FuZZan: Efficient Sanitizer Metadata Design for Fuzzing

Fuzzing is one of the most popular and effective techniques for finding software bugs. To detect triggered bugs, fuzzers leverage a variety of sanitizers in practice. Unfortunately, sanitizers target long running experiments—e.g., developer test suites—not fuzzing, where execution time is highly variable ranging from extremely short to long. Design decisions made for developer test suites introduce high overhead on short lived fuzzing executions, decreasing the fuzzer’s throughput and thereby reducing effectiveness. The root cause of this sanitization overhead is the heavyweight metadata structure that is optimized for frequent metadata operations over long executions. To address this, we design new metadata structures for sanitizers, and propose FuZZan to automatically select the optimal metadata structure without any user configuration. Our new metadata structures have the same bug detection capabilities as the ones they replace. We implement and apply these ideas to Address Sanitizer (ASan), which is the most popular sanitizer. Our evaluation shows that on the Google fuzzer test suite, FuZZan improves fuzzing throughput over ASan by 48% starting with Google’s provided seeds (52% when starting with empty seeds on the same applications). Due to this improved throughput, FuZZan discovers 13% more unique paths given the same 24 hours and finds bugs 42% faster. Furthermore, FuZZan catches all bugs ASan does; i.e., we have not traded precision for performance. Our findings show that sanitizer performance overhead is avoidable when metadata structures are designed for fuzzing, and that the performance difference will have a meaningful difference in squashing software bugs.

[1]  Thorsten Holz,et al.  REDQUEEN: Fuzzing with Input-to-State Correspondence , 2019, NDSS.

[2]  Robert O. Hastings,et al.  Fast detection of memory leaks and access errors , 1991 .

[3]  Yang Liu,et al.  Steelix: program-state based binary fuzzing , 2017, ESEC/SIGSOFT FSE.

[4]  Wenke Lee,et al.  Bunshin: Compositing Security Mechanisms through Diversification , 2017, USENIX Annual Technical Conference.

[5]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[6]  Wenke Lee,et al.  Type Casting Verification: Stopping an Emerging Attack Vector , 2015, USENIX Security Symposium.

[7]  Mathias Payer,et al.  T-Fuzz: Fuzzing by Program Transformation , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[8]  Cristian Cadar,et al.  FreeDA: deploying incompatible stock dynamic analyses in production via multi-version execution , 2018, CF.

[9]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[10]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[11]  Erik van der Kouwe,et al.  TypeSan: Practical Type Confusion Detection , 2016, CCS.

[12]  Chao Zhang,et al.  MOPT: Optimized Mutation Scheduling for Fuzzers , 2019, USENIX Security Symposium.

[13]  Cristian Cadar,et al.  A DSL Approach to Reconcile Equivalent Divergent Program Executions , 2017, USENIX Annual Technical Conference.

[14]  Mathias Payer,et al.  HexType: Efficient Detection of Type Confusion Errors for C++ , 2017, CCS.

[15]  Nicholas Nethercote,et al.  Using Valgrind to Detect Undefined Value Errors with Bit-Precision , 2005, USENIX Annual Technical Conference, General Track.

[16]  George Candea,et al.  High System-Code Security with Low Overhead , 2015, 2015 IEEE Symposium on Security and Privacy.

[17]  Junfeng Yang,et al.  NEUZZ: Efficient Fuzzing with Neural Program Smoothing , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[18]  Herbert Bos,et al.  TIFF: Using Input Type Inference To Improve Fuzzing , 2018, ACSAC.

[19]  Susan Horwitz,et al.  Debugging via Run-Time Type Checking , 2001, FASE.

[20]  Taddeus Kroes,et al.  Fast and Generic Metadata Management with Mid-Fat Pointers , 2017, EUROSEC.

[21]  Peng Li,et al.  SAVIOR: Towards Bug-Driven Hybrid Testing , 2019, 2020 IEEE Symposium on Security and Privacy (SP).

[22]  Andrew Ruef,et al.  Evaluating Fuzz Testing , 2018, CCS.

[23]  Qin Zhao,et al.  Practical memory checking with Dr. Memory , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[24]  Choongwoo Han,et al.  The Art, Science, and Engineering of Fuzzing: A Survey , 2018, IEEE Transactions on Software Engineering.

[25]  Van Jacobson,et al.  Congestion avoidance and control , 1988, SIGCOMM '88.

[26]  Erik van der Kouwe,et al.  DangSan: Scalable Use-after-free Detection , 2017, EuroSys.

[27]  Yves Younan,et al.  FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers , 2015, NDSS.

[28]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[29]  Per Larsen,et al.  PartiSan: Fast and Flexible Sanitization via Run-time Partitioning , 2017, RAID.

[30]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.

[31]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[32]  Hao Chen,et al.  Matryoshka: Fuzzing Deeply Nested Branches , 2019, CCS.

[33]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[34]  Mathias Payer,et al.  CUP: Comprehensive User-Space Protection for C/C++ , 2017, AsiaCCS.

[35]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[36]  Hao Chen,et al.  Angora: Efficient Fuzzing by Principled Search , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[37]  Wenke Lee,et al.  Preventing Use-after-free with Dangling Pointers Nullification , 2015, NDSS.

[38]  Wen Xu,et al.  Designing New Operating Primitives to Improve Fuzzing Performance , 2017, CCS.