Full-Speed Fuzzing: Reducing Fuzzing Overhead through Coverage-Guided Tracing

Nagy, Stefan; Hicks, Matthew

doi:10.1109/sp.2019.00069

Cited by 102 publications

(43 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To address this issue, we discard dynamic binary instrumentation in favor of fullspeed fuzzing [47] to collect code coverage. Fullspeed fuzzing does not introduce any overhead except when the fuzzer discovers a new basic block.…”

Section: B Reliable Instrumentationmentioning

confidence: 99%

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

Jung

Tong²,

Hong³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Fuzzing is an emerging technique to automatically validate programs and uncover bugs. It has been widely used to test many programs and has found thousands of security vulnerabilities. However, existing fuzzing efforts are mainly centered around Unix-like systems, as Windows imposes unique challenges for fuzzing: a closed-source ecosystem, the heavy use of graphical interfaces and the lack of fast process cloning machinery. In this paper, we propose two solutions to address the challenges Windows fuzzing faces. Our system, WINNIE, first tries to synthesize a harness for the application, a simple program that directly invokes target functions, based on sample executions. It then tests the harness, instead of the original complicated program, using an efficient implementation of fork on Windows. Using these techniques, WINNIE can bypass irrelevant GUI code to test logic deep within the application. We used WINNIE to fuzz 59 closed-source Windows binaries, and it successfully generated valid fuzzing harnesses for all of them. In our evaluation, WINNIE can support 2.2× more programs than existing Windows fuzzers could, and identified 3.9× more program states and achieved 26.6× faster execution. In total, WINNIE found 61 unique bugs in 32 Windows binaries.

show abstract

Section: B Reliable Instrumentationmentioning

confidence: 99%

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

Jung

Tong²,

Hong³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Jia et al [19] find some limitations in the algorithm of AFL. To reduce fuzzing overhead, UnTracer [27] proposes coverageguided tracing to trace only coverage-increasing test cases. Coverageincreasing test cases can self-report when a test case produces new coverage.…”

Section: Related Workmentioning

confidence: 99%

PathAFL: Path-Coverage Assisted Fuzzing

Yan

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Fuzzing is an effective method to find software bugs and vulnerabilities. One of the most useful techniques is the coverage-guided fuzzing, whose key element is the tracing code coverage information. Existing coverage-guided fuzzers generally use the the number of basic blocks or edges explored to measure code coverage. Path-coverage can provide more accurate coverage information than basic block and edge coverage. However, the number of paths grows exponentially as the size of a program increases. It is almost impossible to trace all the paths of a real-world application. In this paper, we propose a fuzzing solution named PathAFL, which assists a fuzzer by path identification. It can effectively identify and utilize the important h-path, which is a new path but whose edges have all been touched previously. First, PathAFL only inserts one assembly instruction to AFL's original code to calculate the path hash, and uses a selective instrumentation strategy to reduce the tracing granularity of an execution path. Second, we design a fast filtering algorithm to choose higher weight paths from a large number of h-paths and add them to the seed queue. Third, both the seed selection algorithm and the power schedule are implemented based on the path weight. Finally we implemented PathAFL based on the popular fuzzer AFL and evaluated it on 10 well-fuzzed benchmark programs. In 24 hours, PathAFL explored 38% more paths and 9.3% more edges than AFL. Compared with CollAFL-x, the number is 25% and 5.9% correspondingly. Moreover, PathAFL found the more bugs on the LAVA-M dataset, even four unlisted bugs. The results show that PathAFL outperforms the previous fuzzers in terms of both code coverage and bug discovery. In well-tested programs, PathAFL found 8 new security bugs with 6 CVEs assigned.

show abstract

“…Considering the lack of dynamic analysis technology for IoT-based services, this paper applies static analysis technology and Linux ptrace system call to obtain dynamic firmware information, including the execution time of functions, sample execution path, etc, at runtime. This information can be applied to aid performance analysis [29] and dynamic security detection [10,17,25,27] for IoT-based services.…”

mentioning

confidence: 99%

Firmware code instrumentation technology for internet of things-based services

Chen

et al. 2020

World Wide Web

View full text Add to dashboard Cite

With the rapid development of electronic and information technology, Internet of Things (IoT) devices have become extensively utilised in various fields. Increasing attention has been paid to the performance and security analysis of IoT-based services. Dynamic instrumentation is a common process in software analysis for acquiring runtime information. However, due to the limited software and hardware resources in IoT devices, most dynamic instrumentation tools do not support IoT-based services. In this paper, we provide an analysis tool, IoTDIT, to solve the current problem of runtime detection in IoT-based services. IoTDIT employs static analysis and ptrace system calls to obtain dynamic firmware information, which can aid in firmware performance analysis and security detection. We perform experiments to verify the performance and effectiveness of the proposed instrumentation tool.

show abstract

Full-Speed Fuzzing: Reducing Fuzzing Overhead through Coverage-Guided Tracing

Cited by 102 publications

References 37 publications

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

PathAFL: Path-Coverage Assisted Fuzzing

Firmware code instrumentation technology for internet of things-based services

Contact Info

Product

Resources

About