HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Blair, W; Mambretti, Andrea; Arshad, Sajjad; Weissbacher, Michael; Robertson, William; Kirda, Engin; Egele, Manuel

doi:10.14722/ndss.2020.24415

Cited by 15 publications

(3 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, SlowFuzz [152] detects AC bugs via guiding fuzzing towards executions that increase the number of executed instructions. Similarly, HotFuzz [15] detects AC bugs in Java methods via maximizing the resource consumption of individual methods. MemLock [44] detects AC bugs based on both metrics of edge coverage and memory consumption.…”

Section: Algorithmic Complexitymentioning

confidence: 99%

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

show abstract

Section: Algorithmic Complexitymentioning

confidence: 99%

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Following the publication of AFL [66], its impact soon caused a wave of additional research. Almost every design choice was investigated: AFL's input mutation algorithm where extended upon [1,3,16,23,42,45] as was its ability to trigger and identify bugs [5,5,29,40,41,61,64]. To improve the strength of AFL's semi-random mutations, many researchers proposed to combine fuzzing with more elaborate program analysis techniques such as taint tracking [11,48] and symbolic or concolic execution [19-22, 27, 37, 44, 56, 59, 65, 68].…”

Section: Related Workmentioning

confidence: 99%

Nyx-Net: Network Fuzzing with Incremental Snapshots

Schumilo,

Aschermann,

Jemmett

et al. 2021

Preprint

View full text Add to dashboard Cite

Coverage-guided fuzz testing ("fuzzing") has become mainstream and we have observed lots of progress in this research area recently. However, it is still challenging to efficiently test network services with existing coverage-guided fuzzing methods. In this paper, we introduce the design and implementation of Nyx-Net, a novel snapshot-based fuzzing approach that can successfully fuzz a wide range of targets spanning servers, clients, games, and even Firefox's Inter-Process Communication (IPC) interface. Compared to state-of-the-art methods, Nyx-Net improves test throughput by up to 300x and coverage found by up to 70%. Additionally, Nyx-Net is able to find crashes in two of ProFuzzBench's targets that no other fuzzer found previously. When using Nyx-Net to play the game Super Mario, Nyx-Net shows speedups of 10-30x compared to existing work. Under some circumstances, Nyx-Net is even able play "faster than light": solving the level takes less wall-clock time than playing the level perfectly even once. Nyx-Net is able to find previously unknown bugs in servers such as Lighttpd, clients such as MySQL client, and even Firefox's IPC mechanism-demonstrating the strength and versatility of the proposed approach. Lastly, our prototype implementation was awarded a $20.000 bug bounty for enabling fuzzing on previously unfuzzable code in Firefox and solving a long-standing problem at Mozilla.

show abstract

“…Based on the feedback information from the execution of the PUT, greybox fuzzers use an evolutionary algorithm to generate new inputs and explore paths. Greybox fuzzing is widely used to test application software, libraries [8, 9], kernel code [10–12], and protocols [13–15]. Most greybox fuzzing tools are coverage‐guided, which aim to cover as many program paths as possible within a limited time budget.…”

Section: Introductionmentioning

confidence: 99%

The progress, challenges, and perspectives of directed greybox fuzzing

Wang,

Zhou,

Yue

et al. 2023

Software Testing Verif & Rel

View full text Add to dashboard Cite

SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.

show abstract

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Cited by 15 publications

References 35 publications

Fuzzing: A Survey for Roadmap

Fuzzing: A Survey for Roadmap

Nyx-Net: Network Fuzzing with Incremental Snapshots

The progress, challenges, and perspectives of directed greybox fuzzing

Contact Info

Product

Resources

About