Enhancing Coverage-Guided Fuzzing via Phantom Program

Wu, Mingyuan1,2,4; Chen, Kunqiu1; Luo, Qi1; Xiang, Jiahong1; Qi, Ji2; Chen, Junjie3; Cui, Heming2; Zhang, Yuqun1,4,5

10.1145/3611643.3616294

2023

31st ACM Joint Meeting of the European Software Engineering Conference / Symposium on the Foundations-of-Software-Engineering (ESEC/FSE)

PROCEEDINGS OF THE 31ST ACM JOINT MEETING EUROPEAN SOFTWARE ENGINEERING CONFERENCE AND SYMPOSIUM ON THE FOUNDATIONS OF SOFTWARE ENGINEERING, ESEC/FSE 2023

DEC 03-09, 2023

null,San Francisco,CA

1601 Broadway, 10th Floor, NEW YORK, NY, UNITED STATES

ASSOC COMPUTING MACHINERY

For coverage-guided fuzzers, many of their adopted seeds are usually ineffective by exploring limited program states since essentially all their executions have to abide by rigorous dependencies between program branches while only limited seeds are capable of accessing such dependencies. Moreover, even when iteratively executing such limited seeds, the fuzzers have to repeatedly access the covered program states before uncovering new states. Such facts indicate that exploration power on program states of seeds has not been sufficiently leveraged by the existing coverage-guided fuzzing strategies. To tackle these issues, we propose a coverageguided fuzzer, namely MirageFuzz, to mitigate the dependencies between program branches when executing seeds for enhancing their exploration power on program states. Specifically, MirageFuzz first creates a "phantom" program of the target program by reducing its dependencies corresponding to conditional statements while retaining their original semantics. Accordingly, MirageFuzz performs dual fuzzing, i.e., the source fuzzing to fuzz the original program and the phantom fuzzing to fuzz the phantom program simultaneously. Then, MirageFuzz generates a new seed for the source fuzzing via a taint-based mutation mechanism, i.e., updating the target conditional statement of a given seed from the source fuzzing with its corresponding condition value derived by the phantom fuzzing. To evaluate the effectiveness of MirageFuzz, we build a benchmark suite with 18 projects commonly adopted by recent fuzzing papers, and select nine open-source fuzzers as baselines for performance comparison with MirageFuzz. The experiment results suggest that MirageFuzz outperforms our baseline fuzzers from 13.42% to 77.96% averagely. Furthermore, MirageFuzz exposes 29 previously unknown bugs where 7 of them have been confirmed and 6 have been fixed by the corresponding developers.

Fuzzing Coverage Guidance Phantom Program

第一 ; 通讯

英语

EI ; CPCI-S

Guangdong Provincial Key Laboratory[2020B121201001]

Computer Science

Computer Science, Software Engineering ; Computer Science, Theory & Methods

WOS:001148157800084

Web of Science

1.Southern University of Science and Technology, Shenzhen, China
2.The University of Hong Kong, Hong Kong
3.College of Intelligence and Computing, Tianjin University, Tianjin, China
4.The Research Institute of Trustworthy Autonomous Systems, Shenzhen, China
5.Guangdong Provincial Key Laboratory of Brain-inspired Intelligent Computation, China

Wu, Mingyuan,Chen, Kunqiu,Luo, Qi,et al. Enhancing Coverage-Guided Fuzzing via Phantom Program[C]. 1601 Broadway, 10th Floor, NEW YORK, NY, UNITED STATES:ASSOC COMPUTING MACHINERY,2023.