DOI: 10.1145/3650212.3680316 (ISSTA conference proceedings)
Research article, open access

Sleuth: A Switchable Dual-Mode Fuzzer to Investigate Bug Impacts Following a Single PoC

Published: 11 September 2024

Abstract

A proof of concept (PoC) is essential for pinpointing a bug within software. Relying on it alone, however, is insufficient for the timely and complete repair of the bug, because it underestimates the bug's impacts. The bug impact reflects the fact that one root cause may trigger a bug at multiple positions, resulting in different bug types (e.g., use-after-free, heap-buffer-overflow). Current techniques discover bug impacts by fuzzing with a specific coverage-guided strategy: assigning more energy to seeds that cover the buggy code regions. This method can use a single PoC to generate, in a short time, multiple PoCs that exhibit different bug impacts. Unfortunately, we observe that existing techniques are still unreliable, primarily because they fail to balance the time spent on in-depth and breadth exploration: (i) in-depth exploration for bug impacts behind the crash region and (ii) breadth exploration for bug impacts in unreached regions alongside it. Current techniques focus on only one of the two, or conduct the two explorations in separate stages, leading to low accuracy and efficiency. To address this problem, we propose Sleuth, an approach that automatically investigates bug impacts following a single known PoC in order to enhance bug fixing. Sleuth is built on two novel concepts: (i) a dual-mode exploration mechanism, built on a fuzzer designed for efficient in-depth and breadth exploration, and (ii) a dynamically switchable strategy, connected to the dual-mode exploration, that makes bug impact investigation more reliable. We evaluate Sleuth on 50 known CVEs; the results show that Sleuth efficiently discovers new bug impacts in 86% of the CVEs and finds 1.5x more bug impacts than state-of-the-art tools. Furthermore, Sleuth identifies 13 incomplete fixes using the newly generated PoCs.
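To make the ideas in the abstract concrete, the following is an added toy illustration written for this page; it is not Sleuth's code and not taken from the paper's replication package. A constructed target has one root cause (an unchecked length field at byte 1) that crosses a different bound at each of three sinks, so the same bug surfaces as a heap-buffer-overflow WRITE at the PoC's crash site, a heap-buffer-overflow READ behind that site, and a use-after-free on a branch the PoC never reaches. The fuzzer starts from a single PoC and alternates between in-depth exploration (extra energy for seeds whose coverage contains the buggy region) and breadth exploration (extra energy for every other seed); each distinct (bug type, site) pair is recorded as a bug impact. The target, the block names, the 8x energy boost and the stall-counter switching rule are all assumptions made for this example, not Sleuth's actual strategy. The last function re-runs every generated PoC against a build carrying an incomplete fix, which is how the generated PoCs expose a patch that guards only the original crash site.

```python
"""Toy dual-mode bug-impact fuzzer (added illustration, not Sleuth's code)."""
import random

BUF, TABLE, MAGIC = 8, 4, 0x53                 # constructed toy target sizes
BUGGY_REGION = {"parse_header", "copy_sink"}   # root cause -> PoC crash site


def target(data: bytes, patched: bool = False):
    """Simulated sanitizer-instrumented target: returns (covered blocks, impact).

    impact is a (bug type, site) pair or None.  The single root cause is the
    unchecked `length` at byte 1, which crosses a different bound at each of
    three sinks.  patched=True models an incomplete fix guarding copy_sink only.
    """
    cov = {"entry"}
    if len(data) < 4 or data[0] != MAGIC:
        cov.add("bad_magic")
        return cov, None
    length = data[1]                  # root cause: never bounds-checked
    cov.add("parse_header")
    flag = data[3] & 1
    if data[2] == 1:
        cov.add("copy_sink")          # memcpy(buf[BUF], src, length)
        if length > BUF:
            if not patched:
                return cov, ("heap-buffer-overflow WRITE", "copy_sink")
            cov.add("reject")         # the (incomplete) patch stops here
            return cov, None
        cov.add("after_copy")         # execution continues past the PoC site
        if flag:
            cov.add("index_sink")     # table[TABLE][length], behind the crash
            if length > TABLE:
                return cov, ("heap-buffer-overflow READ", "index_sink")
    elif data[2] == 2:
        cov.add("release_path")       # branch the PoC never reaches
        if length > BUF and flag:     # free(buf) on "too long", then reuse it
            cov.add("reuse_sink")
            return cov, ("heap-use-after-free", "reuse_sink")
    return cov, None


def mutate(rng: random.Random, data: bytes) -> bytes:
    """AFL-style havoc: one to three stacked byte-level mutations."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        i, op = rng.randrange(len(buf)), rng.randrange(3)
        if op == 0:
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf[i] = rng.randrange(256)
        else:
            buf[i] = (buf[i] + rng.choice((-4, -3, -2, -1, 1, 2, 3, 4))) & 0xFF
    return bytes(buf)


def dual_mode_fuzz(poc: bytes, budget: int = 40000, stall_limit: int = 50,
                   rng_seed: int = 1):
    """Explore impacts from one PoC, alternating depth and breadth modes.

    Depth mode gives 8x energy to seeds whose coverage contains the buggy
    region (they can reach code behind the crash site); breadth mode gives
    it to every other seed.  The mode flips after `stall_limit` rounds with
    no new seed or impact (an assumed rule, not Sleuth's).
    Returns ({(bug type, site): triggering input}, number of mode switches).
    """
    rng = random.Random(rng_seed)
    cov0, imp0 = target(poc)
    seeds, global_cov = [(poc, cov0)], set(cov0)
    impacts = {imp0: poc} if imp0 else {}
    mode, stall, switches, execs = "depth", 0, 0, 0
    while execs < budget:
        progress = False
        for data, cov in list(seeds):
            in_region = BUGGY_REGION <= cov
            hot = in_region if mode == "depth" else not in_region
            for _ in range(8 if hot else 1):
                child = mutate(rng, data)
                ccov, cimp = target(child)
                execs += 1
                if cimp is not None and cimp not in impacts:
                    impacts[cimp] = child          # a new bug impact
                    progress = True
                if ccov - global_cov:
                    global_cov |= ccov
                    seeds.append((child, ccov))    # new coverage: keep as seed
                    progress = True
        stall = 0 if progress else stall + 1
        if stall >= stall_limit:
            mode = "breadth" if mode == "depth" else "depth"
            stall, switches = 0, switches + 1
    return impacts, switches


def surviving_impacts(impacts: dict) -> set:
    """Patch testing: re-run every generated PoC against the patched build.
    Any impact that still fires shows the fix is incomplete."""
    return {imp for imp, poc in impacts.items()
            if target(poc, patched=True)[1] == imp}


if __name__ == "__main__":
    found, flips = dual_mode_fuzz(bytes([MAGIC, 0xFF, 0x01, 0x00]))  # the PoC
    for (kind, site), inp in found.items():
        print(f"{kind:26s} at {site:12s} <- {inp.hex()}")
    print("mode switches:", flips)
    print("still triggered after patch:", surviving_impacts(found))
```

Seeds are kept on new coverage regardless of the current mode; the mode only decides which seeds receive more energy, which is what lets the fuzzer reach the READ behind the crash site (seeds that pass copy_sink with a small length) and the UAF on the unreached branch from the same PoC. Re-running the generated PoCs against the patched target shows the WRITE is gone while the READ and the UAF still fire, i.e. the patch addressed the symptom the original PoC showed rather than the root cause.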



Published In

ISSTA 2024: Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
September 2024, 1928 pages
ISBN: 9798400706127
DOI: 10.1145/3650212

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Bug impact
  2. Fuzzing
  3. Patch testing


Conference

ISSTA '24. Overall acceptance rate: 58 of 213 submissions (27%).

Article Metrics

0 total citations; 80 total downloads (reflects downloads up to 02 Oct 2024).
