Hybrid fuzzing, which combines fuzzing and concolic execution, is promising in light of the recent performance improvements in concolic engines. We have observed that there is room for further improvement: symbolic emulation is still slow, unnecessary constraints dominate solving time, resources are overly allocated, and hard-to-trigger bugs are missed. To address these problems, we present a new hybrid fuzzer named Intriguer. The key idea of Intriguer is field-level constraint solving, which optimizes symbolic execution with field-level knowledge. Intriguer performs instruction-level taint analysis and records execution traces without data transfer instructions like mov. Intriguer then reduces the execution traces for tainted instructions that accessed a wide range of input bytes, and infers input fields to build field transition trees. With these optimizations, Intriguer can efficiently perform symbolic emulation for more relevant instructions and invoke a solver for complicated constraints only. Our evaluation results indicate that Intriguer outperforms the state-of-the-art fuzzers: Intriguer found all the bugs in the LAVA-M(5h) benchmark dataset for ground truth performance, and also discovered 43 new security bugs in seven real-world programs. We reported the bugs and received 23 new CVEs.
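A toy illustration of the field-level pipeline the abstract sketches (drop data-transfer instructions from the taint trace, collapse instructions that touch a wide range of input bytes, infer input fields from the remaining accesses, and send only the constraints that really need it to a solver). This is an added example, not Intriguer's code or the authors' algorithm: the trace record format, the width threshold, the flat per-field transition list standing in for a field transition tree, the "direct vs. solver" rule and the sample trace are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Field = Optional[Tuple[int, int]]   # (first_offset, last_offset); None = spans several fields


@dataclass
class TaintedInsn:
    """One record of an instruction-level taint trace (assumed format)."""
    pc: int
    mnemonic: str
    offsets: Set[int]            # input byte offsets that taint this instruction
    imm: Optional[int] = None    # immediate operand, e.g. the constant in cmp eax, 0x20


# Data-transfer instructions move taint around but never constrain it, so the
# trace can omit them (the abstract names mov as the typical case).
DATA_TRANSFER = {"mov", "movzx", "movsx", "lea", "push", "pop"}


def drop_data_transfer(trace: List[TaintedInsn]) -> List[TaintedInsn]:
    return [i for i in trace if i.mnemonic not in DATA_TRANSFER]


def reduce_trace(trace: List[TaintedInsn], max_width: int = 8) -> List[TaintedInsn]:
    """Collapse every pc that ever touches more than max_width input bytes
    (a checksum or strlen loop) into its single widest record, emitted where
    that pc first appeared; narrow records are kept unchanged."""
    wide = {i.pc for i in trace if len(i.offsets) > max_width}
    widest: Dict[int, TaintedInsn] = {}
    for i in trace:
        if i.pc in wide and (i.pc not in widest or len(i.offsets) > len(widest[i.pc].offsets)):
            widest[i.pc] = i
    out, emitted = [], set()
    for i in trace:
        if i.pc not in wide:
            out.append(i)
        elif i.pc not in emitted:
            out.append(widest[i.pc])
            emitted.add(i.pc)
    return out


def infer_fields(trace: List[TaintedInsn], max_width: int = 8) -> List[Tuple[int, int]]:
    """Merge the byte ranges of narrow accesses into fields. Only overlapping
    ranges merge; adjacent ranges stay separate fields (a 4-byte magic followed
    by a 2-byte length must not become one 6-byte field)."""
    ranges = sorted((min(i.offsets), max(i.offsets))
                    for i in trace if len(i.offsets) <= max_width)
    fields: List[Tuple[int, int]] = []
    for lo, hi in ranges:
        if fields and lo <= fields[-1][1]:
            fields[-1] = (fields[-1][0], max(fields[-1][1], hi))
        else:
            fields.append((lo, hi))
    return fields


def field_of(offsets: Set[int], fields: List[Tuple[int, int]]) -> Field:
    lo, hi = min(offsets), max(offsets)
    return next((f for f in fields if f[0] <= lo and hi <= f[1]), None)


def build_transitions(trace, fields) -> Dict[Field, List[Tuple[int, str, Optional[int]]]]:
    """Per field (None for accesses spanning several fields), the ordered list of
    instructions that consumed it: a flat stand-in for a field transition tree."""
    trans: Dict[Field, List[Tuple[int, str, Optional[int]]]] = {}
    for i in trace:
        trans.setdefault(field_of(i.offsets, fields), []).append((i.pc, i.mnemonic, i.imm))
    return trans


def plan_constraints(trans) -> Dict[Field, List[Tuple[str, int, Optional[int]]]]:
    """A cmp against an immediate that is the first operation on its field is
    satisfied by writing the immediate into the field ("direct"); a cmp reached
    through arithmetic, without an immediate, or over many fields goes to the solver."""
    plan: Dict[Field, List[Tuple[str, int, Optional[int]]]] = {}
    for f, ops in trans.items():
        transformed = f is None          # multi-field accesses are never "direct"
        for pc, mnemonic, imm in ops:
            if mnemonic == "cmp":
                kind = "direct" if imm is not None and not transformed else "solver"
                plan.setdefault(f, []).append((kind, pc, imm))
            else:
                transformed = True
    return plan


def analyse(trace: List[TaintedInsn], max_width: int = 8):
    reduced = reduce_trace(drop_data_transfer(trace), max_width)
    fields = infer_fields(reduced, max_width)
    return fields, plan_constraints(build_transitions(reduced, fields))


# Constructed sample trace (not from the paper): a 16-byte input with a 4-byte
# magic, a 2-byte length adjusted before its bounds check, a flag byte at 6, and
# a checksum loop whose accumulator picks up one more tainted byte per iteration.
SAMPLE_TRACE = [
    TaintedInsn(0x401000, "mov", {0, 1, 2, 3}),
    TaintedInsn(0x401004, "cmp", {0, 1, 2, 3}, imm=0x46554C46),
    TaintedInsn(0x401010, "movzx", {4, 5}),
    TaintedInsn(0x401014, "add", {4, 5}),
    TaintedInsn(0x401018, "cmp", {4, 5}, imm=0x20),
    *[TaintedInsn(0x401030, "xor", set(range(k + 1))) for k in range(16)],
    TaintedInsn(0x401040, "cmp", set(range(16))),
    TaintedInsn(0x401050, "cmp", {6}, imm=0x01),
]

if __name__ == "__main__":
    fields, plan = analyse(SAMPLE_TRACE)
    print("fields:", fields)
    for f, constraints in plan.items():
        print(f, constraints)
```

On the sample, the 23-record trace shrinks to 6 records, the fields come out as (0,3), (4,5) and (6,6), the magic and flag comparisons are marked "direct", and only the length check (it passes through an add) and the checksum comparison (it spans every input byte) are handed to the solver. Which threshold and merge rule to use is exactly the kind of choice the abstract's "field-level knowledge" has to get right; a loop over the whole input that is not collapsed would smear every field into one.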
| Field | Value |
|---|---|
| Title of host publication | CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security |
| Publisher | Association for Computing Machinery |
| Number of pages | 16 |
| Publication status | Published - 2019 Nov 6 |
| Event | 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 - London, United Kingdom (Duration: 2019 Nov 11 → 2019 Nov 15) |
| Name | Proceedings of the ACM Conference on Computer and Communications Security |
| Conference | 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 |
| Period | 19/11/11 → 19/11/15 |
Bibliographical note (Funding Information):
We thank the anonymous reviewers and our shepherd Andrew Ruef for helpful comments and suggestions on this work. This research was supported in part by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00513, Machine Learning Based Automation of Vulnerability Detection on Unix-based Kernel).
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications