Top

Published in:

2017 | OriginalPaper | Chapter

Static Program Analysis as a Fuzzing Aid

Authors : Bhargava Shastry, Markus Leutner, Tobias Fiebig, Kashyap Thimmaraju, Fabian Yamaguchi, Konrad Rieck, Stefan Schmid, Jean-Pierre Seifert, Anja Feldmann

Published in: Research in Attacks, Intrusions, and Defenses

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Fuzz testing is an effective and scalable technique to perform software security assessments. Yet, contemporary fuzzers fall short of thoroughly testing applications with a high degree of control-flow diversity, such as firewalls and network packet analyzers. In this paper, we demonstrate how static program analysis can guide fuzzing by augmenting existing program models maintained by the fuzzer. Based on the insight that code patterns reflect the data format of inputs processed by a program, we automatically construct an input dictionary by statically analyzing program control and data flow. Our analysis is performed before fuzzing commences, and the input dictionary is supplied to an off-the-shelf fuzzer to influence input generation. Evaluations show that our technique not only increases test coverage by 10–15% over baseline fuzzers such as afl but also reduces the time required to expose vulnerabilities by up to an order of magnitude. As a case study, we have evaluated our approach on two classes of network applications: nDPI, a deep packet inspection library, and tcpdump, a network packet analyzer. Using our approach, we have uncovered 15 zero-day vulnerabilities in the evaluated software that were not found by stand-alone fuzzers. Our work not only provides a practical method to conduct security evaluations more effectively but also demonstrates that the synergy between program analysis and testing can be exploited for a better outcome.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter VDF: Targeted Evolutionary Fuzz Testing of Virtual Devices

next chapter Breaking Fitness Records Without Moving: Reverse Engineering and Spoofing Fitbit

Available only for authorised users

Ethical Considerations: Vulnerabilities found during our case studies have been responsibly disclosed to the concerned vendors who have subsequently patched them.

Aho, A.V., Sethi, R., Ullman, J.D.: Compilers, Principles, Techniques. Addison-Wesley, Boston (1986)

Address Sanitizer. https://clang.llvm.org/docs/AddressSanitizer.html. Accessed 27 Mar 2017

Böhme, M., Pham, V.T., Roychoudhury, A.: Coverage-based greybox fuzzing as Markov chain. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 1032–1043. ACM (2016)

Caballero, J., Yin, H., Liang, Z., Song, D.: Polyglot: automatic extraction of protocol message format using dynamic binary analysis. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 317–329 (2007)

Cert Secure Coding Standards. https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards. Accessed 01 June 2017

Clusterfuzzer: Heap-buffer-overflow in read. https://bugs.chromium.org/p/chromium/issues/detail?id=609042. Accessed 23 Mar 2017

Comparetti, P.M., Wondracek, G., Kruegel, C., Kirda, E.: Prospex: Protocol specification extraction. In: Proceedings of the IEEE Security & Privacy, pp. 110–125 (2009)

Cui, W., Kannan, J., Wang, H.J.: Discoverer: automatic protocol reverse engineering from network traces. In: Proceedings of the USENIX Security Symposium, vol. 158 (2007)

Cui, W., Peinado, M., Chen, K., Wang, H.J., Irun-Briz, L.: Tupni: automatic reverse engineering of input formats. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 391–402 (2008)

10.

Engler, D., Chelf, B., Chou, A., Hallem, S.: Checking system rules using system-specific, programmer-written compiler extensions. In: Proceedings of the OSDI (2000)

11.

Foote, J.: The exploitable GDB plugin (2015). https://github.com/jfoote/exploitable. Accessed 23 Mar 2017

12.

Gallagher, K.B., Lyle, J.R.: Using program slicing in software maintenance. IEEE Trans. Softw. Eng. 17(8), 751–761 (1991)CrossRef

13.

Godefroid, P., Kiezun, A., Levin, M.Y.: Grammar-based whitebox fuzzing. ACM SIGPLAN Not. 43, 206–215 (2008)CrossRef

14.

