Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities (Technical Papers)
Existing coverage-based fuzzers usually use individual control-flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some long sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we first propose to model UaF vulnerabilities as typestate properties, then develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Then, the fuzzing process is guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also adopt information flow analysis to improve the efficiency of the fuzzing process. We performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.
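As an added illustration of the two ideas in the abstract (it is not UAFL's code), the block below encodes the UaF typestate property as a small per-object automaton, checks an operation trace against it, and computes the ordered "operation sequence progress" that a fuzzer can use as feedback instead of plain edge coverage. The site labels, trace events and target sequence are constructed for the example.

```python
"""Typestate check for use-after-free plus operation-sequence feedback.
Constructed example; the site names (e.g. "free@cleanup") are hypothetical."""

ALLOCATED, FREED, ERROR = "allocated", "freed", "error"

# Typestate property for one heap object. Any move into ERROR is a violation.
TRANSITIONS = {
    (ALLOCATED, "use"): ALLOCATED,
    (ALLOCATED, "free"): FREED,
    (FREED, "use"): ERROR,    # use-after-free
    (FREED, "free"): ERROR,   # double free
}

def check_typestate(trace):
    """trace: list of (site, op, obj) with op in {malloc, use, free}.
    Returns the events (index, site, op, obj) that drive an object into ERROR."""
    state = {}
    violations = []
    for i, (site, op, obj) in enumerate(trace):
        if op == "malloc":
            state[obj] = ALLOCATED          # (re)allocation resets the typestate
            continue
        cur = state.get(obj)
        if cur is None or cur == ERROR:
            continue                        # untracked object, or already reported
        state[obj] = TRANSITIONS[(cur, op)]
        if state[obj] == ERROR:
            violations.append((i, site, op, obj))
    return violations

def sequence_progress(trace, target_sites):
    """Fraction of a statically found site sequence (malloc -> free -> use)
    matched *in order* as a subsequence of the trace. An input that raises
    this value gets closer to the violation and is worth keeping in the queue."""
    matched = 0
    for site, _, _ in trace:
        if matched < len(target_sites) and site == target_sites[matched]:
            matched += 1
    return matched / len(target_sites)

# Constructed sample data: the same three sites reached in two different orders.
TARGET = ["malloc@parse", "free@cleanup", "use@render"]
SAFE = [("malloc@parse", "malloc", "p"), ("use@render", "use", "p"),
        ("free@cleanup", "free", "p")]
UAF = [("malloc@parse", "malloc", "p"), ("free@cleanup", "free", "p"),
       ("use@render", "use", "p")]

if __name__ == "__main__":
    print(sequence_progress(SAFE, TARGET), check_typestate(SAFE))  # 0.666..., []
    print(sequence_progress(UAF, TARGET), check_typestate(UAF))    # 1.0, [(2, 'use@render', 'use', 'p')]
```

Both traces cover exactly the same three sites, so edge coverage cannot tell them apart; only the ordered sequence progress and the typestate check do.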
Sat 11 Jul, 00:00 - 01:00 (times shown in UTC, Coordinated Universal Time)

00:00 (12m) Talk: Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities. Technical Papers. Haijun Wang (Ant Financial Services Group, China; CSSE, Shenzhen University, China), Xiaofei Xie (Nanyang Technological University), Yi Li (Nanyang Technological University), Cheng Wen (Xidian University), Yuekang Li (Nanyang Technological University), Yang Liu (Nanyang Technological University, Singapore), Shengchao Qin (University of Teesside), Hongxu Chen (Research Associate), Yulei Sui (University of Technology Sydney, Australia).

00:12 (12m) Talk: sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts. Technical Papers. Tai D. Nguyen (Singapore Management University), Long H. Pham (Singapore University of Technology and Design), Jun Sun (Singapore Management University), Yun Lin (National University of Singapore), Minh Quang Tran (Ho Chi Minh City University of Technology).

00:24 (12m) Talk: Planning for Untangling: Predicting the Difficulty of Merge Conflicts. Technical Papers. Caius Brindescu (Oregon State University), Iftekhar Ahmed (University of California at Irvine, USA), Rafael Leano (Oregon State University), Anita Sarma (Oregon State University).

00:36 (12m) Talk: Gang of Eight: A Defect Taxonomy for Infrastructure as Code Scripts. Technical Papers. Akond Rahman (Tennessee Tech University), Effat Farhana (North Carolina State University), Chris Parnin (North Carolina State University), Laurie Williams (North Carolina State University).

00:48 (12m) Talk: JVM Fuzzing for JIT-Induced Side-Channel Detection. Technical Papers. Tegan Brennan (University of California, Santa Barbara), Seemanta Saha (University of California, Santa Barbara), Tevfik Bultan (University of California, Santa Barbara).