Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Haijun Wang, Xiaofei Xie, Yi Li, Cheng Wen, Yuekang Li, Yang Liu, Shengchao Qin, Hongxu Chen, Yulei Sui

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

20 citations (Scopus)

Abstract

Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.

Original language: English
Title of host publication: Proceedings - 2020 ACM/IEEE 42nd International Conference on Software Engineering, ICSE 2020
Publisher: IEEE Computer Society
Pages: 999-1010
Number of pages: 12
ISBN (Electronic): 9781450371216
DOI
Publication status: Published - 6/27/2020
Externally published: Yes
Event: 42nd ACM/IEEE International Conference on Software Engineering, ICSE 2020 - Virtual, Online, Korea, Republic of
Duration: 6/27/2020 to 7/19/2020

Publication series

Name: Proceedings - International Conference on Software Engineering
ISSN (Print): 0270-5257

Conference

Conference: 42nd ACM/IEEE International Conference on Software Engineering, ICSE 2020
Country/Territory: Korea, Republic of
City: Virtual, Online
Period: 6/27/20 to 7/19/20

All Science Journal Classification (ASJC) codes

  • Software
