Towards Exploitation: Data-Flow Empowered Sanitizer Directed Greybox Fuzzing
Event details
Date | 03.05.2024 |
Hour | 13:00 - 15:00 |
Speaker | Han Zheng |
Location | |
Category | Conferences - Seminars |
EDIC candidacy exam
Exam president: Prof. Thomas Bourgeat
Thesis advisor: Prof. Mathias Payer
Co-examiner: Prof. Sanidhya Kashyap
Abstract
Coverage-Guided Greybox Fuzzing (CGF) is widely used in bug hunting. By submitting mutated inputs to the program, CGF explores the program's state space and maximizes code coverage, exposing the bugs that lie behind the newly covered code. CGFs have proven effective at finding real-world vulnerabilities and have drawn the interest of researchers in both academia and industry.
Recent work indicates that Coverage-Guided Greybox Fuzzing is too broad. While the goal of a fuzzer is to find unknown bugs, targeting all code regions may waste fuzzing power on bug-free locations. Directed Greybox Fuzzing (DGF) was therefore proposed to make fuzzing more focused. DGF roughly divides fuzzing into two stages: the exploration stage finds a seed that reaches the target code; the exploitation stage mutates that seed, trying to generate inputs that trigger the bug condition.
In this proposal, we introduce three papers: (1) AFLGo, the first work to introduce the concept of DGF; (2) ParmeSan, a DGF that targets sanitizer labels to boost bug-finding capability; and (3) Truzz, a CGF that improves exploitation efficiency. Furthermore, we discuss their contributions and possible limitations, pointing out optimization paths toward more advanced and effective DGFs.
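The two-stage split described in the abstract can be made concrete with a toy seed scheduler. The following is an added illustration written for this page, not code from AFLGo, ParmeSan, Truzz or the candidate's thesis. It borrows the target-distance idea AFLGo popularised (harmonic mean of a block's shortest-path lengths to each target): seeds that already execute a target block are handed to the exploitation stage, and the remaining seeds are ordered for exploration by how close their execution trace comes to a target. The control-flow graph, the block names (including the sanitizer-labelled `memcpy_site`) and the seed traces are all constructed for the example.

```python
"""Toy directed-fuzzing seed scheduler (added illustration, not any paper's code).

Every basic block gets a distance to the target set (harmonic mean of the
shortest-path length to each reachable target, as AFLGo defines it); a seed's
distance is the mean over the blocks it executed.  Seeds closer to a target are
favoured in the exploration stage; a seed whose trace contains a target block
is handed to the exploitation stage.  The CFG and traces below are constructed.
"""
from collections import deque
from statistics import mean

# Constructed CFG: block -> successor blocks
CFG = {
    "entry": ["parse", "usage"],
    "usage": [],
    "parse": ["validate", "error"],
    "validate": ["decode", "error"],
    "error": [],
    "decode": ["copy", "skip"],
    "skip": ["done"],
    "copy": ["memcpy_site"],   # hypothetical sanitizer-labelled block
    "memcpy_site": ["done"],
    "done": [],
}
TARGETS = {"memcpy_site"}

# Constructed execution traces for four seeds
SEEDS = {
    "s_usage": ["entry", "usage"],
    "s_error": ["entry", "parse", "error"],
    "s_skip": ["entry", "parse", "validate", "decode", "skip", "done"],
    "s_hit": ["entry", "parse", "validate", "decode", "copy", "memcpy_site", "done"],
}


def shortest_paths_to(cfg, target):
    """BFS over the reversed CFG: number of edges from each block to `target`."""
    rev = {n: [] for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            rev[s].append(n)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for pred in rev[cur]:
            if pred not in dist:
                dist[pred] = dist[cur] + 1
                queue.append(pred)
    return dist


def block_distances(cfg, targets):
    """Harmonic-mean distance of every block to the targets it can reach.
    Blocks that reach no target get None so the scheduler can deprioritise them."""
    per_target = [shortest_paths_to(cfg, t) for t in targets]
    result = {}
    for n in cfg:
        ds = [d[n] for d in per_target if n in d]
        if not ds:
            result[n] = None
        elif 0 in ds:            # the block is itself a target
            result[n] = 0.0
        else:
            result[n] = len(ds) / sum(1.0 / d for d in ds)
    return result


def seed_distance(trace, bdist):
    """Mean block distance over the executed blocks that can reach a target."""
    ds = [bdist[b] for b in trace if bdist.get(b) is not None]
    return mean(ds) if ds else float("inf")


def schedule(seeds, cfg, targets):
    """Return (exploitation seeds, exploration seeds ordered closest-first)."""
    bdist = block_distances(cfg, targets)
    exploit, explore = [], []
    for name, trace in seeds.items():
        if targets & set(trace):
            exploit.append(name)          # reached the target: exploitation stage
        else:
            explore.append((seed_distance(trace, bdist), name))
    explore.sort()
    return exploit, [name for _, name in explore]


if __name__ == "__main__":
    exploit, explore = schedule(SEEDS, CFG, TARGETS)
    print("exploitation:", exploit)       # ['s_hit']
    print("exploration :", explore)       # ['s_skip', 's_error', 's_usage']
```

In a real fuzzer the distances are computed once at instrumentation time and the power schedule assigns more mutation energy to low-distance seeds; blocks with `None` (here `usage`, `error`, `skip`, `done`) can never lead to the target and are the "bug-free locations" the abstract says an undirected fuzzer wastes effort on.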
Background papers
1) Directed Greybox Fuzzing (CCS'17) https://dl.acm.org/doi/pdf/10.1145/3133956.3134020
2) ParmeSan: Sanitizer-guided Greybox Fuzzing (USENIX SEC'20) https://www.usenix.org/system/files/sec20-osterlund.pdf
3) Path Transitions Tell More: Optimizing Fuzzing Schedules via Runtime Program States (ICSE'23) https://dl.acm.org/doi/pdf/10.1145/3510003.3510063
Practical information
- General public
- Free