Search Results (101)

As IoT devices with microcontroller (MCU)-based firmware become more common in our lives, memory corruption vulnerabilities in their firmware are increasingly targeted by adversaries. Fuzzing is a powerful method for detecting these vulnerabilities, but it poses unique challenges when applied to IoT devices. Direct fuzzing on these devices is inefficient, and recent efforts have shifted towards creating emulation environments for dynamic firmware testing. However, unlike traditional software, firmware interactions with peripherals that are significantly more diverse presents new challenges for achieving scalable full-system emulation and effective fuzzing. This paper reviews 27 state-of-the-art works in MCU-based firmware emulation and its applications in fuzzing. Instead of classifying existing techniques based on their capabilities and features, we first identify the fundamental challenges faced by firmware emulation and fuzzing. We then revisit recent studies, organizing them according to the specific challenges they address, and discussing how each specific challenge is addressed. We compare the emulation fidelity and bug detection capabilities of various techniques to clearly demonstrate their strengths and weaknesses, aiding users in selecting or combining tools to meet their needs. Finally, we highlight the remaining technical gaps and point out important future research directions in firmware emulation and fuzzing. Full article

In network protocol fuzzing, effective seed scheduling plays a critical role in improving testing efficiency. Traditional state-driven seed scheduling methods in network protocol fuzzing are often limited by imbalanced seed selection, monolithic scheduling strategies, and ineffective power allocation. To overcome these limitations, we propose SCFuzz, specifically by employing a multi-armed bandit model to dynamically balance exploration and exploitation across multiple fuzzing phases. The fuzzing process is divided into initial, middle, and final phases with seed selection strategies adapted at each phase to optimize the discovery of new states, paths, and code coverage. Additionally, SCFuzz employs a power allocation method based on state weights, focusing power on high-potential messages to improve the overall fuzzing efficiency. Experimental evaluations on open-source protocol implementations show that SCFuzz significantly improves state and code coverage, achieving up to 17.10% more states, 22.92% higher state transitions, and 7.92% greater code branch coverage compared to AFLNet. Moreover, SCFuzz improves seed selection effectiveness by 389.37% and increases power utilization by 45.61%, effectively boosting the overall efficiency of fuzzing. Full article

Software testing is an important step in the software development life cycle to ensure the quality and security of software. Fuzzing is a security testing technique that finds vulnerabilities automatically without accessing the source code. We built a fuzzer, called JIMA-Fuzzing, which is an effective fuzzing tool that utilizes grammar detected from sample input. Based on the detected grammar, JIMA-Fuzzing selects a portion of the valid user input and fuzzes that portion. For example, the tool may greatly increase the size of the input, truncate the input, replace numeric values with new values, replace words with numbers, etc. This paper discusses how JIMA-Fuzzing works and shows the evaluation results after testing against the DARPA Cyber Grand Challenge (CGC) dataset. JIMA-Fuzzing is capable of extracting grammar from sample input files, meaning that it does not require access to the source code to generate effective fuzzing files. This feature allows it to work with proprietary or non-open-source programs and significantly reduces the effort needed from human testers. In addition, compared to fuzzing tools guided with symbolic execution or taint analysis, JIMA-Fuzzing takes much less computing power and time to analyze sample input and generate fuzzing files. However, the limitation is that JIMA-Fuzzing relies on good sample inputs and works primarily on programs that require user interaction/input. Full article

Hybrid fuzzing leverages the result of the concolic executor for a direct exploration of fuzzing, which has been proven to improve coverage during tests significantly.However, some constraints, such as those related to environments or depending on the host’s status, cannot be solved. Despite many performance optimizations on hybrid fuzzing, we observe that repeatedly constraint solving on unsolvable branches causes significant computational redundancies. This paper focuses on eliminating the unsolvable branches in concolic execution. We propose Branch Splitting for Unsolvable Path Hybrid Fuzzing (BSP), which splits unsolvable branches to achieve higher fuzzing coverage. BSP modifies the target program during concolic execution so that the fuzzer can easily cover initially unsolvable branches. Specifically, it changes the condition of unsolvable branches to constant True (or False), which generates multiple variants of the original program. Then, the fuzzer tests these variants instead. This allows BSP to explore more branches with high performance. The experimental results on real-world programs demonstrate that BSP can explore 46.68% more branches than QSYM. Full article

