide range of applications, but the result was always a suboptimal decision-the best performing fuzzer on average does not guarantee the best outcome for the target of a user's interest.To overcome this problem, we propose an automated, yet non-intrusive meta-fuzzer, called autofz 1 , to maximize the benefits of existing state-of-the-art fuzzers via dynamic composition. To an end user, this means that, instead of spending time on selecting which fuzzer to adopt (similar in concept to hyperparameter tuning in ML), one can simply put all of the available fuzzers to autofz (similar in concept to AutoML), and achieve the best, optimal result. The key idea is to monitor the runtime progress of the fuzzers, called trends (similar in concept to gradient descent), and make a fine-grained adjustment of resource allocation (e.g., CPU time) of each fuzzer. This is a stark contrast to existing approaches that statically combine a set of fuzzers, or via exhaustive pre-training per target program-autofz deduces a suitable set of fuzzers of the active workload in a fine-grained manner at runtime. Our evaluation shows that, given the same amount of computation resources, autofz outperforms any best-performing individual fuzzers in 11 out of 12 available benchmarks and beats the best, collaborative fuzzing approaches in 19 out of 20 benchmarks without any prior knowledge in terms of coverage. Moreover, on average, autofz found 152% more bugs than individual fuzzers on UNIFUZZ and FTS, and 415% more bugs than collaborative fuzzing on UNIFUZZ.

show abstract

“…Such a trend is common for fuzzer specializations: for example, also Token-level AFL [55] finds diverse and more bugs than prior concepts, missing a few for the same reasons. The ability to find different bugs is a pillar for initiatives like OSS-Fuzz that stack different fuzzers and motivates recent research on ensemble fuzzing [56], [57]. The inclusion relations of Figure 3 are meant to show such differences, which may be overlooked if one looks at bug counts only.…”

Section: A Rq1: Effectiveness In Bug Findingmentioning

confidence: 99%

Predictive Context-sensitive Fuzzing

Borrello,

Fioraldi,

D'Elia

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Coverage-guided fuzzers expose bugs by progressively mutating testcases to drive execution to new program locations. Code coverage is currently the most effective and popular exploration feedback. For several bugs, though, also how execution reaches a buggy program location may matter: for those, only tracking what code a testcase exercises may lead fuzzers to overlook interesting program states. Unfortunately, context-sensitive coverage tracking comes with an inherent state explosion problem. Existing attempts to implement contextsensitive coverage-guided fuzzers struggle with it, experiencing non-trivial issues for precision (due to coverage collisions) and performance (due to context tracking and queue/map explosion).In this paper, we show that a much more effective approach to context-sensitive fuzzing is possible. First, we propose function cloning as a backward-compatible instrumentation primitive to enable precise (i.e., collision-free) context-sensitive coverage tracking. Then, to tame the state explosion problem, we argue to account for contextual information only when a fuzzer explores contexts selected as promising. We propose a prediction scheme to identify one pool of such contexts: we analyze the data-flow diversity of the incoming argument values at call sites, exposing to the fuzzer a contextually refined clone of the callee if the latter sees incoming abstract objects that its uses at other sites do not.Our work shows that, by applying function cloning to program regions that we predict to benefit from context-sensitivity, we can overcome the aforementioned issues while preserving, and even improving, fuzzing effectiveness. On the FuzzBench suite, our approach largely outperforms state-of-the-art coverageguided fuzzing embodiments, unveiling more and different bugs without incurring explosion or other apparent inefficiencies. On these heavily tested subjects, we also found 8 enduring security issues in 5 of them, with 6 CVE identifiers issued.

show abstract

Cupid : Automatic Fuzzer Selection for Collaborative Fuzzing

Cited by 15 publications

References 13 publications

UltraFuzz: Towards Resource-Saving in Distributed Fuzzing

UltraFuzz: Towards Resource-Saving in Distributed Fuzzing

autofz: Automated Fuzzer Composition at Runtime

Predictive Context-sensitive Fuzzing

Contact Info

Product

Resources

About