Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference

Heqing Huang, Anshunkang Zhou, Mathias Payer, Charles Zhang

Research output: Chapters, Conference Papers, Creative and Literary Works; RGC 32 - Refereed conference paper (with host publication); peer-reviewed

2 Citations (Scopus)

Abstract

Directed fuzzing demonstrates the potential to reproduce bug reports, verify patches, and debug vulnerabilities. State-of-the-art directed fuzzers prioritize inputs that are more likely to trigger the target vulnerability or filter irrelevant inputs unrelated to the targets. Despite these efforts, existing approaches struggle to reproduce specific vulnerabilities as most generated inputs are irrelevant. For instance, in the Magma benchmark, more than 94% of generated inputs miss the target vulnerability. We call this challenge the indirect input generation problem.
We propose to increase the yield of inputs that reach the target location by restraining input generation. Our key insight is to infer likely invariants from both reachable and unreachable executed inputs to constrain the search space of the subsequent input generation and produce more reachable inputs. Moreover, we propose two selection strategies to minimize the fraction of unnecessary inputs for efficient invariant inference and deprioritize imprecise invariants for effective input generation. Halo, our prototype implementation, outperforms state-of-the-art directed fuzzers with a 15.3x speedup in reproducing target vulnerabilities by generating 6.2x more reachable inputs. During our evaluation, we also detected ten previously unknown bugs involving seven incomplete fixes in the latest versions of well-fuzzed targets.
© 2024, Heqing Huang. Under license to IEEE.
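The key insight of the abstract, as an added illustration that is not the paper's or Halo's own code: interval invariants are inferred from the inputs that reached a target, the unreachable inputs serve as counterexamples to flag imprecise invariants, and generation is then constrained by the precise ones. The target program, the four-byte header format, the seed corpus and the 0.5 precision threshold are all constructed for the example.

```python
import random

# Constructed target program (not Halo's): the target location is reached only when a
# four-field header (magic, length, flags, pad) passes the parser's checks; pad is unused.
def reaches_target(inp):
    magic, length, flags, _pad = inp
    if magic != 0x4D:            # wrong magic byte: parser bails out early
        return False
    if not 16 <= length <= 64:   # implausible length: rejected
        return False
    if flags & 0x08:             # reserved bit set: rejected
        return False
    return True                  # target basic block reached

N_FIELDS = 4
FULL = (0, 255)

def infer_invariants(reachable):
    """Likely interval invariant per field: [min, max] over the reachable inputs."""
    return [(min(v[i] for v in reachable), max(v[i] for v in reachable)) for i in range(N_FIELDS)]

def precision(inv, unreachable):
    """Counterexample check: the fraction of unreachable inputs each field's interval rejects.
    An interval that the unreachable inputs mostly satisfy is an imprecise invariant."""
    return [sum(not lo <= u[i] <= hi for u in unreachable) / len(unreachable)
            for i, (lo, hi) in enumerate(inv)]

def generate(inv, prec, n, rng, threshold=0.5):
    """Constrained generation: sample inside precise intervals; imprecise invariants are
    deprioritised, i.e. that field is sampled from its full range instead."""
    return [tuple(rng.randint(*(inv[i] if prec[i] >= threshold else FULL)) for i in range(N_FIELDS))
            for _ in range(n)]

def experiment(seed=1):
    rng = random.Random(seed)
    # Constructed corpus: three seeds that reach the target plus random inputs, like a fuzzer queue.
    corpus = [(0x4D, 20, 0x00, 5), (0x4D, 60, 0x03, 200), (0x4D, 33, 0x10, 90)]
    corpus += [tuple(rng.randint(*FULL) for _ in range(N_FIELDS)) for _ in range(500)]
    reachable = [c for c in corpus if reaches_target(c)]
    unreachable = [c for c in corpus if not reaches_target(c)]
    inv = infer_invariants(reachable)
    prec = precision(inv, unreachable)
    blind = generate([FULL] * N_FIELDS, [1.0] * N_FIELDS, 1000, rng)   # unconstrained baseline
    guided = generate(inv, prec, 1000, rng)                             # invariant-constrained
    return inv, prec, sum(map(reaches_target, blind)), sum(map(reaches_target, guided))

if __name__ == "__main__":
    inv, prec, blind_hits, guided_hits = experiment()
    print("invariants:", inv, "precision:", [round(p, 2) for p in prec])
    print(f"reachable inputs per 1000: unconstrained={blind_hits}, constrained={guided_hits}")
```

The unused pad field gets a wide, loose interval that most unreachable inputs also satisfy, so it is deprioritised, while the magic and length intervals do the constraining and raise the yield of reachable inputs by orders of magnitude.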
Original language: English
Title of host publication: Proceedings - 45th IEEE Symposium on Security and Privacy
Subtitle of host publication: SP 2024
Publisher: IEEE
Pages: 1956-1973
ISBN (Electronic): 979-8-3503-3130-1
ISBN (Print): 979-8-3503-3131-8
Publication status: Published - 2024
Event: 45th IEEE Symposium on Security and Privacy (SP 2024) - Hilton San Francisco Union Square, San Francisco, United States
Duration: 20 May 2024 to 23 May 2024
https://sp2024.ieee-security.org/index.html
https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y
https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings

Publication series

Name: Proceedings of the IEEE Symposium on Security and Privacy
ISSN (Print): 1081-6011
ISSN (Electronic): 2375-1207

Conference

Conference: 45th IEEE Symposium on Security and Privacy (SP 2024)
Country/Territory: United States
City: San Francisco
Period: 20/05/24 to 23/05/24

Bibliographical note

Research Unit(s) information for this publication is provided by the author(s) concerned.

Research Keywords

  • Directed Fuzzing
  • Indirected Input Generation
  • Invariant Inference

