Fuzzing with Advanced Program Exploration and Bug Modeling for Software Security

Author(s)
Chen, Yongheng
Abstract
Fuzzing is a widely adopted software testing technique. It operates by generating random inputs, executing them against a target program, and probing the resulting program states for anomalies. Despite its proven utility, fuzzing has limitations. Like other dynamic testing methods, it explores the program state space inadequately. This stems from issues such as the unstructured nature of the generated inputs and the inefficient use of computational resources across multiple cores. A more critical shortcoming of traditional fuzzing lies in its bug modeling: it detects bugs primarily through program crashes, overlooking the many bugs that do not crash the program but are equally consequential. Developing dedicated oracles is a step toward refined bug modeling, but it is often impractical because crafting oracles is costly: they are typically bug-specific or tailored to individual programs. To address these limitations, we propose improvements along two dimensions, which scale the program exploration capability and enhance bug modeling in fuzzing. To explore more program states, we propose POLYGLOT and µFUZZ, which scale program exploration vertically and horizontally, respectively. POLYGLOT uses a unified intermediate representation to handle diverse programming languages, generating semantically valid inputs that drive deeper program exploration; it found over 170 new bugs in 21 language processors. µFUZZ employs a microservice architecture to maximize the efficiency of parallel fuzzing, reducing synchronization overhead and improving the utilization of computational resources. Moreover, µFUZZ found 11 new bugs in well-tested, popular programs.
To enhance bug modeling, we introduce PROPGUARD, a framework that enables the specification and automatic detection of a wide range of bug patterns, moving beyond crash detection to identify subtle, non-crashing bugs. By allowing users to define bug patterns in an intuitive specification language, PROPGUARD makes targeted fuzzing oracles practical to develop, significantly broadening the spectrum of detectable software vulnerabilities; it found two new non-crashing issues in open-source projects.
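The distinction the abstract draws between crash-only detection and a user-specified property oracle, as an added illustration that is not code from the dissertation or from POLYGLOT, µFUZZ or PROPGUARD: a toy key=value parser with a deliberately silent bug, a structured input generator that only emits syntactically valid records, and two oracles run by the same fuzz loop. The parser, the generator, the oracles and the fuzz loop are all constructed for this example; a framework like PROPGUARD would express the property in its own specification language rather than as a Python predicate.

```python
"""Added example (not the dissertation's code): a minimal fuzz loop that
contrasts a crash-only oracle with a user-specified property oracle.

Everything here (target, generator, oracles) is a constructed toy."""
import random
from typing import Callable, Dict, Optional, Tuple


# Hypothetical target: parses "k=v;k=v;..." into a dict.  It has a silent bug:
# a final pair with no trailing ';' is dropped.  Nothing raises, so a
# crash-only oracle can never observe the defect.
def parse_kv(text: str) -> Dict[str, str]:
    pairs: Dict[str, str] = {}
    buf = ""
    for ch in text:
        if ch == ";":
            key, _, value = buf.partition("=")
            pairs[key] = value
            buf = ""
        else:
            buf += ch
    # BUG (intentional for the example): leftover 'buf' is discarded.
    return pairs


def serialize_kv(pairs: Dict[str, str]) -> str:
    return ";".join(f"{k}={v}" for k, v in pairs.items())


# Structured generator: every output is a syntactically valid record with
# distinct keys, so the fuzzing budget is spent past the parser's front end
# rather than on inputs the tokenizer rejects.  Half the records carry a
# trailing ';' and half do not, which is the edge the bug lives on.
def gen_record(rng: random.Random) -> str:
    n = rng.randint(1, 4)
    keys = rng.sample("abcdefgh", n)
    body = ";".join(f"{k}={rng.randint(0, 99)}" for k in keys)
    return body + (";" if rng.random() < 0.5 else "")


# Oracles take an input and return a finding string, or None if the input
# passed.  The fuzz loop does not know which kind of oracle it is running.
Oracle = Callable[[str], Optional[str]]


def crash_oracle(inp: str) -> Optional[str]:
    """Traditional fuzzing's implicit oracle: only exceptions count."""
    try:
        parse_kv(inp)
    except Exception as exc:  # noqa: BLE001 - any crash is a finding
        return f"crash: {type(exc).__name__}"
    return None


def normalize(inp: str) -> str:
    # A valid record is canonical up to the optional trailing ';'.
    return inp.rstrip(";")


def roundtrip_oracle(inp: str) -> Optional[str]:
    """User-specified property: serialize(parse(x)) must equal canonical x."""
    out = serialize_kv(parse_kv(inp))
    if out != normalize(inp):
        return f"property violated: {inp!r} -> {out!r}"
    return None


def fuzz(oracle: Oracle, iterations: int = 200, seed: int = 7
         ) -> Optional[Tuple[int, str, str]]:
    """Run the oracle over generated inputs; return (iteration, input, finding)
    for the first violation, or None if the budget is exhausted cleanly."""
    rng = random.Random(seed)
    for i in range(iterations):
        inp = gen_record(rng)
        finding = oracle(inp)
        if finding is not None:
            return (i, inp, finding)
    return None


if __name__ == "__main__":
    print("crash oracle:   ", fuzz(crash_oracle))       # None: nothing ever crashes
    print("property oracle:", fuzz(roundtrip_oracle))   # finds the dropped pair
```

Both runs draw the same input sequence from the same seed; the only difference is the oracle. The crash oracle exhausts its budget with no finding, while the round-trip property flags the first record that lacks a trailing `;`, which is the kind of non-crashing, consequential bug the abstract says crash-only fuzzing overlooks. The cost of the property oracle here is two lines, but in a real program it would be specific to that program's data model, which is exactly the expense a reusable specification language is meant to reduce.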
Date
2024-06-13
Resource Type
Text
Resource Subtype
Dissertation