CLOSUREX: Transforming Source Code for Correct Persistent Fuzzing

Fuzzing is a popular technique which has been adopted for automated vulnerability research for software hardening.
Research reveals that increasing fuzzing throughput directly increases bug discovery rate.
Given fuzzing revolves around executing a large number of test cases, test case execution rate is the dominant component of overall fuzzing throughput.
To increase test case execution rate, researchers provide techniques that reduce the amount of time spent performing work that is independent of specific test case data.
The highest performance approach is persistent fuzzing, which reuses a single process for all test cases by looping back to the start instead of exiting.
This eliminates all process initialization and tear-down costs.
Unfortunately, persistent fuzzing leads to semantically inconsistent program states because process state changes made by one test case remain in place for subsequent test cases.
This semantic inconsistency results in both missed crashes and false crashes, undermining fuzzing effectiveness.
I observe that existing fuzzing execution mechanisms exist on a continuum, based on the amount of state that gets discarded and restored between test cases.
I present a fuzzing execution mechanism that sits at a new spot on this state restoration continuum, where only test-case-execution-specific state is reset.
This fine-grain state restoration provides near-persistent performance with the correctness of heavyweight state restoration.
I construct CLOSUREX as a set of LLVM compiler passes that integrate with AFL++.
Our evaluation on ten popular open-source fuzzing targets shows that CLOSUREX maintains semantic correctness while increasing test case execution rate by over 3.5x, on average, compared to AFL++.
CLOSUREX also finds bugs more consistently and 1.9x faster than AFL++, with CLOSUREX discovering 15 0-day bugs (4 CVEs).

Master of Science

Fuzzing is a technique of automated vulnerability research which tries to find bugs in programs by generating randomised inputs and feeding them to the program under test. It then monitors the program execution to identify any crashing inputs, which can later be triaged by a human in order to concretely identify any bugs, as well as to perform root-cause analysis. In this work, I introduce a new program state restoration technique to achieve correctness in persistent mode, the fastest execution mechanism in fuzzing.

Identifier: oai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/119182
Date: 29 May 2024
Creators: Ranjan, Rishi
Contributors: Computer Science & Applications, Hicks, Matthew, Hoang, Thang, Meng, Na
Publisher: Virginia Tech
Source Sets: Virginia Tech Theses and Dissertation
Language: English
Detected Language: English
Type: Thesis
Format: ETD, application/pdf
Rights: In Copyright, http://rightsstatements.org/vocab/InC/1.0/