Automata-guided control-flow-sensitive fuzz driver generation
Publication Type
Conference Proceeding Article
Publication Date
8-2023
Abstract
Fuzz drivers are essential for fuzzing library APIs. However, manually composing fuzz drivers is difficult and time-consuming. Therefore, several works have been proposed to generate fuzz drivers automatically. Although these works can learn correct API usage from the consumer programs of the target library, three challenges still hinder the quality of the generated fuzz drivers: 1) how to learn and utilize the control dependencies in API usage; 2) how to handle the noise in the learned API usage, especially for complex real-world consumer programs; 3) how to organize independent sets of API usage inside the fuzz driver to better coordinate with fuzzers. To solve these challenges, we propose RUBICK, an automata-guided control-flow-sensitive fuzz driver generation technique. RUBICK has three key features: 1) it models the API usage (including API data and control dependencies) as a deterministic finite automaton; 2) it leverages an active automata learning algorithm to distill the learned API usage; 3) it synthesizes a single automata-guided fuzz driver, which provides a scheduling interface for the fuzzer to test independent sets of API usage during fuzzing. In the experiments, the fuzz drivers generated by RUBICK showed a significant performance advantage over the baselines, covering an average of 50.42% more edges than fuzz drivers generated by FUZZGEN and 44.58% more edges than manually written fuzz drivers from OSS-Fuzz or human experts. By learning from large-scale open source projects, RUBICK has generated fuzz drivers for 11 popular Java projects, two of which have been merged into OSS-Fuzz. So far, 199 bugs, including four CVEs, have been found using these fuzz drivers, affecting popular PC and Android software with dozens of millions of downloads.
Discipline
Artificial Intelligence and Robotics
Research Areas
Intelligent Systems and Optimization
Publication
Proceedings of the 32nd USENIX Security Symposium, Anaheim, California, United States of America, August 9-11
Publisher
USENIX
City or Country
Berkeley, California
Citation
ZHANG, Cen; LI, Yuekang; ZHOU, Hao; ZHANG, Xiaohan; ZHENG, Yaowen; ZHAN, Xian; XIE, Xiaofei; LUO, Xiapu; LI, Xinghua; LIU, Yang Liu; and HABIB, Sheikh M..
Automata-guided control-flow-sensitive fuzz driver generation. (2023). Proceedings of the 32nd USENIX Security Symposium, Anaheim, California, United States of America, August 9-11.
Available at: https://ink.library.smu.edu.sg/sis_research/8245