research-article

Open access

FuzzFactory: domain-specific fuzzing with waypoints

Authors:

Caroline Lemieux,

Hayawardh VijayakumarAuthors Info & Claims

Proceedings of the ACM on Programming Languages, Volume 3, Issue OOPSLA

Article No.: 174, Pages 1 - 29

https://doi.org/10.1145/3360600

Published: 10 October 2019 Publication History

Abstract

Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require non-trivial implementation effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern.

In this paper, we present FuzzFactory, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution, as well as how such feedback should be aggregated. FuzzFactory uses this information to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. Such waypoints always make progress towards domain-specific multi-dimensional objectives. We instantiate six domain-specific fuzzing applications using FuzzFactory: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google's fuzzer test suite. We also show how multiple domains can be composed to perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of LZ4 bombs and PNG bombs.

Supplementary Material

a174-padhye (a174-padhye.webm)

Presentation at OOPSLA '19

Download
70.42 MB

References

[1]

Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, Ahmad-Reza Sadeghi, and Daniel Teuchert. 2019. Nautilus: Fishing for Deep Bugs with Grammars. In 26th Annual Network and Distributed System Security Symposium (NDSS ’19) .

[2]

Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. 2017. Directed Greybox Fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17) .

Digital Library

[3]

Marcel Böhme, Van-Thuan Pham, and Abhik Roychoudhury. 2016. Coverage-based Greybox Fuzzing As Markov Chain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16) .

Digital Library

[4]

Peng Chen and Hao Chen. 2018. Angora: Efficient Fuzzing by Principled Search. In Proceedings of the 39th IEEE Symposium on Security and Privacy .

[5]

Yuanliang Chen, Yu Jiang, Fuchen Ma, Jie Liang, Mingzhe Wang, Chijin Zhou, Xun Jiao, and Zhuo Su. 2019. EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers. In 28th USENIX Security Symposium (USENIX Security 19) . USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/usenixsecurity19/presentation/chenyuanliang

[6]

Nicolas Coppik, Oliver Schwahn, and Neeraj Suri. 2019. MemFuzz: Using Memory Accesses to Guide Fuzzing. In 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST) . IEEE, 48–58.

[7]

Google. 2019a. Continuous fuzzing of open source software. https://opensource.google.com/projects/oss-fuzz . Accessed March 26, 2019.

[8]

Google. 2019b. Set of tests for fuzzing engines. https://github.com/google/fuzzer-test-suite . Accessed March 20, 2019.

[9]

Lei Wei Junjie Wang, Bihuan Chen and Yang Liu. 2019. Superion: Grammar-Aware Greybox Fuzzing. In 41st International Conference on Software Engineering (ICSE ’19) .

[10]

Kevin Laeufer, Jack Koenig, Donggyu Kim, Jonathan Bachrach, and Koushik Sen. 2018. RFUZZ: Coverage-directed Fuzz Testing of RTL on FPGAs. In Proceedings of the International Conference on Computer-Aided Design (ICCAD ’18). ACM, New York, NY, USA, Article 28, 8 pages.

Digital Library

[11]

LafIntel. 2016. Circumventing Fuzzing Roadblocks with Compiler Transformations. https://lafintel.wordpress.com/2016/08/ 15/circumventing-fuzzing-roadblocks-with-compiler-transformations/ . Accessed March 20, 2019.

[12]

Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime Optimization (CGO ’04) . IEEE Computer Society, Washington, DC, USA, 75–. http://dl.acm.org/citation.cfm?id=977395. 977673

Digital Library

[13]

Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song. 2018. PerfFuzz: Automatically Generating Pathological Inputs. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2018). ACM, New York, NY, USA, 254–265.

Digital Library

[14]

Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE ’18).

Digital Library

[15]

Yuekang Li, Bihuan Chen, Mahinthan Chandramohan, Shang-Wei Lin, Yang Liu, and Alwen Tiu. 2017. Steelix: Program-state Based Binary Fuzzing. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017) .

Digital Library

[16]

LLVM Developer Group. 2016. libFuzzer. http://llvm.org/docs/LibFuzzer.html . Accessed March 20, 2019.

[17]

Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. 2005. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’05) . ACM, New York, NY, USA, 190–200.

Digital Library

[18]

Valentin J. M. Manès, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo. 2018. Fuzzing: Art, Science, and Engineering. CoRR abs/1812.00140 (2018). arXiv: 1812.00140 http://arxiv.org/abs/ 1812.00140

[19]

Shirin Nilizadeh, Yannic Noller, and Corina S. Păsăreanu. 2019. DifFuzz: Differential Fuzzing for Side-channel Analysis. In Proceedings of the 41st International Conference on Software Engineering (ICSE ’19). IEEE Press, Piscataway, NJ, USA, 176–187.

Digital Library

[20]

Saahil Ognawala, Thomas Hutzelmann, Eirini Psallida, and Alexander Pretschner. 2018. Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (SAC ’18) . ACM, New York, NY, USA, 1475–1482.

Digital Library

[21]

Rohan Padhye, Caroline Lemieux, and Koushik Sen. 2019a. JQF: Coverage-guided Property-based Testing in Java. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2019) . ACM, New York, NY, USA, 398–401.

Digital Library

[22]

Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon. 2019b. Semantic Fuzzing with Zest. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2019) . ACM, New York, NY, USA, 329–340.

Digital Library

[23]

Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon. 2019c. Validity Fuzzing and Parametric Generators for Effective Random Testing. In Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings (ICSE ’19) . IEEE Press, Piscataway, NJ, USA, 266–267. https://dl.acm.org/citation.cfm?id=3339777

Digital Library

[24]

Hui Peng, Yan Shoshitaishvili, and Mathias Payer. 2018. T-Fuzz: fuzzing by program transformation. In 2018 IEEE Symposium on Security and Privacy (SP) . IEEE, 697–710.

[25]

Theofilos Petsios, Adrian Tang, Salvatore Stolfo, Angelos D Keromytis, and Suman Jana. 2017a. Nezha: Efficient domainindependent differential testing. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 615–632.

[26]

Theofilos Petsios, Jason Zhao, Angelos D. Keromytis, and Suman Jana. 2017b. SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17) . ACM, New York, NY, USA, 2155–2168.

Digital Library

[27]

Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru Razvan Caciulescu, and Abhik Roychoudhury. 2018. Smart Greybox Fuzzing. CoRR abs/1811.09447 (2018). arXiv: 1811.09447 http://arxiv.org/abs/1811.09447

[28]

Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. VUzzer: Applicationaware Evolutionary Fuzzing. In Proceedings of the 2017 Network and Distributed System Security Symposium (NDSS ’17) .

[29]

Kostya Serebryany, Vitaly Buka, and Matt Morehouse. 2017. Structure-aware fuzzing for Clang and LLVM with libprotobufmutator.

[30]

Richard M. Stallman et al. 2009. Using The Gnu Compiler Collection: A Gnu Manual For Gcc Version 4.3.3. CreateSpace, Paramount, CA.

Digital Library

[31]

Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS ’16) .

[32]

Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, Berkeley, CA, USA, 745–761. http://dl.acm.org/citation.cfm?id=3277203.3277260

Digital Library

[33]

Michał Zalewski. 2014. American Fuzzy Lop. http://lcamtuf.coredump.cx/afl . Accessed March 20, 2019.

[34]

Michał Zalewski. 2017. American Fuzzy Lop Technical Details. http://lcamtuf.coredump.cx/afl/technical_details.txt . Accessed March 20, 2019.

Cited By

Huang MLemieux CBöhme MNoller YSzekeres L(2024)Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup (Registered Report)Proceedings of the 3rd ACM International Fuzzing Workshop10.1145/3678722.3685532(33-41)Online publication date: 13-Sep-2024
https://dl.acm.org/doi/10.1145/3678722.3685532
Predoaia IHarbin JGerasimou SVasiliou CKolovos DGarcía-Domínguez AEgyed AWimmer MChechik MCombemale B(2024)Tree-Based versus Hybrid Graphical-Textual Model Editors: An Empirical Study of Testing SpecificationsProceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems10.1145/3640310.3674102(80-91)Online publication date: 22-Sep-2024
https://dl.acm.org/doi/10.1145/3640310.3674102
Liu XYou WYe YZhang ZHuang JZhang XRoychoudhury APaiva AAbreu RStorey M(2024)FuzzInMem: Fuzzing Programs via In-memory StructuresProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639172(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639172
Show More Cited By

Index Terms

FuzzFactory: domain-specific fuzzing with waypoints
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Guiding Greybox Fuzzing with Mutation Testing
ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

