More Like this

1. FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing

   Zhang, Zenong ; Patterson, Zach ; Hicks, Michael ; Wei, Shiyi ( August 2022 , 31st USENIX Security Symposium)

   Fuzz testing is an active area of research with proposed improvements published at a rapid pace. Such proposals are assessed empirically: Can they be shown to perform better than the status quo? Such an assessment requires a benchmark of target programs with well-identified, realistic bugs. To ease the construction of such a benchmark, this paper presents FIXREVERTER, a tool that automatically injects realistic bugs in a program. FIXREVERTER takes as input a bugfix pattern which contains both code syntax and semantic conditions. Any code site that matches the specified syntax is undone if the semantic conditions are satisfied, as checked by static analysis, thus (re)introducing a likely bug. This paper focuses on three bugfix patterns, which we call conditional-abort, conditional-execute, and conditional-assign, based on a study of fixes in a corpus of Common Vulnerabilities and Exposures (CVEs). Using FIXREVERTER we have built REVBUGBENCH, which consists of 10 programs into which we have injected nearly 8,000 bugs; the programs are taken from FuzzBench and Binutils, and represent common targets of fuzzing evaluations. We have integrated REVBUGBENCH into the FuzzBench service, and used it to evaluate five fuzzers. Fuzzing performance varies by fuzzer and program, as desired/expected. Overall, 219 unique bugs weremore »reported, 19% of which were detected by just one fuzzer.« less
2. One Fuzzing Strategy to Rule Them All

   https://doi.org/10.1145/3510003.3510174  

   Wu, Mingyuan ; Jiang, Ling ; Xiang, Jiahong ; Huang, Yanwei ; Cui, Heming ; Zhang, Lingming ; Zhang, Yuqun ( April 2022 , Proceedings of the International Conference on Software Engineering)

   Coverage-guided fuzzing has become mainstream in fuzzing to automatically expose program vulnerabilities. Recently, a group of fuzzers are proposed to adopt a random search mechanism namely Havoc, explicitly or implicitly, to augment their edge exploration. However, they only tend to adopt the default setup of Havoc as an implementation option while none of them attempts to explore its power under diverse setups or inspect its rationale for potential improvement. In this paper, to address such issues, we conduct the first empirical study on Havoc to enhance the understanding of its characteristics. Specifically, we first find that applying the default setup of Havoc to fuzzers can significantly improve their edge coverage performance. Interestingly, we further observe that even simply executing Havoc itself without appending it to any fuzzer can lead to strong edge coverage performance and outperform most of our studied fuzzers. Moreover, we also extend the execution time of Havoc and find that most fuzzers can not only achieve significantly higher edge coverage, but also tend to perform similarly (i.e., their performance gaps get largely bridged). Inspired by the findings, we further propose Havoc𝑀𝐴𝐵, which models the Havoc mutation strategy as a multi-armed bandit problem to be solved by dynamicallymore »adjusting the mutation strategy. The evaluation result presents that Havoc𝑀𝐴𝐵 can significantly increase the edge coverage by 11.1% on average for all the benchmark projects compared with Havoc and even slightly outperform state-of-the-art QSYM which augments its computing resource by adopting three parallel threads. We further execute Havoc𝑀𝐴𝐵 with three parallel threads and result in 9% higher average edge coverage over QSYM upon all the benchmark projects« less
3. Evaluating Synthetic Bugs

   https://doi.org/10.1145/3433210.3453096  

   Bundt, Joshua ; Fasano, Andrew ; Dolan-Gavitt, Brendan ; Robertson, William ; Leek, Tim ( May 2021 , ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security)