Godefroid, P., Levin, M.Y., Molnar, D.: Sage: whitebox fuzzing for security testing. ACM Queue 10(1), 20 (2012)CrossRef

15.

Google Inc.: Fuzzer test suite. https://github.com/google/fuzzer-test-suite. Accessed 23 Mar 2017

16.

Holler, C., Herzig, K., Zeller, A.: Fuzzing with code fragments. In: Proceedings of the USENIX Security Symposium, pp. 445–458 (2012)

17.

Hopcroft, J.E., Motwani, R., Ullman, J.D.: Introduction to Automata Theory, Languages, and Computation, 3rd edn. Addison-Wesley, Reading (2006)MATH

18.

Lam, M.S., Whaley, J., Livshits, V.B., Martin, M.C., Avots, D., Carbin, M., Unkel, C.: Context-sensitive program analysis as database queries. In: Proceedings of the ACM Symposium on Principles of Database Systems, pp. 1–12 (2005)

19.

Lin, Z., Jiang, X., Xu, D., Zhang, X.: Automatic protocol format reverse engineering through context-aware monitored execution. In: Proceedings of Symposium on Network and Distributed System Security (NDSS), pp. 1–15 (2008)

20.

LLVM Compiler Infrastructure: Clang static analyzer. http://clang-analyzer.llvm.org/. Accessed 23 Mar 2017

21.

LLVM Compiler Infrastructure: libFuzzer: a library for coverage-guided fuzz testing. http://llvm.org/docs/LibFuzzer.html. Accessed 23 Mar 2017

22.

Miller, B.P., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. Commun. ACM 33(12), 32–44 (1990)CrossRef

23.

MITRE.org: CVE-2014-0160: The Heartbleed Bug. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160. Accessed 23 Mar 2017

24.

MITRE.org: CVE-2015-8317: Libxml2: several out of bounds reads. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317. Accessed 23 Mar 2017

25.

MITRE.org: CVE-2016-5180: Project c-ares security advisory. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5180. Accessed 23 Mar 2017

26.

Molnar, D., Li, X.C., Wagner, D.: Dynamic test generation to find integer bugs in x86 binary Linux programs. In: Proceedings of the USENIX Security Symposium, vol. 9, pp. 67–82 (2009)

27.

nDPI: Open and Extensible LGPLv3 Deep Packet Inspection Library. http://www.ntop.org/products/deep-packet-inspection/ndpi/. Accessed 23 Mar 2017

28.

OpenRCE: Sulley. https://github.com/OpenRCE/sulley. Accessed 23 Mar 2017

29.

Peach Fuzzer. http://www.peachfuzzer.com/. Accessed 23 Mar 2017

30.

Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 49–61 (1995)

31.

Snort++ vulnerabilities found. http://blog.snort.org/2017/05/snort-vulnerabilities-found.html. Accessed 05 June 2017

32.

Wondracek, G., Comparetti, P.M., Kruegel, C., Kirda, E.: Automatic network protocol analysis. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS) (2008)

33.

Yamaguchi, F., Maier, A., Gascon, H., Rieck, K.: Automatic inference of search patterns for taint-style vulnerabilities. In: Proceedings of the IEEE Security & Privacy, pp. 797–812 (2015)

34.

Zalewski, M.: American fuzzy lop. http://lcamtuf.coredump.cx/afl/. Accessed 23 Mar 2017

35.

Zalewski, M.: afl-fuzz: making up grammar with a dictionary in hand (2015). https://lcamtuf.blogspot.de/2015/01/afl-fuzz-making-up-grammar-with.html. Accessed 23 Mar 2017

Title: Static Program Analysis as a Fuzzing Aid
Authors: Bhargava Shastry
Markus Leutner
Tobias Fiebig
Kashyap Thimmaraju
Fabian Yamaguchi
Konrad Rieck
Stefan Schmid
Jean-Pierre Seifert
Anja Feldmann
Publisher: Springer International Publishing
Book: Research in Attacks, Intrusions, and Defenses
Print ISBN: 978-3-319-66331-9

Electronic ISBN: 978-3-319-66332-6

Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-66332-6_2

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner