Medicherla, RK and Komondoor, R and Roychoudhury, A (2020) Fitness Guided Vulnerability Detection with Greybox Fuzzing. In: Proceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020, 27 June - 19 July 2020, Seoul, pp. 513-520.
PDF: Int_Con_Soft_513-520_2020.pdf (Published Version, 276kB; restricted to registered users)
Abstract
Greybox fuzzing is an automated test-input generation technique that aims to uncover program errors by searching for bug-inducing inputs using a fitness-guided search process. Existing fuzzing approaches are primarily coverage-based. That is, they regard a test input that covers a new region of code as being fit to be retained. However, a vulnerability at a program location may not get exhibited in every execution that happens to visit this program location; only certain program executions that lead to the location may expose the vulnerability. In this paper, we introduce a unified fitness metric called headroom, which can be used within greybox fuzzers, and which is explicitly oriented towards searching for test inputs that come closer to exposing vulnerabilities. We have implemented our approach by enhancing AFL, which is a production-quality fuzzing tool. We have instantiated our approach to detecting buffer-overrun as well as integer-overflow vulnerabilities. We have evaluated our approach on a suite of benchmark programs, and compared it with AFL, as well as a recent extension over AFL called AFLGo. Our approach could uncover more vulnerabilities in a given amount of fuzzing time and also uncover the vulnerabilities faster than these two tools.
| Field | Value |
|---|---|
| Item Type | Conference Paper |
| Publication | Proceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020 |
| Publisher | Association for Computing Machinery, Inc |
| Additional Information | The copyright for this article belongs to Association for Computing Machinery, Inc |
| Keywords | Health; Location; Technical presentations, Automated test; Benchmark programs; Buffer overrun; Generation techniques; Integer overflow; Production quality; Program execution; Vulnerability detection, Software testing |
| Department/Centre | Division of Electrical Sciences > Computer Science & Automation |
| Date Deposited | 06 Feb 2023 06:43 |
| Last Modified | 06 Feb 2023 06:43 |
| URI | https://eprints.iisc.ac.in/id/eprint/79864 |