Evaluating Synthetic Bugs

Joshua Bundt; Andrew Fasano; Brendan Dolan-Gavitt; William Robertson; Tim Leek

doi:10.1145/3433210.3453096

Evaluating Synthetic Bugs

Joshua Bundt, Andrew Fasano, Brendan Dolan-Gavitt, William Robertson, Tim Leek

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Fuzz testing has been used to find bugs in programs since the 1990s, but despite decades of dedicated research, there is still no consensus on which fuzzing techniques work best. One reason for this is the paucity of ground truth: bugs in real programs with known root causes and triggering inputs are difficult to collect at a meaningful scale. Bug injection technologies that add synthetic bugs into real programs seem to offer a solution, but the differences in finding these synthetic bugs versus organic bugs have not previously been explored at a large scale. Using over 80 years of CPU time, we ran eight fuzzers across 20 targets from the Rode0day bug-finding competition and the LAVA-M corpus. Experiments were standardized with respect to compute resources and metrics gathered. These experiments show differences in fuzzer performance as well as the impact of various configuration options. For instance, it is clear that integrating symbolic execution with mutational fuzzing is very effective and that using dictionaries improves performance. Other conclusions are less clear-cut; for example, no one fuzzer beat all others on all tests. It is noteworthy that no fuzzer found any organic bugs (i.e., one reported in a CVE), despite 50 such bugs being available for discovery in the fuzzing corpus. A close analysis of results revealed a possible explanation: a dramatic difference between where synthetic and organic bugs live with respect to the "main path"discovered by fuzzers. We find that recent updates to bug injection systems have made synthetic bugs more difficult to discover, but they are still significantly easier to find than organic bugs in our target programs. Finally, this study identifies flaws in bug injection techniques and suggests a number of axes along which synthetic bugs should be improved.

Original language	English (US)
Title of host publication	ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	716-730
Number of pages	15
ISBN (Electronic)	9781450382878
DOIs	https://doi.org/10.1145/3433210.3453096
State	Published - May 24 2021
Event	16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 - Virtual, Online, Hong Kong Duration: Jun 7 2021 → Jun 11 2021

Publication series

Name	ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Conference

Conference	16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021
Country/Territory	Hong Kong
City	Virtual, Online
Period	6/7/21 → 6/11/21

Keywords

evaluation
fuzzing
synthetic bugs

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications
Information Systems
Software

Access to Document

10.1145/3433210.3453096

Cite this

Bundt, J., Fasano, A., Dolan-Gavitt, B., Robertson, W., & Leek, T. (2021). Evaluating Synthetic Bugs. In ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (pp. 716-730). (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3433210.3453096

Evaluating Synthetic Bugs. / Bundt, Joshua; Fasano, Andrew; Dolan-Gavitt, Brendan et al.

ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2021. p. 716-730 (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bundt, J, Fasano, A, Dolan-Gavitt, B, Robertson, W & Leek, T 2021, Evaluating Synthetic Bugs. in ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 716-730, 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021, Virtual, Online, Hong Kong, 6/7/21. https://doi.org/10.1145/3433210.3453096

Bundt J, Fasano A, Dolan-Gavitt B, Robertson W, Leek T. Evaluating Synthetic Bugs. In ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2021. p. 716-730. (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security). doi: 10.1145/3433210.3453096

@inproceedings{9764dd8a75b6495a8babe4c297a5d85c,

title = "Evaluating Synthetic Bugs",

abstract = "Fuzz testing has been used to find bugs in programs since the 1990s, but despite decades of dedicated research, there is still no consensus on which fuzzing techniques work best. One reason for this is the paucity of ground truth: bugs in real programs with known root causes and triggering inputs are difficult to collect at a meaningful scale. Bug injection technologies that add synthetic bugs into real programs seem to offer a solution, but the differences in finding these synthetic bugs versus organic bugs have not previously been explored at a large scale. Using over 80 years of CPU time, we ran eight fuzzers across 20 targets from the Rode0day bug-finding competition and the LAVA-M corpus. Experiments were standardized with respect to compute resources and metrics gathered. These experiments show differences in fuzzer performance as well as the impact of various configuration options. For instance, it is clear that integrating symbolic execution with mutational fuzzing is very effective and that using dictionaries improves performance. Other conclusions are less clear-cut; for example, no one fuzzer beat all others on all tests. It is noteworthy that no fuzzer found any organic bugs (i.e., one reported in a CVE), despite 50 such bugs being available for discovery in the fuzzing corpus. A close analysis of results revealed a possible explanation: a dramatic difference between where synthetic and organic bugs live with respect to the {"}main path{"}discovered by fuzzers. We find that recent updates to bug injection systems have made synthetic bugs more difficult to discover, but they are still significantly easier to find than organic bugs in our target programs. Finally, this study identifies flaws in bug injection techniques and suggests a number of axes along which synthetic bugs should be improved.",

keywords = "evaluation, fuzzing, synthetic bugs",

author = "Joshua Bundt and Andrew Fasano and Brendan Dolan-Gavitt and William Robertson and Tim Leek",

