Dissecting American Fuzzy Lop: A FuzzBench Evaluation

Fioraldi, Andrea; Mantovani, Alessandro; Maier, Dominik; Balzarotti, Davide

doi:10.1145/3580596

Cited by 17 publications

(5 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…FuzzBench targets realworld programs, pinning specific versions for reproducibility and result validation [17]. We select the 'type: bug' configuration of FuzzBench, a choice made also in other recent bug-oriented studies [49], [50], [51]. We study different dimensions of our approach for the following research questions:…”

Section: Discussionmentioning

confidence: 99%

Predictive Context-sensitive Fuzzing

Borrello,

Fioraldi,

D'Elia

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Coverage-guided fuzzers expose bugs by progressively mutating testcases to drive execution to new program locations. Code coverage is currently the most effective and popular exploration feedback. For several bugs, though, also how execution reaches a buggy program location may matter: for those, only tracking what code a testcase exercises may lead fuzzers to overlook interesting program states. Unfortunately, context-sensitive coverage tracking comes with an inherent state explosion problem. Existing attempts to implement contextsensitive coverage-guided fuzzers struggle with it, experiencing non-trivial issues for precision (due to coverage collisions) and performance (due to context tracking and queue/map explosion).In this paper, we show that a much more effective approach to context-sensitive fuzzing is possible. First, we propose function cloning as a backward-compatible instrumentation primitive to enable precise (i.e., collision-free) context-sensitive coverage tracking. Then, to tame the state explosion problem, we argue to account for contextual information only when a fuzzer explores contexts selected as promising. We propose a prediction scheme to identify one pool of such contexts: we analyze the data-flow diversity of the incoming argument values at call sites, exposing to the fuzzer a contextually refined clone of the callee if the latter sees incoming abstract objects that its uses at other sites do not.Our work shows that, by applying function cloning to program regions that we predict to benefit from context-sensitivity, we can overcome the aforementioned issues while preserving, and even improving, fuzzing effectiveness. On the FuzzBench suite, our approach largely outperforms state-of-the-art coverageguided fuzzing embodiments, unveiling more and different bugs without incurring explosion or other apparent inefficiencies. On these heavily tested subjects, we also found 8 enduring security issues in 5 of them, with 6 CVE identifiers issued.

show abstract

Section: Discussionmentioning

confidence: 99%

Predictive Context-sensitive Fuzzing

Borrello,

Fioraldi,

D'Elia

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Limit the priority score ∋ ( p S of the decision objective to between 1 and 10, and match the corresponding weights based on the importance of the evaluation factor attributes of the highway route plan. Map the influence index 18 ÃA of the criterion layer to the priority score of the decision-maker, and add input index attributes through the inference module of the model to obtain the membership function and fuzzy rules corresponding to each language value [5]. After mapping, obtain the fuzzy calculation result.…”

Section: A Multilevel Comprehensive Fuzzy Evaluation Model For Highwa...mentioning

confidence: 99%

A multilevel comprehensive fuzzy evaluation algorithm for highway route schemes considering operating speed and association rules

Chen

2024

International Conference on Smart Transportation and City Engineering (STCE 2023)

View full text Add to dashboard Cite

This paper proposes a multi-level comprehensive fuzzy evaluation algorithm for highway route schemes that considers operating speed and association rules. By mining multiple evaluation factors of the route plan through association rules, an evaluation index system is constructed. In order to improve the efficiency of the algorithm, the evaluation factor data is preprocessed. According to the fuzzy decision algorithm, the route schemes are sorted and multi-level comprehensive fuzzy evaluation is achieved. The experimental results show that the proposed multi-level comprehensive fuzzy evaluation algorithm can obtain accurate and efficient evaluation of route schemes while considering running speed and association rules. This algorithm has practical application value in fields such as transportation and tourism planning, and can provide users with personalized travel experiences.

show abstract

“…Graybox fuzzing [17,28,45], on the other hand, uses only lightweight code instrumentationusually to trace code coverage -to produce feedback that is used to evaluate the quality of a test case that is kept for further mutations if "interesting". This approach has become the leading technique to discover vulnerabilities in modern codebases, thanks to the popularity of AFL [19,51] and Google's OSS-Fuzz [1] being a prime example of a large-scale deployment of graybox fuzzing.…”

Section: Fuzz Testingmentioning

confidence: 99%

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Crump,

Zhang,

Asif

et al. 2023

Proceedings of the 2nd International Fuzzing Workshop

Self Cite

View full text Add to dashboard Cite

The Rust programming language is one of the fastest-growing programming languages, thanks to its unique blend of high performance execution and memory safety. Still, programs implemented in Rust can contain critical bugs. Apart from logic bugs and crashes, code in unsafe blocks can still trigger memory corruptions. To find these, the community uses traditional fuzzers like LibFuzzer or AFL ++ , in combination with Rust-specific macros. Of course, the fuzzers themselves are still written in memory-unsafe languages.In this paper, we explore the possibility of replacing the input generators with Rust, while staying compatible to existing harnesses. Based on the Rust fuzzer library LibAFL, we develop CrabSandwich, a drop-in replacement for the C ++ component of cargo-fuzz. We evaluate our tool, written in Rust, against the original fuzzer LibFuzzer. We show that we are not only able to successfully fuzz all three targets we tested with CrabSandwich, but outperform cargofuzz in bug coverage. During our preliminary evaluation, we already manage to uncover new bugs in the pdf crate that could not be found by cargo-fuzz, proving the real-world applicability of our approach, and giving us high hopes for the planned follow-up evaluations. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

Dissecting American Fuzzy Lop: A FuzzBench Evaluation

Cited by 17 publications

References 26 publications

Predictive Context-sensitive Fuzzing

Predictive Context-sensitive Fuzzing

A multilevel comprehensive fuzzy evaluation algorithm for highway route schemes considering operating speed and association rules

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Contact Info

Product

Resources

About