ParmeSan: Sanitizer-guided greybox fuzzing

Sebastian Österlund, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

One of the key questions when fuzzing is where to look for vulnerabilities. Coverage-guided fuzzers indiscriminately optimize for covering as much code as possible, given that bug coverage often correlates with code coverage. Since code coverage overapproximates bug coverage, this approach is less than ideal and may lead to a non-trivial time-to-exposure (TTE) of bugs. Directed fuzzers try to address this problem by steering the fuzzer towards a basic block with a potential vulnerability. This approach can greatly reduce the TTE for a specific bug, but such special-purpose fuzzers can then greatly underapproximate overall bug coverage. In this paper, we present sanitizer-guided fuzzing, a new design point in this space that specifically optimizes for bug coverage. For this purpose, we make the key observation that while the instrumentation performed by existing software sanitizers is regularly used for detecting fuzzer-induced error conditions, it can further serve as a generic and effective mechanism to identify interesting basic blocks for guiding fuzzers. We present the design and implementation of ParmeSan, a new sanitizer-guided fuzzer that builds on this observation. We show that ParmeSan greatly reduces the TTE of real-world bugs, and finds bugs 37% faster than existing state-of-the-art coverage-based fuzzers (Angora) and 288% faster than directed fuzzers (AFLGo), while still covering the same set of bugs.

Original language: English
Title of host publication: Proceedings of the 29th USENIX Security Symposium
Publisher: USENIX Association
Pages: 2289-2306
Number of pages: 18
ISBN (Electronic): 9781939133175
Publication status: Published - Aug 2020
Event: 29th USENIX Security Symposium - Virtual, Online
Duration: 12 Aug 2020 to 14 Aug 2020

Conference

Conference: 29th USENIX Security Symposium
City: Virtual, Online
Period: 12/08/20 to 14/08/20

Funding

We thank our shepherd, Aurélien Francillon, and the anonymous reviewers for their feedback. This work was supported by the EU’s Horizon 2020 research and innovation programme under grant agreement No. 786669 (ReAct), by the Netherlands Organisation for Scientific Research through grants 639.023.309 VICI “Dowsing” and 639.021.753 VENI “PantaRhei”, by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782, and by Cisco Systems, Inc. through grant #1138109. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of any of the sponsors or any of their affiliates.

Funders and funder numbers:
EU's Horizon 2020 research and innovation programme
Netherlands Organisation for Scientific Research: 639.021.753
United States Office of Naval Research
Office of Naval Research: N00014-17-1-2782
Cisco Systems: 1138109
Horizon 2020 Framework Programme: 786669
Nederlandse Organisatie voor Wetenschappelijk Onderzoek: 639.023.309
