Automata-guided control-flow-sensitive fuzz driver generation

Author

Cen ZHANG
Yuekang LI
Hao ZHOU
Xiaohan ZHANG
Yaowen ZHENG
Xian ZHAN
Xiaofei XIE, Singapore Management UniversityFollow
Xiapu LUO
Xinghua LI
Yang Liu LIU
Sheikh M. HABIB

Publication Type

Conference Proceeding Article

Publication Date

8-2023

Abstract

Fuzz drivers are essential for fuzzing library APIs. However, manually composing fuzz drivers is difficult and time-consuming. Therefore, several works have been proposed to generate fuzz drivers automatically. Although these works can learn correct API usage from the consumer programs of the target library, three challenges still hinder the quality of the generated fuzz drivers: 1) How to learn and utilize the control dependencies in API usage; 2) How to handle the noises of the learned API usage, especially for complex real-world consumer programs; 3) How to organize independent sets of API usage inside the fuzz driver to better coordinate with fuzzers.To solve these challenges, we propose RUBICK, an automata-guided control-flow-sensitive fuzz driver generation technique. RUBICK has three key features: 1) it models the API usage (including API data and control dependencies) as a deterministic finite automaton; 2) it leverages active automata learning algorithm to distill the learned API usage; 3) it synthesizes a single automata-guided fuzz driver, which provides scheduling interface for the fuzzer to test independent sets of API usage during fuzzing. During the experiments, the fuzz drivers generated by RUBICK showed a significant performance advantage over the baselines by covering an average of 50.42% more edges than fuzz drivers generated by FUZZGEN and 44.58% more edges than manually written fuzz drivers from OSS-Fuzz or human experts. By learning from large-scale open source projects, RUBICK has generated fuzz drivers for 11 popular Java projects and two of them have been merged into OSS-Fuzz. So far, 199 bugs, including four CVEs, are found using these fuzz drivers, which can affect popular PC and Android software with dozens of millions of downloads.

Discipline

Artificial Intelligence and Robotics

Research Areas

Intelligent Systems and Optimization

Publication

Proceedings of the 32nd USENIX Security Symposium, Anaheim, California, United States of America, August 9-11

Publisher

USENIX

City or Country

Berkeley, California

Citation

ZHANG, Cen; LI, Yuekang; ZHOU, Hao; ZHANG, Xiaohan; ZHENG, Yaowen; ZHAN, Xian; XIE, Xiaofei; LUO, Xiapu; LI, Xinghua; LIU, Yang Liu; and HABIB, Sheikh M.. Automata-guided control-flow-sensitive fuzz driver generation. (2023). Proceedings of the 32nd USENIX Security Symposium, Anaheim, California, United States of America, August 9-11.
Available at: https://ink.library.smu.edu.sg/sis_research/8245