TY - GEN
T1 - Typestate-guided fuzzer for discovering use-after-free vulnerabilities
AU - Wang, Haijun
AU - Xie, Xiaofei
AU - Li, Yi
AU - Wen, Cheng
AU - Li, Yuekang
AU - Liu, Yang
AU - Qin, Shengchao
AU - Chen, Hongxu
AU - Sui, Yulei
N1 - Funding Information:
This work was supported by Ant Financial Services Group through Ant Financial Research Program, the National Natural Science Foundation of China (Grant No. 61772347,61836005, 61972260), Singapore Ministry of Education Academic Research Fund Tier 1 (Award No. 2018-T1-002-069), the National Research Foundation, Prime Ministers Office, Singapore under its National Cybersecu-rity R&D Program (Award No. NRF2018NCR-NCR005-0001), the Singapore National Research Foundation under NCR Award Number NRF2018NCR-NSOE004-0001, and Australia Research Council (Grant No. DP200101328).
Publisher Copyright:
© 2020 Association for Computing Machinery.
PY - 2020/6/27
Y1 - 2020/6/27
N2 - Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestateguided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.
AB - Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestateguided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.
UR - http://www.scopus.com/inward/record.url?scp=85091902798&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091902798&partnerID=8YFLogxK
U2 - 10.1145/3377811.3380386
DO - 10.1145/3377811.3380386
M3 - Conference contribution
AN - SCOPUS:85091902798
T3 - Proceedings - International Conference on Software Engineering
SP - 999
EP - 1010
BT - Proceedings - 2020 ACM/IEEE 42nd International Conference on Software Engineering, ICSE 2020
PB - IEEE Computer Society
T2 - 42nd ACM/IEEE International Conference on Software Engineering, ICSE 2020
Y2 - 27 June 2020 through 19 July 2020
ER -