Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
5-2020
Abstract
Existing coverage-based fuzzers typically use individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger a UaF vulnerability, one needs not only to cover individual edges but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and we develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities that violate typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences that potentially violate the property. Our fuzzing process is then guided by these operation sequences in order to progressively generate test cases that trigger property violations. In addition, we employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely used real-world programs. The experimental results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities and received 5 new CVEs.
Keywords
Fuzzing, Typestate-guided fuzzing, Use-after-Free vulnerabilities
Discipline
OS and Networks | Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
Proceedings of the 42nd International Conference on Software Engineering, Seoul, South Korea, 2020, May 23-29
First Page
999
Last Page
1010
ISBN
9781450371216
Identifier
10.1145/3377811.3380386
Publisher
Association for Computing Machinery
City or Country
Seoul, South Korea
Citation
WANG, Haijun; XIE, Xiaofei; LI, Yi; WEN, Cheng; LI, Yuekang; LIU, Yang; QIN, Shengchao; CHEN, Hongxu; and SUI, Yulei.
Typestate-guided fuzzer for discovering use-after-free vulnerabilities. (2020). Proceedings of the 42nd International Conference on Software Engineering, Seoul, South Korea, 2020, May 23-29. 999-1010.
Available at: https://ink.library.smu.edu.sg/sis_research/7086
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.