Titan: Efficient Multi-target Directed Greybox Fuzzing

Heqing Huang; Peisen Yao; Hung-Chun Chiu; Yiyuan Guo; Charles Zhang

Titan: Efficient Multi-target Directed Greybox Fuzzing

Heqing Huang, Peisen Yao^*, Hung-Chun Chiu, Yiyuan Guo, Charles Zhang

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

Abstract

Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets.

This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds’ potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup, and requiring 95.0% fewer number of executions. In addition, Titan detects ten incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned.

Original language	English
Title of host publication	Proceedings - 45th IEEE Symposium on Security and Privacy (SP 2024)
Publisher	IEEE
ISBN (Print)	979-8-3503-3130-1
Publication status	Published - May 2024
Externally published	Yes
Event	45th IEEE Symposium on Security and Privacy (SP 2024) - Hilton San Francisco Union Square, San Francisco, United States Duration: 20 May 2024 → 23 May 2024 https://sp2024.ieee-security.org/index.html https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings

Conference

Conference	45th IEEE Symposium on Security and Privacy (SP 2024)
Country/Territory	United States
City	San Francisco
Period	20/05/24 → 23/05/24
Internet address	https://sp2024.ieee-security.org/index.html https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings

Research Keywords

Directed fuzzin
Multi-target
Path correlation

Access Output

https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00059

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{0e7e3e04949b4de1a1aeeecaa76d7caa,

title = "Titan: Efficient Multi-target Directed Greybox Fuzzing",

abstract = "Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds{\textquoteright} potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup, and requiring 95.0% fewer number of executions. In addition, Titan detects ten incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned.",

keywords = "Directed fuzzin, Multi-target, Path correlation",

author = "Heqing Huang and Peisen Yao and Hung-Chun Chiu and Yiyuan Guo and Charles Zhang",

year = "2024",

month = may,

language = "English",

isbn = "979-8-3503-3130-1",

booktitle = "Proceedings - 45th IEEE Symposium on Security and Privacy (SP 2024)",

publisher = "IEEE",

address = "United States",

note = "45th IEEE Symposium on Security and Privacy (SP 2024) ; Conference date: 20-05-2024 Through 23-05-2024",

url = "https://sp2024.ieee-security.org/index.html, https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y, https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings",

}

TY - GEN

T1 - Titan

T2 - 45th IEEE Symposium on Security and Privacy (SP 2024)

AU - Huang, Heqing

AU - Yao, Peisen

AU - Chiu, Hung-Chun

AU - Guo, Yiyuan

AU - Zhang, Charles

PY - 2024/5

Y1 - 2024/5

N2 - Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds’ potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup, and requiring 95.0% fewer number of executions. In addition, Titan detects ten incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned.

AB - Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds’ potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup, and requiring 95.0% fewer number of executions. In addition, Titan detects ten incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned.

KW - Directed fuzzin

KW - Multi-target

KW - Path correlation

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-3503-3130-1

BT - Proceedings - 45th IEEE Symposium on Security and Privacy (SP 2024)

PB - IEEE

Y2 - 20 May 2024 through 23 May 2024

ER -

Titan: Efficient Multi-target Directed Greybox Fuzzing

Abstract

Conference

Research Keywords

Access Output

Other Access Options

Permanent Link

Fingerprint

Cite this