Titan: Efficient Multi-target Directed Greybox Fuzzing

Heqing Huang; Peisen Yao; Hung-Chun Chiu; Yiyuan Guo; Charles Zhang

doi:10.1109/SP54263.2024.00059

Titan: Efficient Multi-target Directed Greybox Fuzzing

Heqing Huang
, Peisen Yao^*
, Hung-Chun Chiu
, Yiyuan Guo
, Charles Zhang

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

19 Citations (Scopus)

Abstract

Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds' potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup and requiring 95.0% fewer number of executions. In addition, Titan detects nine incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned. © 2024 IEEE.

Original language	English
Title of host publication	Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
Place of Publication	Los Alamitos, Calif.
Publisher	IEEE
Pages	1849-1864
ISBN (Electronic)	9798350331301
ISBN (Print)	9798350331318
DOIs	https://doi.org/10.1109/SP54263.2024.00059
Publication status	Published - 2024
Externally published	Yes
Event	45th IEEE Symposium on Security and Privacy (SP 2024) - Hilton San Francisco Union Square, San Francisco, United States Duration: 20 May 2024 → 23 May 2024 https://sp2024.ieee-security.org/index.html https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print)	1081-6011
ISSN (Electronic)	2375-1207

Conference

Conference	45th IEEE Symposium on Security and Privacy (SP 2024)
Abbreviated title	S&P 2024
Place	United States
City	San Francisco
Period	20/05/24 → 23/05/24
Internet address	https://sp2024.ieee-security.org/index.html https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings

Funding

We thank the anonymous reviewers and the shepherd for their valuable feedback. The authors are supported, in part, by Hong Kong Research Grant Council under Grant No. RGC16206517, Hong Kong Innovation and Technology Commission under Grant No. ITS/440/18FP, National Natural Science Foundation of China under Grant No. 62302434, donations from Huawei, and Qizhen Scholar Foundation of Zhejiang University.

Research Keywords

Directed fuzzin
Multi-target
Path correlation

Access Output

10.1109/SP54263.2024.00059

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{0e7e3e04949b4de1a1aeeecaa76d7caa,

title = "Titan: Efficient Multi-target Directed Greybox Fuzzing",

abstract = "Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds' potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup and requiring 95.0\% fewer number of executions. In addition, Titan detects nine incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned. {\textcopyright} 2024 IEEE.",

keywords = "Directed fuzzin, Multi-target, Path correlation",

author = "Heqing Huang and Peisen Yao and Hung-Chun Chiu and Yiyuan Guo and Charles Zhang",

year = "2024",

doi = "10.1109/SP54263.2024.00059",

language = "English",

isbn = "9798350331318",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "IEEE",

pages = "1849--1864",

booktitle = "Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024",

address = "United States",

note = "45th IEEE Symposium on Security and Privacy (SP 2024), S\&P 2024 ; Conference date: 20-05-2024 Through 23-05-2024",

url = "https://sp2024.ieee-security.org/index.html, https://www.computer.org/csdl/proceedings/sp/2024/1RjE8VKKk1y, https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings",

}

Huang, H, Yao, P, Chiu, H-C, Guo, Y & Zhang, C 2024, Titan: Efficient Multi-target Directed Greybox Fuzzing. in Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024. Proceedings - IEEE Symposium on Security and Privacy, IEEE, Los Alamitos, Calif., pp. 1849-1864, 45th IEEE Symposium on Security and Privacy (SP 2024), San Francisco, California, United States, 20/05/24. https://doi.org/10.1109/SP54263.2024.00059

Titan: Efficient Multi-target Directed Greybox Fuzzing. / Huang, Heqing; Yao, Peisen; Chiu, Hung-Chun et al.
Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024. Los Alamitos, Calif.: IEEE, 2024. p. 1849-1864 (Proceedings - IEEE Symposium on Security and Privacy).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Titan

T2 - 45th IEEE Symposium on Security and Privacy (SP 2024)

AU - Huang, Heqing

AU - Yao, Peisen

AU - Chiu, Hung-Chun

AU - Guo, Yiyuan

AU - Zhang, Charles

PY - 2024

Y1 - 2024

N2 - Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds' potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup and requiring 95.0% fewer number of executions. In addition, Titan detects nine incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned. © 2024 IEEE.

AB - Modern directed fuzzing often faces scalability issues when analyzing multiple targets in a program simultaneously. We observe that the root cause is that directed fuzzers are unaware of the correlations among the targets, thereby could degenerate into a target-undirected method. As a result, directed fuzzing suffers severely from efficiency when reproducing multiple targets. This paper presents Titan, which enables fuzzers to distinguish correlations among various targets in the program and, thus, optimizes the input generation to reproduce multiple targets effectively. Leveraging these correlations, Titan differentiates seeds' potential of reaching each target for the scheduling and identifies bytes that can be changed simultaneously for the mutation. We compare our approach to eight state-of-the-art (directed) fuzzers. The evaluation demonstrates that Titan outperforms existing approaches by efficiently detecting multiple targets, achieving a 21.4x speedup and requiring 95.0% fewer number of executions. In addition, Titan detects nine incomplete fixes, which cannot be detected by other directed fuzzers, in the latest versions of the benchmark programs with two CVE IDs assigned. © 2024 IEEE.

KW - Directed fuzzin

KW - Multi-target

KW - Path correlation

UR - https://www.scopus.com/pages/publications/85200662104

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85200662104&origin=recordpage

U2 - 10.1109/SP54263.2024.00059

DO - 10.1109/SP54263.2024.00059

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9798350331318

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 1849

EP - 1864

BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024

PB - IEEE

CY - Los Alamitos, Calif.

Y2 - 20 May 2024 through 23 May 2024

ER -

Titan: Efficient Multi-target Directed Greybox Fuzzing

Abstract

Publication series

Conference

Funding

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this