In contemporary software security testing, fuzzing is a pervasive methodology employed to identify vulnerabilities. However, one of the most significant challenges is the vast number of crash reports, many of which are repetitive, resulting in an increased analysis burden for security researchers. To address this issue, we propose a novel method for reducing crash redundancy and grouping similar crashes based on their execution traces. By leveraging the Intel Processor Trace (PT), we can reconstruct the instruction flow of the last executed function in each crash and extract its relevant instruction slice through data dependency backward slicing. The registers are abstracted, and the immediate values are generalized to normalize the instruction sequence. Subsequently, fuzzy hashing is applied to the generalized instruction sequences, and a similarity-based greedy strategy is employed for grouping. The method effectively reduces the workload by clustering crashes with similar root causes, leaving analysts with only representative samples to investigate. Furthermore, compared with conventional stack hashing techniques, our methodology demonstrates an average improvement in accuracy of 15.38% across four programs, with a total of 281 crashes. Full article

Fuzzing is an extensively used automated vulnerability detection technique. Most existing fuzzers are guided by edge coverage, which makes them less effective in detecting specific vulnerabilities, especially use-after-free (UAF) vulnerabilities. This is because the triggering of a UAF vulnerability must not only cover a specific memory operation but also satisfy a specific sequence of operations. In this paper, we propose UAF-Fuzzer for detecting UAFs, which consists of static analysis and fuzzing stages. In the static analysis stage, UAF-Fuzzer first uses target identification to determine the basic blocks that may cause UAFs as the target basic blocks; subsequently, it then instruments these target basic blocks. Subsequently, we propose a memory operation evaluation method to assess the complexity of memory operations. In the fuzzing stage, UAF-Fuzzer assigns energy to seeds using a memory evaluation operation and employs a novel seed selection algorithm to prioritize the execution of test cases that are likely to trigger UAF vulnerabilities. We designed and implemented a UAF-Fuzzer to improve the detection of UAFs and compared it with AFL, AFLFast, FairFuzz, MOPT, EcoFuzz, and TortoiseFuzz in terms of UAF vulnerability detection, crash detection, and path discovery. The results showed that UAF-Fuzzer is more effective in terms of detecting UAF vulnerabilities. We have also discovered three UAF vulnerabilities, submitted them to the software maintainer for fixing, and obtained CVE IDs. Full article

Modern web services widely provide RESTful APIs for clients to access their functionality programmatically. Fuzzing is an emerging technique for ensuring the reliability of RESTful APIs. However, the existing RESTful API fuzzers repeatedly generate invalid requests due to unawareness of errors in the invalid tested requests and lack of effective strategy to generate legal value for the incorrect parameters. Such limitations severely hinder the fuzzing performance. In this paper, we propose DynER, a new test case generation method guided by dynamic error responses during fuzzing. DynER designs two strategies of parameter value generation for purposefully revising the incorrect parameters of invalid tested requests to generate new test requests. The strategies are, respectively, based on prompting Large Language Model (LLM) to understand the semantics information in error responses and actively accessing API-related resources. We apply DynER to the state-of-the-art fuzzer RESTler and implement DynER-RESTler. DynER-RESTler outperforms foREST on two real-world RESTful services, WordPress and GitLab with a 41.21% and 26.33% higher average pass rate for test requests and a 12.50% and 22.80% higher average number of unique request types successfully tested, respectively. The experimental results demonstrate that DynER significantly improves the effectiveness of test cases and fuzzing performance. Additionally, DynER-RESTler finds three new bugs. Full article

