Hawkeye: Towards a desired directed grey-box fuzzer

Grey-box fuzzing is a practically effective approach to test real-world programs. However, most existing grey-box fuzzers lack directedness, i.e. the capability of executing towards user-specified target sites in the program. To emphasize existing challenges in directed fuzzing, we propose Hawkeye to feature four desired properties of directed grey-box fuzzers. Owing to a novel static analysis on the program under test and the target sites, Hawkeye precisely collects the information such as the call graph, function and basic block level distances to the targets. During fuzzing, Hawkeye evaluates exercised seeds based on both static information and the execution traces to generate the dynamic metrics, which are then used for seed prioritization, power scheduling and adaptive mutating. These strategies help Hawkeye to achieve better directedness and gravitate towards the target sites. We implemented Hawkeye as a fuzzing framework and evaluated it on various real-world programs under different scenarios. The experimental results showed that Hawkeye can reach the target sites and reproduce the crashes much faster than state-of-the-art grey-box fuzzers such as AFL and AFLGo. Specially, Hawkeye can reduce the time to exposure for certain vulnerabilities from about 3.5 hours to 0.5 hour. By now, Hawkeye has detected more than 41 previously unknown crashes in projects such as Oniguruma, MJS with the target sites provided by vulnerability prediction tools; all these crashes are confirmed and 15 of them have been assigned CVE IDs.

Bibliographic Details
Main Authors: CHEN, Hongxu, XUE, Yinxing, LI, Yuekang, CHEN, Bihuan, XIE, Xiaofei, WU, Xiuheng, LIU, Yang
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2018
Subjects: Fuzz Testing; Static Analysis; Information Security; Software Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/7063
https://ink.library.smu.edu.sg/context/sis_research/article/8066/viewcontent/3243734.3243849.pdf
Institution: Singapore Management University
Date: 2018-10-01
DOI: 10.1145/3243734.3243849
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems