In recent years, coverage-based greybox fuzzing has proven to be an effective technique for discovering software vulnerabilities, and the availability of American Fuzzy Lop (AFL) has enabled numerous advances in overcoming the challenges of fuzzing. However, mutating complex file formats such as PDF remains an open problem because of the strict structural constraints such files must satisfy. Existing fuzzers, limited to bit/byte-level mutations of the input file, often produce mutants that the target application cannot parse. Our observation is that the in-memory representations of most file formats are simple, and that well-designed applications already contain printer functions that serialize these structures back to files. We therefore propose a technique that mutates the in-memory structures of an input and uses the application's own printer functions to regenerate the mutated file. Unlike prior approaches that require complex analysis to learn format constraints, our technique relies on the printer function to preserve them. We implement a prototype called FuzzInMem and compare it with AFL as well as other state-of-the-art fuzzers, including AFL++, MOpt, WEIZZ, and FormatFuzzer. The results show that FuzzInMem is scalable and substantially outperforms general-purpose fuzzers in valid seed generation and path coverage. By applying FuzzInMem to real-world applications, we found 29 unique vulnerabilities and were assigned 5 CVEs.
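The abstract's core argument is that byte-level mutation of a constrained file format almost always yields inputs the parser rejects, whereas mutating the parsed in-memory structure and re-serializing it with a printer keeps every length field and checksum consistent. The following added example illustrates that on a toy format constructed for this page; it is not FuzzInMem's code and the format (magic, record count, type/length/payload records, trailing CRC32) is an assumption made purely for demonstration. The real technique instruments the target's own structures and printer; here `parse`, `emit` and the two mutators stand in for them.

```python
"""Byte-level vs. in-memory mutation on a constructed, CRC-protected record format.

Constructed format (an assumption for this example, not FuzzInMem's):
  magic b"FZ" | count (1 byte) | records... | crc32 over everything before (4 bytes, BE)
  record: type (1 byte) | length (1 byte) | payload (length bytes)
"""
import random
import struct
import zlib
from dataclasses import dataclass, field

MAGIC = b"FZ"


class FormatError(ValueError):
    """Raised by the strict parser on any constraint violation."""


@dataclass
class Record:
    rtype: int
    payload: bytes


@dataclass
class Container:
    records: list = field(default_factory=list)


def parse(data: bytes) -> Container:
    """Strict parser: rejects bad magic, truncated records, trailing bytes and CRC mismatch."""
    if len(data) < 7 or data[:2] != MAGIC:
        raise FormatError("bad magic or too short")
    body, crc = data[:-4], struct.unpack(">I", data[-4:])[0]
    if (zlib.crc32(body) & 0xFFFFFFFF) != crc:
        raise FormatError("crc mismatch")
    count, pos, c = body[2], 3, Container()
    for _ in range(count):
        if pos + 2 > len(body):
            raise FormatError("truncated record header")
        rtype, length = body[pos], body[pos + 1]
        pos += 2
        if pos + length > len(body):
            raise FormatError("truncated payload")
        c.records.append(Record(rtype, body[pos:pos + length]))
        pos += length
    if pos != len(body):
        raise FormatError("trailing bytes")
    return c


def emit(c: Container) -> bytes:
    """Printer: re-derives every length field and the checksum from the structure."""
    if len(c.records) > 255:
        raise ValueError("too many records for a 1-byte count")
    out = bytearray(MAGIC)
    out.append(len(c.records))
    for r in c.records:
        if len(r.payload) > 255:
            raise ValueError("payload too long for a 1-byte length")
        out.append(r.rtype & 0xFF)
        out.append(len(r.payload))
        out += r.payload
    out += struct.pack(">I", zlib.crc32(bytes(out)) & 0xFFFFFFFF)
    return bytes(out)


def mutate_bytes(data: bytes, rng: random.Random) -> bytes:
    """Stand-in for AFL-style havoc: XOR one to four random bytes with a nonzero mask."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] ^= rng.randint(1, 255)
    return bytes(buf)


def mutate_structure(c: Container, rng: random.Random) -> Container:
    """Stand-in for in-memory mutation: edit records, never the serialized bytes."""
    recs = [Record(r.rtype, r.payload) for r in c.records]
    op = rng.choice(["flip", "dup", "drop", "grow", "retype"])
    if op == "dup" and recs and len(recs) < 255:
        src = rng.choice(recs)
        recs.append(Record(src.rtype, src.payload))
    elif op == "drop" and len(recs) > 1:
        recs.pop(rng.randrange(len(recs)))
    elif op == "grow" and recs:
        r = rng.choice(recs)
        r.payload = (r.payload + bytes([rng.randrange(256)]))[:255]
    elif op == "retype" and recs:
        rng.choice(recs).rtype = rng.randrange(256)
    elif recs:  # "flip", or a fallback when the chosen op was not applicable
        r = rng.choice(recs)
        if r.payload:
            b = bytearray(r.payload)
            b[rng.randrange(len(b))] ^= rng.randint(1, 255)
            r.payload = bytes(b)
    return Container(recs)


def seed_file() -> bytes:
    """Constructed seed: three valid records serialized by the printer."""
    return emit(Container([Record(1, b"hello"), Record(2, b"\x00\x01\x02"), Record(3, b"")]))


def compare(trials: int = 200, seed: int = 7) -> dict:
    """Count how many mutants of each kind the strict parser still accepts."""
    rng = random.Random(seed)
    seed_bytes = seed_file()
    seed_struct = parse(seed_bytes)
    byte_ok = struct_ok = 0
    for _ in range(trials):
        try:
            parse(mutate_bytes(seed_bytes, rng))
            byte_ok += 1
        except FormatError:
            pass
        try:
            parse(emit(mutate_structure(seed_struct, rng)))
            struct_ok += 1
        except FormatError:
            pass
    return {"trials": trials, "byte_level_valid": byte_ok, "in_memory_valid": struct_ok}


if __name__ == "__main__":
    print(compare())
```

Because every structural mutant is re-serialized by `emit`, the count, length and CRC fields are always consistent and all of those mutants pass `parse`; the byte-level mutants fail almost every time, since any flipped byte invalidates the CRC unless it collides. The caveat is that the printer only preserves constraints it knows how to enforce: semantic invariants the structure does not encode (cross-references, ordering rules the parser checks later) still need the structural mutator to respect them.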
Thu 18 Apr (displayed time zone: Lisbon)

14:00 - 15:30: Fuzzing 2 (Software Engineering in Practice / Research Track), at Fernando Pessoa. Chair(s): Thuan Pham (The University of Melbourne)
| Time | Length | Title | Track | Authors |
|---|---|---|---|---|
| 14:00 | 15m Talk | Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers | Research Track | Shuohan Wu (Hong Kong Polytechnic University), Zihao Li (The Hong Kong Polytechnic University), Luyi Yan (Hong Kong Polytechnic University), Weimin Chen (The Hong Kong Polytechnic University), Muhui Jiang (The Hong Kong Polytechnic University), Chenxu Wang (Xi'an Jiaotong University), Xiapu Luo (The Hong Kong Polytechnic University), Hao Zhou (Hong Kong Polytechnic University) |
| 14:15 | 15m Talk | RPG: Rust Library Fuzzing with Pool-based Fuzz Target Generation and Generic Support | Research Track | Zhiwu Xu (Shenzhen University), Bohao Wu (CSSE, Shenzhen University), Cheng Wen (Guangzhou Institute of Technology, Xidian University), Bin Zhang (Shenzhen University), Shengchao Qin (Fermat Labs, Huawei), Mengda He (Fermat Labs, Huawei) |
| 14:30 | 15m Talk | Extrapolating Coverage Rate in Greybox Fuzzing | Research Track | Danushka Liyanage (Monash University, Australia), Seongmin Lee (Max Planck Institute for Security and Privacy (MPI-SP)), Marcel Böhme (MPI-SP, Bochum), Kla Tantithamthavorn (Monash University) |
| 14:45 | 15m Talk | FuzzInMem: Fuzzing Programs via In-memory Structures | Research Track | Xuwei Liu (Purdue University, USA), Wei You (Renmin University of China), Yapeng Ye (Purdue University), Zhuo Zhang (Purdue University), Jianjun Huang (Renmin University of China), Xiangyu Zhang (Purdue University) |
| 15:00 | 15m Talk | Fuzz4All: Universal Fuzzing with Large Language Models | Research Track | Chunqiu Steven Xia (University of Illinois at Urbana-Champaign), Matteo Paltenghi (University of Stuttgart), Jia Le Tian (UIUC), Michael Pradel (University of Stuttgart), Lingming Zhang (University of Illinois at Urbana-Champaign) |
| 15:15 | 15m Talk | MicroFuzz: An Efficient Fuzzing Framework for Microservices | Software Engineering in Practice | |