Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing

Emre Güler; Philipp Görz; Elia Geretto; Andrea Jemmett; Sebastian Österlund; Herbert Bos; Cristiano Giuffrida; Thorsten Holz

doi:10.1145/3427228.3427266

Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing

Emre Güler
, Philipp Görz
, Elia Geretto
, Andrea Jemmett
, Sebastian Österlund
, Herbert Bos
, Cristiano Giuffrida
, Thorsten Holz

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

659 Downloads (Pure)

Abstract

Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, we improve the latency for obtaining 95% and 99% of the coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.

Original language	English
Title of host publication	ACSAC 2020
Subtitle of host publication	Annual Computer Security Applications Conference
Publisher	Association for Computing Machinery
Pages	360-372
Number of pages	13
ISBN (Electronic)	9781450388580
DOIs	https://doi.org/10.1145/3427228.3427266
Publication status	Published - 2020
Event	36th Annual Computer Security Applications Conference, ACSAC 2020 - Virtual, Online, United States Duration: 7 Dec 2020 → 11 Dec 2020

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	36th Annual Computer Security Applications Conference, ACSAC 2020
Country/Territory	United States
City	Virtual, Online
Period	7/12/20 → 11/12/20

Funding

We would like to thank our shepherd Hayawardh Vijayakumar and the anonynous reviewers for their constructive feedback. This work was supported by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC-2092 CaSa – 390781972. In addition, this project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 786669 (ReAct). This paper reflects only the authors’ view. The Research Executive Agency is not responsible for any use that may be made of the information it contains.

Funders	Funder number
Horizon 2020 Framework Programme	786669
Deutsche Forschungsgemeinschaft	EXC-2092 CaSa – 390781972

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 17 Partnerships for the Goals

Keywords

automated bug finding
collaborative fuzzing
ensemble fuzzing
fuzzing
parallel fuzzing

Access to Document

10.1145/3427228.3427266

Cupid_Automatic Fuzzer Selection for Collaborative FuzzingFinal published version, 898 KBLicence: Article 25fa Dutch Copyright Act

Persistent URL (handle)

Persistent link

Cite this

Güler, E., Görz, P., Geretto, E., Jemmett, A., Österlund, S., Bos, H., Giuffrida, C., & Holz, T. (2020). Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing. In ACSAC 2020: Annual Computer Security Applications Conference (pp. 360-372). Article 3427266 (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3427228.3427266

@inproceedings{eac10c8047424eba92f363bece5b4114,

title = "Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing",

abstract = "Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10\%. Most importantly, we improve the latency for obtaining 95\% and 99\% of the coverage by 90\% and 64\%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.",

keywords = "automated bug finding, collaborative fuzzing, ensemble fuzzing, fuzzing, parallel fuzzing",

author = "Emre G{\"u}ler and Philipp G{\"o}rz and Elia Geretto and Andrea Jemmett and Sebastian {\"O}sterlund and Herbert Bos and Cristiano Giuffrida and Thorsten Holz",

year = "2020",

doi = "10.1145/3427228.3427266",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "360--372",

booktitle = "ACSAC 2020",

note = "36th Annual Computer Security Applications Conference, ACSAC 2020 ; Conference date: 07-12-2020 Through 11-12-2020",

}

Güler, E, Görz, P, Geretto, E, Jemmett, A, Österlund, S, Bos, H , Giuffrida, C & Holz, T 2020, Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing. in ACSAC 2020: Annual Computer Security Applications Conference., 3427266, ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 360-372, 36th Annual Computer Security Applications Conference, ACSAC 2020, Virtual, Online, United States, 7/12/20. https://doi.org/10.1145/3427228.3427266

Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing. / Güler, Emre; Görz, Philipp; Geretto, Elia et al.
ACSAC 2020: Annual Computer Security Applications Conference. Association for Computing Machinery, 2020. p. 360-372 3427266 (ACM International Conference Proceeding Series).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing

AU - Güler, Emre

AU - Görz, Philipp

AU - Geretto, Elia

AU - Jemmett, Andrea

AU - Österlund, Sebastian

AU - Bos, Herbert

AU - Giuffrida, Cristiano

AU - Holz, Thorsten

PY - 2020

Y1 - 2020

N2 - Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, we improve the latency for obtaining 95% and 99% of the coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.

AB - Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, we improve the latency for obtaining 95% and 99% of the coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.

KW - automated bug finding

KW - collaborative fuzzing

KW - ensemble fuzzing

KW - fuzzing

KW - parallel fuzzing

UR - https://www.scopus.com/pages/publications/85098053614

UR - https://www.scopus.com/pages/publications/85098053614#tab=citedBy

U2 - 10.1145/3427228.3427266

DO - 10.1145/3427228.3427266

M3 - Conference contribution

AN - SCOPUS:85098053614

T3 - ACM International Conference Proceeding Series

SP - 360

EP - 372

BT - ACSAC 2020

PB - Association for Computing Machinery

T2 - 36th Annual Computer Security Applications Conference, ACSAC 2020

Y2 - 7 December 2020 through 11 December 2020

ER -

Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing

Abstract

Publication series

Conference

Funding

UN SDGs

Keywords

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this