note = "Funding Information: DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. This material is based upon work supported by the Department of Defense under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author?s? and do not necessarily reflect the views of the Department of Defense. Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 ?Feb 2014?. Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work. Funding Information: The authors would like to thank Northeastern University{\textquoteright}s Research Computing team, the MIT SuperCloud and Lincoln Laboratory Supercomputing Center and the Information Directorate{\textquoteright}s AFRL/RITB High Performance Systems Branch for providing HPC resources that contributed to the research reported within this paper. This material is based upon work supported by the National Science Foundation under Grant No. CNS-1916398. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author?s? and do not necessarily reflect the views of the National Science Foundation. This material is based upon work supported by the Office of Naval Research under Grant No. N00014-19-1-2364. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author?s? and do not necessarily reflect the views of the Office of Naval Research. Publisher Copyright: {\textcopyright} 2021 Owner/Author.; 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 ; Conference date: 07-06-2021 Through 11-06-2021",

year = "2021",

month = may,

day = "24",

doi = "10.1145/3433210.3453096",

language = "English (US)",

series = "ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "716--730",

booktitle = "ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security",

}

TY - GEN

T1 - Evaluating Synthetic Bugs

AU - Bundt, Joshua

AU - Fasano, Andrew

AU - Dolan-Gavitt, Brendan

AU - Robertson, William

AU - Leek, Tim

N1 - Funding Information: DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. This material is based upon work supported by the Department of Defense under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author?s? and do not necessarily reflect the views of the Department of Defense. Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 ?Feb 2014?. Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work. Funding Information: The authors would like to thank Northeastern University’s Research Computing team, the MIT SuperCloud and Lincoln Laboratory Supercomputing Center and the Information Directorate’s AFRL/RITB High Performance Systems Branch for providing HPC resources that contributed to the research reported within this paper. This material is based upon work supported by the National Science Foundation under Grant No. CNS-1916398. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author?s? and do not necessarily reflect the views of the National Science Foundation. This material is based upon work supported by the Office of Naval Research under Grant No. N00014-19-1-2364. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author?s? and do not necessarily reflect the views of the Office of Naval Research. Publisher Copyright: © 2021 Owner/Author.

PY - 2021/5/24

Y1 - 2021/5/24

N2 - Fuzz testing has been used to find bugs in programs since the 1990s, but despite decades of dedicated research, there is still no consensus on which fuzzing techniques work best. One reason for this is the paucity of ground truth: bugs in real programs with known root causes and triggering inputs are difficult to collect at a meaningful scale. Bug injection technologies that add synthetic bugs into real programs seem to offer a solution, but the differences in finding these synthetic bugs versus organic bugs have not previously been explored at a large scale. Using over 80 years of CPU time, we ran eight fuzzers across 20 targets from the Rode0day bug-finding competition and the LAVA-M corpus. Experiments were standardized with respect to compute resources and metrics gathered. These experiments show differences in fuzzer performance as well as the impact of various configuration options. For instance, it is clear that integrating symbolic execution with mutational fuzzing is very effective and that using dictionaries improves performance. Other conclusions are less clear-cut; for example, no one fuzzer beat all others on all tests. It is noteworthy that no fuzzer found any organic bugs (i.e., one reported in a CVE), despite 50 such bugs being available for discovery in the fuzzing corpus. A close analysis of results revealed a possible explanation: a dramatic difference between where synthetic and organic bugs live with respect to the "main path"discovered by fuzzers. We find that recent updates to bug injection systems have made synthetic bugs more difficult to discover, but they are still significantly easier to find than organic bugs in our target programs. Finally, this study identifies flaws in bug injection techniques and suggests a number of axes along which synthetic bugs should be improved.

AB - Fuzz testing has been used to find bugs in programs since the 1990s, but despite decades of dedicated research, there is still no consensus on which fuzzing techniques work best. One reason for this is the paucity of ground truth: bugs in real programs with known root causes and triggering inputs are difficult to collect at a meaningful scale. Bug injection technologies that add synthetic bugs into real programs seem to offer a solution, but the differences in finding these synthetic bugs versus organic bugs have not previously been explored at a large scale. Using over 80 years of CPU time, we ran eight fuzzers across 20 targets from the Rode0day bug-finding competition and the LAVA-M corpus. Experiments were standardized with respect to compute resources and metrics gathered. These experiments show differences in fuzzer performance as well as the impact of various configuration options. For instance, it is clear that integrating symbolic execution with mutational fuzzing is very effective and that using dictionaries improves performance. Other conclusions are less clear-cut; for example, no one fuzzer beat all others on all tests. It is noteworthy that no fuzzer found any organic bugs (i.e., one reported in a CVE), despite 50 such bugs being available for discovery in the fuzzing corpus. A close analysis of results revealed a possible explanation: a dramatic difference between where synthetic and organic bugs live with respect to the "main path"discovered by fuzzers. We find that recent updates to bug injection systems have made synthetic bugs more difficult to discover, but they are still significantly easier to find than organic bugs in our target programs. Finally, this study identifies flaws in bug injection techniques and suggests a number of axes along which synthetic bugs should be improved.

KW - evaluation

KW - fuzzing

KW - synthetic bugs

UR - http://www.scopus.com/inward/record.url?scp=85108068235&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85108068235&partnerID=8YFLogxK

U2 - 10.1145/3433210.3453096

DO - 10.1145/3433210.3453096

M3 - Conference contribution

AN - SCOPUS:85108068235

T3 - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

SP - 716

EP - 730

BT - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

T2 - 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021

Y2 - 7 June 2021 through 11 June 2021

ER -

Evaluating Synthetic Bugs

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this