When Control Flows Deviate: Directed Grey-box Fuzzing with Probabilistic Reachability Analysis
This program is tentative and subject to change.
Directed grey-box fuzzing (DGF) steers testing toward high-value targets, but building effective DGF for commercial off-the-shelf (COTS) binaries is hard because accurate structural information (control-flow and call graphs) is unavailable; the recovered control flows deviate from the real ones and misguide DGF's reachability analysis. In this paper, we introduce BinGo, a binary-level directed grey-box fuzzer tailored to the flawed CFGs of COTS binaries that still performs accurate and efficient reachability analysis. First, to quantify the unavoidable inaccuracy of unexecuted indirect edges and its impact on basic-block reachability, we propose a Bayesian method that combines prior knowledge from static analysis with dynamic observations from fuzzing to estimate how confidently each indirect edge has been recovered. Second, we introduce the concept of a region, which transforms the control-flow graph (CFG) into a region graph and thereby changes the granularity at which reachability is analysed. Using the Bayesian estimates and the region graph, we propose a fitness metric for binary-level DGF, termed probabilistic reachability. Built on a dynamically updated region graph and reachability scores, the metric is adaptive, lightweight, and tolerant of inaccurate binary-level CFGs. We implemented a prototype of BinGo and evaluated it on the CGC dataset, CVE-Benchmark, and the UniBench benchmark. BinGo surpasses the baseline fuzzers (AFL++, AFLGo, PDGF, UAFuzz, and 1dVul) in reaching target locations and triggering known vulnerabilities, and it uncovered three new vulnerabilities in the real-world application cscope-15.9.
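As an added illustration (not BinGo's own code or algorithm, which the abstract only describes at a high level), the following Python sketch makes the two ideas concrete: each candidate indirect edge carries a Beta-distributed belief whose prior pseudo-counts stand in for static-analysis evidence and are updated by observed control transfers, and a block's reachability score is the largest product of edge confidences along any path to the target. The toy CFG, the prior pseudo-counts, the update rule (a hit at a site counts against the sibling candidates), and the "newly discovered edge" prior are constructed assumptions for the example; the region graph is not modelled.

```python
"""Probabilistic reachability over a CFG whose indirect edges are uncertain.

Direct edges (fall-through, direct jump or call) are trusted: probability 1.
Every candidate indirect edge carries a Beta(alpha, beta) belief that the edge
is real. The prior pseudo-counts stand in for static-analysis evidence; each
observed control transfer at the site updates them. A block's reachability
score is the largest product of edge confidences along any path to the target,
computed by fixed-point iteration so loops need no path enumeration.
Illustrative example with constructed data, not BinGo's implementation.
"""
from dataclasses import dataclass


@dataclass
class IndirectEdge:
    dst: str
    alpha: float  # pseudo-count for "edge is real"
    beta: float   # pseudo-count for "edge is spurious"

    @property
    def confidence(self) -> float:
        """Posterior mean of the Beta belief."""
        return self.alpha / (self.alpha + self.beta)


class ProbCFG:
    def __init__(self) -> None:
        self.direct: dict[str, list[str]] = {}
        self.indirect: dict[str, list[IndirectEdge]] = {}

    def add_block(self, name: str) -> None:
        self.direct.setdefault(name, [])
        self.indirect.setdefault(name, [])

    def add_direct(self, src: str, dst: str) -> None:
        self.add_block(src)
        self.add_block(dst)
        self.direct[src].append(dst)

    def add_indirect(self, src: str, dst: str, alpha: float, beta: float) -> None:
        """Candidate edge from static analysis with its prior pseudo-counts."""
        self.add_block(src)
        self.add_block(dst)
        self.indirect[src].append(IndirectEdge(dst, alpha, beta))

    def observe_transfer(self, src: str, dst: str) -> None:
        """The fuzzer saw the indirect site at src resolve to dst."""
        self.add_block(src)
        self.add_block(dst)
        seen = False
        for e in self.indirect[src]:
            if e.dst == dst:
                e.alpha += 1.0
                seen = True
            else:
                e.beta += 1.0  # the site resolved elsewhere this time
        if not seen:
            # Static analysis missed this edge entirely: flat prior plus one hit
            # (assumed prior for the example).
            self.indirect[src].append(IndirectEdge(dst, 2.0, 1.0))

    def successors(self, src: str):
        for dst in self.direct[src]:
            yield dst, 1.0
        for e in self.indirect[src]:
            yield e.dst, e.confidence

    def reachability(self, target: str, eps: float = 1e-12) -> dict[str, float]:
        """Max-product reachability score of every block toward target."""
        self.add_block(target)
        score = {b: 0.0 for b in self.direct}
        score[target] = 1.0
        changed = True
        while changed:  # scores only grow and are bounded by 1, so this terminates
            changed = False
            for b in self.direct:
                if b == target:
                    continue
                best = max((p * score[d] for d, p in self.successors(b)), default=0.0)
                if best > score[b] + eps:
                    score[b] = best
                    changed = True
        return score


def build_example() -> ProbCFG:
    """Constructed toy CFG: a dispatcher jumps through a handler table."""
    g = ProbCFG()
    g.add_direct("entry", "dispatch")
    g.add_indirect("dispatch", "handler1", alpha=2.0, beta=2.0)  # plausible per static analysis
    g.add_indirect("dispatch", "handler2", alpha=1.0, beta=3.0)  # weak static candidate
    g.add_direct("handler1", "exit")
    g.add_direct("handler2", "target")
    g.add_direct("handler3", "target")  # block recovered, but no caller was recovered for it
    return g


def run_scenario() -> tuple[float, float, float]:
    """Entry-block reachability before and after dynamic observations."""
    g = build_example()
    before = g.reachability("target")["entry"]
    for _ in range(3):
        g.observe_transfer("dispatch", "handler2")
    after_hits = g.reachability("target")["entry"]
    g.observe_transfer("dispatch", "handler3")  # an edge static analysis never recovered
    after_new_edge = g.reachability("target")["entry"]
    return before, after_hits, after_new_edge


if __name__ == "__main__":
    print(run_scenario())  # -> (0.25, 0.5714285714285714, 0.6666666666666666)
```

With static priors alone, the entry block scores only 0.25 toward the target, because the one candidate edge leading there is weakly supported. Three observed transfers to handler2 raise that edge's confidence to 4/7 while lowering its sibling, and a single transfer to the never-predicted handler3 makes the newly created edge (confidence 2/3) the best path. Two caveats a practitioner should keep in mind: max-product scores the single best path and ignores that several partial paths add evidence, and penalising sibling candidates on every hit is a modelling choice that can starve rarely taken but real edges.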
Tue 18 Nov, 14:00 - 15:30 (times shown in the Seoul time zone)

Time | Format | Title | Track | Authors
14:00 | 10 min talk | Exploring Static Taint Analysis in LLMs: A Dynamic Benchmarking Framework for Measurement and Enhancement | Research Papers | Haoran Zhao (Fudan University), Lei Zhang (Fudan University), Keke Lian (Fudan University), Fute Sun (Fudan University), Bofei Chen (Fudan University), Yongheng Liu (Fudan University), Zhiyu Wu (Fudan University), Yuan Zhang (Fudan University), Min Yang (Fudan University)
14:10 | 10 min talk | EPSO: A Caching-Based Efficient Superoptimizer for BPF Bytecode | Research Papers | Qian Zhu (Nanjing University), Yuxuan Liu (Nanjing University), Ziyuan Zhu (Nanjing University), Shangqing Liu (Nanjing University), Lei Bu (Nanjing University)
14:20 | 10 min talk | GNNContext: GNN-based Code Context Prediction for Programming Tasks | Journal-First Track | Xiaoye Zheng (Zhejiang University), Zhiyuan Wan (Zhejiang University), Shun Liu (Zhejiang University), Kaiwen Yang (Zhejiang University), David Lo (Singapore Management University), Xiaohu Yang (Zhejiang University)
14:30 | 10 min talk | R3-Bench: Reproducible Real-world Reverse Engineering Dataset for Symbol Recovery | Research Papers | Muzhi Yu (Peking University and Alibaba Group), Zhengran Zeng (Peking University), Wei Ye (Peking University), Jinan Sun (Peking University), Xiaolong Bai (Alibaba Group), Shikun Zhang (Peking University)
14:40 | 10 min talk | Protecting Source Code Privacy When Hunting Memory Bugs | Research Papers | Jielun Wu (Nanjing University), Bing Shui (Nanjing University), Hongcheng Fan (Nanjing University), Shengxin Wu (Nanjing University), Rongxin Wu (Xiamen University), Yang Feng (Nanjing University), Baowen Xu (Nanjing University), Qingkai Shi (Nanjing University)
14:50 | 10 min talk | Latra: A Template-Based Language-Agnostic Transformation Framework for Effective Program Reduction | Research Papers | Zhenyang Xu (University of Waterloo), Yiran Wang (University of Waterloo), Yongqiang Tian (Monash University), Mengxiao Zhang (University of Waterloo), Chengnian Sun (University of Waterloo)
15:00 | 10 min talk | When Control Flows Deviate: Directed Grey-box Fuzzing with Probabilistic Reachability Analysis | Research Papers | Peihong Lin (National University of Defense Technology), Pengfei Wang (National University of Defense Technology), Xu Zhou (National University of Defense Technology), Wei Xie (University of Science and Technology of China), Xin Ren (National University of Defense Technology), Kai Lu (National University of Defense Technology, China)
15:10 | 10 min talk | EditFusion: Resolving Code Merge Conflicts via Edit Selection | Research Papers | Changxin Wang (Nanjing University), Yiming Ma (Nanjing University), Lei Xu (Nanjing University), Weifeng Zhang (Nanjing University of Posts and Telecommunications)
15:20 | 10 min talk | Detecting Semantic Clones of Unseen Functionality | Research Papers | Konstantinos Kitsios (University of Zurich), Francesco Sovrano (Collegium Helveticum, ETH Zurich, Switzerland; Department of Informatics, University of Zurich, Switzerland), Earl T. Barr (University College London), Alberto Bacchelli (University of Zurich); pre-print available