Model-based Whitebox Fuzzing for program binaries

Van-Thuan Pham; Marcel Böhme; Abhik Roychoudhury

doi:10.1145/2970276.2970316

Model-based Whitebox Fuzzing for program binaries

Van-Thuan Pham, Marcel Böhme, Abhik Roychoudhury

Dept of Software Systems & Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

31 Citations (Scopus)

Abstract

Many real-world programs take highly structured and complex files as inputs. The automated testing of such programs is non-trivial. If the test does not adhere to a specific file format, the program returns a parser error. For symbolic execution-based whitebox fuzzing the corresponding error handling code becomes a significant time sink. Too much time is spent in the parser exploring too many paths leading to trivial parser errors. Naturally, the time is better spent exploring the functional part of the program where failure with valid input exposes deep and real bugs in the program. In this paper, we suggest to leverage information about the file format and data chunks of existing, valid files to swiftly carry the exploration beyond the parser code. We call our approach Modelbased Whitebox Fuzzing (MoWF) because the file format input model of blackbox fuzzers can be exploited as a constraint on the vast input space to rule out most invalid inputs during path exploration in symbolic execution. We evaluate on 13 vulnerabilities in 8 large program binaries with 6 separate file formats and found that MoWF exposes all vulnerabilities while both, traditional whitebox fuzzing and model-based blackbox fuzzing, expose only less than half, respectively. Our experiments also demonstrate that MoWF exposes 70% vulnerabilities without any seed inputs.

Original language	English
Title of host publication	Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering
Editors	David Lo, Sven Apel, Sarfraz Khurshid
Place of Publication	New York NY USA
Publisher	Association for Computing Machinery (ACM)
Pages	543-553
Number of pages	11
ISBN (Electronic)	9781450338455
DOIs	https://doi.org/10.1145/2970276.2970316
Publication status	Published - 2016
Event	Automated Software Engineering Conference 2016 - Singapore Management University (SMU), Singapore, Singapore Duration: 3 Sep 2016 → 7 Sep 2016 Conference number: 31st http://www.ase2016.org/ (Conference website) https://dl.acm.org/doi/proceedings/10.1145/2970276 (Proceedings)

Conference

Conference	Automated Software Engineering Conference 2016
Abbreviated title	ASE 2016
Country	Singapore
City	Singapore
Period	3/09/16 → 7/09/16
Internet address	http://www.ase2016.org/ (Conference website) https://dl.acm.org/doi/proceedings/10.1145/2970276 (Proceedings)

Keywords

Program Binaries
Symbolic Execution

Access to Document

10.1145/2970276.2970316

Link to publication in Scopus

Cite this

@inproceedings{ea6e3afa16ac43899ab1ebe2b77a8788,

title = "Model-based Whitebox Fuzzing for program binaries",

abstract = "Many real-world programs take highly structured and complex files as inputs. The automated testing of such programs is non-trivial. If the test does not adhere to a specific file format, the program returns a parser error. For symbolic execution-based whitebox fuzzing the corresponding error handling code becomes a significant time sink. Too much time is spent in the parser exploring too many paths leading to trivial parser errors. Naturally, the time is better spent exploring the functional part of the program where failure with valid input exposes deep and real bugs in the program. In this paper, we suggest to leverage information about the file format and data chunks of existing, valid files to swiftly carry the exploration beyond the parser code. We call our approach Modelbased Whitebox Fuzzing (MoWF) because the file format input model of blackbox fuzzers can be exploited as a constraint on the vast input space to rule out most invalid inputs during path exploration in symbolic execution. We evaluate on 13 vulnerabilities in 8 large program binaries with 6 separate file formats and found that MoWF exposes all vulnerabilities while both, traditional whitebox fuzzing and model-based blackbox fuzzing, expose only less than half, respectively. Our experiments also demonstrate that MoWF exposes 70% vulnerabilities without any seed inputs.",

keywords = "Program Binaries, Symbolic Execution",

author = "Van-Thuan Pham and Marcel B{\"o}hme and Abhik Roychoudhury",

year = "2016",

doi = "10.1145/2970276.2970316",

language = "English",

pages = "543--553",

editor = "Lo, {David } and Sven Apel and Khurshid, {Sarfraz }",

booktitle = "Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

note = "Automated Software Engineering Conference 2016, ASE 2016 ; Conference date: 03-09-2016 Through 07-09-2016",

url = "http://www.ase2016.org/, https://dl.acm.org/doi/proceedings/10.1145/2970276",

