V-Fuzz: Vulnerability-Oriented Evolutionary Fuzzing

01/04/2019
by Yuwei Li, et al.

Fuzzing is a technique for finding bugs by repeatedly executing software with a large number of abnormal inputs. Most existing fuzzers treat all parts of a program equally and pay too much attention to improving code coverage. This is inefficient, as vulnerable code makes up only a tiny fraction of the entire code. In this paper, we design and implement a vulnerability-oriented evolutionary fuzzing prototype named V-Fuzz, which aims to find bugs efficiently and quickly in a limited time. V-Fuzz consists of two main components: a neural network-based vulnerability prediction model and a vulnerability-oriented evolutionary fuzzer. Given a binary program, the vulnerability prediction model gives a prior estimate of which parts of the software are more likely to be vulnerable. Then the fuzzer leverages an evolutionary algorithm to generate inputs that tend to reach the vulnerable locations, guided by the vulnerability prediction result. Experimental results demonstrate that V-Fuzz can find bugs more efficiently than state-of-the-art fuzzers. Moreover, V-Fuzz has discovered 10 CVEs, 3 of which are newly discovered. We reported the new CVEs, and they have been confirmed and fixed.
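The abstract's idea of an evolutionary fuzzer steered by per-location vulnerability estimates can be illustrated with a toy loop. This is an added example, not V-Fuzz's code: the target `trace`, the block names, the integer scores and the fitness rule (sum of predicted scores over reached blocks) are all assumptions made for illustration.

```python
# Constructed per-block scores standing in for the prediction model's output
# (assumption: integer 0-100, higher = predicted more likely vulnerable).
BLOCK_SCORE = {"entry": 5, "parse_hdr": 10, "log": 2, "copy_body": 90}

def trace(data: bytes) -> list:
    """Toy instrumented target: returns the basic blocks an input executes."""
    blocks = ["entry"]
    if len(data) >= 2 and data[0] == ord("V"):
        blocks.append("parse_hdr")
        if data[1] > 0x7F:                # length byte with the high bit set
            blocks.append("copy_body")    # the block the model scored highest
    else:
        blocks.append("log")
    return blocks

def fitness(data: bytes) -> int:
    """Assumed fitness rule: sum of predicted scores over distinct blocks hit."""
    return sum(BLOCK_SCORE[b] for b in set(trace(data)))

def mutations(data: bytes):
    """All single-byte substitutions. Exhaustive to keep the toy deterministic;
    a real fuzzer samples mutations randomly instead."""
    for i in range(len(data)):
        for v in range(256):
            if v != data[i]:
                yield data[:i] + bytes([v]) + data[i + 1:]

def evolve(seeds, generations: int, keep: int = 4) -> bytes:
    """Elitist loop: mutate survivors, keep the `keep` fittest, repeat."""
    population = list(seeds)
    for _ in range(generations):
        pool = set(population)
        for parent in population:
            pool.update(mutations(parent))
        # Highest fitness first; ties broken by byte order for determinism.
        population = sorted(pool, key=lambda d: (-fitness(d), d))[:keep]
    return population[0]

if __name__ == "__main__":
    for gen in range(3):
        best = evolve([b"AA"], gen)
        print(gen, best, fitness(best), trace(best))
```

Because `copy_body` dominates the score, selection favors inputs that pass the header check first and then the length check, so the population moves toward the flagged block instead of spreading effort evenly across all blocks.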
