Operand-Variation-Oriented Differential Analysis for Fuzzing Binding Calls in PDF Readers
Binding calls of embedded scripting engines introduce a serious attack surface in PDF readers. To effectively test binding calls, the knowledge of parameter types is necessary. Unfortunately, due to the absence or incompleteness of documentation and the lack of sufficient samples, automatic type reasoning for binding call parameters is a big challenge. In this paper, we propose a novel operand-variation-oriented differential analysis approach, which automatically extracts features from execution traces as oracles for inferring parameter types. In particular, the parameter types of a binding call are inferred by executing the binding call with different values of different types and investigating which types cause an expected effect on the instruction operands. The inferred type information is used to guide the test generation in fuzzing. Through the evaluation on two popular PDF readers (Adobe Reader and Foxit Reader), we demonstrated the accuracy of our type reasoning method and the effectiveness of the inferred type information for improving fuzzing in both code coverage and vulnerability discovery. We found 38 previously unknown security vulnerabilities, 26 of which were certified with CVE numbers.
Wed 17 MayDisplayed time zone: Hobart change
11:00 - 12:30 | Fuzzing: applicationsTechnical Track / DEMO - Demonstrations at Meeting Room 101 Chair(s): Corina S. Păsăreanu Carnegie Mellon University | ||
11:00 15mTalk | Detecting JVM JIT Compiler Bugs via Exploring Two-Dimensional Input Spaces Technical Track Haoxiang Jia Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Zifan Xie Huazhong University of Science and Technology, Xiaochen Guo Huazhong University of Science and Technology, Rongxin Wu Xiamen University, Maolin Sun Huazhong University of Science and Technology, Kang Chen Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology Pre-print | ||
11:15 15mTalk | JITfuzz: Coverage-guided Fuzzing for JVM Just-in-Time Compilers Technical Track Mingyuan Wu Southern University of Science and Technology, Minghai Lu Southern University of Science and Technology, Heming Cui University of Hong Kong, Junjie Chen Tianjin University, Yuqun Zhang Southern University of Science and Technology, Lingming Zhang University of Illinois at Urbana-Champaign | ||
11:30 15mTalk | Validating SMT Solvers via Skeleton Enumeration Empowered by Historical Bug-Triggering Inputs Technical Track Maolin Sun Huazhong University of Science and Technology, Yibiao Yang Nanjing University, Ming Wen Huazhong University of Science and Technology, Yongcong Wang Huazhong University of Science and Technology, Yuming Zhou Nanjing University, Hai Jin Huazhong University of Science and Technology Pre-print | ||
11:45 15mTalk | Regression Fuzzing for Deep Learning Systems Technical Track Hanmo You College of Intelligence and Computing, Tianjin University, Zan Wang Tianjin University, China, Junjie Chen Tianjin University, Shuang Liu Tianjin University, Shuochuan Li College of Intelligence and Computing, Tianjin University | ||
12:00 15mTalk | Operand-Variation-Oriented Differential Analysis for Fuzzing Binding Calls in PDF Readers Technical Track Suyue Guo Renmin University of China, Xinyu Wan Renmin University of China, Wei You Renmin University of China, Bin Liang Renmin University of China, China, Wenchang Shi Renmin University of China, China, Yiwei Zhang Renmin University of China, Jianjun Huang Renmin University of China, China, Jian Zhang State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China Pre-print | ||
12:15 7mTalk | JAttack: Java JIT Testing using Template Programs DEMO - Demonstrations Zhiqiang Zang University of Texas at Austin, Fu-Yao Yu The University of Texas at Austin, Nathan Wiatrek The University of Texas at Austin, Milos Gligoric University of Texas at Austin, August Shi University of Texas at Austin Pre-print | ||