Directed Greybox Fuzzing

Marcel Böhme; Van-Thuan Pham; Manh-Dung Nguyen; Abhik Roychoudhury

doi:10.1145/3133956.3134020

Directed Greybox Fuzzing

Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, Abhik Roychoudhury

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

611 Citations (Scopus)

Abstract

Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stacktrace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.

Original language	English
Title of host publication	Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Editors	David Evans, Tal Maklin, Dongyan Xu
Place of Publication	New York NY USA
Publisher	Association for Computing Machinery (ACM)
Pages	2329-2344
Number of pages	16
ISBN (Electronic)	9781450349468
DOIs	https://doi.org/10.1145/3133956.3134020
Publication status	Published - 2017
Externally published	Yes
Event	ACM Conference on Computer and Communications Security 2017 - Hotel Sheraton Downtown Dallas, Dallas, United States of America Duration: 30 Oct 2017 → 3 Nov 2017 Conference number: 24th https://ccs2017.sigsac.org/ (Conference website)

Conference

Conference	ACM Conference on Computer and Communications Security 2017
Abbreviated title	CCS 2017
Country/Territory	United States of America
City	Dallas
Period	30/10/17 → 3/11/17
Internet address	https://ccs2017.sigsac.org/ (Conference website)

Keywords

Coverage-based greybox fuzzing
Crash reproduction
Directed testing
Patch testing
Reachability
Verifying true positives

Access to Document

10.1145/3133956.3134020

Cite this

@inproceedings{3b75b551c9054d3f93dbec8e2a800b2a,

title = "Directed Greybox Fuzzing",

abstract = "Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stacktrace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.",

keywords = "Coverage-based greybox fuzzing, Crash reproduction, Directed testing, Patch testing, Reachability, Verifying true positives",

author = "Marcel B{\"o}hme and Van-Thuan Pham and Manh-Dung Nguyen and Abhik Roychoudhury",

year = "2017",

doi = "10.1145/3133956.3134020",

language = "English",

pages = "2329--2344",

editor = "Evans, {David } and Maklin, {Tal } and Dongyan Xu",

booktitle = "Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

note = "ACM Conference on Computer and Communications Security 2017, CCS 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

url = "https://ccs2017.sigsac.org/",

}

Böhme, M, Pham, V-T, Nguyen, M-D & Roychoudhury, A 2017, Directed Greybox Fuzzing. in D Evans, T Maklin & D Xu (eds), Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery (ACM), New York NY USA, pp. 2329-2344, ACM Conference on Computer and Communications Security 2017, Dallas, Texas, United States of America, 30/10/17. https://doi.org/10.1145/3133956.3134020

Directed Greybox Fuzzing. / Böhme, Marcel; Pham, Van-Thuan; Nguyen, Manh-Dung et al.
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ed. / David Evans; Tal Maklin; Dongyan Xu. New York NY USA: Association for Computing Machinery (ACM), 2017. p. 2329-2344.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Directed Greybox Fuzzing

AU - Böhme, Marcel

AU - Pham, Van-Thuan

AU - Nguyen, Manh-Dung

AU - Roychoudhury, Abhik

N1 - Conference code: 24th

PY - 2017

Y1 - 2017

N2 - Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stacktrace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.

AB - Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stacktrace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.

KW - Coverage-based greybox fuzzing

KW - Crash reproduction

KW - Directed testing

KW - Patch testing

KW - Reachability

KW - Verifying true positives

UR - http://www.scopus.com/inward/record.url?scp=85041437649&partnerID=8YFLogxK

U2 - 10.1145/3133956.3134020

DO - 10.1145/3133956.3134020

M3 - Conference Paper

AN - SCOPUS:85041437649

SP - 2329

EP - 2344

BT - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

A2 - Evans, David

A2 - Maklin, Tal

A2 - Xu, Dongyan

PB - Association for Computing Machinery (ACM)

CY - New York NY USA

T2 - ACM Conference on Computer and Communications Security 2017

Y2 - 30 October 2017 through 3 November 2017

ER -

Directed Greybox Fuzzing

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this