Static Exploration of Taint-Style Vulnerabilities Found by Fuzzing

06/01/2017
by Bhargava Shastry, et al.

Taint-style vulnerabilities comprise a majority of fuzzer-discovered program faults. These vulnerabilities usually manifest as memory access violations caused by tainted program input. Although fuzzers have helped uncover a majority of the taint-style vulnerabilities found in software to date, they are limited by (i) the extent of test coverage, and (ii) the availability of fuzzable test cases. Therefore, fuzzing alone cannot provide high assurance that all taint-style vulnerabilities have been uncovered. In this paper, we use static template matching to find recurrences of fuzzer-discovered vulnerabilities. To compensate for the inherent incompleteness of template matching, we implement a simple yet effective match-ranking algorithm that uses test coverage data to focus attention on those matches that lie in untested code. We prototype our approach using the Clang/LLVM compiler toolchain and use it in conjunction with afl-fuzz, a modern coverage-guided fuzzer. Using a case study carried out on the Open vSwitch codebase, we show that our prototype uncovers corner cases in modules that lack a fuzzable test harness. Our work demonstrates that static analysis can effectively complement fuzz testing, and is a useful addition to the security assessment toolset. Furthermore, our techniques hold promise for increasing the effectiveness of program analysis and testing, and serve as a building block for a hybrid vulnerability discovery framework.
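The match-ranking step described in the abstract (rank static template matches so that the ones sitting in code the fuzzer never reached are reviewed first) can be sketched independently of the Clang/LLVM prototype. The following is an added illustration, not the paper's code: it parses the lcov tracefile format (the `SF:`, `FNDA:`, `DA:`, `end_of_record` records emitted by `lcov` and by `llvm-cov export -format=lcov`) and orders a list of template matches by how untested their location is. The file names, function names, template names, coverage records and match list are all constructed for this example; a real pipeline would take the matches from a Clang AST matcher and the tracefile from a fuzzing or unit-test run.

```python
"""Rank static template matches by test coverage (added example, not the paper's tool).

Ranking rule: a match whose enclosing function was never executed ranks first,
then matches on lines that were never executed inside an executed function,
then everything else by ascending hit count.  A file with no coverage record at
all is treated as entirely untested.
"""
from dataclasses import dataclass, field


@dataclass
class FileCoverage:
    lines: dict = field(default_factory=dict)   # line number -> execution count
    funcs: dict = field(default_factory=dict)   # function name -> call count


@dataclass(frozen=True)
class Match:
    file: str
    line: int
    function: str   # enclosing function, as an AST matcher would report it
    template: str   # name of the vulnerability template that matched


def parse_lcov(text):
    """Parse the subset of the lcov tracefile format needed for ranking.

    Handled records: SF:<path>, FNDA:<count>,<func>, DA:<line>,<count>[,<checksum>],
    end_of_record.  Other records (TN:, FN:, LF:, LH:, ...) are ignored.
    """
    files = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SF:"):
            cur = files.setdefault(line[3:], FileCoverage())
        elif line.startswith("DA:") and cur is not None:
            num, count = line[3:].split(",")[:2]
            cur.lines[int(num)] = cur.lines.get(int(num), 0) + int(count)
        elif line.startswith("FNDA:") and cur is not None:
            count, name = line[5:].split(",", 1)
            cur.funcs[name] = cur.funcs.get(name, 0) + int(count)
        elif line == "end_of_record":
            cur = None
    return files


def rank_key(match, files):
    """Sort key: smaller means less tested, so it sorts first."""
    cov = files.get(match.file)
    if cov is None:
        # No record at all: the file was never part of a tested binary.
        return (0, 0, 0)
    func_hits = cov.funcs.get(match.function, 0)
    line_hits = cov.lines.get(match.line, 0)
    return (1 if func_hits else 0, 1 if line_hits else 0, line_hits)


def rank_matches(matches, files):
    """Return matches ordered so that the least-tested code comes first (stable)."""
    return sorted(matches, key=lambda m: rank_key(m, files))


# Constructed tracefile: two files with records, one (lib/nofuzz.c) without any.
LCOV_TRACEFILE = """\
TN:
SF:lib/decoder.c
FN:10,decode_field
FNDA:57,decode_field
DA:10,57
DA:11,57
DA:12,0
end_of_record
SF:lib/printer.c
FN:40,print_bundle
FNDA:0,print_bundle
DA:40,0
DA:41,0
end_of_record
"""

# Constructed matches for two hypothetical templates.
MATCHES = [
    Match("lib/decoder.c", 11, "decode_field", "tainted-length-memcpy"),  # executed line
    Match("lib/decoder.c", 12, "decode_field", "tainted-length-memcpy"),  # dead branch
    Match("lib/printer.c", 40, "print_bundle", "tainted-index-array"),    # never called
    Match("lib/nofuzz.c", 7, "parse_header", "tainted-length-memcpy"),    # no coverage record
]


def ranked_locations(matches=MATCHES, tracefile=LCOV_TRACEFILE):
    """Convenience wrapper returning 'file:line' strings in review order."""
    files = parse_lcov(tracefile)
    return [f"{m.file}:{m.line}" for m in rank_matches(matches, files)]


if __name__ == "__main__":
    for loc in ranked_locations():
        print(loc)
```

The two matches in code no test ever executed (the uncalled `print_bundle` and the file with no coverage record) come out on top, the match on the dead `DA:12,0` branch follows, and the match on a line the fuzzer hit 57 times is reviewed last. Ties keep their original order because Python's sort is stable.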


