ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery

Wei You; Xueqiang Wang; Shiqing Ma; Jianjun Huang; Xiangyu Zhang; Xiaofeng Wang; Bin Liang

doi:10.1109/SP.2019.00057

ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery

Wei You, Xueqiang Wang, Shiqing Ma, Jianjun Huang, Xiangyu Zhang, Xiaofeng Wang, Bin Liang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

57 Scopus citations

Abstract

Existing mutation based fuzzers tend to randomly mutate the input of a program without understanding its underlying syntax and semantics. In this paper, we propose a novel on-the-fly probing technique (called ProFuzzer) that automatically recovers and understands input fields of critical importance to vulnerability discovery during a fuzzing process and intelligently adapts the mutation strategy to enhance the chance of hitting zero-day targets. Since such probing is transparently piggybacked to the regular fuzzing, no prior knowledge of the input specification is needed. During fuzzing, individual bytes are first mutated and their fuzzing results are automatically analyzed to link those related together and identify the type for the field connecting them; these bytes are further mutated together following type-specific strategies, which substantially prunes the search space. We define the probe types generally across all applications, thereby making our technique application agnostic. Our experiments on standard benchmarks and real-world applications show that ProFuzzer substantially outperforms AFL and its optimized version AFLFast, as well as other state-of-art fuzzers including VUzzer, Driller and QSYM. Within two months, it exposed 42 zero-days in 10 intensively tested programs, generating 30 CVEs.

Original language	English (US)
Title of host publication	Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	769-786
Number of pages	18
ISBN (Electronic)	9781538666609
DOIs	https://doi.org/10.1109/SP.2019.00057
State	Published - May 2019
Externally published	Yes
Event	40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States Duration: May 19 2019 → May 23 2019

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2019-May
ISSN (Print)	1081-6011

Conference

Conference	40th IEEE Symposium on Security and Privacy, SP 2019
Country/Territory	United States
City	San Francisco
Period	5/19/19 → 5/23/19

All Science Journal Classification (ASJC) codes

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Keywords

Fuzzing
Input-type
Probing
Vulnerability-discovery

Access to Document

10.1109/SP.2019.00057

Cite this

You, W., Wang, X., Ma, S., Huang, J., Zhang, X., Wang, X., & Liang, B. (2019). ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery. In Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019 (pp. 769-786). [8835384] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2019.00057

@inproceedings{17dcc2a607cc48a8b36b4462aab90748,

title = "ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery",

abstract = "Existing mutation based fuzzers tend to randomly mutate the input of a program without understanding its underlying syntax and semantics. In this paper, we propose a novel on-the-fly probing technique (called ProFuzzer) that automatically recovers and understands input fields of critical importance to vulnerability discovery during a fuzzing process and intelligently adapts the mutation strategy to enhance the chance of hitting zero-day targets. Since such probing is transparently piggybacked to the regular fuzzing, no prior knowledge of the input specification is needed. During fuzzing, individual bytes are first mutated and their fuzzing results are automatically analyzed to link those related together and identify the type for the field connecting them; these bytes are further mutated together following type-specific strategies, which substantially prunes the search space. We define the probe types generally across all applications, thereby making our technique application agnostic. Our experiments on standard benchmarks and real-world applications show that ProFuzzer substantially outperforms AFL and its optimized version AFLFast, as well as other state-of-art fuzzers including VUzzer, Driller and QSYM. Within two months, it exposed 42 zero-days in 10 intensively tested programs, generating 30 CVEs.",

keywords = "Fuzzing, Input-type, Probing, Vulnerability-discovery",

author = "Wei You and Xueqiang Wang and Shiqing Ma and Jianjun Huang and Xiangyu Zhang and Xiaofeng Wang and Bin Liang",

note = "Funding Information: ONR N000141410468 and N000141712947, and Sandia National Lab under award 1701331. IU authors were supported in part by NSF CNS-1527141, 1618493, 1801432, 1838083, ARO W911NF1610127 and Samsung Gift fund. RUC authors were supported in part by NSFC U1836209 and 61802413. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of the sponsors. Funding Information: Purdue authors were supported in part by DARPA FA8650-15-C-7562, NSF 1748764 and 1409668, ONR N000141410468 and N000141712947, and Sandia National Lab under award 1701331. IU authors were supported in part by NSF CNS-1527141, 1618493, 1801432, 1838083, ARO W911NF1610127 and Samsung Gift fund. RUC authors were supported in part by NSFC U1836209 and 61802413 Funding Information: The authors would like to thank the anonymous reviewers and Professor Herbert Bos (the PC contact) for their constructive comments. Also, the authors would like to express their thanks to the authors of VUzzer and Angora for the discussion of experiment settings. Purdue authors were supported in part by DARPA FA8650-15-C-7562, NSF 1748764 and 1409668, Publisher Copyright: {\textcopyright} 2019 IEEE.; 40th IEEE Symposium on Security and Privacy, SP 2019 ; Conference date: 19-05-2019 Through 23-05-2019",

year = "2019",

month = may,

doi = "10.1109/SP.2019.00057",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "769--786",

booktitle = "Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019",

address = "United States",

}

You, W, Wang, X, Ma, S, Huang, J, Zhang, X, Wang, X & Liang, B 2019, ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery. in Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019., 8835384, Proceedings - IEEE Symposium on Security and Privacy, vol. 2019-May, Institute of Electrical and Electronics Engineers Inc., pp. 769-786, 40th IEEE Symposium on Security and Privacy, SP 2019, San Francisco, United States, 5/19/19. https://doi.org/10.1109/SP.2019.00057

ProFuzzer : On-the-fly input type probing for better zero-day vulnerability discovery. / You, Wei; Wang, Xueqiang; Ma, Shiqing et al.

Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 769-786 8835384 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - ProFuzzer

T2 - 40th IEEE Symposium on Security and Privacy, SP 2019

AU - You, Wei

AU - Wang, Xueqiang

AU - Ma, Shiqing

AU - Huang, Jianjun

AU - Zhang, Xiangyu

AU - Wang, Xiaofeng

AU - Liang, Bin

N1 - Funding Information: ONR N000141410468 and N000141712947, and Sandia National Lab under award 1701331. IU authors were supported in part by NSF CNS-1527141, 1618493, 1801432, 1838083, ARO W911NF1610127 and Samsung Gift fund. RUC authors were supported in part by NSFC U1836209 and 61802413. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of the sponsors. Funding Information: Purdue authors were supported in part by DARPA FA8650-15-C-7562, NSF 1748764 and 1409668, ONR N000141410468 and N000141712947, and Sandia National Lab under award 1701331. IU authors were supported in part by NSF CNS-1527141, 1618493, 1801432, 1838083, ARO W911NF1610127 and Samsung Gift fund. RUC authors were supported in part by NSFC U1836209 and 61802413 Funding Information: The authors would like to thank the anonymous reviewers and Professor Herbert Bos (the PC contact) for their constructive comments. Also, the authors would like to express their thanks to the authors of VUzzer and Angora for the discussion of experiment settings. Purdue authors were supported in part by DARPA FA8650-15-C-7562, NSF 1748764 and 1409668, Publisher Copyright: © 2019 IEEE.

PY - 2019/5

Y1 - 2019/5

N2 - Existing mutation based fuzzers tend to randomly mutate the input of a program without understanding its underlying syntax and semantics. In this paper, we propose a novel on-the-fly probing technique (called ProFuzzer) that automatically recovers and understands input fields of critical importance to vulnerability discovery during a fuzzing process and intelligently adapts the mutation strategy to enhance the chance of hitting zero-day targets. Since such probing is transparently piggybacked to the regular fuzzing, no prior knowledge of the input specification is needed. During fuzzing, individual bytes are first mutated and their fuzzing results are automatically analyzed to link those related together and identify the type for the field connecting them; these bytes are further mutated together following type-specific strategies, which substantially prunes the search space. We define the probe types generally across all applications, thereby making our technique application agnostic. Our experiments on standard benchmarks and real-world applications show that ProFuzzer substantially outperforms AFL and its optimized version AFLFast, as well as other state-of-art fuzzers including VUzzer, Driller and QSYM. Within two months, it exposed 42 zero-days in 10 intensively tested programs, generating 30 CVEs.

AB - Existing mutation based fuzzers tend to randomly mutate the input of a program without understanding its underlying syntax and semantics. In this paper, we propose a novel on-the-fly probing technique (called ProFuzzer) that automatically recovers and understands input fields of critical importance to vulnerability discovery during a fuzzing process and intelligently adapts the mutation strategy to enhance the chance of hitting zero-day targets. Since such probing is transparently piggybacked to the regular fuzzing, no prior knowledge of the input specification is needed. During fuzzing, individual bytes are first mutated and their fuzzing results are automatically analyzed to link those related together and identify the type for the field connecting them; these bytes are further mutated together following type-specific strategies, which substantially prunes the search space. We define the probe types generally across all applications, thereby making our technique application agnostic. Our experiments on standard benchmarks and real-world applications show that ProFuzzer substantially outperforms AFL and its optimized version AFLFast, as well as other state-of-art fuzzers including VUzzer, Driller and QSYM. Within two months, it exposed 42 zero-days in 10 intensively tested programs, generating 30 CVEs.

KW - Fuzzing

KW - Input-type

KW - Probing

KW - Vulnerability-discovery

UR - http://www.scopus.com/inward/record.url?scp=85072932802&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072932802&partnerID=8YFLogxK

U2 - 10.1109/SP.2019.00057

DO - 10.1109/SP.2019.00057

M3 - Conference contribution

AN - SCOPUS:85072932802

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 769

EP - 786

BT - Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 19 May 2019 through 23 May 2019

ER -

You W, Wang X, Ma S, Huang J, Zhang X, Wang X et al. ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery. In Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019. Institute of Electrical and Electronics Engineers Inc. 2019. p. 769-786. 8835384. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP.2019.00057

ProFuzzer: On-the-fly input type probing for better zero-day vulnerability discovery

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this