Fuzz testing technology is an important approach to detecting SQL injection vulnerabilities. Among them, coverage-guided gray-box fuzz testing technology is the current research focus, and has been proved to be an effective method. However, for SQL injection vulnerability, coverage-guided gray-box fuzz testing as a detection method has the problems of low efficiency and high false positives. In order to solve the above problems, we propose a potentially vulnerable code-guided gray-box fuzz testing technology. Firstly, taint analysis technology is used to locate all the taint propagation paths containing potential vulnerabilities as potentially vulnerable codes. Then, the source code of the application program is instrumented according to the location of the potentially vulnerable code. Finally, the feedback of seeds during the run is used to guide seed selection and seed mutation, and a large number of test cases are generated. Based on the above techniques, we implement the sqlFuzz prototype system, and use this system to analyze eight modern PHP applications. The experimental results show that sqlFuzz can not only detect more SQL injection vulnerabilities than the existing coverage-guided gray box fuzz testing technology, but also significantly improve the efficiency, in terms of time efficiency increased by 80 percent. Full article

Coverage feedback is one of the key mechanisms for improving the effectiveness of fuzzers by measuring and comparing the executed code regions while processing input data. In general, such guidance should always improve the performance of fuzzers to better find unexplored code regions. However, proprietary systems with uncommon I/O interfaces (e.g., UAV system, IoT devices, satellite firmware) require extensive engineering/porting efforts to apply coverage feedback support in developing their fuzzing platform. In this paper, we evaluate the detailed efficacy of coverage feedback in fuzzing based on 44 real-world bugs we found using OSS-Fuzz. Our analysis uncovered when and how code coverage information can be helpful, and our experiment demonstrates that although coverage guidance is always helpful to some extent, its effectiveness depends on various external factors. Therefore, such factors should be carefully considered for optimizing the cost and efficiency in designing the fuzzing architecture of proprietary systems. Full article

Network protocol implementations, as integral components of information communication, are critically important for security. Due to its efficiency and automation, fuzzing has become a popular method for protocol security detection. However, the existing protocol-fuzzing techniques face the critical problem of generating high-quality inputs. To address the problem, in this paper, we propose MSFuzz, which is a protocol-fuzzing method with message syntax comprehension. The core observation of MSFuzz is that the source code of protocol implementations contains detailed and comprehensive knowledge of the message syntax. Specifically, we leveraged the code-understanding capabilities of large language models to extract the message syntax from the source code and construct message syntax trees. Then, using these syntax trees, we expanded the initial seed corpus and designed a novel syntax-aware mutation strategy to guide the fuzzing. To evaluate the performance of MSFuzz, we compared it with the state-of-the-art (SOTA) protocol fuzzers, namely, AFLNET and CHATAFL. Experimental results showed that compared with AFLNET and CHATAFL, MSFuzz achieved average improvements of 22.53% and 10.04% in the number of states, 60.62% and 19.52% improvements in the number of state transitions, and 29.30% and 23.13% improvements in branch coverage. Additionally, MSFuzz discovered more vulnerabilities than the SOTA fuzzers. Full article

Landraces are an important reservoir of genetic variation that can expand the narrow genetic base of cultivated cotton. In this study, quantitative trait loci (QTL) analysis was conducted using an F₂ population developed from crosses between the landrace Hopi and inbred TM-1. A high-density genetic map spanning 2253.11 and 1932.21 cM for the A and D sub-genomes, respectively, with an average marker interval of 1.14 cM, was generated using the CottonSNP63K array. The linkage map showed a strong co-linearity with the physical map of cotton. A total of 21 QTLs were identified, controlling plant height (1), bract type (1), boll number (1), stem color (2), boll pitting (2), fuzz fiber development (2), boll shape (3), boll point (4), and boll glanding (5). In silico analysis of the novel QTLs for boll glanding identified a total of 13 candidate genes. Analysis of tissue-specific expression of the candidate genes suggests roles for the transcription factors bHLH1, MYB2, and ZF1 in gland formation. Comparative sequencing of open reading frames identified early stop codons in all three transcription factors in Hopi. Functional validation of these genes offers avenues to reduce glanding and, consequently, lower gossypol levels in cottonseeds without compromising the defense mechanisms of the plant against biotic stresses. Full article

