DOI: 10.1145/3377811.3380386 (research article, ICSE conference proceedings)

Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Published: 01 October 2020

Abstract

Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.
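The abstract describes two mechanisms: a typestate property that a heap object must respect (allocated, freed, and never used after being freed), and a fuzzing loop whose feedback is progress along an operation sequence that could violate that property rather than plain CFG edge coverage. The following is an added example, not code from the UAFL paper or its authors, that makes both concrete on constructed operation traces. The trace format (`alloc p` / `use p` / `free p` lines, as an instrumented program might log them), the state names, the target sequence and the prefix-length feedback scheme are all assumptions made here to illustrate the idea.

```python
"""Typestate model of use-after-free plus the sequence-progress feedback a
typestate-guided fuzzer can use.  Added example; not UAFL's own code.
Trace format, state names and scoring scheme are assumptions made here."""
from dataclasses import dataclass

# Typestate property of one heap object. Reaching ERROR means the property
# is violated: a use-after-free or a double free (assumed state names).
UAF_TYPESTATE = {
    "UNALLOC": {"alloc": "LIVE"},
    "LIVE":    {"use": "LIVE", "free": "FREED"},
    "FREED":   {"use": "ERROR", "free": "ERROR"},
}
INIT, ERROR = "UNALLOC", "ERROR"

# Operation sequence that a static typestate analysis would report as
# potentially violating the property (assumed; UAFL derives these statically).
TARGET_SEQ = ["alloc", "free", "use"]


@dataclass
class Violation:
    obj: str    # object identifier from the trace
    op: str     # operation that drove the object into ERROR
    index: int  # position of that operation in the trace


def parse_trace(text):
    """Parse constructed trace lines of the form '<op> <object>' into (op, obj) pairs."""
    trace = []
    for line in text.strip().splitlines():
        op, obj = line.split()
        trace.append((op, obj))
    return trace


def run_typestate(trace):
    """Run the automaton over a trace, keeping one state per object.
    Returns (violations, final_states). Operations with no transition in the
    current state (e.g. a use before alloc) are ignored; an object already in
    ERROR stays there so each violation is reported once."""
    states, violations = {}, []
    for i, (op, obj) in enumerate(trace):
        cur = states.get(obj, INIT)
        if cur == ERROR:
            continue
        nxt = UAF_TYPESTATE[cur].get(op)
        if nxt is None:
            continue
        states[obj] = nxt
        if nxt == ERROR:
            violations.append(Violation(obj, op, i))
    return violations, states


def sequence_progress(trace, target_seq):
    """Longest prefix of target_seq matched in order (per object, other
    operations may be interleaved). This is the guidance signal: an input
    that lengthens the matched prefix is closer to a property violation."""
    per_obj, best = {}, 0
    for op, obj in trace:
        k = per_obj.get(obj, 0)
        if k < len(target_seq) and op == target_seq[k]:
            per_obj[obj] = k + 1
            best = max(best, k + 1)
    return best


def new_typestate_coverage(named_traces, target_seq, seen=None):
    """Greybox-style feedback: an execution is 'interesting' when it reaches
    a prefix length not seen before (assumption: one counter per prefix
    length, analogous to a coverage-bitmap entry). Returns the names kept."""
    seen = set() if seen is None else seen
    interesting = []
    for name, trace in named_traces:
        k = sequence_progress(trace, target_seq)
        if k and k not in seen:
            seen.add(k)
            interesting.append(name)
    return interesting


# Constructed traces, as four different fuzzer inputs might produce them.
SAMPLE_TRACES = {
    "benign":  parse_trace("alloc p\nuse p\nfree p"),
    "partial": parse_trace("alloc p\nfree p\nalloc q\nuse q"),
    "uaf":     parse_trace("alloc p\nuse p\nfree p\nuse p"),
    "double":  parse_trace("alloc p\nfree p\nfree p"),
}

if __name__ == "__main__":
    for name, trace in SAMPLE_TRACES.items():
        viol, _ = run_typestate(trace)
        print(f"{name:8s} progress={sequence_progress(trace, TARGET_SEQ)} "
              f"violations={[(v.obj, v.op, v.index) for v in viol]}")
    print("kept as new coverage:",
          new_typestate_coverage(list(SAMPLE_TRACES.items()), TARGET_SEQ))
```

Note the difference between the two signals: `benign` and `partial` have identical prefix progress (alloc then free) even though they cover different code, and `double` is flagged by the automaton without ever matching the `use` step, which is why the property check and the guidance metric are kept separate.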

References

[1]
Cornelius Aschermann, Sergej Schumilo, Tim Blazytko, Robert Gawlik, and Thorsten Holz. 2019. REDQUEEN: Fuzzing with Input-to-State Correspondence. In 26th Annual Network and Distributed System Security Symposium (NDSS'19). The Internet Society, San Diego, CA USA, 1--15.
[2]
SungGyeong Bae, Hyunghun Cho, Inho Lim, and Sukyoung Ryu. 2014. SAFE-WAPI: web API misuse detector for web applications. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. ACM, 507--517.
[3]
Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. 2017. Directed Greybox Fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM Press, 2329--2344.
[4]
Marcel Böhme, Van-Thuan Pham, and Abhik Roychoudhury. 2016. Coverage-based Greybox Fuzzing As Markov Chain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM Press, 1032--1043.
[5]
Juan Caballero, Gustavo Grieco, Mark Marron, and Antonio Nappa. 2012. Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Proceedings of the 2012 International Symposium on Software Testing and Analysis. ACM, 133--143.
[6]
Hongxu Chen, Yuekang Li, Bihuan Chen, Yinxing Xue, and Yang Liu. 2018. FOT: A Versatile, Configurable, Extensible Fuzzing Framework (FSE '18 tool demo).
[7]
Haogang Chen, Yandong Mao, Xi Wang, Dong Zhou, Nickolai Zeldovich, and M Frans Kaashoek. 2011. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In Proceedings of the Second Asia-Pacific Workshop on Systems. ACM, 5.
[8]
Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, and Yang Liu. 2018. Hawkeye: Towards a Desired Directed Grey-box Fuzzer. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, USA, 2095--2108.
[9]
Peng Chen and Hao Chen. 2018. Angora: Efficient fuzzing by principled search. In 2018 IEEE Symposium on Security and Privacy. IEEE, 711--725.
[10]
Yaohui Chen, Peng Li, Jun Xu, Shengjian Guo, Rundong Zhou, Yulong Zhang, Tao Wei, and Long Lu. 2020. SAVIOR: Towards Bug-Driven Hybrid Testing. In 2020 IEEE Symposium on Security and Privacy. IEEE.
[11]
Mauro Conti, Stephen Crane, Lucas Davi, Michael Franz, Per Larsen, Marco Negro, Christopher Liebchen, Mohaned Qunaibit, and Ahmad-Reza Sadeghi. 2015. Losing control: On the effectiveness of control-flow integrity under stack attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 952--963.
[12]
Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. 1998. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security Symposium, Vol. 98. San Antonio, TX, 63--78.
[13]
Ankush Das, Shuvendu K. Lahiri, Akash Lal, and Yi Li. 2015. Angelic Verification: Precise Verification Modulo Unknowns. In Proceedings of 27th International Conference on Computer Aided Verification. San Francisco, CA, USA, 324--342.
[14]
John Field, Deepak Goyal, G. Ramalingam, and Eran Yahav. 2003. Typestate Verification: Abstraction Techniques and Complexity Results. In Static Analysis, Radhia Cousot (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 439--462.
[15]
Stephen Fink, Eran Yahav, Nurit Dor, G. Ramalingam, and Emmanuel Geay. 2006. Effective Typestate Verification in the Presence of Aliasing. In Proceedings of the 2006 International Symposium on Software Testing and Analysis. ACM, 133--144.
[16]
Shuitao Gan, Chao Zhang, Xiaojun Qin, Xuwen Tu, Kang Li, Zhongyu Pei, and Zuoning Chen. 2018. CollAFL: Path Sensitive Fuzzing. In 2018 IEEE Symposium on Security and Privacy. IEEE Press, 1--12.
[17]
Google Inc. 2019. ClusterFuzz. https://google.github.io/clusterfuzz/
[18]
George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. 2018. Evaluating Fuzz Testing. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2123--2138.
[19]
Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. 2015. Preventing Use-after-free with Dangling Pointers Nullification. In 22nd Annual Network and Distributed System Security Symposium.
[20]
Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song. 2018. PerfFuzz: Automatically Generating Pathological Inputs. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, 254--265.
[21]
Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. ACM, 475--485.
[22]
Yuekang Li, Bihuan Chen, Mahinthan Chandramohan, Shang-Wei Lin, Yang Liu, and Alwen Tiu. 2017. Steelix: Program-state Based Binary Fuzzing. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017). ACM, New York, NY, USA, 627--637.
[23]
Yuekang Li, Yinxing Xue, Hongxu Chen, Xiuheng Wu, Cen Zhang, Xiaofei Xie, Haijun Wang, and Yang Liu. 2019. Cerebro: Context-aware Adaptive Fuzzing for Effective Vulnerability Detection. In 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Tallinn, Estonia.
[24]
LLVM. 2015. libFuzzer. https://llvm.org/docs/LibFuzzer.html
[25]
Chenyang Lyu, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song, and Raheem Beyah. 2019. MOpt: Optimized Mutation Scheduling for Fuzzers. In 28th USENIX Security Symposium. 1949--1966.
[26]
Wes Masri and Andy Podgurski. 2009. Measuring the strength of information flows in programs. ACM Transactions on Software Engineering and Methodology (TOSEM) 19, 2 (2009), 5.
[27]
Theofilos Petsios, Jason Zhao, Angelos D. Keromytis, and Suman Jana. 2017. SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, USA, 2155--2168.
[28]
Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. VUzzer: Application-aware Evolutionary Fuzzing. In NDSS. https://www.vusec.net/download/?t=papers/vuzzer_ndss17.pdf
[29]
Bhargava Shastry, Markus Leutner, Tobias Fiebig, Kashyap Thimmaraju, Fabian Yamaguchi, Konrad Rieck, Stefan Schmid, Jean-Pierre Seifert, and Anja Feldmann. 2017. Static program analysis as a fuzzing aid. In International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 26--47.
[30]
Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Gang Fan, and Charles Zhang. 2018. Pinpoint: Fast and precise sparse value flow analysis for million lines of code. In ACM SIGPLAN Notices, Vol. 53. ACM, 693--706.
[31]
Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Krügel, and Giovanni Vigna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In NDSS.
[32]
Yulei Sui and Jingling Xue. 2016. SVF: interprocedural static value-flow analysis in LLVM. In Proceedings of the 25th international conference on compiler construction. ACM, 265--266.
[33]
Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal War in Memory. In 2013 IEEE Symposium on Security and Privacy. IEEE, 48--62.
[34]
UAFL. 2019. Additional experiment results. https://sites.google.com/view/uafl/
[35]
Erik Van Der Kouwe, Vinod Nigade, and Cristiano Giuffrida. 2017. Dangsan: Scalable use-after-free detection. In Proceedings of the Twelfth European Conference on Computer Systems. ACM, 405--419.
[36]
Haijun Wang, Yun Lin, Zijiang Yang, Jun Sun, Yang Liu, Jin Song Dong, Qinghua Zheng, and Ting Liu. 2019. Explaining Regressions via Alignment Slicing and Mending. IEEE Transactions on Software Engineering (2019), 1--1.
[37]
Haijun Wang, Ting Liu, Xiaohong Guan, Chao Shen, Qinghua Zheng, and Zijiang Yang. 2016. Dependence guided symbolic execution. IEEE Transactions on Software Engineering 43, 3 (2016), 252--271.
[38]
Haijun Wang, Xiaofei Xie, Shang-Wei Lin, Yun Lin, Yuekang Li, Shengchao Qin, Yang Liu, and Ting Liu. 2019. Locating vulnerabilities in binaries via memory layout recovering. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 718--728.
[39]
Cheng Wen, Haijun Wang, Yuekang Li, Shengchao Qin, Yang Liu, Zhiwu Xu, Hongxu Chen, Xiaofei Xie, Geguang Pu, and Ting Liu. 2020. MemLock: Memory Usage Guided Fuzzing. In 2020 IEEE/ACM 42nd International Conference on Software Engineering. Seoul, South Korea.
[40]
Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, and Dawu Gu. 2015. From collision to exploitation: Unleashing use-after-free vulnerabilities in linux kernel. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 414--425.
[41]
Hua Yan, Yulei Sui, Shiping Chen, and Jingling Xue. 2017. Machine-Learning-Guided Typestate Analysis for Static Use-After-Free Detection. In Proceedings of the 33rd Annual Computer Security Applications Conference. 42--54.
[42]
Hua Yan, Yulei Sui, Shiping Chen, and Jingling Xue. 2018. Spatio-temporal context reduction: A pointer-analysis-based static approach for detecting use-after-free vulnerabilities. In 2018 IEEE/ACM 40th International Conference on Software Engineering. IEEE, 327--337.
[43]
Wei You, Xueqiang Wang, Shiqing Ma, Jianjun Huang, Xiangyu Zhang, XiaoFeng Wang, and Bin Liang. 2019. Profuzzer: On-the-fly input type probing for better zero-day vulnerability discovery. In 2019 IEEE Symposium on Security and Privacy. IEEE.
[44]
Yves Younan. 2015. FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers. In 22nd Annual Network and Distributed System Security Symposium.
[45]
H. Yu, Z. Chen, J. Wang, Z. Su, and W. Dong. 2018. Symbolic Verification of Regular Properties. In 2018 IEEE/ACM 40th International Conference on Software Engineering. 871--881.
[46]
Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In 27th USENIX Security Symposium. 745--761.
[47]
Michal Zalewski. 2014. American Fuzzy Lop. http://lcamtuf.coredump.cx/afl/
[48]
Yufeng Zhang, Zhenbang Chen, Ji Wang, Wei Dong, and Zhiming Liu. 2015. Regular property guided dynamic symbolic execution. In Proceedings of the 37th International Conference on Software Engineering-Volume 1. IEEE Press, 643--653.


    Published In

    ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering
    June 2020, 1640 pages
    ISBN: 9781450371216
    DOI: 10.1145/3377811
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    In-Cooperation

    • KIISE: Korean Institute of Information Scientists and Engineers
    • IEEE CS

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. fuzzing
    2. typestate-guided fuzzing
    3. use-after-free vulnerabilities

    Qualifiers

    • Research-article

    Conference

    ICSE '20

    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%

    Cited By

    • (2024) DSLR. Journal of Computer Security 32:3, 221-246. DOI: 10.3233/JCS-230053. Online publication date: 17 Jun 2024.
    • (2024) Skyeye: Detecting Imminent Attacks via Analyzing Adversarial Smart Contracts. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 1570-1582. DOI: 10.1145/3691620.3695526. Online publication date: 27 Oct 2024.
    • (2024) Visualizing and Understanding the Internals of Fuzzing. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 2199-2204. DOI: 10.1145/3691620.3695284. Online publication date: 27 Oct 2024.
    • (2024) Efficiently Rebuilding Coverage in Hardware-Assisted Greybox Fuzzing. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, 450-464. DOI: 10.1145/3678890.3678933. Online publication date: 30 Sep 2024.
    • (2024) Automatically Inspecting Thousands of Static Bug Warnings with Large Language Model: How Far Are We? ACM Transactions on Knowledge Discovery from Data 18:7, 1-34. DOI: 10.1145/3653718. Online publication date: 19 Jun 2024.
    • (2024) Prospector: Boosting Directed Greybox Fuzzing for Large-Scale Target Sets with Iterative Prioritization. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 1351-1363. DOI: 10.1145/3650212.3680365. Online publication date: 11 Sep 2024.
    • (2024) Fast Graph Simplification for Path-Sensitive Typestate Analysis through Tempo-Spatial Multi-Point Slicing. Proceedings of the ACM on Software Engineering 1:FSE, 494-516. DOI: 10.1145/3643749. Online publication date: 12 Jul 2024.
    • (2024) RPG: Rust Library Fuzzing with Pool-based Fuzz Target Generation and Generic Support. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-13. DOI: 10.1145/3597503.3639102. Online publication date: 20 May 2024.
    • (2024) Reorder Pointer Flow in Sound Concurrency Bug Prediction. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-13. DOI: 10.1145/3597503.3623300. Online publication date: 20 May 2024.
    • (2024) SoK: Prudent Evaluation Practices for Fuzzing. 2024 IEEE Symposium on Security and Privacy (SP), 1974-1993. DOI: 10.1109/SP54263.2024.00137. Online publication date: 19 May 2024.
