Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Jiang, Zu-Ming; Bai, Jia-Ju; Lawall, Julia; Hu, Shi‐Min

doi:10.1109/issre.2019.00022

Cited by 21 publications

(20 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One potential solution is to use dynamic Principal Component Analysis [191] to reduce the dimensionality of the dataset [118]. Other solutions to improve the sensitivity of edge coverage include path hash [198], calling context [37,87,171], multilevel coverage [88], and code complexity [105], which add extra information for the edge coverage.…”

Section: Diverse Information For Fitnessmentioning

confidence: 99%

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

show abstract

Section: Diverse Information For Fitnessmentioning

confidence: 99%

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Some approaches [20,44,60,71] use coverage-guided fuzzing to test infrequently-executed code, by automatically mutating and generating system calls according to code coverage. Some approaches [6,18,41,62] perform software fault injection to test error handling code, by deliberately corrupting the return values of kernel-interface calls. By using exact runtime information about OS execution, dynamic analysis can effectively reduce false positives in bug detection.…”

Section: Dynamic Analysismentioning

confidence: 99%

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Bai

Sui

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

Self Cite

View full text Add to dashboard Cite

Operating system (OS) is the cornerstone for modern computer systems. It manages devices and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve reliability and security of computer systems. Static typestate analysis is a common technique for detecting different types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking and path-feasibility validation.In this paper, we present PATA, a novel path-sensitive and aliasaware typestate analysis framework to detect OS bugs. To improve the precision of identifying alias relationships in OS code, PATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, PATA reduces the costs of typestate tracking and path-feasibility validation, to boost the efficiency of path-sensitive typestate analysis for bug detection. We have evaluated PATA on the Linux kernel and three popular IoT OSes (Zephyr, RIOT and TencentOS-tiny) to detect three common types of bugs (null-pointer dereferences, uninitializedvariable accesses and memory leaks). PATA finds 574 real bugs with a false positive rate of 28%. 206 of these bugs have been confirmed by the developers of the four OSes. We also compare PATA to seven state-of-the-art static approaches (Cppcheck, Coccinelle, Smatch, CSA, Infer, Saber and SVF). PATA finds many real bugs missed by them, with a lower false positive rate. CCS CONCEPTS• Software and its engineering → Software defect analysis; • Security and privacy → Operating systems security.

show abstract

“…GREYONE [14] utilized lightweight dynamic taint analysis to evaluate the constraint conformance on all tainted untouched branches, and prioritizing seeds which could reach these branches. FIFUZZ [15] proposed a context-sensitive SFI-based approach to guide fuzzing exploring error handling code.…”

Section: Seed Selectionmentioning

confidence: 99%

StFuzzer: Contribution-Aware Coverage-Guided Fuzzing for Smart Devices

Yang¹,

Xin-guo²,

Lu³

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

The root cause of the insecurity for smart devices is the potential vulnerabilities in smart devices. There are many approaches to find the potential bugs in smart devices. Fuzzing is the most effective vulnerability finding technique, especially the coverage-guided fuzzing. The coverage-guided fuzzing identifies the high-quality seeds according to the corresponding code coverage triggered by these seeds. Existing coverage-guided fuzzers consider that the higher the code coverage of seeds, the greater the probability of triggering potential bugs. However, in real-world applications running on smart devices or the operation system of the smart device, the logic of these programs is very complex. Basic blocks of these programs play a different role in the process of application exploration. This observation is ignored by existing seed selection strategies, which reduces the efficiency of bug discovery on smart devices. In this paper, we propose a contribution-aware coverage-guided fuzzing, which estimates the contributions of basic blocks for the process of smart device exploration. According to the control flow of the target on any smart device and the runtime information during the fuzzing process, we propose the static contribution of a basic block and the dynamic contribution built on the execution frequency of each block. The contribution-aware optimization approach does not require any prior knowledge of the target device, which ensures our optimization adapting gray-box fuzzing and white-box fuzzing. We designed and implemented a contribution-aware coverage-guided fuzzer for smart devices, called StFuzzer. We evaluated StFuzzer on four real-world applications that are often applied on smart devices to demonstrate the efficiency of our contribution-aware optimization. The result of our trials shows that the contribution-aware approach significantly improves the capability of bug discovery and obtains better execution speed than state-of-the-art fuzzers.

show abstract

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Cited by 21 publications

References 36 publications

Fuzzing: A Survey for Roadmap

Fuzzing: A Survey for Roadmap

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

StFuzzer: Contribution-Aware Coverage-Guided Fuzzing for Smart Devices

Contact Info

Product

Resources

About