Regular Paper

ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-Based Taint Inference

College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China

Abstract

Grey-box fuzzing is an effective technique for detecting software vulnerabilities such as memory corruption. Previous fuzzers aimed at memory corruption bugs either rely on heavy-weight analysis or use techniques that are not customized for memory corruption detection. In this paper, we propose a novel memory-bug-guided fuzzer, ovAFLow. To begin with, we broaden the set of memory corruption targets at which bugs are frequently identified. Next, ovAFLow uses lightweight and effective methods to build connections between the fuzzing inputs and these corruption targets. Based on the inferred connections, ovAFLow applies customized techniques to steer the fuzzing process closer to memory corruption. We evaluate ovAFLow against state-of-the-art fuzzers, including AFL (american fuzzy lop), AFLFast, FairFuzz, QSYM, Angora, TIFF, and TortoiseFuzz. The evaluation results show that ovAFLow has better vulnerability detection ability, with acceptable performance overhead. Moreover, we identified 12 new memory corruption bugs and two CVEs (Common Vulnerabilities and Exposures) with the help of ovAFLow.
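As an added illustration of the kind of fuzzing-based taint inference the abstract refers to (example code written for this page, not code from the paper or the ovAFLow implementation): a constructed toy target exposes the operands observed at two memory-corruption-relevant sites, each seed byte is flipped in turn to learn which bytes influence which site, and mutation is then focused on only those bytes. The toy target, the site names and the boundary-value mutation strategy are assumptions of the example.

```python
from typing import Callable, Dict, Set

# Constructed toy target: an 8-byte header where bytes 0-1 form a little-endian
# length consumed by a memcpy and byte 2 indexes a 256-entry table. It returns
# the operands seen at each site, as a lightweight instrumentation hook would.
def toy_target(data: bytes) -> Dict[str, int]:
    if len(data) < 8:
        return {}
    length = data[0] | (data[1] << 8)
    return {"memcpy_len@parse": length,          # memcpy(dst, src, length)
            "array_idx@lookup": data[2] & 0xFF}  # table[index]

def infer_taint(seed: bytes,
                program: Callable[[bytes], Dict[str, int]]) -> Dict[str, Set[int]]:
    """Fuzzing-based taint inference: flip each seed byte in turn, re-run the
    program, and record which sites observed a different operand. Only the
    operands at the sites are compared; no instruction-level taint tracking."""
    base = program(seed)
    taint: Dict[str, Set[int]] = {site: set() for site in base}
    for i in range(len(seed)):
        mutated = bytearray(seed)
        mutated[i] ^= 0xFF
        for site, value in program(bytes(mutated)).items():
            if site in base and value != base[site]:
                taint[site].add(i)
    return taint

def focus_mutation(seed: bytes, tainted: Set[int], fill: int = 0xFF) -> bytes:
    """Directed mutation: overwrite only the bytes that reach the chosen site
    with a boundary value, leaving unrelated bytes (and the parse path) intact."""
    out = bytearray(seed)
    for i in tainted:
        out[i] = fill
    return bytes(out)

if __name__ == "__main__":
    seed = bytes([0x10, 0x00, 0x03]) + b"A" * 5   # constructed seed input
    taint = infer_taint(seed, toy_target)
    print(taint)                                  # which bytes reach which site
    probe = focus_mutation(seed, taint["memcpy_len@parse"])
    print(toy_target(probe))                      # memcpy length driven to 0xFFFF
```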

Electronic Supplementary Material

jcst-37-2-405-Highlights.pdf (151.3 KB)

Journal of Computer Science and Technology
Pages 405-422
Cite this article:
Zhang G, Wang P-F, Yue T, et al. ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-Based Taint Inference. Journal of Computer Science and Technology, 2022, 37(2): 405-422. https://doi.org/10.1007/s11390-021-1600-9

Received: 21 May 2021
Accepted: 15 November 2021
Published: 31 March 2022
©Institute of Computing Technology, Chinese Academy of Sciences 2022