Abstract
Directed fuzzing demonstrates the potential to reproduce bug reports, verify patches, and debug vulnerabilities. State-of-the-art directed fuzzers prioritize inputs that are more likely to trigger the target vulnerability or filter irrelevant inputs unrelated to the targets. Despite these efforts, existing approaches struggle to reproduce specific vulnerabilities as most generated inputs are irrelevant. For instance, in the Magma benchmark, more than 94% of generated inputs miss the target vulnerability. We call this challenge the indirect input generation problem.
We propose to increase the yield of inputs that reach the target location by restraining input generation. Our key insight is to infer likely invariants from both reachable and unreachable executed inputs to constrain the search space of the subsequent input generation and produce more reachable inputs. Moreover, we propose two selection strategies to minimize the fraction of unnecessary inputs for efficient invariant inference and deprioritize imprecise invariants for effective input generation. Halo, our prototype implementation, outperforms state-of-the-art directed fuzzers with a 15.3x speedup in reproducing target vulnerabilities by generating 6.2x more reachable inputs. During our evaluation, we also detected ten previously unknown bugs involving seven incomplete fixes in the latest versions of well-fuzzed targets.
© 2024, Heqing Huang. Under license to IEEE.
We propose to increase the yield of inputs that reach the target location by restraining input generation. Our key insight is to infer likely invariants from both reachable and unreachable executed inputs to constrain the search space of the subsequent input generation and produce more reachable inputs. Moreover, we propose two selection strategies to minimize the fraction of unnecessary inputs for efficient invariant inference and deprioritize imprecise invariants for effective input generation. Halo, our prototype implementation, outperforms state-of-the-art directed fuzzers with a 15.3x speedup in reproducing target vulnerabilities by generating 6.2x more reachable inputs. During our evaluation, we also detected ten previously unknown bugs involving seven incomplete fixes in the latest versions of well-fuzzed targets.
© 2024, Heqing Huang. Under license to IEEE.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - 45th IEEE Symposium on Security and Privacy |
| Subtitle of host publication | SP 2024 |
| Publisher | IEEE |
| Pages | 1956-1973 |
| ISBN (Electronic) | 979-8-3503-3130-1 |
| ISBN (Print) | 979-8-3503-3131-8 |
| DOIs | |
| Publication status | Published - 2024 |
| Event | 45th IEEE Symposium on Security and Privacy (SP 2024) - Hilton San Francisco Union Square, San Francisco, United States Duration: 20 May 2024 → 23 May 2024 https://sp2024.ieee-security.org/index.html https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings |
Publication series
| Name | Proceedings of the IEEE Symposium on Security and Privacy |
|---|---|
| ISSN (Print) | 1081-6011 |
| ISSN (Electronic) | 2375-1207 |
Conference
| Conference | 45th IEEE Symposium on Security and Privacy (SP 2024) |
|---|---|
| Country/Territory | United States |
| City | San Francisco |
| Period | 20/05/24 → 23/05/24 |
| Internet address |
Bibliographical note
Research Unit(s) information for this publication is provided by the author(s) concerned.Research Keywords
- Directed Fuzzing
- Indirected Input Generation
- Invariant Inference