Rigorous testing methods are essential for ensuring the security and reliability of industrial controller software. Fuzzing, a technique that automatically discovers software bugs, has also proven effective in finding software vulnerabilities. Unsurprisingly, fuzzing has been applied to a wide range of platforms, including programmable logic controllers (PLCs). However, current approaches, such as coverage-guided evolutionary fuzzing implemented in the popular fuzzer American Fuzzy Lop Plus Plus (AFL++), are often inadequate for finding logical errors and bugs in PLC control logic applications. They primarily target generic programming languages like C/C++, Java, and Python, and do not consider the unique characteristics and behaviors of PLCs, which are often programmed using specialized programming languages like Structured Text (ST). Furthermore, these fuzzers are ill suited to deal with complex input structures encapsulated in ST, as they are not specifically designed to generate appropriate input sequences. This renders the application of traditional fuzzing techniques less efficient on these platforms. To address this issue, this paper presents a fuzzing framework designed explicitly for PLC software to discover logic bugs in applications written in ST specified by the IEC 61131-3 standard. The proposed framework incorporates a custom-tailored PLC runtime and a fuzzer designed for the purpose. We demonstrate its effectiveness by fuzzing a collection of ST programs that were crafted for evaluation purposes. We compare the performance against a popular fuzzer, namely, AFL++. The proposed fuzzing framework demonstrated its capabilities in our experiments, successfully detecting logic bugs in the tested PLC control logic applications written in ST. On average, it was at least 83 times faster than AFL++, and in certain cases, for example, it was more than 23,000 times faster. Full article

As the directed greybox fuzzing (DGF) technique advances, it is being extensively utilized in various fields such as defect reproduction, patch testing, and vulnerability identification. Nevertheless, current DGFs waste a significant amount of resources due to their simplistic distance definitions and overly straightforward energy distribution for the seeds. To address these issues, a dynamic distance-weighting-based distance estimation strategy is proposed first, which facilitates strategies for seed distribution that take energy into consideration. Second, to overcome the limitations of current seed energy distribution strategies, the gray wolf optimizer (GWO) is improved by integrating four strategies, leading to the development of the improved gray wolf optimizer (IGWO). Lastly, an adaptive search algorithm is proposed, and the WolfFuzz prototype tool is implemented. In vulnerability recurrence scenarios, WolfFuzz is 3.2× faster on average compared with the baseline and reproduces 76.4% of existing bugs faster. WolfFuzz also discovers nine different types of bugs in seven real-world programs. Full article

Effective and optimal decision-making can enhance system performance, potentially leading to a positive reputation and financial gains. Multi-criteria decision-making (MCDM) is an important research topic widely applied to practical decision-making problems. Using the basic idea of symmetry to balance the arrangement where elements or features have an equality or similarity in distribution, MCDM provides robust decisions in such multi-dimensional complex issues. This study proposes MultiFuzzTOPS, a decision-making model to deal with complexity of multi-criteria decision-making. The proposed MultiFuzzTOPS leverages the fuzzy logic and soft sets such as type-2 soft sets (T2SS) and technique for order preference by similarity to ideal solution (TOPSIS) for decision-making. We validate the proposed model by implementing it to solve the pesticide selection problem in food science by considering various criteria for the selection of pesticides. Our proposed MultiFuzzTOPS recommends the best pesticide compared with its counterparts because it covers the maximum information for the selection of the best alternative. Results are ranked on the basis of the Hamming distance and similarity coefficient. We also validate the effectiveness by performing the sensitivity analysis, and the validation shows the reliability and effectiveness of our proposed model. Full article

Software vulnerabilities present a significant cybersecurity threat, particularly as software code grows in size and complexity. Traditional vulnerability-mining techniques face challenges in keeping pace with this complexity. Fuzzing, a key automated vulnerability-mining approach, typically focuses on code branch coverage, overlooking syntactic and semantic elements of the code. In this paper, we introduce HotCFuzz, a novel vulnerability-mining model centered on the coverage of hot code blocks. Leveraging vulnerability syntactic features to identify these hot code blocks, we devise a seed selection algorithm based on their coverage and integrate it into the established fuzzing test framework AFL. Experimental results demonstrate that HotCFuzz surpasses AFL, AFLGo, Beacon, and FairFuzz in terms of efficiency and time savings. Full article