MemLock: Memory usage guided fuzzing
Uncontrolled memory consumption is a kind of critical software security weakness. It can also become a security-critical vulnerability when attackers can take control of the input to consume a large amount of memory and launch a Denial-of-Service attack. However, detecting such vulnerabilities is challenging, as the state-of-the-art fuzzing techniques focus on code coverage but not on memory consumption. To this end, we propose a memory usage guided fuzzing technique, named MemLock, to generate inputs that cause excessive memory consumption and trigger uncontrolled memory consumption bugs. The fuzzing process is guided by memory consumption information, so our approach is general and does not require any domain knowledge. We perform a thorough evaluation of MemLock on 14 widely used real-world programs. Our experimental results show that MemLock substantially outperforms the state-of-the-art fuzzing techniques, including AFL, AFLfast, PerfFuzz, FairFuzz, Angora and QSYM, in discovering memory consumption bugs. During the experiments, we discovered many previously unknown memory consumption bugs and received 15 new CVEs.
Main Authors: WEN, Cheng; WANG, Haijun; LI, Yuekang; QIN, Shengchao; LIU, Yang; XU, Zhiwu; CHEN, Hongxu; XIE, Xiaofei; PU, Geguang; LIU, Ting
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2020
Subjects: Fuzz Testing; Software Vulnerability; Memory Consumption; OS and Networks; Software Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/7081
Online Access (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/8084/viewcontent/3377811.3380396.pdf
Institution: Singapore Management University
Record details

Record id: sg-smu-ink.sis_research-8084
Record format: dspace
Record last modified: 2022-04-07T08:04:48Z
Title: MemLock: Memory usage guided fuzzing
Authors: WEN, Cheng; WANG, Haijun; LI, Yuekang; QIN, Shengchao; LIU, Yang; XU, Zhiwu; CHEN, Hongxu; XIE, Xiaofei; PU, Geguang; LIU, Ting
Publication date: 2020-05-01T07:00:00Z
Format: text (application/pdf)
DOI: 10.1145/3377811.3380396
URL: https://ink.library.smu.edu.sg/sis_research/7081
URL (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/8084/viewcontent/3377811.3380396.pdf
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries)
Publisher: Institutional Knowledge at Singapore Management University
Institution: Singapore Management University, Singapore, Asia
Language: English
Topics: Fuzz Testing; Software Vulnerability; Memory Consumption; OS and Networks; Software Engineering
Record version: 1770576208397860864