DAFuzz: data-aware fuzzing of in-memory data stores

Author:

Zeng Yingpei (1), Zhu Fengming (1), Zhang Siyi (1), Yang Yu (1), Yi Siyu (1), Pan Yufan (1), Xie Guojie (2), Wu Ting (3)

Affiliation:

1. School of Cyberspace, Hangzhou Dianzi University, Hangzhou, China

2. Zhejiang Key Laboratory of Open Data, Hangzhou, China

3. Hangzhou Innovation Institute, Beihang University, Hangzhou, China

Abstract

Fuzzing has become an important method for finding vulnerabilities in software. For programs that expect structured inputs, syntax-aware and semantics-aware fuzzing approaches have been proposed. However, they still cannot fuzz in-memory data stores sufficiently, because some code paths are executed only when the data they operate on is already present in the store. In this article we propose a data-aware fuzzing method, DAFuzz, which is designed around the data that the store holds during fuzzing. Specifically, to ensure that different data-sensitive code paths are exercised, DAFuzz first loads different kinds of data into the store before feeding fuzzing inputs. Then, when generating inputs, DAFuzz ensures that the generated inputs are not only syntactically and semantically valid but also use the loaded data correctly. We implement a prototype of DAFuzz based on Superion and use it to fuzz Redis and Memcached. Experiments show that DAFuzz covers 13~95% more edges than AFL, Superion, AFL++, and AFLNet, and discovers vulnerabilities over 2.7× faster. In total, we discovered four new vulnerabilities in Redis and Memcached. All of them were reported to the developers and have been acknowledged and fixed.
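The abstract describes two ingredients: pre-loading the store with data of several kinds, and generating inputs that refer to that data correctly. The following Python sketch is an added illustration of that idea for a Redis-style store; it is not DAFuzz's code and not taken from the paper. The seed data, the command-to-key-type table, and the assumption that "using the data correctly" means applying each command to a key of the type it expects are all constructed here for illustration. It emits RESP-encoded commands (the wire format a Redis client sends), first the seeding commands and then data-consistent fuzz commands, and includes the consistency check a harness could use to reject type-blind inputs that would only exercise the WRONGTYPE error path.

```python
"""Illustrative data-aware input generation for a Redis-like store.

Added example: not DAFuzz's implementation. Seed data, command table and the
consistency rule are assumptions made for the demonstration.
"""
import random

# Constructed seed set: key -> (type, value). Loading one value of each type
# before fuzzing is what makes type-specific code paths reachable at all.
SEED_DATA = {
    "s:greeting": ("string", "hello"),
    "l:queue": ("list", ["a", "b", "c"]),
    "h:user": ("hash", {"name": "bob", "age": "42"}),
    "z:scores": ("zset", {"alice": 1.5, "bob": 2.0}),
}

# Commands grouped by the key type they require (a small subset of Redis).
COMMANDS_BY_TYPE = {
    "string": ["GET", "APPEND", "STRLEN", "GETRANGE"],
    "list": ["LPUSH", "LPOP", "LRANGE", "LINDEX"],
    "hash": ["HGET", "HSET", "HLEN", "HGETALL"],
    "zset": ["ZADD", "ZSCORE", "ZRANGE", "ZCARD"],
}


def encode_resp(args):
    """Serialize a command as a RESP array of bulk strings."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        out += b"$%d\r\n%s\r\n" % (len(b), b)
    return out


def seed_commands(seed=SEED_DATA):
    """Commands that load the seed data into the store before fuzzing starts."""
    cmds = []
    for key, (typ, val) in seed.items():
        if typ == "string":
            cmds.append(["SET", key, val])
        elif typ == "list":
            cmds.append(["RPUSH", key, *val])
        elif typ == "hash":
            cmds.append(["HSET", key, *[x for kv in val.items() for x in kv]])
        elif typ == "zset":
            # ZADD takes score before member.
            cmds.append(["ZADD", key, *[x for m, s in val.items() for x in (str(s), m)]])
    return cmds


def required_type(cmd):
    """Key type a command requires, or None if the command is unknown here."""
    for typ, cmds in COMMANDS_BY_TYPE.items():
        if cmd in cmds:
            return typ
    return None


def is_data_consistent(args, seed=SEED_DATA):
    """Data-awareness check: the key exists and has the type the command needs."""
    cmd, key = args[0], args[1]
    return key in seed and seed[key][0] == required_type(cmd)


def gen_command(rng, seed=SEED_DATA):
    """Pick an existing key, then a command valid for that key's type, then
    operands that refer to existing members where the command needs them."""
    key = rng.choice(sorted(seed))
    typ, val = seed[key]
    cmd = rng.choice(COMMANDS_BY_TYPE[typ])
    args = [cmd, key]
    if cmd == "APPEND":
        args.append("x")
    elif cmd in ("GETRANGE", "LRANGE", "ZRANGE"):
        args += ["0", "-1"]
    elif cmd == "LPUSH":
        args.append("v")
    elif cmd == "LINDEX":
        args.append(str(rng.randrange(len(val))))   # index inside the list
    elif cmd in ("HGET", "ZSCORE"):
        args.append(rng.choice(sorted(val)))         # an existing field/member
    elif cmd == "HSET":
        args += ["f", "v"]
    elif cmd == "ZADD":
        args += ["1", "m"]
    return args


def gen_batch(n, seed_int):
    """Deterministic batch of n data-consistent commands (seeded RNG)."""
    rng = random.Random(seed_int)
    return [gen_command(rng) for _ in range(n)]


def gen_blind(rng, seed=SEED_DATA):
    """Type-blind baseline: any command on any key. Most results hit WRONGTYPE."""
    cmd = rng.choice([c for cs in COMMANDS_BY_TYPE.values() for c in cs])
    return [cmd, rng.choice(sorted(seed))]


if __name__ == "__main__":
    for c in seed_commands() + gen_batch(5, 7):
        print(encode_resp(c))
```

Feeding the seeding commands once, then the generated batch, gives a session in which list, hash and sorted-set handlers are all exercised; `is_data_consistent` run over `gen_blind` output shows how often a type-blind generator would instead stop at the type check.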

Funder

Zhejiang Provincial Natural Science Foundation of China

National Natural Science Foundation of China

Key Research Project of Zhejiang Province, China

“Pioneer” and “Leading Goose” R&D Program of Zhejiang

Publisher

PeerJ

Subject

General Computer Science

