Typestate-guided fuzzer for discovering use-after-free vulnerabilities
Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is...
Saved in:
| Main Authors: | , , , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2020
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/7086 https://ink.library.smu.edu.sg/context/sis_research/article/8089/viewcontent/3377811.3380386__1_.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-8089 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-80892022-04-07T07:39:44Z Typestate-guided fuzzer for discovering use-after-free vulnerabilities WANG, Haijun XIE, Xiaofei LI, Yi WEN, Cheng LI, Yuekang LIU, Yang QIN, Shengchao CHEN, Hongxu SUI, Yulei Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs. 2020-05-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7086 info:doi/10.1145/3377811.3380386 https://ink.library.smu.edu.sg/context/sis_research/article/8089/viewcontent/3377811.3380386__1_.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Fuzzing Typestate-guided fuzzing Use-after-Free vulnerabilities OS and Networks Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Fuzzing Typestate-guided fuzzing Use-after-Free vulnerabilities OS and Networks Software Engineering |
| spellingShingle |
Fuzzing Typestate-guided fuzzing Use-after-Free vulnerabilities OS and Networks Software Engineering WANG, Haijun XIE, Xiaofei LI, Yi WEN, Cheng LI, Yuekang LIU, Yang QIN, Shengchao CHEN, Hongxu SUI, Yulei Typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| description |
Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs. |
| format |
text |
| author |
WANG, Haijun XIE, Xiaofei LI, Yi WEN, Cheng LI, Yuekang LIU, Yang QIN, Shengchao CHEN, Hongxu SUI, Yulei |
| author_facet |
WANG, Haijun XIE, Xiaofei LI, Yi WEN, Cheng LI, Yuekang LIU, Yang QIN, Shengchao CHEN, Hongxu SUI, Yulei |
| author_sort |
WANG, Haijun |
| title |
Typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| title_short |
Typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| title_full |
Typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| title_fullStr |
Typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| title_full_unstemmed |
Typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| title_sort |
typestate-guided fuzzer for discovering use-after-free vulnerabilities |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2020 |
| url |
https://ink.library.smu.edu.sg/sis_research/7086 https://ink.library.smu.edu.sg/context/sis_research/article/8089/viewcontent/3377811.3380386__1_.pdf |
| _version_ |
1770576209500962816 |