   Fuzz testing has been used to find bugs in programs since the 1990s, but despite decades of dedicated research, there is still no consensus on which fuzzing techniques work best. One reason for this is the paucity of ground truth: bugs in real programs with known root causes and triggering inputs are difficult to collect at a meaningful scale. Bug injection technologies that add synthetic bugs into real programs seem to offer a solution, but the differences in finding these synthetic bugs versus organic bugs have not previously been explored at a large scale. Using over 80 years of CPU time, we ran eight fuzzers across 20 targets from the Rode0day bug-finding competition and the LAVA-M corpus. Experiments were standardized with respect to compute resources and metrics gathered. These experiments show differences in fuzzer performance as well as the impact of various configuration options. For instance, it is clear that integrating symbolic execution with mutational fuzzing is very effective and that using dictionaries improves performance. Other conclusions are less clear-cut; for example, no one fuzzer beat all others on all tests. It is noteworthy that no fuzzer found any organic bugs (i.e., one reported in a CVE), despite 50 suchmore »bugs being available for discovery in the fuzzing corpus. A close analysis of results revealed a possible explanation: a dramatic difference between where synthetic and organic bugs live with respect to the "main path" discovered by fuzzers. We find that recent updates to bug injection systems have made synthetic bugs more difficult to discover, but they are still significantly easier to find than organic bugs in our target programs. Finally, this study identifies flaws in bug injection techniques and suggests a number of axes along which synthetic bugs should be improved.« less
4. Determining the Impact of Cybersecurity Failures During and Attributable to Pandemics and Other Emergency Situations

   Lusardi, Maria Clare ; Dubovoy, Isaac ; Straub, Jeremy ( January 2020 , IEEE Applied Imagery Pattern Recognition Workshop)

   In emergency situations, such as the current COVID-19 pandemic, less immediate concerns such as cybersecurity and long-term economic impact can fall by the wayside. This paper presents a discussion of the impact of cybersecurity issues that occur during and are attributable to pandemics and other emergency situations. This discussion is facilitated by a simulation tool, the Disaster Vulnerability Threat and Impact Simulator System (DVTISS). DVTISS simulates the network structure, security measures, user characteristics and demographics, data, and devices of an organization or region’s computing infrastructure. The system is provided input parameters and performs analysis to identify the combined results of numerous different decisions, which are made in concert, to identify the types of vulnerabilities that may be present and the impact of their exploitation. The impacts of system unavailability are considered. This can aid businesses, governments and others in determining the level of prioritization that should be given to cybersecurity considerations. The simulator can also be used for disaster preparedness and planning, evaluating particular response strategies and the evaluation of laws and policies that impact IT decision making during emergencies. This paper uses the DVTISS tool to consider organizational responses to several example emergency situations. It demonstrates the utility ofmore »the tool as well as its efficacy for decision making support. Based on the example emergencies, the paper also discusses key areas of vulnerability during emergency situations and their financial, data and system outage impacts. © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.« less
5. GLeeFuzz: Fuzzing WebGL Through Error Message Guided Mutation

   Peng, Hui ; Yao Zhihao ; Sani, Amiri Ardalan ; Tian, Dave ; Payer, Mathias ( August 2023 , USENIX Security'23)

   WebGL is a set of standardized JavaScript APIs for GPU-accelerated graphics. Security of the WebGL interface is paramount because it exposes remote and unsandboxed access to the underlying graphics stack (including the native GL libraries and GPU drivers) in the host OS. Unfortunately, applying state-of-the-art fuzzing techniques to the WebGL interface for vulnerability discovery is challenging because of (1) its huge input state space, and (2) the infeasibility of collecting code coverage across concurrent processes, closed-source libraries, and device drivers in the kernel. Our fuzzing technique, GLeeFuzz, guides input mutation by error messages instead of code coverage. Our key observation is that browsers emit meaningful error messages to aid developers in debugging their WebGL programs. Error messages indicate which part of the input fails (e.g., incomplete arguments, invalid arguments, or unsatisfied dependencies between API calls). Leveraging error messages as feedback, the fuzzer effectively expands coverage by focusing mutation on erroneous parts of the input. We analyze Chrome’s WebGL implementation to identify the dependencies between error-emitting statements and rejected parts of the input, and use this information to guide input mutation. We evaluate our GLeeFuzz prototype on Chrome, Firefox, and Safari on diverse desktop and mobile OSes. We discovered 7 vulnerabilities,more »4 in Chrome, 2 in Safari, and 1 in Firefox. The Chrome vulnerabilities allow a remote attacker to freeze the GPU and possibly execute remote code at the browser privilege.« less