Greybox fuzzing and mutation testing are two popular but mostly independent fields of software testing research that have so far had limited overlap. Greybox fuzzing, generally geared towards searching for new bugs, predominantly uses code coverage ...
Stateful Black-Box Fuzzing of Bluetooth Devices Using Automata Learning
NASA Formal Methods
Abstract
Fuzzing (aka fuzz testing) shows promising results in security testing. The advantage of fuzzing is the relatively simple applicability compared to comprehensive manual security analysis. However, the effectiveness of black-box fuzzing is hard to ...
Growing A Test Corpus with Bonsai Fuzzing
ICSE '21: Proceedings of the 43rd International Conference on Software Engineering

This paper presents a coverage-guided grammar-based fuzzing technique for automatically synthesizing a corpus of concise test inputs. We walk-through a case study of a compiler designed for education and the corresponding problem of generating ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages

Proceedings of the ACM on Programming Languages Volume 3, Issue OOPSLA

October 2019

2077 pages

EISSN:2475-1421

DOI:10.1145/3366395

Issue’s Table of Contents

Copyright © 2019 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 October 2019

Published in PACMPL Volume 3, Issue OOPSLA

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

45
Total Citations
View Citations
2,569
Total Downloads

Downloads (Last 12 months)505
Downloads (Last 6 weeks)61

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Huang MLemieux CBöhme MNoller YSzekeres L(2024)Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup (Registered Report)Proceedings of the 3rd ACM International Fuzzing Workshop10.1145/3678722.3685532(33-41)Online publication date: 13-Sep-2024
https://dl.acm.org/doi/10.1145/3678722.3685532
Predoaia IHarbin JGerasimou SVasiliou CKolovos DGarcía-Domínguez AEgyed AWimmer MChechik MCombemale B(2024)Tree-Based versus Hybrid Graphical-Textual Model Editors: An Empirical Study of Testing SpecificationsProceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems10.1145/3640310.3674102(80-91)Online publication date: 22-Sep-2024
https://dl.acm.org/doi/10.1145/3640310.3674102
Liu XYou WYe YZhang ZHuang JZhang XRoychoudhury APaiva AAbreu RStorey M(2024)FuzzInMem: Fuzzing Programs via In-memory StructuresProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639172(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639172
Wu WNongpoh BNour MMarcozzi MBardin SHauser C(2024)Fine-grained Coverage-based FuzzingACM Transactions on Software Engineering and Methodology10.1145/358715833:5(1-41)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3587158
Zhang GWang PYue TLiu DGuo YLu K(2024)Instiller: Toward Efficient and Realistic RTL FuzzingIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2024.336031843:7(2177-2190)Online publication date: Jul-2024
https://doi.org/10.1109/TCAD.2024.3360318
Kadron INoller YPadhye RBultan TPăsăreanu CSen K(2024)Fuzzing, Symbolic Execution, and Expert Guidance for Better TestingIEEE Software10.1109/MS.2023.323798141:1(98-104)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1109/MS.2023.3237981
Schindewolf MKuebler MPett THettich LAgh HLorenz JWagner SWeyrich MSchaefer IDüser TSax E(2024)Integrated Approach for High-quality Software Development of Upgradeable Vehicles2024 Stuttgart International Symposium on Automotive and Engine Technology10.1007/978-3-658-45010-6_13(202-217)Online publication date: 30-Jun-2024
https://doi.org/10.1007/978-3-658-45010-6_13
Paliath VTrickel EBao TWang RDoupé AShoshitaishvili Y(2024)SandPuppy: Deep-State Fuzzing Guided by Automatic Detection of State-Representative VariablesDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_12(227-250)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-64171-8_12
Zhou CZhang QGuo LWang MJiang YLiao QWu ZLi SGu B(2023)Towards Better Semantics Exploration for Browser FuzzingProceedings of the ACM on Programming Languages10.1145/36228197:OOPSLA2(604-631)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622819
Nourry OKashiwa YLin BBavota GLanza MKamei Y(2023)The Human Side of Fuzzing: Challenges Faced by Developers during Fuzzing ActivitiesACM Transactions on Software Engineering and Methodology10.1145/361166833:1(1-26)Online publication date: 23-Nov-2023
https://dl.acm.org/doi/10.1145/3611668
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents