Abstract
One of the key questions when fuzzing is where to look for vulnerabilities. Coverage-guided fuzzers indiscriminately optimize for covering as much code as possible, given that bug coverage often correlates with code coverage. Since code coverage overapproximates bug coverage, this approach is less than ideal and may lead to non-trivial time-to-exposure (TTE) of bugs. Directed fuzzers try to address this problem by directing the fuzzer to a basic block with a potential vulnerability. This approach can greatly reduce the TTE for a specific bug, but such special-purpose fuzzers can then greatly underapproximate overall bug coverage. In this paper, we present sanitizer-guided fuzzing, a new design point in this space that specifically optimizes for bug coverage. For this purpose, we make the key observation that while the instrumentation performed by existing software sanitizers is regularly used for detecting fuzzer-induced error conditions, it can further serve as a generic and effective mechanism to identify interesting basic blocks for guiding fuzzers. We present the design and implementation of ParmeSan, a new sanitizer-guided fuzzer that builds on this observation. We show that ParmeSan greatly reduces the TTE of real-world bugs, and finds bugs 37% faster than existing state-of-the-art coverage-based fuzzers (Angora) and 288% faster than directed fuzzers (AFLGo), while still covering the same set of bugs.
Original language | English |
---|---|
Title of host publication | Proceedings of the 29th USENIX Security Symposium |
Publisher | USENIX Association |
Pages | 2289-2306 |
Number of pages | 18 |
ISBN (Electronic) | 9781939133175 |
Publication status | Published - Aug 2020 |
Event | 29th USENIX Security Symposium - Virtual, Online Duration: 12 Aug 2020 → 14 Aug 2020 |
Conference
Conference | 29th USENIX Security Symposium |
---|---|
City | Virtual, Online |
Period | 12/08/20 → 14/08/20 |
Funding
We thank our shepherd, Aurélien Francillon, and the anonymous reviewers for their feedback. This work was supported by the EU's Horizon 2020 research and innovation programme under grant agreement No. 786669 (ReAct), by the Netherlands Organisation for Scientific Research through grants 639.023.309 VICI "Dowsing" and 639.021.753 VENI "PantaRhei", by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782, and by Cisco Systems, Inc. through grant #1138109. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of any of the sponsors or any of their affiliates.
Funders | Funder number |
---|---|
EU's Horizon 2020 research and innovation programme | |
Netherlands Organisation for Scientific Research | 639.021.753 |
United States Office of Naval Research | |
Office of Naval Research | N00014-17-1-2782 |
Cisco Systems | 1138109 |
Horizon 2020 Framework Programme | 786669 |
Nederlandse Organisatie voor Wetenschappelijk Onderzoek | 639.023.309 |