
Fitness Guided Vulnerability Detection with Greybox Fuzzing

Medicherla, RK and Komondoor, R and Roychoudhury, A (2020) Fitness Guided Vulnerability Detection with Greybox Fuzzing. In: Proceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020, 27 June - 19 July 2020, Seoul, pp. 513-520.

Int_Con_Soft_513-520_2020.pdf - Published Version
Restricted to Registered users only

Official URL: https://doi.org/10.1145/3387940.3391457

Abstract

Greybox fuzzing is an automated test-input generation technique that aims to uncover program errors by searching for bug-inducing inputs using a fitness-guided search process. Existing fuzzing approaches are primarily coverage-based. That is, they regard a test input that covers a new region of code as being fit to be retained. However, a vulnerability at a program location may not get exhibited in every execution that happens to visit this program location; only certain program executions that lead to the location may expose the vulnerability. In this paper, we introduce a unified fitness metric called headroom, which can be used within greybox fuzzers, and which is explicitly oriented towards searching for test inputs that come closer to exposing vulnerabilities. We have implemented our approach by enhancing AFL, which is a production-quality fuzzing tool. We have instantiated our approach to detecting buffer overrun as well as integer-overflow vulnerabilities. We have evaluated our approach on a suite of benchmark programs, and compared it with AFL, as well as a recent extension over AFL called AFLGo. Our approach could uncover more vulnerabilities in a given amount of fuzzing time and also uncover the vulnerabilities faster than these two tools.

Item Type: Conference Paper
Publication: Proceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020
Publisher: Association for Computing Machinery, Inc
Additional Information: The copyright for this article belongs to Association for Computing Machinery, Inc
Keywords: Health; Location; Technical presentations, Automated test; Benchmark programs; Buffer overrun; Generation techniques; Integer overflow; Production quality; Program execution; Vulnerability detection, Software testing
Department/Centre: Division of Electrical Sciences > Computer Science & Automation
Date Deposited: 06 Feb 2023 06:43
Last Modified: 06 Feb 2023 06:43
URI: https://eprints.iisc.ac.in/id/eprint/79864
