Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference

Research output: Chapters, Conference Papers, Creative and Literary Works; RGC 32 - Refereed conference paper (with host publication); peer-review

Detail(s)

Original language: English
Title of host publication: 2024 IEEE Symposium on Security and Privacy (SP)
Publisher: IEEE
Pages: 142
ISBN (Electronic): 979-8-3503-3130-1
Publication status: Online published - 2024

Publication series

Name: Proceedings of the IEEE Symposium on Security and Privacy
ISSN (Electronic): 2375-1207

Conference

Title: 45th IEEE Symposium on Security and Privacy (SP 2024)
Location: Hilton San Francisco Union Square
Place: United States
City: San Francisco
Period: 20 - 22 May 2024

Abstract

Directed fuzzing demonstrates the potential to reproduce bug reports, verify patches, and debug vulnerabilities. State-of-the-art directed fuzzers prioritize inputs that are more likely to trigger the target vulnerability or filter irrelevant inputs unrelated to the targets. Despite these efforts, existing approaches struggle to reproduce specific vulnerabilities as most generated inputs are irrelevant. For instance, in the Magma benchmark, more than 94% of generated inputs miss the target vulnerability. We call this challenge the indirect input generation problem. We propose to increase the yield of inputs that reach the target location by restraining input generation. Our key insight is to infer likely invariants from both reachable and unreachable executed inputs to constrain the search space of the subsequent input generation and produce more reachable inputs. Moreover, we propose two selection strategies to minimize the fraction of unnecessary inputs for efficient invariant inference and deprioritize imprecise invariants for effective input generation. Halo, our prototype implementation, outperforms state-of-the-art directed fuzzers with a 15.3x speedup in reproducing target vulnerabilities by generating 6.2x more reachable inputs. During our evaluation, we also detected ten previously unknown bugs involving seven incomplete fixes in the latest versions of well-fuzzed targets.

Bibliographic Note

Since this conference is yet to commence, the information for this record is subject to revision.

Citation Format(s)

Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference. / Huang, Heqing; Zhou, Anshunkang; Payer, Mathias et al.
2024 IEEE Symposium on Security and Privacy (SP). IEEE, 2024. p. 142 (Proceedings of the IEEE Symposium on Security and Privacy).