Liberating libraries through automated fuzz driver generation: Striking a Balance Without Consumer Code
Harnessing fuzzers to test software libraries requires developers to write fuzz drivers, specialized programs that exercise valid library usage. Given a driver, fuzzers generate interesting inputs that trigger the library’s bugs. Writing fuzz drivers manually is a cumbersome process, and these drivers frequently hit a coverage plateau, calling for more diverse drivers. To alleviate the need for human expert knowledge, emerging automatic driver generation techniques invest computational time in tasks besides input generation. Therefore, to maximize the number of bugs found, it is crucial to allocate computation resources carefully between generating valid drivers and testing them thoroughly. Current works model driver generation and testing as a single problem, i.e., they mutate both the driver’s code and its input together. This simple approach is limited, as many libraries need a combination of non-trivial library usage and complex inputs. For example, consider a JPEG manipulation library: bugs appear only when specific library functions and corrupted images happen to be tested together, a combination that is difficult to trigger if driver code and input are mutated synchronously.
We introduce libErator, a novel library testing approach that balances constrained computational resources to achieve two goals: (a) quickly generate valid fuzz drivers and (b) deeply test these drivers to find bugs. To achieve these goals, libErator employs three main techniques. First, we leverage insights from a novel static analysis to improve the likelihood of generating meaningful drivers. Second, we design a method to quickly discard non-functional drivers, further reducing the resources wasted on unfruitful drivers. Finally, we show an effective driver selection method that avoids redundant tests. We deploy libErator on 11 open-source libraries and evaluate it against manually written and automatically generated drivers. We show that libErator reaches coverage comparable to manually written drivers and, on average, exceeds the coverage of existing automated driver generation techniques. More importantly, libErator automatically finds 16 confirmed bugs, 10 of which are already fixed and upstreamed. Among the bugs found, one was assigned a CVE while others contributed to the project test suites, thus showcasing the ability of libErator to create valid library usages. Finally, since driver synthesis may report invalid errors, we assess the true positive ratio of libErator at 20%, double the state of the art.
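The abstract's central point is that a fuzz driver has two separable dimensions: which library calls are made, in what order, and what bytes those calls consume. The following is an added illustration, not code from the paper or from libErator, written against a constructed toy image library (all names are invented) in the libFuzzer entry-point shape. The first input byte selects the usage sequence and the rest is the image, so the two dimensions can be mutated independently; the driver also returns a distinct value when it cannot get past the library's open call, which is the kind of cheap signal a generator can use to discard a non-functional driver/input pair early.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "image" library standing in for the JPEG library in the
 * abstract. Format: width byte, height byte, then width*height pixel bytes. */
typedef struct {
    uint8_t width, height;
    uint8_t *pixels;
} toy_image;

toy_image *toy_open(const uint8_t *data, size_t len) {
    if (len < 2) return NULL;
    size_t npix = (size_t)data[0] * data[1];
    if (len - 2 < npix) return NULL;            /* truncated image: reject */
    toy_image *img = malloc(sizeof *img);
    if (!img) return NULL;
    img->width = data[0];
    img->height = data[1];
    img->pixels = malloc(npix ? npix : 1);
    if (!img->pixels) { free(img); return NULL; }
    memcpy(img->pixels, data + 2, npix);
    return img;
}

void toy_invert(toy_image *img) {
    size_t npix = (size_t)img->width * img->height;
    for (size_t i = 0; i < npix; i++) img->pixels[i] = (uint8_t)~img->pixels[i];
}

/* Returns the pixel value, or -1 for out-of-range coordinates. */
int toy_get_pixel(const toy_image *img, uint8_t x, uint8_t y) {
    if (x >= img->width || y >= img->height) return -1;
    return img->pixels[(size_t)y * img->width + x];
}

void toy_close(toy_image *img) {
    if (!img) return;
    free(img->pixels);
    free(img);
}

enum { USAGE_COUNT = 3 };

/* Fuzz driver. data[0] picks the library-usage sequence (the "driver"
 * dimension); data[1..] is the image (the "input" dimension). Returns 0 on a
 * completed run and -1 when toy_open rejected the image, so the caller can
 * tell "exercised the library" from "never got past the entry point".
 * (libFuzzer treats -1 as "do not add this input to the corpus".) */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < 1) return 0;
    uint8_t usage = data[0] % USAGE_COUNT;
    toy_image *img = toy_open(data + 1, size - 1);
    if (!img) return -1;
    switch (usage) {
    case 0: /* open, read one pixel, close */
        toy_get_pixel(img, 0, 0);
        break;
    case 1: /* open, invert, read the last column, close */
        toy_invert(img);
        toy_get_pixel(img, img->width ? (uint8_t)(img->width - 1) : 0, 0);
        break;
    case 2: /* open, invert twice (identity), close */
        toy_invert(img);
        toy_invert(img);
        break;
    }
    toy_close(img);
    return 0;
}

/* Constructed seeds: usage 1 with a valid 2x2 image, and usage 0 with a
 * header claiming 200x200 pixels but carrying only one byte. */
static const uint8_t SEED_VALID[]     = {1, 2, 2, 0xAA, 0x55, 0xFF, 0x00};
static const uint8_t SEED_TRUNCATED[] = {0, 200, 200, 1};

int run_seed_valid(void)     { return LLVMFuzzerTestOneInput(SEED_VALID, sizeof SEED_VALID); }
int run_seed_truncated(void) { return LLVMFuzzerTestOneInput(SEED_TRUNCATED, sizeof SEED_TRUNCATED); }

/* Direct library check: a 2x1 image {7, 9}, inverted, read at (1, 0). */
int sample_pixel_after_invert(void) {
    static const uint8_t img_bytes[] = {2, 1, 7, 9};
    toy_image *img = toy_open(img_bytes, sizeof img_bytes);
    if (!img) return -1;
    toy_invert(img);
    int v = toy_get_pixel(img, 1, 0);
    toy_close(img);
    return v;
}

int main(void) {
    printf("valid seed: %d, truncated seed: %d, pixel: %d\n",
           run_seed_valid(), run_seed_truncated(), sample_pixel_after_invert());
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address` the same file becomes a libFuzzer target (the fuzzer supplies its own `main`); a generator in the spirit of the abstract would run each candidate driver on a small seed set and drop drivers whose runs all return -1 before spending any fuzzing budget on them.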
Mon 23 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

14:00 - 15:30 | Fuzzing 1 (Demonstrations / Research Papers / Journal First) at Cosmos 3C. Chair: Shin Hwei Tan (Concordia University)

| Time | Slot | Title | Track | Authors |
|---|---|---|---|---|
| 14:00 | 20m talk | Liberating libraries through automated fuzz driver generation: Striking a Balance Without Consumer Code | Research Papers | Flavio Toffalini (EPFL, Switzerland and Ruhr-Universität Bochum, Germany), Nicolas Badoux (EPFL), Zurab Tsinadze (EPFL), Mathias Payer (EPFL) |
| 14:20 | 20m talk | Presentation Proposal for: Finding Information Leaks with Information Flow Fuzzing | Journal First | Bernd Gruner (German Aerospace Center (DLR), Institute of Data Science), Clemens-Alexander Brust (German Aerospace Center (DLR)), Andreas Zeller (CISPA Helmholtz Center for Information Security) |
| 14:40 | 20m talk | MendelFuzz: The Return of the Deterministic Stage | Research Papers | Han Zheng (EPFL), Flavio Toffalini (EPFL, Switzerland and Ruhr-Universität Bochum, Germany), Marcel Böhme (MPI for Security and Privacy), Mathias Payer (EPFL) |
| 15:00 | 10m talk | PeachCI: Scalable Continuous Integration of Generation-Based Protocol Fuzzing | Demonstrations | Wanli Chen (Central South University), Yuanliang Chen (Tsinghua University), Fuchen Ma (Tsinghua University), Ruikang Peng (Central South University), Qi Xu (Tsinghua University), Yu Jiang (Tsinghua University), Qiang Fu (Central South University), Heyuan Shi (Central South University) |
| 15:10 | 10m talk | Widening The Adoption of Web API Fuzzing: Docker, GitHub Action and Python Support for EvoMaster | Demonstrations | Andrea Arcuri (Kristiania University of Applied Sciences), Philip Garrett (Kristiania University of Applied Sciences), Juan Pablo Galeotti (University of Buenos Aires), Man Zhang (Beihang University, China) |
Cosmos 3C is the third room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.