Towards Systematic and Dynamic Task Allocation for Collaborative Parallel Fuzzing

Parallel coverage-guided greybox fuzzing is the most common setup for vulnerability discovery at scale. However, it has so far received little attention from the research community compared to single-mode fuzzing, leaving several problems open, particularly in its task allocation strategies. Current approaches focus on managing micro tasks at the seed-input level, and their task division algorithms are either ad hoc or static. In this paper, we leverage research on graph partitioning and search algorithms to propose a systematic and dynamic task allocation solution that works at the macro-task level. First, we design an attributed graph that captures both program structure (e.g., the program call graph) and fuzzing information (e.g., branch hit counts, bug discovery probability). Second, our graph partitioning algorithm divides the global program search space into sub-search-spaces. Finally, our search algorithm prioritizes these sub-search-spaces (i.e., tasks) and explores them to maximize code coverage and the number of bugs found. The results are collected to update the graph and guide further iterations of partitioning and exploration. We implemented a prototype tool called AFLTeam. In our preliminary experiments on well-tested benchmarks, AFLTeam achieved higher code coverage (up to 16.4% branch coverage improvement) than the default parallel mode of AFL and discovered 2 zero-day bugs in the FFmpeg and JasPer toolkits.
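The three-stage loop described in the abstract (attributed graph, partitioning into sub-search-spaces, prioritized exploration with feedback) can be sketched in a few dozen lines. The following is an added illustrative example, not AFLTeam's code or its actual partitioning or search algorithm: the call graph, branch counts and bug-likelihood estimates are constructed sample data, the greedy region-growing partitioner stands in for a real graph partitioning algorithm, and the priority score's weights are assumed. It shows the mechanics a practitioner would care about: tasks are whole program regions rather than individual seeds, and re-running the allocation after hit counts are fed back moves workers off regions that have been saturated.

```python
"""Toy macro-task allocation for parallel fuzzing (illustrative sketch, not AFLTeam)."""
from collections import defaultdict

# Constructed sample: callee lists of a small decoder-like program.
CALL_GRAPH = {
    "main":         ["parse_header", "decode_frame"],
    "parse_header": ["read_chunk", "check_magic"],
    "decode_frame": ["read_chunk", "idct", "write_out"],
    "read_chunk":   [],
    "check_magic":  [],
    "idct":         ["clamp"],
    "clamp":        [],
    "write_out":    [],
}

# Constructed fuzzing attributes per function: total branches, branches hit
# so far, and an assumed bug-likelihood estimate in [0, 1].
ATTRS = {
    "main":         {"branches": 4,  "hit": 4,  "bug_prob": 0.05},
    "parse_header": {"branches": 12, "hit": 10, "bug_prob": 0.30},
    "decode_frame": {"branches": 20, "hit": 6,  "bug_prob": 0.40},
    "read_chunk":   {"branches": 6,  "hit": 6,  "bug_prob": 0.10},
    "check_magic":  {"branches": 3,  "hit": 1,  "bug_prob": 0.20},
    "idct":         {"branches": 16, "hit": 2,  "bug_prob": 0.35},
    "clamp":        {"branches": 2,  "hit": 0,  "bug_prob": 0.10},
    "write_out":    {"branches": 5,  "hit": 5,  "bug_prob": 0.05},
}


def uncovered(attrs, fn):
    """Node weight: branches of fn not yet reached by any worker."""
    return attrs[fn]["branches"] - attrs[fn]["hit"]


def undirected(call_graph):
    """Call graph as an undirected adjacency map (partitioning ignores direction)."""
    adj = defaultdict(set)
    for caller, callees in call_graph.items():
        adj[caller]  # make sure leaf-only / isolated functions appear
        for callee in callees:
            adj[caller].add(callee)
            adj[callee].add(caller)
    return adj


def partition(call_graph, attrs, k):
    """Greedy region growing (stand-in for a real partitioner): seed a part at the
    heaviest unassigned node, absorb neighbours until it holds ~1/k of the
    uncovered mass, repeat k times; leftovers join the part they touch most."""
    k = max(1, k)
    adj = undirected(call_graph)
    total = sum(uncovered(attrs, f) for f in adj)
    target = total / k
    unassigned = set(adj)
    parts = []
    while unassigned and len(parts) < k:
        seed = max(unassigned, key=lambda f: (uncovered(attrs, f), f))
        part, weight = {seed}, uncovered(attrs, seed)
        unassigned.remove(seed)
        frontier = set(adj[seed]) & unassigned
        while frontier and weight < target:
            nxt = max(frontier, key=lambda f: (uncovered(attrs, f), f))
            part.add(nxt)
            unassigned.remove(nxt)
            weight += uncovered(attrs, nxt)
            frontier = (frontier | adj[nxt]) & unassigned
        parts.append(part)
    for f in sorted(unassigned):  # attach leftovers by locality, then by lightness
        best = max(parts, key=lambda p: (len(adj[f] & p),
                                         -sum(uncovered(attrs, x) for x in p)))
        best.add(f)
    return parts


def prioritize(parts, attrs):
    """Rank sub-search-spaces: more uncovered branches and higher bug likelihood
    first. The 10x weight on bug likelihood is an assumed tuning constant."""
    def score(part):
        unc = sum(uncovered(attrs, f) for f in part)
        bug = sum(attrs[f]["bug_prob"] for f in part)
        return unc + 10 * bug
    return sorted(parts, key=score, reverse=True)


def allocate(call_graph, attrs, workers):
    """One allocation round: partition, rank, hand the best task to worker0, etc."""
    ranked = prioritize(partition(call_graph, attrs, workers), attrs)
    return {f"worker{i}": sorted(p) for i, p in enumerate(ranked)}


def update(attrs, new_hits):
    """Feed a round's branch hit counts back into the graph (monotone, capped)."""
    for fn, hits in new_hits.items():
        attrs[fn]["hit"] = min(attrs[fn]["branches"], max(attrs[fn]["hit"], hits))
    return attrs


if __name__ == "__main__":
    live = {k: dict(v) for k, v in ATTRS.items()}
    print("round 1:", allocate(CALL_GRAPH, live, 3))
    update(live, {"idct": 15, "clamp": 2})  # worker0 saturated the idct region
    print("round 2:", allocate(CALL_GRAPH, live, 3))
```

In the first round the idct/clamp region ranks first because it has the most uncovered branches and a high bug estimate; once the feedback step records that almost all of its branches were hit, the second round hands worker0 the decode_frame region instead, which is the dynamic re-allocation the abstract contrasts with static task division.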
