Fuzzing is widely used to discover software bugs and vulnerabilities. Unfortunately, real-world long-running fuzzing campaigns often plateau: no further progress is made and code areas remain untested. State-of-the-art fuzzers use code coverage to measure progress and to reach new areas, but code coverage alone is insufficient to capture all program behavior: different behavior may yield identical code coverage, which stalls progress and masks bugs.
In this paper, we introduce StorFuzz, a novel technique that overcomes fuzzing plateaus and improves on code coverage by leveraging our new notion of data coverage. StorFuzz automatically identifies and instruments memory stores to capture changes in program behavior that are invisible to control flow, and uses them to diversify the saturated corpora of plateaued campaigns. StorFuzz leverages this diversified corpus of test cases that changed internal state to better navigate the input space, which in turn enables conventional fuzzers to improve their code coverage. We implement StorFuzz in LibAFL and evaluate it on FuzzBench, starting from a corpus saturated by multi-month OSS-Fuzz fuzzing campaigns and LibAFL.
We show that StorFuzz successfully generates new coverage for plateauing campaigns of widely used and well-fuzzed software, leading to the discovery of 50 new bugs in 7 OSS-Fuzz projects, such as VLC and PHP, with some bugs having been present in the code for 14 years. Our approach significantly outperforms both the state-of-the-art fuzzer LibAFL and the data-guided fuzzer DDFuzz in 11 of 23 FuzzBench benchmarks, while performing equally on all others. StorFuzz is also complementary to WingFuzz, an approach guided by static data, as the two fuzzers cover distinct code regions.
We make StorFuzz and our artifacts available as open source to aid reproducibility and allow easy reuse by future work.
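The plateau the abstract describes, and why store-based data coverage diversifies a saturated corpus, can be illustrated with a small simulation. The following is an added example written for this page, not StorFuzz's or LibAFL's code: a constructed toy target exposes a control-flow hook (`block`) and a store hook (`store`), and two feedback functions drive a minimal mutation loop. Edge feedback alone admits at most a handful of seeds because the target has only a few edges; adding bucketed store values as feedback keeps admitting inputs that reach new internal states. The bucketing scheme (bit length of the stored value) and the mutation operators are assumptions chosen for the example, not the paper's design.

```python
import random

# Constructed target and instrumentation; not the paper's implementation.

class Trace:
    """Collects the feedback one execution produces."""
    def __init__(self):
        self.edges = set()    # control-flow edges between labelled blocks
        self.stores = set()   # (store site, bucketed value) pairs
        self.prev = "entry"

    def block(self, name):
        self.edges.add((self.prev, name))
        self.prev = name

    def store(self, site, value):
        self.stores.add((site, bucket(value)))

def bucket(value):
    # Assumption for this example: coarse power-of-two bucketing, so a
    # 32-bit store yields at most 33 distinct feedback entries per site.
    return abs(int(value)).bit_length()

def target(data: bytes, t: Trace) -> int:
    """Constructed toy target: one branch on a magic byte, then an
    accumulated 'state' that depends on the rest of the input but never
    influences control flow, so edge coverage cannot see it change."""
    t.block("check_magic")
    if len(data) < 2 or data[0] != 0x42:
        t.block("reject")
        return -1
    t.block("accumulate")
    state = 0
    for b in data[1:]:
        state = (state * 31 + b) & 0xFFFFFFFF
    t.store("state", state)          # instrumented memory store
    t.block("finish")
    return state

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Assumed minimal mutator: overwrite, insert, or delete one byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def edge_feedback(t: Trace) -> set:
    return set(t.edges)

def data_feedback(t: Trace) -> set:
    # Code coverage plus store-value coverage, so the two are complementary.
    return set(t.edges) | set(t.stores)

def run_campaign(feedback, iterations: int = 2000, seed: int = 1) -> int:
    """Seeded, deterministic fuzz loop: keep a child only if it produces
    feedback never seen before. Returns the final corpus size."""
    rng = random.Random(seed)
    corpus = [b"\x42\x00"]           # constructed initial seed with valid magic
    seen = set()
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        t = Trace()
        target(child, t)
        novel = feedback(t) - seen
        if novel:
            seen |= novel
            corpus.append(child)
    return len(corpus)

if __name__ == "__main__":
    print("edge-feedback corpus size:", run_campaign(edge_feedback))
    print("data-feedback corpus size:", run_campaign(data_feedback))
```

The edge-only campaign plateaus once the four reachable edges are covered (corpus size at most five, including the initial seed), while the store-instrumented campaign keeps growing the corpus with inputs that leave a different value in `state`, which is exactly the diversification a plateaued corpus needs before a conventional fuzzer can push further.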
Thu 16 Apr (displayed time zone: Brasilia, Distrito Federal, Brazil)

11:00 - 12:30 | Testing and Analysis 8 | Research Track at Oceania IX | Chair(s): Luca Di Grazia (University of St. Gallen)

| Time | Format | Title | Track | Authors |
|---|---|---|---|---|
| 11:00 | 15m talk | RusyFuzz: Unhandled Exception Guided Fuzzing for Rust OS Kernel | Research Track | Yuwei Liu (Ant Group), Yanhao Wang (Independent Researcher), Minghua Wang (Ant Group), Lin Huang (Ant Group), Purui Su (Institute of Software/CAS China), Tao Wei (Ant Group) |
| 11:15 | 15m talk | VDBFuzz: Understanding and Detecting Crash Bugs in Vector Database Management Systems | Research Track | Shenao Wang (Huazhong University of Science and Technology), Zhao Liu (360 AI Security Lab), Yanjie Zhao (Huazhong University of Science and Technology), Quanchen Zou (360 AI Security Lab), Haoyu Wang (Huazhong University of Science and Technology) |
| 11:30 | 15m talk | GPTrace: Effective Crash Deduplication Using LLM Embeddings | Research Track | Patrick Herter (Fraunhofer AISEC), Vincent Ahlrichs (Fraunhofer AISEC), Ridvan Açilan (Technical University of Munich), Julian Horsch (Fraunhofer AISEC); pre-print, media attached |
| 11:45 | 15m talk | Is My RPC Response Reliable? Detecting RPC Bugs in Blockchain Client under Context | Research Track | Zhijie Zhong (School of Software Engineering, Sun Yat-sen University), Yuhong Nan (Sun Yat-sen University), Mingxi Ye (Sun Yat-sen University), Qing Xue (Sun Yat-sen University), Jiashui Wang (Zhejiang University), Long Liu, Xinlei Ying, Zibin Zheng (Sun Yat-sen University) |
| 12:00 | 15m talk | EchoFuzz: Empowering Smart Contract Fuzzing with Large Language Models | Research Track | Juanen Li (Tsinghua University), Peng Qian (Zhejiang University), Guanyan Li (University of Oxford), Rui Wang (Beijing Normal University), Peixin Wang (East China Normal University), Zhiqing Tang (Beijing Normal University), Fuchen Ma (Tsinghua University), Yuanliang Chen (Tsinghua University), Lun Zhang (GoPlus Security) |
| 12:15 | 15m talk | StorFuzz: Using Data Diversity to Overcome Fuzzing Plateaus | Research Track | Leon Weiß (Ruhr University Bochum), Tobias Holl (Ruhr University Bochum), Kevin Borgolte (Ruhr University Bochum); pre-print, media attached |