APSEC 2024
Tue 3 - Fri 6 December 2024 China
Thu 5 Dec 2024 14:30 - 15:00 at Room 2 (Xiangshan Ballroom) - Session (9) Chair(s): Zhiqiang Li

WebAudio is a widely used audio processing API in popular browsers, and it provides rich audio support for Safari, the exclusive browser on macOS. Given its widespread use, it is critical to test WebAudio thoroughly to ensure its reliability. Traditional fuzzing techniques typically lack awareness of the input structure and fail to accommodate the unique characteristics of audio file formats, so they cannot generate effective fuzzing inputs and fall short of detecting vulnerabilities within WebAudio.

In this work, we introduce Proteus, an advanced greybox fuzzer designed to achieve structure awareness through the use of input templates. Moreover, Proteus is equipped with high-level mutation operators, diverging from traditional bit-level manipulations, and incorporates a post-processing stage that repairs format constraints disrupted during mutation. These enhancements enable Proteus to explore new input domains effectively while maintaining file validity, significantly improving the depth and efficiency of the fuzzing process.
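The template, high-level mutation and repair stages described above can be illustrated on the CAF container used in the evaluation. This is an added example, not Proteus's code: the function names, the two mutation operators and the sample file are assumptions constructed here, and only the CAF header and chunk layout come from the public format.

```python
import struct

HEADER = struct.Struct(">4sHH")    # 'caff', file version, file flags
CHUNK = struct.Struct(">4sq")      # chunk type, signed 64-bit payload size
DESC = struct.Struct(">d4sIIIII")  # 32-byte audio description ('desc' payload)

def build_sample():
    """Constructed minimal CAF file: a 'desc' chunk plus a tiny 'data' chunk."""
    desc = DESC.pack(44100.0, b"lpcm", 0, 2, 1, 1, 16)
    data = struct.pack(">I", 0) + bytes(8)   # edit count + 4 silent frames
    return (HEADER.pack(b"caff", 1, 0)
            + CHUNK.pack(b"desc", len(desc)) + desc
            + CHUNK.pack(b"data", len(data)) + data)

def parse(blob):
    """Template step: split a file into [type, payload] pairs, rejecting bad sizes."""
    magic, _version, _flags = HEADER.unpack_from(blob, 0)
    if magic != b"caff":
        raise ValueError("not a CAF file")
    chunks, off = [], HEADER.size
    while off < len(blob):
        if off + CHUNK.size > len(blob):
            raise ValueError("truncated chunk header")
        ctype, size = CHUNK.unpack_from(blob, off)
        off += CHUNK.size
        if size == -1:                 # allowed only for a trailing 'data' chunk
            size = len(blob) - off
        if size < 0 or off + size > len(blob):
            raise ValueError(f"chunk {ctype!r} size {size} overruns file")
        chunks.append([ctype, blob[off:off + size]])
        off += size
    return chunks

def mutate(chunks, rng):
    """High-level operators (rng is a random.Random): edit a field, resize a payload."""
    for chunk in chunks:
        if chunk[0] == b"desc":
            fields = list(DESC.unpack(chunk[1]))
            fields[5] = rng.choice([0, 1, 2, 0xFFFF])   # channels per frame
            chunk[1] = DESC.pack(*fields)
        elif chunk[0] == b"data":
            extra = bytes(rng.getrandbits(8) for _ in range(rng.randrange(64)))
            chunk[1] = chunk[1][:4] + extra             # keep the edit count
    return chunks

def repair(chunks):
    """Post-processing: re-emit each chunk header with a size matching its payload."""
    body = b"".join(CHUNK.pack(t, len(p)) + p for t, p in chunks)
    return HEADER.pack(b"caff", 1, 0) + body
```

A byte-level change that alters a payload's length without updating the chunk size is rejected by `parse`, while `repair(mutate(parse(f), rng))` always yields a file whose chunk sizes are consistent, so the mutated fields reach the decoder instead of being discarded at the container check.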

Our evaluation confirms the effectiveness of Proteus. In our experiment fuzzing WebAudio with CAF files, our tool exposed significantly more vulnerabilities than the baseline Honggfuzz without compromising efficiency. Notably, we identified a vulnerability that can be exploited to gain control of the browser. Overall, Proteus has discovered 36 zero-day vulnerabilities in WebAudio on macOS 10.15.3, with 11 of these assigned CVEs.

Thu 5 Dec

Displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi

14:00 - 15:30
14:00
30m
Talk
Multi-Hierarchy Metamorphic Testing for Hyphenated Words in Machine Translation
Technical Track
Rui Zhu Nanjing University of Aeronautics and Astronautics, Chuanqi Tao Nanjing University of Aeronautics and Astronautics, Jerry Gao San Jose State University
14:30
30m
Talk
Exploring the Depths of WebAudio: Advancing Greybox Fuzzing for Enhanced Vulnerability Detection in Safari
Technical Track
Jiashui Wang Zhejiang University, Jiahui Wang Zhejiang University, Jundong Xie Ant Group, Zhenyuan Li Zhejiang University, Yan Chen Northwestern University, Peng Qian Zhejiang University
15:00
20m
Talk
A Study On C Code Defect Detection With Fine-tuned Large Language Models
ERA - Early Research Achievements
Yue Wang Beihang University, Xu Wang Beihang University, Hongwei Yu Beihang University, Fei Gao Beijing Aerospace Automatic Control Institute, Xueshi Liu Beijing Aerospace Automatic Control Institute, Xiaoling Wang