GREYONE: Data Flow Sensitive Fuzzing
State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences
Intrinsically Secure Architecture Laboratory
Date: November 8, 2019 (Friday)
Time: 15:30-18:00
Venue: Conference Room 601, Institute of Computing Technology
Speaker: Shuitao Gan (Assistant Researcher, MEAC-SKL & Tsinghua University)
Host: Chenggang Wu
Abstract:
Data flow analysis (e.g., dynamic taint analysis) has proven to be useful for guiding fuzzers to explore hard-to-reach code and find vulnerabilities. However, traditional taint analysis is labor-intensive, inaccurate and slow, affecting the fuzzing efficiency. Apart from taint, few data flow features are utilized.
In this work, we propose a data flow sensitive fuzzing solution, GREYONE. We first utilize the classic feature, taint, to guide fuzzing. A lightweight and sound fuzzing-driven taint inference (FTI) is adopted to infer the taint of variables by monitoring their value changes while mutating input bytes during fuzzing. With the taint, we propose a novel input prioritization model to determine which branch to explore, which bytes to mutate and how to mutate them. Further, we use another data flow feature, constraint conformance, i.e., the distance of tainted variables to the values expected in untouched branches, to tune the evolution direction of fuzzing.
We implemented a prototype of GREYONE and evaluated it on 19 real world programs. The results show that it outperforms various state-of-the-art fuzzers in terms of both code coverage and vulnerability discovery. In real world programs, GREYONE on average found 2.12X as many unique program paths and 3.09X as many unique bugs as state-of-the-art evolutionary fuzzers. In total, it found 105 new security bugs, of which 41 are confirmed by CVE.
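The two data flow features in the abstract are easiest to see on a toy program. The following is an added illustration, not code from GREYONE or its authors: the eight-byte target with three checks, the byte-mismatch "distance" used as the constraint-conformance metric, and the greedy one-byte-at-a-time solver are all assumptions made for the example. It infers taint the FTI way (mutate one input byte, re-run, record which comparison operands changed) and then spends mutations only on the bytes that taint analysis says can influence an untouched branch, ordering seeds by how close they already are.

```python
"""Toy GREYONE-style fuzzing-driven taint inference (FTI) and
constraint-conformance guided mutation.  Constructed example: the target,
the distance metric and the solver are assumptions, not GREYONE's code."""

MAGIC = 0x4D465A47  # constructed 4-byte magic value the toy target checks


def run_target(data: bytes) -> dict:
    """Constructed toy target.  Simulates branch instrumentation by returning,
    for every comparison it executes, (observed value, expected value) keyed
    by a branch id.  A real fuzzer would collect this through compiler hooks."""
    cmps = {}
    if len(data) < 8:
        return cmps
    cmps["br_magic"] = (int.from_bytes(data[0:4], "little"), MAGIC)
    cmps["br_len"] = (data[4] + data[5], 200)             # two-byte sum
    cmps["br_sum"] = ((data[6] + data[7]) & 0xFF, 0x7F)   # one-byte checksum
    return cmps


def infer_taint(seed: bytes, run=run_target) -> dict:
    """FTI: mutate one input byte at a time, re-run, and mark a branch operand
    as tainted by that byte if its observed value changed.  Only observed
    changes are recorded, so there is no false taint, but a dependency that
    neither mutator happens to expose is missed (the inference is sound,
    not complete).  Returns {branch_id: set of tainted input offsets}."""
    base = run(seed)
    taint = {b: set() for b in base}
    for off in range(len(seed)):
        for mutate in (lambda x: x ^ 0xFF, lambda x: (x + 1) & 0xFF):
            buf = bytearray(seed)
            buf[off] = mutate(buf[off])
            out = run(bytes(buf))
            for b, (val, _) in base.items():
                if b in out and out[b][0] != val:
                    taint[b].add(off)
    return taint


def conformance(cmps: dict) -> dict:
    """Assumed constraint-conformance metric: per branch, the number of
    mismatching bytes between observed and expected operand (0 == satisfied)."""
    dist = {}
    for b, (val, exp) in cmps.items():
        n = max(1, (max(val, exp).bit_length() + 7) // 8)
        vb, eb = val.to_bytes(n, "little"), exp.to_bytes(n, "little")
        dist[b] = sum(1 for x, y in zip(vb, eb) if x != y)
    return dist


def solve_branch(seed: bytes, branch: str, taint: dict, run=run_target,
                 max_rounds: int = 16) -> bytes:
    """Conformance-guided mutation: only bytes that FTI marked as tainted for
    `branch` are touched; each round keeps the single-byte change that lowers
    that branch's distance the most, stopping at 0 or at a local minimum."""
    cur = bytes(seed)
    best = conformance(run(cur))[branch]
    for _ in range(max_rounds):
        if best == 0:
            break
        cand = None
        for off in sorted(taint[branch]):
            for v in range(256):
                buf = bytearray(cur)
                buf[off] = v
                d = conformance(run(bytes(buf))).get(branch, best)
                if d < best:
                    best, cand = d, bytes(buf)
        if cand is None:
            break  # no single tainted byte improves this metric
        cur = cand
    return cur


def prioritize(seeds, run=run_target) -> list:
    """Input prioritization: fuzz first the seeds whose untouched branches
    are closest to being satisfied (lowest total conformance distance)."""
    return sorted(seeds, key=lambda s: sum(conformance(run(s)).values()))


if __name__ == "__main__":
    seed = bytes(8)                      # constructed all-zero seed input
    taint = infer_taint(seed)
    print("taint:", {b: sorted(o) for b, o in taint.items()})
    cur = seed
    for br in ("br_magic", "br_len", "br_sum"):
        cur = solve_branch(cur, br, taint)
        print(br, "->", conformance(run_target(cur)))
    print("solved input:", cur.hex())
```

The point worth noticing is the division of labour: taint inference answers "which bytes matter for this branch" (offsets 0-3 for the magic, 4-5 for the length, 6-7 for the checksum), while conformance answers "how far is the current input from taking it", and together they decide which branch to attack, which bytes to mutate and whether a mutation moved in the right direction, without any classical taint propagation.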
Speaker bio:
Dr. Shuitao Gan is an assistant researcher in MEAC-SKL. His research interest lies in system and software security, especially in automatic vulnerability analysis including static analysis, fuzzing, symbolic execution, etc. He has proposed many efficient vulnerability discovery solutions, including flow sensitive fuzzing, found hundreds of security vulnerabilities and obtained more than 100 CVEs. Some of these solutions are published in top-tier security conferences such as IEEE S&P and USENIX Security.
Organizers:
- Intrinsically Secure Architecture Laboratory, State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences
- CCF Technical Committee on Computer Architecture
- InForSec Academic Forum