Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Improving fuzzing performance by applying interval mutations

https://doi.org/10.15514/ISPRAS-2019-31(5)-5

Abstract

This paper presents a novel approach to generating effective inputs for fuzz testing. Most applications check the input format before performing their main computation. Such applications usually parse the service information of the input file to decide whether the file is supported; unsupported formats are discarded and the application finishes its execution immediately. For example, the service information of an ELF (Extensible Linking Format) file should start with the following bytes: "0x7f 'E' 'L' 'F'". If a file does not contain this sequence in its header section, it will not be treated as ELF. Effective fuzzing of an application with an input validation stage is therefore a relevant and important problem. Random changes to input files usually corrupt the service data, so the target application exits immediately without executing its main code, which makes the fuzzing process inefficient. To solve this problem, we have designed and implemented three special plugins for ISP-Fuzzer. The first plugin collects execution traces. The second plugin connects fragments of input data with the executed basic blocks of the target program. Based on that information we can determine the fragments of input data (critical fragments) which should not be mutated when generating new test cases. The third plugin implements interval mutations: it mutates the input file while skipping the critical fragments detected by the second plugin. Experimental results prove the effectiveness of the proposed method.
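The interval mutation described in the abstract can be illustrated with a small mutator that takes the critical fragments as byte ranges and only changes bytes outside them. The code below is an added example, not ISP-Fuzzer's own plugin code; the critical intervals are assumed to be supplied by some trace-based analysis (here hard-coded for a constructed input whose first four bytes are the ELF magic), and all function names are the example's own.

```python
import random
from typing import Iterable, List, Tuple

# Half-open [start, end) byte offsets that must not be mutated.
Interval = Tuple[int, int]

# The ELF magic named in the abstract: 0x7f 'E' 'L' 'F'.
ELF_MAGIC = b"\x7fELF"


def merge_intervals(intervals: Iterable[Interval]) -> List[Interval]:
    """Sort critical intervals and merge any that overlap or touch."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def mutable_offsets(length: int, critical: Iterable[Interval]) -> List[int]:
    """Offsets of an input of the given length that lie outside every critical interval."""
    offsets: List[int] = []
    cursor = 0
    for start, end in merge_intervals(critical):
        offsets.extend(range(cursor, min(start, length)))
        cursor = max(cursor, end)
    offsets.extend(range(cursor, length))
    return offsets


def interval_mutate(data: bytes, critical: Iterable[Interval],
                    n_mutations: int, seed: int = 0) -> bytes:
    """Return a copy of data with up to n_mutations bytes changed, never inside a critical interval."""
    rng = random.Random(seed)
    candidates = mutable_offsets(len(data), critical)
    if not candidates:
        # Everything is critical: nothing can be mutated safely.
        return bytes(data)
    out = bytearray(data)
    # Sample distinct offsets so each mutation lands on a different byte.
    for off in rng.sample(candidates, min(n_mutations, len(candidates))):
        # Add a non-zero delta so the byte is guaranteed to differ from the original.
        out[off] = (out[off] + rng.randrange(1, 256)) % 256
    return bytes(out)


def preserves_critical(original: bytes, mutated: bytes, critical: Iterable[Interval]) -> bool:
    """Check that the mutated input kept every critical fragment byte-for-byte."""
    if len(original) != len(mutated):
        return False
    return all(original[s:e] == mutated[s:e] for s, e in merge_intervals(critical))


def demo() -> Tuple[bytes, bytes]:
    # Constructed input: ELF magic followed by filler the validator never inspects.
    sample = ELF_MAGIC + bytes(range(60))
    critical = [(0, len(ELF_MAGIC))]  # assumed to come from the trace-based analysis
    mutated = interval_mutate(sample, critical, n_mutations=8, seed=42)
    return sample, mutated


if __name__ == "__main__":
    orig, mut = demo()
    print("magic preserved:", mut[:4] == ELF_MAGIC)
    print("bytes changed:", sum(a != b for a, b in zip(orig, mut)))
```

Because the mutator samples offsets without replacement and always applies a non-zero delta, every requested mutation produces a visible change outside the protected ranges, so the generated file still passes the magic check and reaches the parsing code the fuzzer is actually trying to exercise.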


About the Authors

Sevak Sargsyan
Russian-Armenian University
Armenia
Researcher, lecturer, head of department, Ph.D in physical and mathematical sciences


Jivan Hakobyan
Russian-Armenian University
Armenia
Researcher, lecturer, PhD student


Hovhannes Movsisyan
Russian-Armenian University
Armenia
Researcher, master


Matevos Mehrabyan
Russian-Armenian University
Armenia
Researcher, master


Vahagn Sirunyan
Russian-Armenian University
Armenia
Researcher, bachelor


Shamil Kurmangaleev
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation
Senior researcher, Ph.D in physical and mathematical sciences



For citations:


Sargsyan S., Hakobyan J., Movsisyan H., Mehrabyan M., Sirunyan V., Kurmangaleev Sh. Improving fuzzing performance by applying interval mutations. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2019;31(5):78-88. https://doi.org/10.15514/ISPRAS-2019-31(5)-5



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)