Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities

Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recently, hard-to-detect vulnerabilities such as Use-After-Free (UAF) are still not well addressed, especially at the binary level. We propose UAFuzz, the first (binary-level) directed greybox fuzzer dedicated to UAF bugs. The technique features a fuzzing engine tailored to UAF specifics, a lightweight code instrumentation and an efficient bug triage step. Experimental evaluation for bug reproduction on real cases demonstrates that UAFuzz significantly outperforms state-of-the-art directed fuzzers in terms of fault detection rate, time to exposure and bug triaging. UAFuzz has also been proven effective in patch testing, leading to the discovery of 30 new bugs (7 CVEs) in programs such as Perl, GPAC and GNU Patch. Finally, we provide to the community a large fuzzing benchmark dedicated to UAF, built on both real codes and real bugs.

[1]  Yang Liu,et al.  Steelix: program-state based binary fuzzing , 2017, ESEC/SIGSOFT FSE.

[2]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[3]  Emilio Coppa,et al.  WEIZZ: automatic grey-box fuzzing for structured binary formats , 2019, ISSTA.

[4]  Julia L. Lawall,et al.  Coccinelle: Tool support for automated CERT C Secure Coding Standard certification , 2014, Sci. Comput. Program..

[5]  Chao Zhang,et al.  CollAFL: Path Sensitive Fuzzing , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[6]  Yang Liu,et al.  Cerebro: context-aware adaptive fuzzing for effective vulnerability detection , 2019, ESEC/SIGSOFT FSE.

[7]  Gang Wang,et al.  Understanding the Reproducibility of Crowd-reported Security Vulnerabilities , 2018, USENIX Security Symposium.

[8]  Yue Yu,et al.  Sequence Coverage Directed Greybox Fuzzing , 2019, 2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC).

[9]  Thorsten Holz,et al.  REDQUEEN: Fuzzing with Input-to-State Correspondence , 2019, NDSS.

[10]  Xiangyu Zhang,et al.  ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[11]  Yves Younan,et al.  FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers , 2015, NDSS.

[12]  Thorsten Holz,et al.  GRIMOIRE: Synthesizing Structure while Fuzzing , 2019, USENIX Security Symposium.

[13]  Jean-Yves Marion,et al.  Backward-Bounded DSE: Targeting Infeasibility Questions on Obfuscated Codes , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[14]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[15]  William K. Robertson,et al.  LAVA: Large-Scale Automated Vulnerability Addition , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[16]  Peiyuan Zong,et al.  SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits , 2017, CCS.

[17]  Junfeng Yang,et al.  NEUZZ: Efficient Fuzzing with Neural Program Smoothing , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[18]  Junfeng Yang,et al.  NEUZZ: Efficient Fuzzing with Neural Program Learning , 2018, ArXiv.

[19]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[20]  Peter Müller,et al.  Guiding Dynamic Symbolic Execution toward Unverified Program Executions , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[21]  Bihuan Chen,et al.  Hawkeye: Towards a Desired Directed Grey-box Fuzzer , 2018, CCS.

[22]  Mathias Payer,et al.  T-Fuzz: Fuzzing by Program Transformation , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[23]  Subhajit Roy,et al.  Bug synthesis: challenging bug-finding tools with deep faults , 2018, ESEC/SIGSOFT FSE.

[24]  Marie-Laure Potet,et al.  Get Rid of Inline Assembly through Verification-Oriented Lifting , 2019, 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[25]  Marie-Laure Potet,et al.  Finding the needle in the heap: combining static analysis and dynamic symbolic execution to trigger use-after-free , 2016, SSPREW '16.

[26]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[27]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[28]  Alessandro Orso,et al.  BugRedux: Reproducing field failures for in-house debugging , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[29]  Choongwoo Han,et al.  The Art, Science, and Engineering of Fuzzing: A Survey , 2018, IEEE Transactions on Software Engineering.

[30]  Jingling Xue,et al.  On-demand strong update analysis via value-flow refinement , 2016, SIGSOFT FSE.

[31]  Juan Caballero,et al.  Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities , 2012, ISSTA 2012.

[32]  Shiping Chen,et al.  Spatio-Temporal Context Reduction: A Pointer-Analysis-Based Static Approach for Detecting Use-After-Free Vulnerabilities , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[33]  Jean-Yves Marion,et al.  BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis , 2016, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[34]  Adel Djoudi,et al.  BINSEC: Binary Code Analysis with Low-Level Regions , 2015, TACAS.

[35]  Rishabh Singh,et al.  Learn&Fuzz: Machine learning for input fuzzing , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[36]  Hao Chen,et al.  Angora: Efficient Fuzzing by Principled Search , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[37]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.

[38]  Wenke Lee,et al.  Preventing Use-after-free with Dangling Pointers Nullification , 2015, NDSS.

[39]  Hao Chen,et al.  Matryoshka: Fuzzing Deeply Nested Branches , 2019, CCS.

[40]  Wei Huo,et al.  1dVul: Discovering 1-Day Vulnerabilities through Binary Patches , 2019, 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[41]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[42]  Yi Li,et al.  Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities , 2020, 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[43]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[44]  Jean-Yves Marion,et al.  Specification of concretization and symbolization policies in symbolic execution , 2016, ISSTA.

[45]  Brendan Dolan-Gavitt,et al.  The Rode0day to Less-Buggy Programs , 2019, IEEE Security & Privacy.

[46]  Andrew Ruef,et al.  Evaluating Fuzz Testing , 2018, CCS.

[47]  Marcel Böhme,et al.  Assurances in Software Testing: A Roadmap , 2018, 2019 IEEE/ACM 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER).

[48]  Cristian Cadar,et al.  KATCH: high-coverage testing of software patches , 2013, ESEC/FSE 2013.

[49]  A. Vargha,et al.  A Critique and Improvement of the CL Common Language Effect Size Statistics of McGraw and Wong , 2000 .

[50]  Abhik Roychoudhury,et al.  Hercules: Reproducing Crashes in Real-World Application Binaries , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[51]  Koushik Sen,et al.  FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[52]  Weiguang Wang,et al.  SeededFuzz: Selecting and Generating Seeds for Directed Fuzzing , 2016, 2016 10th International Symposium on Theoretical Aspects of Software Engineering (TASE).

[53]  Meng Xu,et al.  QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing , 2018, USENIX Security Symposium.

[54]  Andrew E. Santosa,et al.  Smart Greybox Fuzzing , 2018, IEEE Transactions on Software Engineering.