Automata-guided control-flow-sensitive fuzz driver generation

Abstract

Fuzz drivers are essential for fuzzing library APIs. However, manually composing fuzz drivers is difficult and time-consuming. Therefore, several works have been proposed to generate fuzz drivers automatically. Although these works can learn correct API usage from the consumer programs of the target library, three challenges still hinder the quality of the generated fuzz drivers: 1) how to learn and utilize the control dependencies in API usage; 2) how to handle the noise in the learned API usage, especially for complex real-world consumer programs; 3) how to organize independent sets of API usage inside the fuzz driver to better coordinate with fuzzers. To solve these challenges, we propose RUBICK, an automata-guided control-flow-sensitive fuzz driver generation technique. RUBICK has three key features: 1) it models the API usage (including API data and control dependencies) as a deterministic finite automaton; 2) it leverages an active automata learning algorithm to distill the learned API usage; 3) it synthesizes a single automata-guided fuzz driver, which provides a scheduling interface for the fuzzer to test independent sets of API usage during fuzzing. In the experiments, the fuzz drivers generated by RUBICK showed a significant performance advantage over the baselines, covering an average of 50.42% more edges than fuzz drivers generated by FUZZGEN and 44.58% more edges than manually written fuzz drivers from OSS-Fuzz or human experts. By learning from large-scale open source projects, RUBICK has generated fuzz drivers for 11 popular Java projects, two of which have been merged into OSS-Fuzz. So far, 199 bugs, including four CVEs, have been found using these fuzz drivers; they affect popular PC and Android software with dozens of millions of downloads.

Bibliographic Details
Main Authors: ZHANG, Cen, LI, Yuekang, ZHOU, Hao, ZHANG, Xiaohan, ZHENG, Yaowen, ZHAN, Xian, XIE, Xiaofei, LUO, Xiapu, LI, Xinghua, LIU, Yang Liu, HABIB, Sheikh M.
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2023
Subjects: Artificial Intelligence and Robotics
Online Access: https://ink.library.smu.edu.sg/sis_research/8245
Institution: Singapore Management University
Record details

Record ID: sg-smu-ink.sis_research-9248
Record format: dspace
Record last updated: 2023-10-26T01:36:06Z
Publication date: 2023-08-11
Collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries)