Fuzzing Symbolic Expressions

Borzacchiello, Luca; Coppa, Emilio; Demetrescu, Camil

doi:10.1109/icse43902.2021.00071

Cited by 18 publications

(3 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Magic values involve multi-byte comparisons, while traditional structure-blind mutators treat the input as a byte stream, making it highly improbable to match all the involved bytes. Potential solutions include using specialized feedback for partial progress in comparisons [2,27] employing concolic execution for white-box fuzzing [12,50], or techniques that extract comparison operands to replace input segments [4,40]. Checksums, often used for validation in binary formats, pose even greater difficulty.…”

Section: Modern Fuzzing Advancementsmentioning

confidence: 99%

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Crump,

Zhang,

Asif

et al. 2023

Proceedings of the 2nd International Fuzzing Workshop

View full text Add to dashboard Cite

The Rust programming language is one of the fastest-growing programming languages, thanks to its unique blend of high performance execution and memory safety. Still, programs implemented in Rust can contain critical bugs. Apart from logic bugs and crashes, code in unsafe blocks can still trigger memory corruptions. To find these, the community uses traditional fuzzers like LibFuzzer or AFL ++ , in combination with Rust-specific macros. Of course, the fuzzers themselves are still written in memory-unsafe languages.In this paper, we explore the possibility of replacing the input generators with Rust, while staying compatible to existing harnesses. Based on the Rust fuzzer library LibAFL, we develop CrabSandwich, a drop-in replacement for the C ++ component of cargo-fuzz. We evaluate our tool, written in Rust, against the original fuzzer LibFuzzer. We show that we are not only able to successfully fuzz all three targets we tested with CrabSandwich, but outperform cargofuzz in bug coverage. During our preliminary evaluation, we already manage to uncover new bugs in the pdf crate that could not be found by cargo-fuzz, proving the real-world applicability of our approach, and giving us high hopes for the planned follow-up evaluations. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

Section: Modern Fuzzing Advancementsmentioning

confidence: 99%

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Crump,

Zhang,

Asif

et al. 2023

Proceedings of the 2nd International Fuzzing Workshop

View full text Add to dashboard Cite

show abstract

“…It pays more attention to the mutation methods, such as input structurebased mutation [6] and generation strategy based on deep learning [47]. e white-box fuzzing consists in constructing test cases based on the internal logic of the programs and maximizing the code coverage by using dynamic symbol execution [48,49] and taint analysis [50]. SAGE [51] is one of the representative tools.…”

Section: Related Workmentioning

confidence: 99%

Model-Based Grey-Box Fuzzing of Network Protocols

Pan¹,

Lin²,

Ji³

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

show abstract

“…Droidscope and TaintDroid [44,19] are among the first approaches to have adopted this technique. Subsequent works built upon and improved TaintDroid [34,43,42] by using, e.g., concolic execution [14,12,11]. Unfortunately, a challenge is how to generate the right executions that will reach a function.…”

Section: Background and Related Workmentioning

confidence: 99%

Reach Me if You Can: On Native Vulnerability Reachability in Android Apps

Borzacchiello

Coppa

Maiorca

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Android applications ship with several native C/C++ libraries. Research on Android security has revealed that these libraries often come from third-party components that are not kept up to date by developers, possibly posing security concerns. To assess if known vulnerabilities in these libraries constitute an immediate security problem, we need to understand whether vulnerable functions could be reached when apps are executed (we refer to this problem as function reachability). In this paper, we propose DroidReach, a novel, static approach to assess the reachability of native function calls in Android apps. Our framework addresses the limitations of state-of-the-art approaches by employing a combination of heuristics and symbolic execution, allowing for a more accurate reconstruction of the Inter-procedural Control-Flow Graphs (ICFGs). On the top 500 applications from the Google Play Store, DroidReach can detect a significantly higher number of paths in comparison to previous works. Finally, two case studies show how DroidReach can be used as a valuable vulnerability assessment tool.

show abstract

Fuzzing Symbolic Expressions

Cited by 18 publications

References 29 publications

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Model-Based Grey-Box Fuzzing of Network Protocols

Reach Me if You Can: On Native Vulnerability Reachability in Android Apps

Contact Info

Product

Resources

About