Fine-Grained Coverage-Based Fuzzing

Author:

Wu Wei-Cheng (1), Nongpoh Bernard (2), Nour Marwan (2), Marcozzi Michaël (2), Bardin Sébastien (2), Hauser Christophe (3)

Affiliation:

1. Université Paris-Saclay, CEA, List, France and University of Southern California, USA

2. Université Paris-Saclay, CEA, List, France

3. University of Southern California, USA

Abstract

Fuzzing is a popular software testing method that discovers bugs by massively feeding target applications with automatically generated inputs. Many state-of-the-art fuzzers use branch coverage as a feedback metric to guide the fuzzing process: the fuzzer retains an input for further mutation only if it increases branch coverage. However, branch coverage only provides a shallow sampling of program behaviours and hence may discard inputs that would be interesting to mutate. This work aims at taking advantage of the large body of research on defining finer-grained code coverage metrics (such as control-flow, data-flow or mutation coverage) and at evaluating how fuzzing performance is impacted when these metrics are used to select interesting inputs for mutation. We propose to make branch coverage-based fuzzers support most fine-grained coverage metrics out of the box (i.e., without changing fuzzer internals). We achieve this by making the test objectives defined by these metrics (such as conditions to activate or mutants to kill) explicit as new branches in the target program. Fuzzing such a modified target is then equivalent to fuzzing the original target, except that the fuzzer also retains for mutation the inputs covering the additional metric objectives. In addition, all the fuzzer mechanisms for penetrating hard-to-cover branches help cover the additional metric objectives. We use this approach to evaluate the impact of supporting two fine-grained coverage metrics (multiple condition coverage and weak mutation) on the performance of two state-of-the-art fuzzers (AFL++ and QSYM) with the standard LAVA-M and MAGMA benchmarks. This evaluation suggests that our mechanism for runtime fuzzer guidance, where the fuzzed code is instrumented with additional branches, is effective and could be leveraged to encode guidance from human users or static analysers.

Our results also show that the impact of fine-grained metrics on fuzzing performance is hard to predict before fuzzing, and most of the time either neutral or negative. As a consequence, we do not recommend using them to guide fuzzers, except perhaps in some possibly favourable circumstances yet to be investigated, such as for limited parts of the code or to complement classical fuzzing campaigns.
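The following C program is an added illustration of the idea described above and is not code from the paper or its authors. It takes a constructed target with one compound condition and shows one way (this example's own encoding, not necessarily the paper's) of making multiple-condition-coverage and weak-mutation objectives explicit as extra branches whose only effect is to mark an objective as reached. The objective names, the `OBJECTIVE` marker and the byte map standing in for the fuzzer's coverage map are all assumptions of this example. The mini-corpus demonstrates the point of the abstract: an input that adds no branch coverage to the original function still reaches new objectives in the instrumented one, so a branch-coverage fuzzer would keep it for mutation.

```c
#include <stdio.h>

/* Objective ids for the branches added by the (assumed) instrumentation.
 * The numbering and names are this example's own, not the paper's. */
enum {
    OBJ_A_TRUE,        /* atomic condition a > 0 evaluated true  */
    OBJ_A_FALSE,       /* atomic condition a > 0 evaluated false */
    OBJ_B_TRUE,        /* atomic condition b < 10 evaluated true */
    OBJ_B_FALSE,       /* atomic condition b < 10 evaluated false */
    OBJ_MUT_A_KILLED,  /* weak mutant "a >= 0" differs in value from "a > 0" */
    OBJ_MUT_B_KILLED,  /* weak mutant "b <= 10" differs in value from "b < 10" */
    OBJ_COUNT
};

/* Stand-in for the fuzzer's coverage map: one byte per added branch. */
static unsigned char objectives_hit[OBJ_COUNT];

/* The body of each added branch only records the objective. To a coverage
 * tracer it looks like any other edge, so the fuzzer keeps inputs that
 * reach it for further mutation without any change to fuzzer internals. */
#define OBJECTIVE(id) do { objectives_hit[(id)] = 1; } while (0)

/* Original target logic (constructed): one compound condition, two outcomes. */
int original_check(int a, int b) {
    if (a > 0 && b < 10)
        return 1;
    return 0;
}

/* Same logic with the metric objectives made explicit as extra branches.
 * The atomic conditions have no side effects, so evaluating each of them
 * unconditionally does not change the function's behaviour. */
int instrumented_check(int a, int b) {
    /* multiple condition coverage: each atomic condition gets its own true/false branch */
    if (a > 0) OBJECTIVE(OBJ_A_TRUE); else OBJECTIVE(OBJ_A_FALSE);
    if (b < 10) OBJECTIVE(OBJ_B_TRUE); else OBJECTIVE(OBJ_B_FALSE);

    /* weak mutation: the branch is taken exactly when the mutated expression
     * evaluates differently from the original, i.e. the mutant is weakly killed */
    if ((a > 0) != (a >= 0)) OBJECTIVE(OBJ_MUT_A_KILLED);
    if ((b < 10) != (b <= 10)) OBJECTIVE(OBJ_MUT_B_KILLED);

    return original_check(a, b); /* original semantics preserved */
}

void reset_objectives(void) {
    for (int i = 0; i < OBJ_COUNT; i++) objectives_hit[i] = 0;
}

int objectives_covered(void) {
    int n = 0;
    for (int i = 0; i < OBJ_COUNT; i++) n += objectives_hit[i];
    return n;
}

/* Run one input through the instrumented target and report how many
 * previously uncovered objectives it reached. A branch-coverage fuzzer
 * would retain the input for mutation exactly when this is > 0. */
int exercise(int a, int b) {
    int before = objectives_covered();
    instrumented_check(a, b);
    return objectives_covered() - before;
}

int main(void) {
    /* Constructed mini-corpus. Under plain branch coverage of original_check,
     * (3, 10) adds nothing over (0, 5): both take the false outcome. With the
     * added branches it still reaches two new objectives and is retained. */
    int corpus[][2] = { {1, 5}, {0, 5}, {3, 10}, {1, 5} };
    reset_objectives();
    for (unsigned i = 0; i < sizeof corpus / sizeof corpus[0]; i++) {
        int gained = exercise(corpus[i][0], corpus[i][1]);
        printf("input (%d, %d): %d new objective(s) -> %s\n",
               corpus[i][0], corpus[i][1], gained, gained ? "keep" : "discard");
    }
    printf("%d/%d objectives covered\n", objectives_covered(), OBJ_COUNT);
    return 0;
}
```

In a real campaign the `OBJECTIVE` bodies would simply be ordinary basic blocks that the compiler's coverage instrumentation (e.g. the AFL++ pass) sees as new edges; the byte map here only makes the effect observable in a stand-alone program. Note that for weak mutation the added branch is the weak-kill condition itself, so the fuzzer's usual machinery for reaching hard branches is what drives it toward killing the mutant.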

Publisher

Association for Computing Machinery (ACM)

Subject

Software

