DOI: 10.1145/3605157.3605847
Research article

InFuzz: An Interactive Tool for Enhancing Efficiency in Fuzzing through Visual Bottleneck Analysis (Registered Report)

Published: 17 July 2023

Abstract

Despite the effectiveness of current fuzzing methods, fully automated fuzzing techniques still face an important challenge: overcoming complex code constraints to achieve high coverage and find new vulnerabilities. As a result, practitioners are starting to insert themselves into the fuzzing workflow to look for defects. In this setting, current state-of-the-art fuzzing methods are of limited help in improving the efficiency of human-assisted fuzzing. We therefore introduce InFuzz, an interactive tool that helps humans better understand and intervene in the fuzzing process through visual bottleneck analysis. InFuzz extracts information from source code and runtime coverage, maps the branches that block test progress to source code lines, and obtains the potential inputs that reach those blocking branches through dynamic data-flow analysis; the results are presented to the tester as HTML web pages. In addition, it provides code annotation techniques for intervening more effectively in fuzzing. Using InFuzz, testers can focus their attention on blocking constraints and learn their semantic context and associated input sources, so as to better design code annotations, construct new input seeds, or update test drivers.


Cited By

  • (2024) Visualization Task Taxonomy to Understand the Fuzzing Internals (Registered Report). Proceedings of the 3rd ACM International Fuzzing Workshop, 13-22. https://doi.org/10.1145/3678722.3685530. Online publication date: 13 Sep 2024.
  • (2024) DDGF: Dynamic Directed Greybox Fuzzing with Path Profiling. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 832-843. https://doi.org/10.1145/3650212.3680324. Online publication date: 11 Sep 2024.


Published In

FUZZING 2023: Proceedings of the 2nd International Fuzzing Workshop
July 2023, 61 pages
ISBN: 9798400702471
DOI: 10.1145/3605157

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: Fuzzing, Vulnerability detection

Qualifiers: Research-article

Conference: FUZZING '23

Article Metrics

• Downloads (last 12 months): 112
• Downloads (last 6 weeks): 9
Reflects downloads up to 13 Nov 2024
