DOI: 10.1145/2484313.2484372

Fuzzing the ActionScript virtual machine

Published: 08 May 2013

Abstract

Fuzz testing is an automated testing technique in which random data is fed as input to a software system in order to reveal security bugs and vulnerabilities. When testing ActionScript virtual machines (AVMs), the fuzzed inputs must be binaries that embed compiled bytecode. The current fuzzing method for JavaScript-like virtual machines is of very limited use against compiler-involved AVMs: the complete source code must be both grammatically and semantically valid so that it first passes through the compiler and can then be executed. In this paper, we present ScriptGene, an algorithmic approach that overcomes the additional complexity of generating valid ActionScript programs. First, nearly-valid code snippets are randomly generated, with some controls on instruction flow. Second, we present a novel mutation method in which these code snippets are lexically analyzed and mutated using runtime information from the AVM, which helps us build context for undefined behaviours that pass the compiler's checks and yields high code coverage. We have implemented and evaluated ScriptGene on three different versions of Adobe AVMs. Results demonstrate that ScriptGene not only covers almost all the blocks reached by the official test suite (Tamarin), but also achieves nearly twice the code coverage. The discovery of six bugs missed by the official test suite demonstrates the effectiveness, validity and novelty of ScriptGene.


Cited By

  • (2020) Fuzzing JavaScript Engines with Aspect-preserving Mutation. 2020 IEEE Symposium on Security and Privacy (SP), pp. 1629-1642. DOI: 10.1109/SP40000.2020.00067.
  • (2018) Fuzzing: State of the Art. IEEE Transactions on Reliability 67(3), pp. 1199-1218. DOI: 10.1109/TR.2018.2834476.
  • (2015) Application of Domain-aware Binary Fuzzing to Aid Android Virtual Machine Testing. ACM SIGPLAN Notices 50(7), pp. 121-132. DOI: 10.1145/2817817.2731198.
  • (2015) Application of Domain-aware Binary Fuzzing to Aid Android Virtual Machine Testing. Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, pp. 121-132. DOI: 10.1145/2731186.2731198.

Published In

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
May 2013
574 pages
ISBN:9781450317672
DOI:10.1145/2484313

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. actionscript
  2. fuzz testing
  3. vulnerability discovery

Qualifiers

  • Research-article

Conference

ASIA CCS '13

Acceptance Rates

ASIA CCS '13 Paper Acceptance Rate 35 of 216 submissions, 16%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%
