Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities

Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.

[1]  Erik van der Kouwe,et al.  DangSan: Scalable Use-after-free Detection , 2017, EuroSys.

[2]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[3]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.

[4]  Chao Zhang,et al.  CollAFL: Path Sensitive Fuzzing , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[5]  Meng Xu,et al.  QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing , 2018, USENIX Security Symposium.

[6]  Dawn Xiaodong Song,et al.  PerfFuzz: automatically generating pathological inputs , 2018, ISSTA.

[7]  Juanru Li,et al.  From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel , 2015, CCS.

[8]  Shiping Chen,et al.  Machine-Learning-Guided Typestate Analysis for Static Use-After-Free Detection , 2017, ACSAC.

[9]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[10]  Anja Feldmann,et al.  Static Program Analysis as a Fuzzing Aid , 2017, RAID.

[11]  Rongxin Wu,et al.  Pinpoint: fast and precise sparse value flow analysis for million lines of code , 2018, PLDI.

[12]  Shiping Chen,et al.  Spatio-Temporal Context Reduction: A Pointer-Analysis-Based Static Approach for Detecting Use-After-Free Vulnerabilities , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[13]  Eran Yahav,et al.  Typestate verification: Abstraction techniques and complexity results , 2005, Sci. Comput. Program..

[14]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.

[15]  Yang Liu,et al.  MEMLOCK: Memory Usage Guided Fuzzing , 2020, 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[16]  Wenke Lee,et al.  Preventing Use-after-free with Dangling Pointers Nullification , 2015, NDSS.

[17]  Yang Liu,et al.  Steelix: program-state based binary fuzzing , 2017, ESEC/SIGSOFT FSE.

[18]  Jingling Xue,et al.  SVF: interprocedural static value-flow analysis in LLVM , 2016, CC.

[19]  Hao Chen,et al.  Angora: Efficient Fuzzing by Principled Search , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[20]  Thorsten Holz,et al.  REDQUEEN: Fuzzing with Input-to-State Correspondence , 2019, NDSS.

[21]  Jin Song Dong,et al.  Explaining Regressions via Alignment Slicing and Mending , 2021, IEEE Transactions on Software Engineering.

[22]  Peng Li,et al.  SAVIOR: Towards Bug-Driven Hybrid Testing , 2019, 2020 IEEE Symposium on Security and Privacy (SP).

[23]  Shuvendu K. Lahiri,et al.  Angelic Verification: Precise Verification Modulo Unknowns , 2015, CAV.

[24]  Eran Yahav,et al.  Effective typestate verification in the presence of aliasing , 2006, TSEM.

[25]  Yves Younan,et al.  FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers , 2015, NDSS.

[26]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[27]  Xi Wang,et al.  Linux kernel vulnerabilities: state-of-the-art defenses and open problems , 2011, APSys.

[28]  Bihuan Chen,et al.  Hawkeye: Towards a Desired Directed Grey-box Fuzzer , 2018, CCS.

[29]  Zhenbang Chen,et al.  Regular Property Guided Dynamic Symbolic Execution , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[30]  Zhenbang Chen,et al.  Symbolic Verification of Regular Properties , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[31]  Andy Podgurski,et al.  Measuring the strength of information flows in programs , 2009, TSEM.

[32]  Angelos D. Keromytis,et al.  SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities , 2017, CCS.

[33]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[34]  Chao Zhang,et al.  MOPT: Optimized Mutation Scheduling for Fuzzers , 2019, USENIX Security Symposium.

[35]  Shengchao Qin,et al.  Locating vulnerabilities in binaries via memory layout recovering , 2019, ESEC/SIGSOFT FSE.

[36]  Sukyoung Ryu,et al.  SAFEWAPI: web API misuse detector for web applications , 2014, SIGSOFT FSE.

[37]  Qinghua Zheng,et al.  Dependence Guided Symbolic Execution , 2017, IEEE Transactions on Software Engineering.

[38]  Yang Liu,et al.  FOT: a versatile, configurable, extensible fuzzing framework , 2018, ESEC/SIGSOFT FSE.

[39]  Koushik Sen,et al.  FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[40]  Juan Caballero,et al.  Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities , 2012, ISSTA 2012.

[41]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[42]  Andrew Ruef,et al.  Evaluating Fuzz Testing , 2018, CCS.

[43]  Yang Liu,et al.  Cerebro: context-aware adaptive fuzzing for effective vulnerability detection , 2019, ESEC/SIGSOFT FSE.

[44]  Xiangyu Zhang,et al.  ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery , 2019, 2019 IEEE Symposium on Security and Privacy (SP).