WINNIE: Fuzzing Windows Applications with Harness Synthesis and Fast Cloning

Fuzzing is an emerging technique to automatically validate programs and uncover bugs. It has been widely used to test many programs and has found thousands of security vulnerabilities. However, existing fuzzing efforts are mainly centered around Unix-like systems, as Windows imposes unique challenges for fuzzing: a closed-source ecosystem, the heavy use of graphical interfaces, and the lack of fast process-cloning machinery. In this paper, we propose two solutions to address the challenges Windows fuzzing faces. Our system, WINNIE, first tries to synthesize a harness for the application, a simple program that directly invokes target functions, based on sample executions. It then tests the harness, instead of the original complicated program, using an efficient implementation of fork on Windows. Using these techniques, WINNIE can bypass irrelevant GUI code to test logic deep within the application. We used WINNIE to fuzz 59 closed-source Windows binaries, and it successfully generated valid fuzzing harnesses for all of them. In our evaluation, WINNIE supported 2.2× more programs than existing Windows fuzzers could, identified 3.9× more program states, and achieved 26.6× faster execution. In total, WINNIE found 61 unique bugs in 32 Windows binaries.
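The abstract describes a harness as a simple program that calls the target's functions directly, so that a fuzzer exercises parsing logic without going through the GUI. The following is an added illustration of that shape and is not WINNIE's code or any real application's: the target parser (`target_parse_records`) is a constructed stand-in for a routine a real harness would resolve from the application's DLL, and the harness entry points (`harness_run_one`, `harness_selftest`, `harness_run_file`) are assumed names. The self-test mirrors the abstract's point that a synthesized harness is grounded in a sample execution: before fuzzing, a known-good sample must reach the target and parse cleanly, otherwise the harness is testing the wrong code.

```c
/* Added example: a minimal file-parsing fuzz harness that invokes the target
 * routine directly, bypassing any GUI. The target below is a constructed
 * stand-in, not code from WINNIE or from any real Windows application. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the target function. In a real harness this would
 * be resolved from the application's DLL (e.g. LoadLibrary/GetProcAddress).
 * Input format (constructed): magic "RC", then records {type:1, len:1, payload}. */
static int target_parse_records(const uint8_t *buf, size_t len, unsigned *out_count)
{
    unsigned count = 0;
    size_t pos = 2;
    if (len < 2 || buf[0] != 'R' || buf[1] != 'C')
        return -1;                               /* bad magic */
    while (pos < len) {
        if (len - pos < 2) return -1;            /* truncated record header */
        uint8_t rec_len = buf[pos + 1];
        if (len - pos - 2 < rec_len) return -1;  /* payload overruns input */
        pos += 2 + (size_t)rec_len;
        count++;
    }
    if (out_count) *out_count = count;
    return 0;
}

/* Harness entry point: one fuzz input in, the target's result out.
 * A fuzzer drives this repeatedly; nothing here touches a window or dialog. */
int harness_run_one(const uint8_t *data, size_t len, unsigned *out_count)
{
    return target_parse_records(data, len, out_count);
}

/* Sanity check before fuzzing: a known-good sample (constructed here) must
 * reach the target and parse cleanly. Returns 1 when the harness reproduces
 * the sample execution, 0 otherwise. */
int harness_selftest(void)
{
    static const uint8_t sample[] = { 'R', 'C', 1, 3, 'a', 'b', 'c', 2, 0 };
    unsigned n = 0;
    if (harness_run_one(sample, sizeof sample, &n) != 0) return 0;
    return n == 2;
}

/* File-based driver, the interface most fuzzers expect: the test case is a
 * file path. Returns the target's result, or -2 if the file cannot be read. */
int harness_run_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    uint8_t buf[4096];
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return harness_run_one(buf, len, NULL);
}

int main(int argc, char **argv)
{
    if (!harness_selftest()) { fputs("harness self-test failed\n", stderr); return 2; }
    if (argc < 2) { fputs("usage: harness <input-file>\n", stderr); return 2; }
    int rc = harness_run_file(argv[1]);
    printf("target returned %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as `harness <input-file>`; the self-test runs first, so a harness that no longer reaches the target fails loudly instead of silently fuzzing nothing. The bounds checks in the stand-in parser are deliberate: a harness should pass malformed inputs straight through so that the target's own handling of them is what gets exercised.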