}

Pham, V-T, Böhme, M & Roychoudhury, A 2016, Model-based Whitebox Fuzzing for program binaries. in D Lo, S Apel & S Khurshid (eds), Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering. Association for Computing Machinery (ACM), New York NY USA, pp. 543-553, Automated Software Engineering Conference 2016, Singapore, Singapore, 3/09/16. https://doi.org/10.1145/2970276.2970316

Model-based Whitebox Fuzzing for program binaries. / Pham, Van-Thuan; Böhme, Marcel; Roychoudhury, Abhik.

Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering. ed. / David Lo; Sven Apel; Sarfraz Khurshid. New York NY USA : Association for Computing Machinery (ACM), 2016. p. 543-553.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Model-based Whitebox Fuzzing for program binaries

AU - Pham, Van-Thuan

AU - Böhme, Marcel

AU - Roychoudhury, Abhik

N1 - Conference code: 31st

PY - 2016

Y1 - 2016

N2 - Many real-world programs take highly structured and complex files as inputs. The automated testing of such programs is non-trivial. If the test does not adhere to a specific file format, the program returns a parser error. For symbolic execution-based whitebox fuzzing the corresponding error handling code becomes a significant time sink. Too much time is spent in the parser exploring too many paths leading to trivial parser errors. Naturally, the time is better spent exploring the functional part of the program where failure with valid input exposes deep and real bugs in the program. In this paper, we suggest to leverage information about the file format and data chunks of existing, valid files to swiftly carry the exploration beyond the parser code. We call our approach Modelbased Whitebox Fuzzing (MoWF) because the file format input model of blackbox fuzzers can be exploited as a constraint on the vast input space to rule out most invalid inputs during path exploration in symbolic execution. We evaluate on 13 vulnerabilities in 8 large program binaries with 6 separate file formats and found that MoWF exposes all vulnerabilities while both, traditional whitebox fuzzing and model-based blackbox fuzzing, expose only less than half, respectively. Our experiments also demonstrate that MoWF exposes 70% vulnerabilities without any seed inputs.

AB - Many real-world programs take highly structured and complex files as inputs. The automated testing of such programs is non-trivial. If the test does not adhere to a specific file format, the program returns a parser error. For symbolic execution-based whitebox fuzzing the corresponding error handling code becomes a significant time sink. Too much time is spent in the parser exploring too many paths leading to trivial parser errors. Naturally, the time is better spent exploring the functional part of the program where failure with valid input exposes deep and real bugs in the program. In this paper, we suggest to leverage information about the file format and data chunks of existing, valid files to swiftly carry the exploration beyond the parser code. We call our approach Modelbased Whitebox Fuzzing (MoWF) because the file format input model of blackbox fuzzers can be exploited as a constraint on the vast input space to rule out most invalid inputs during path exploration in symbolic execution. We evaluate on 13 vulnerabilities in 8 large program binaries with 6 separate file formats and found that MoWF exposes all vulnerabilities while both, traditional whitebox fuzzing and model-based blackbox fuzzing, expose only less than half, respectively. Our experiments also demonstrate that MoWF exposes 70% vulnerabilities without any seed inputs.

KW - Program Binaries

KW - Symbolic Execution

UR - http://www.scopus.com/inward/record.url?scp=84989182173&partnerID=8YFLogxK

U2 - 10.1145/2970276.2970316

DO - 10.1145/2970276.2970316

M3 - Conference Paper

AN - SCOPUS:84989182173

SP - 543

EP - 553

BT - Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

A2 - Lo, David

A2 - Apel, Sven

A2 - Khurshid, Sarfraz

PB - Association for Computing Machinery (ACM)

CY - New York NY USA

T2 - Automated Software Engineering Conference 2016

Y2 - 3 September 2016 through 7 September 2016

ER -