Mocov: Model Based Fuzzing Through Coverage Guided Technology

Fuzzing is an effective and widely used technique for finding bugs and vulnerabilities in programs. It triggers vulnerable conditions during execution by feeding randomly mutated seeds into the program under test. Random fuzzing has difficulty finding bugs hidden deep inside a target program that takes complex structured input, because it blindly emits random data that rarely passes the program's format checks. In this paper, we propose an effective model-based fuzzing system, named Mocov, which also leverages coverage-guided technology. Mocov uses an input model to reach deeply hidden bugs in the target program and uses instrumentation to feed runtime coverage information back into seed selection, so that input generation is not blind. It thus combines the advantages of both techniques while avoiding their respective disadvantages. We evaluated Mocov on a deliberately designed test program. The results show that it generates higher-quality seeds and achieves better code coverage than Peach.
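The following is an added example by the editor, not code from the Mocov paper, from its test program, or from Peach. It is a toy version of the loop the abstract describes: candidates are derived from an input model (so they pass the format's magic, length prefixes and checksum), each run is instrumented, and only candidates that execute new code are kept as seeds. The target parser, its message format and the bug on its deepest path are constructed for the demonstration; `sys.settrace` line tracing stands in for the compile-time basic-block instrumentation a real system would use, and the per-field generators in `MODEL` stand in for a real data model. A blind random-bytes baseline is included for comparison.

```python
import random
import sys

def checksum(body: bytes) -> int:
    return sum(body) & 0xFF

# Constructed target (not the paper's test program), format:
#   MAGIC(2) VERSION(1) CMD(3) KEYLEN(1) KEY VALLEN(1) VALUE CKSUM(1)
# Returns how deep parsing got; raises on a deliberately deep, constructed bug.
def parse_message(data: bytes) -> int:
    if data[:2] != b"MB":
        return 0
    if len(data) < 3 or data[2] not in (1, 2):
        return 1
    cmd = data[3:6]
    if cmd not in (b"GET", b"SET"):
        return 2
    klen = data[6] if len(data) > 6 else 0
    key = data[7:7 + klen]
    if klen == 0 or len(key) != klen or key not in (b"user", b"admin"):
        return 3
    vpos = 7 + klen
    vlen = data[vpos] if len(data) > vpos else -1
    value = data[vpos + 1:vpos + 1 + vlen]
    if vlen < 0 or len(value) != vlen:
        return 4
    body = data[:vpos + 1 + vlen]
    if len(data) != len(body) + 1 or data[-1] != checksum(body):
        return 5
    if cmd == b"SET" and key == b"admin" and b"!" in value:
        raise RuntimeError("constructed bug: admin SET with '!' in value")
    return 6

# Assumed input model: one generator per field; framing lives in the model, not in seeds.
MODEL = {
    "magic":   lambda rng: b"MB",
    "version": lambda rng: bytes([rng.randint(0, 3)]),
    "cmd":     lambda rng: rng.choice([b"GET", b"SET", b"DEL", b"PUT"]),
    "key":     lambda rng: rng.choice([b"user", b"admin", b"guest"]),
    "value":   lambda rng: bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz!")
                                 for _ in range(rng.randint(0, 12))),
}

def generate(rng: random.Random) -> dict:
    return {name: gen(rng) for name, gen in MODEL.items()}

def mutate(rng: random.Random, fields: dict) -> dict:
    # Field-level mutation: regenerate one field from the model or flip one bit in it.
    out, name = dict(fields), rng.choice(list(MODEL))
    if rng.random() < 0.5 or not out[name]:
        out[name] = MODEL[name](rng)
    else:
        buf = bytearray(out[name])
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        out[name] = bytes(buf)
    return out

def serialize(fields: dict) -> bytes:
    # The model recomputes lengths and the checksum, so mutations do not break framing.
    body = (fields["magic"] + fields["version"] + fields["cmd"]
            + bytes([len(fields["key"])]) + fields["key"]
            + bytes([len(fields["value"])]) + fields["value"])
    return body + bytes([checksum(body)])

def run_with_coverage(data: bytes):
    # Line tracing stands in for block instrumentation; returns (stage, crashed, lines).
    target, lines = parse_message.__code__, set()
    def tracer(frame, event, arg):
        if frame.f_code is not target:
            return None                      # do not trace callees such as checksum()
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        return parse_message(data), False, frozenset(lines)
    except Exception:                        # any exception counts as a crash
        return None, True, frozenset(lines)
    finally:
        sys.settrace(None)

def fuzz(iterations: int, seed: int = 0) -> dict:
    # Model-derived candidates; coverage feedback decides which ones become seeds.
    rng = random.Random(seed)
    corpus, covered, best_stage, crash = [], set(), 0, None
    for _ in range(iterations):
        if not corpus or rng.random() < 0.3:
            fields = generate(rng)                    # fresh derivation from the model
        else:
            fields = mutate(rng, rng.choice(corpus))  # structure-preserving mutation
        data = serialize(fields)
        stage, crashed, lines = run_with_coverage(data)
        if crashed and crash is None:
            crash = data
        best_stage = max(best_stage, 7 if crashed else stage)   # 7 = reached the bug
        if not lines <= covered:                      # new lines: keep it as a seed
            covered |= lines
            corpus.append(fields)
    return {"corpus": corpus, "covered": covered, "best_stage": best_stage, "crash": crash}

def blind_fuzz(iterations: int, seed: int = 0) -> int:
    # Baseline with neither model nor feedback: random byte strings (Python 3.9+).
    rng, best = random.Random(seed), 0
    for _ in range(iterations):
        stage, crashed, _ = run_with_coverage(rng.randbytes(rng.randint(8, 24)))
        best = max(best, 7 if crashed else stage)
    return best
```

Running `fuzz(5000, seed=1)` reaches the constructed bug and keeps only a handful of seeds, one per newly covered region of the parser, while `blind_fuzz` with the same budget almost never gets past the magic bytes and can never satisfy the checksum. The two design points to carry over to a real system are visible here: mutation operates on model fields and the model re-derives dependent fields (lengths, checksum) on every serialization, and a candidate is promoted to a seed only when instrumentation reports code not seen before, so the corpus grows toward the deep paths rather than accumulating structurally valid but redundant inputs.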
