Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Wang, H; Xie, X; Li, Y; Wen, C; Li, Y; Liu, Y; Qin, S; Chen, H; Sui, Y

Typestate-guided fuzzer for discovering use-after-free vulnerabilities

Wang, H Xie, X Li, Y Wen, C Li, Y Liu, Y Qin, S Chen, H Sui, Y

Permalink

Publisher:: ACM
Publication Type:: Conference Proceeding
Citation:: Proceedings - International Conference on Software Engineering, 2020, pp. 999-1010
Issue Date:: 2020-06-27

Closed Access

	Filename	Description	Size
	icse20.pdf	Accepted version	944.25 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Wang, H
dc.contributor.author	Xie, X
dc.contributor.author	Li, Y
dc.contributor.author	Wen, C
dc.contributor.author	Li, Y
dc.contributor.author	Liu, Y
dc.contributor.author	Qin, S
dc.contributor.author	Chen, H
dc.contributor.author	Sui, Y https://orcid.org/0000-0002-9510-6574
dc.date.accessioned	2021-01-28T00:24:54Z
dc.date.available	2021-01-28T00:24:54Z
dc.date.issued	2020-06-27
dc.identifier.citation	Proceedings - International Conference on Software Engineering, 2020, pp. 999-1010
dc.identifier.isbn	9781450371216
dc.identifier.issn	0270-5257
dc.identifier.uri	http://hdl.handle.net/10453/145621
dc.description.abstract	© 2020 Association for Computing Machinery. Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestateguided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.
dc.language	en
dc.publisher	ACM
dc.relation.ispartof	Proceedings - International Conference on Software Engineering
dc.relation.ispartof	ICSE '20: 42nd International Conference on Software Engineering
dc.relation.isbasedon	10.1145/3377811.3380386
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Typestate-guided fuzzer for discovering use-after-free vulnerabilities
dc.type	Conference Proceeding
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Strength - AAII - Australian Artificial Intelligence Institute
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
pubs.organisational-group	/University of Technology Sydney
utslib.copyright.status	closed_access	*
dc.date.updated	2021-01-28T00:23:58Z
pubs.publication-status	Published

Abstract:

© 2020 Association for Computing Machinery. Existing coverage-based fuzzers usually use the individual control flow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some (long) sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we propose to model UaF vulnerabilities as typestate properties, and develop a typestateguided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Our fuzzing process is then guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also employ an information flow analysis to improve the efficiency of the fuzzing process. We have performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, in terms of the time taken to discover vulnerabilities. We have discovered 10 previously unknown vulnerabilities, and received 5 new CVEs.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/145621