Abstract: The development of the Internet of Things (IoT) has brought convenience to people's lives, but it also introduces significant security risks. Due to the limitations of IoT devices themselves and the challenges of re-hosting technology, existing fuzzing for IoT devices is mainly conducted through black-box methods, which lack effective execution feedback and are blind. Meanwhile, existing static methods mainly rely on taint analysis, which has high overhead and high false-alarm rates. We propose a new directed fuzz testing method for detecting bugs in the web service programs of IoT devices, which can test IoT devices more quickly and efficiently. Specifically, we identify external input entry points using multiple features. Then we quickly find sensitive targets, and the paths affected by external input sources, through sensitive data-flow analysis of decompiled code, treating them as testing objects. Finally, we perform a directed fuzzing test. We use debugging interfaces to collect execution feedback and guide the program to reach sensitive targets based on program-pruning techniques. We have implemented a prototype system, AntDFuzz, and evaluated it on firmware from ten devices across five well-known manufacturers. We discovered twelve potential vulnerabilities, seven of which were confirmed and assigned bug IDs by the China National Vulnerability Database (CNVD). The results show that our approach is able to find unknown bugs in real devices and is more efficient than existing tools.
Funding: Supported by the National Key R&D Program of China (No. 2021YFB3101803).
Abstract: A memory leak is a common software vulnerability that can decrease the reliability of an application and, in severe cases, even cause program crashes. If a program contains intentionally triggerable memory-leak vulnerabilities, attackers can exploit them to launch denial-of-service attacks or induce the program to exhibit unexpected behaviour under low-memory conditions. Existing fuzzing techniques primarily focus on improving code coverage, and specialized fuzzing techniques for individual memory-related defects, such as uncontrolled memory allocation, do not address memory-leak vulnerabilities. MemLock is the first fuzzing technique to address memory-consumption vulnerabilities, including memory leakage. However, the coverage-centric guidance mechanism of MemLock introduces a degree of aimlessness into the testing process, which results in low seed quality and slow bug exposure. To address this issue, we propose a risk-area-guidance-based fuzzing technique called RBZZER. First, RBZZER retains MemLock's memory-consumption-guided mechanism and introduces a novel distance-guided approach to expedite the fuzzer's arrival at potential memory-leak areas. Second, we introduce a new seed-scheduling strategy called risk-area-based seed scheduling, which classifies seeds according to the potential memory-leak areas in the program and then schedules them, thereby effectively improving the efficiency of discovering memory-leak vulnerabilities. Experiments demonstrate that RBZZER outperforms state-of-the-art fuzzing techniques, finding 52% more unique program crashes than the second-best counterpart. In particular, RBZZER discovers at least 112% more memory leakage than the other baseline fuzzers. Besides, RBZZER detects memory leaks at an average speed 9.10x faster than MemLock.
Funding: Supported by the National Key Research and Development Program of China under Grant No. 2021YFB3101802.
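The distance-guided targeting that both the AntDFuzz and RBZZER abstracts above rely on (steer the fuzzer toward a sensitive target or a risk area rather than toward arbitrary new coverage) can be made concrete with a small seed scheduler. The following is an added illustration, not code from either paper; it borrows AFLGo's published block-distance metric (harmonic mean of shortest-path distances to the targets) and its simulated-annealing power schedule as a plausible stand-in for the guidance the abstracts describe. The control-flow graph, the seeds and their block traces, the target block `memcpy_sink` and the risk-area block `err_path` are all constructed for this example, and the "risk-area seeds first" rule is a simple reading of risk-area-based scheduling, not RBZZER's actual policy.

```python
"""Distance-guided seed scheduling for directed grey-box fuzzing.

Added illustration, not code from AntDFuzz, RBZZER or AFLGo. Graph, seeds,
traces, target and risk-area names are constructed; the distance and energy
formulas follow AFLGo's design and serve only as a plausible guidance metric.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed inter-procedural CFG: block -> successor blocks. "memcpy_sink"
# stands in for a sensitive target fed by external input; "err_path" is a
# hypothetical risk area that returns without freeing the "alloc_buf" buffer.
CFG: Dict[str, List[str]] = {
    "entry": ["parse_hdr"],
    "parse_hdr": ["check_len", "reject"],
    "check_len": ["alloc_buf", "reject"],
    "alloc_buf": ["copy_body", "err_path"],
    "copy_body": ["memcpy_sink"],
    "memcpy_sink": ["free_buf"],
    "err_path": ["exit"],
    "free_buf": ["exit"],
    "reject": ["exit"],
    "exit": [],
}
TARGETS: Set[str] = {"memcpy_sink"}
RISK_AREAS: Set[str] = {"err_path"}

# Constructed seeds: name -> basic-block trace recorded for that input.
SEEDS: Dict[str, List[str]] = {
    "s_reject": ["entry", "parse_hdr", "reject", "exit"],
    "s_short": ["entry", "parse_hdr", "check_len", "reject", "exit"],
    "s_leak": ["entry", "parse_hdr", "check_len", "alloc_buf", "err_path", "exit"],
    "s_full": ["entry", "parse_hdr", "check_len", "alloc_buf", "copy_body",
               "memcpy_sink", "free_buf", "exit"],
}


def block_distances(cfg: Dict[str, List[str]], targets: Iterable[str]) -> Dict[str, float]:
    """BFS over the reversed graph from each target; a block's distance is the
    harmonic mean over the targets it can reach. Unreachable blocks get no entry."""
    rev: Dict[str, List[str]] = {b: [] for b in cfg}
    for src, succs in cfg.items():
        for dst in succs:
            rev.setdefault(dst, []).append(src)
    per_target: List[Dict[str, int]] = []
    for t in targets:
        dist, queue = {t: 0}, deque([t])
        while queue:
            cur = queue.popleft()
            for pred in rev.get(cur, []):
                if pred not in dist:
                    dist[pred] = dist[cur] + 1
                    queue.append(pred)
        per_target.append(dist)
    out: Dict[str, float] = {}
    for b in cfg:
        ds = [d[b] for d in per_target if b in d]
        if not ds:
            continue
        if 0 in ds:                      # the block is itself a target
            out[b] = 0.0
        elif len(ds) == 1:
            out[b] = float(ds[0])
        else:
            out[b] = len(ds) / sum(1.0 / d for d in ds)
    return out


def seed_distance(trace: Iterable[str], bdist: Dict[str, float]) -> Optional[float]:
    """Mean block distance over the trace blocks that can reach a target;
    None when the trace never enters such a block."""
    ds = [bdist[b] for b in trace if b in bdist]
    return sum(ds) / len(ds) if ds else None


def energy(d: Optional[float], d_min: float, d_max: float,
           elapsed: float, t_exp: float) -> float:
    """Annealed power factor in [2^-5, 2^5]: all seeds equal at the start
    (exploration); as elapsed nears t_exp the closest seeds win (exploitation)."""
    if d is None or d_max <= d_min:
        d_norm = 1.0 if d is None else 0.0
    else:
        d_norm = (d - d_min) / (d_max - d_min)
    temp = 20.0 ** (-elapsed / t_exp)            # cools from 1 toward 0
    p = (1.0 - d_norm) * (1.0 - temp) + 0.5 * temp
    return 2.0 ** (10.0 * p - 5.0)


def schedule(seeds: Dict[str, List[str]], cfg: Dict[str, List[str]],
             targets: Set[str], risk_areas: Set[str],
             elapsed: float, t_exp: float) -> List[Tuple[str, bool, float]]:
    """Rank seeds: traces that touch a risk area first, then by descending energy."""
    bdist = block_distances(cfg, targets)
    sd = {name: seed_distance(tr, bdist) for name, tr in seeds.items()}
    defined = [d for d in sd.values() if d is not None]
    d_min, d_max = (min(defined), max(defined)) if defined else (0.0, 0.0)
    ranked = [(name, any(b in risk_areas for b in tr),
               energy(sd[name], d_min, d_max, elapsed, t_exp))
              for name, tr in seeds.items()]
    ranked.sort(key=lambda r: (not r[1], -r[2]))
    return ranked


if __name__ == "__main__":
    for when in (0.0, 600.0):
        print(f"elapsed={when:.0f}s")
        for name, risky, e in schedule(SEEDS, CFG, TARGETS, RISK_AREAS, when, 600.0):
            print(f"  {name:9s} risk={risky!s:5s} energy={e:7.3f}")
```

Two things the abstracts gloss over show up in the output: at the start of the campaign every seed gets the same energy, so the "directed" fuzzer still explores, and a seed like `s_reject` that never enters a block from which the target is reachable is not discarded, only starved, which is what keeps a wrong or incomplete target list from silently killing the run.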
Abstract: Fuzz testing is crucial for identifying software vulnerabilities, with coverage-guided grey-box fuzzers like AFL and Angora excelling at broad detection. However, as the need for targeted detection grows, directed grey-box fuzzing (DGF), which focuses on specific vulnerabilities, has become essential. The initial seed corpus, which consists of carefully selected input samples that the fuzzer uses as a starting point, is fundamental in determining the paths the fuzzer explores. A well-designed seed corpus can guide the fuzzer more effectively towards critical areas of the code, improving the efficiency and success of the fuzzing process. Despite its importance, much work concentrates on refining guidance mechanisms while paying less attention to optimizing the initial seed corpus. In this paper, we introduce ISC4DGF, a novel approach to generating an optimized initial seed corpus for DGF using large language models (LLMs). By leveraging LLMs' deep understanding of software and refined user inputs, ISC4DGF creates a precise seed corpus that efficiently triggers specific vulnerabilities through a multi-round validation process. Implemented on AFL and tested against state-of-the-art fuzzers such as Titan, BEACON, AFLGo, FairFuzz, and Entropic on the Magma benchmark, ISC4DGF achieves a 25.03x speedup with fewer target reaches. Moreover, ISC4DGF improves target-vulnerability detection accuracy while narrowing the detection scope and reducing code coverage.