Coverage-based Greybox Fuzzing as Markov chain

Marcel Böhme; Van-Thuan Pham; Abhik Roychoudhury

doi:10.1145/2976749.2978428

Coverage-based Greybox Fuzzing as Markov chain

Marcel Böhme, Van-Thuan Pham, Abhik Roychoudhury

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

474 Citations (Scopus)

Abstract

Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few "high-frequency" paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFast exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFast produces at least an order of magnitude more unique crashes than AFL.

Original language	English
Title of host publication	CCS' 2016
Subtitle of host publication	Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Editors	Shai Halevi, Christopher Kruegel, Andrew Myers
Place of Publication	New York NY USA
Publisher	Association for Computing Machinery (ACM)
Pages	1032-1043
Number of pages	12
ISBN (Print)	9781450341394
DOIs	https://doi.org/10.1145/2976749.2978428
Publication status	Published - 24 Oct 2016
Externally published	Yes
Event	ACM Conference on Computer and Communications Security 2016 - Vienna, Austria Duration: 24 Oct 2016 → 28 Oct 2016 Conference number: 23rd https://www.sigsac.org/ccs/CCS2016/

Conference

Conference	ACM Conference on Computer and Communications Security 2016
Abbreviated title	CCS 2016
Country/Territory	Austria
City	Vienna
Period	24/10/16 → 28/10/16
Internet address	https://www.sigsac.org/ccs/CCS2016/

Access to Document

10.1145/2976749.2978428

Cite this

@inproceedings{a9ca62d7cb924f9da28dc3182389b20c,

title = "Coverage-based Greybox Fuzzing as Markov chain",

abstract = "Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few {"}high-frequency{"} paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFast exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFast produces at least an order of magnitude more unique crashes than AFL.",

author = "Marcel B{\"o}hme and Van-Thuan Pham and Abhik Roychoudhury",

year = "2016",

month = oct,

day = "24",

doi = "10.1145/2976749.2978428",

language = "English",

isbn = "9781450341394",

pages = "1032--1043",

editor = "Shai Halevi and Christopher Kruegel and Andrew Myers",

booktitle = "CCS' 2016",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

note = "ACM Conference on Computer and Communications Security 2016, CCS 2016 ; Conference date: 24-10-2016 Through 28-10-2016",

url = "https://www.sigsac.org/ccs/CCS2016/",

}

Böhme, M, Pham, V-T & Roychoudhury, A 2016, Coverage-based Greybox Fuzzing as Markov chain. in S Halevi, C Kruegel & A Myers (eds), CCS' 2016: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery (ACM), New York NY USA, pp. 1032-1043, ACM Conference on Computer and Communications Security 2016, Vienna, Austria, 24/10/16. https://doi.org/10.1145/2976749.2978428

Coverage-based Greybox Fuzzing as Markov chain. / Böhme, Marcel; Pham, Van-Thuan; Roychoudhury, Abhik.
CCS' 2016: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ed. / Shai Halevi; Christopher Kruegel; Andrew Myers. New York NY USA: Association for Computing Machinery (ACM), 2016. p. 1032-1043.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Coverage-based Greybox Fuzzing as Markov chain

AU - Böhme, Marcel

AU - Pham, Van-Thuan

AU - Roychoudhury, Abhik

N1 - Conference code: 23rd

PY - 2016/10/24

Y1 - 2016/10/24

N2 - Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few "high-frequency" paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFast exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFast produces at least an order of magnitude more unique crashes than AFL.

AB - Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few "high-frequency" paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFast exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFast produces at least an order of magnitude more unique crashes than AFL.

UR - http://www.scopus.com/inward/record.url?scp=84995450940&partnerID=8YFLogxK

U2 - 10.1145/2976749.2978428

DO - 10.1145/2976749.2978428

M3 - Conference Paper

AN - SCOPUS:84995450940

SN - 9781450341394

SP - 1032

EP - 1043

BT - CCS' 2016

A2 - Halevi, Shai

A2 - Kruegel, Christopher

A2 - Myers, Andrew

PB - Association for Computing Machinery (ACM)

CY - New York NY USA

T2 - ACM Conference on Computer and Communications Security 2016

Y2 - 24 October 2016 through 28 October 2016

ER -

Coverage-based Greybox Fuzzing as Markov chain

Abstract

Conference

Access to Document

Other files and links

Cite this