ISSTA 2024
Mon 16 - Fri 20 September 2024 Vienna, Austria
co-located with ISSTA/ECOOP 2024
Fri 20 Sep 2024 11:10 - 11:30 at EI 7 - Fuzzing 2 Chair(s): Marcel Böhme

Coverage-Guided Fuzzing (CGF) has become the most popular and effective method for vulnerability detection. It is usually designed as an automated “black-box” tool: security auditors start it and then simply wait for the results. However, after a period of testing, CGF gradually struggles to find new coverage, which makes it inefficient. It is difficult for users to explain what prevents fuzzing from making further progress and to determine whether the existing coverage is sufficient. In addition, there is no way to interact with or direct the fuzzing process.

In this paper, we design dynamic directed greybox fuzzing (DDGF) to facilitate collaboration between the user and the fuzzer. By leveraging the Ball-Larus path profiling algorithm, we propose two new techniques: dynamic introspection and dynamic direction. Dynamic introspection reveals the significant imbalance in the distribution of path frequency through encoding and decoding of path IDs. Based on the insight gained from introspection, users can dynamically direct the fuzzer to focus testing on the selected paths in real time. We implement DDGF on top of AFL++. Experiments on Magma show that DDGF is effective in helping the fuzzer reproduce vulnerabilities faster, with up to 100x speedup and only 13% performance overhead. DDGF shows the great potential of human-in-the-loop fuzzing.
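As an added illustration of the Ball-Larus encoding and decoding the abstract refers to (example code written for this page, not code from the paper or from AFL++), the following Python numbers every acyclic path through a small constructed control-flow graph, recovers a path from its ID, and tallies how often each decoded path appears in a constructed stream of observed IDs; the block names (`A` to `F`) and the observed IDs are assumptions.

```python
# Ball-Larus path numbering on a small constructed acyclic CFG (assumption: one entry "A", one exit "F").
from collections import Counter

CFG = {"A": ["B", "C"], "B": ["D"], "C": ["D", "E"],
       "D": ["F"], "E": ["F"], "F": []}  # three acyclic paths from A to F

def ball_larus(cfg):
    """num_paths[v] = acyclic paths from v to the exit; edge_val[(v, w)] = increment
    for edge v->w, so any path's increments sum to a unique ID in [0, num_paths[entry])."""
    num_paths, edge_val, seen, postorder = {}, {}, set(), []

    def visit(v):  # depth-first postorder: successors are numbered before v
        if v not in seen:
            seen.add(v)
            for w in cfg[v]:
                visit(w)
            postorder.append(v)

    for v in cfg:
        visit(v)
    for v in postorder:
        total = 0
        for w in cfg[v]:
            edge_val[(v, w)] = total  # increment = paths through earlier siblings
            total += num_paths[w]
        num_paths[v] = total or 1  # the exit block terminates exactly one path
    return num_paths, edge_val

def encode(path, edge_val):
    """What instrumentation does at runtime: sum the increments of the taken edges."""
    return sum(edge_val[(a, b)] for a, b in zip(path, path[1:]))

def decode(path_id, cfg, entry, edge_val):
    """Recover the block sequence: at each block take the successor with the
    largest increment that does not exceed the remaining ID."""
    path = [entry]
    while cfg[path[-1]]:
        v = path[-1]
        w = max((s for s in cfg[v] if edge_val[(v, s)] <= path_id),
                key=lambda s: edge_val[(v, s)])
        path_id -= edge_val[(v, w)]
        path.append(w)
    return path

def path_frequencies(observed_ids, cfg, entry, edge_val):
    """Decode a stream of runtime path IDs into per-path hit counts."""
    return Counter(tuple(decode(i, cfg, entry, edge_val)) for i in observed_ids)

NUM_PATHS, EDGE_VAL = ball_larus(CFG)
OBSERVED = [0] * 8 + [1] * 2 + [2]  # constructed: one path dominates (the imbalance introspection exposes)
```

With the counts in hand, a user can see which paths the fuzzer keeps re-executing and which it rarely reaches, which is the information DDGF's direction step acts on.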

Fri 20 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

10:30 - 11:50
Fuzzing 2 (Technical Papers) at EI 7
Chair(s): Marcel Böhme (MPI-SP, Bochum)

10:30 (20m, Talk)
Prospector: Boosting Directed Greybox Fuzzing for Large-Scale Target Sets with Iterative Prioritization
Zhijie Zhang, Liwei Chen, Haolai Wei, Gang Shi, Dan Meng (all: Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences)

10:50 (20m, Talk)
FRIES: Fuzzing Rust Library Interactions via Efficient Ecosystem-Guided Target Generation
Xizhe Yin, Yang Feng, Qingkai Shi, Zixi Liu, Hongwang Liu, Baowen Xu (all: Nanjing University)

11:10 (20m, Talk)
DDGF: Dynamic Directed Greybox Fuzzing with Path Profiling
Haoran Fang, Kaikai Zhang, Donghui Yu, Yuanyuan Zhang (all: Shanghai Jiao Tong University)

11:30 (20m, Talk)
Logos: Log Guided Fuzzing for Protocol Implementations
Feifan Wu (Tsinghua University), Zhengxiong Luo (National University of Singapore), Yanyang Zhao (Tsinghua University), Qingpeng Du (Beijing University of Posts and Telecommunications), Junze Yu (Tsinghua University), Ruikang Peng (Central South University), Heyuan Shi (Central South University), Yu Jiang (Tsinghua University)

Information for Participants
Fri 20 Sep 2024 10:30 - 11:50 at EI 7 - Fuzzing 2 Chair(s): Marcel Böhme
Info for room EI 7:

Map: https://tuw-maps.tuwien.ac.at/?q=CDEG13

Room tech: https://raumkatalog.tiss.tuwien.ac.at/room/15417