Engineering a Better Fuzzer with Synergically Integrated Optimizations

Authors: Jie Liang, Yuanliang Chen, Mingzhe Wang, Yu Jiang, Zijiang Yang, Chengnian Sun, Xun Jiao, Jiaguang Sun

Venue: 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE), pp. 82-92, 2019

Year: 2019

Abstract: State-of-the-art fuzzers implement various optimizations to enhance their performance. As the optimizations reside in different stages such as input seed selection and mutation, it is tempting to combine the optimizations in different stages. However, our initial attempts demonstrate that naive combination actually worsens the performance, which explains that most optimizations are still isolated by stages and metrics. In this paper, we present InteFuzz, the first framework that synergically integrates multiple fuzzing optimizations. We analyze the root cause for performance degradation in naive combination, and discover optimizations conflict in coverage criteria and optimization granularity. To resolve the conflicts, we propose a novel priority-based scheduling mechanism. The dynamic integration considers both branch-based and block-based coverage feedbacks that are used by most fuzzing optimizations. In our evaluation, we extract four optimizations from popular fuzzers such as AFLFast and FairFuzz and compare InteFuzz against naive combinations. The evaluation results show that InteFuzz outperforms the naive combination by 29% and 26% in path- and branch-coverage. Additionally, InteFuzz triggers 222 more unique crashes, and discovers 33 zero-day vulnerabilities in real-world projects with 12 registered as CVEs.

BibTeX:

@inproceedings{jieliang2019eabfwsio,
    author = "Jie Liang and Yuanliang Chen and Mingzhe Wang and Yu Jiang and Zijiang Yang and Chengnian Sun and Xun Jiao and Jiaguang Sun",
    title = "Engineering a Better Fuzzer with Synergically Integrated Optimizations",
    year = "2019",
    pages = "82-92",
    booktitle = "Proceedings of 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE)"
}

Plain Text:

Jie Liang, Yuanliang Chen, Mingzhe Wang, Yu Jiang, Zijiang Yang, Chengnian Sun, Xun Jiao, and Jiaguang Sun, "Engineering a Better Fuzzer with Synergically Integrated Optimizations," 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE), pp. 82-92