Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing

Arvind S. Raj; Wil Gibbs; Fangzhou Dong; Jayakrishna Menon Vadayath; Michael Tompkins; Steven Wirsz; Yibo Liu; Zhenghao Hu; Chang Zhu; Gokulkrishna Praveen Menon; Brendan Dolan-Gavitt; Adam Doupé; Ruoyu Wang; Yan Shoshitaishvili; Tiffany Bao

doi:10.1145/3658644.3690278

Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing

Arvind S. Raj, Wil Gibbs, Fangzhou Dong, Jayakrishna Menon Vadayath, Michael Tompkins, Steven Wirsz, Yibo Liu, Zhenghao Hu, Chang Zhu, Gokulkrishna Praveen Menon, Brendan Dolan-Gavitt, Adam Doupé, Ruoyu Wang, Yan Shoshitaishvili, Tiffany Bao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The security landscape of software systems has witnessed considerable advancements through dynamic testing methodologies, especially fuzzing. Traditionally, fuzzing involves a sequential, cyclic process where software is tested to identify crashes. These crashes are then triaged and patched, leading to subsequent cycles that uncover further vulnerabilities. While effective, this method is not efficient as each cycle potentially reveals new issues previously obscured by earlier crashes, thus resulting in vulnerabilities being discovered sequentially. In this paper, we present a solution to identify occluded future vulnerabilities — vulnerabilities that are hard or impossible to trigger due to current vulnerabilities occluding the triggering path. We introduce robust fuzzing, a novel technique that enables fuzzers probe beyond the immediate crash location and uncover new vulnerabilities or variants of known ones. We implemented robust fuzzing in FlakJack, a pioneering fuzzing add-on that leverages binary patching to proactively identify occluded future vulnerabilities hidden behind current crashes. By enabling fuzzers to bypass immediate crash points and delve deeper into the software, FlakJack not only accelerates the vulnerability discovery process but also significantly enhances the efficacy of software testing. With the help of FlakJack, we found 28 new vulnerabilities in projects that have been extensively tested through the OSS-Fuzz project. This approach promises a transformative shift in how vulnerabilities are identified and managed, aiming to shorten the time span of vulnerability discovery over the long term.

Original language	English (US)
Title of host publication	CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	3719-3733
Number of pages	15
ISBN (Electronic)	9798400706363
DOIs	https://doi.org/10.1145/3658644.3690278
State	Published - Dec 9 2024
Event	31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024 - Salt Lake City, United States Duration: Oct 14 2024 → Oct 18 2024

Publication series

Name	CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference	31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024
Country/Territory	United States
City	Salt Lake City
Period	10/14/24 → 10/18/24

Keywords

Binary Analysis
Fuzzing
Software Security

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications
Software

Access to Document

10.1145/3658644.3690278

Cite this

Raj, A. S., Gibbs, W., Dong, F., Vadayath, J. M., Tompkins, M., Wirsz, S., Liu, Y., Hu, Z., Zhu, C., Menon, G. P., Dolan-Gavitt, B., Doupé, A., Wang, R., Shoshitaishvili, Y., & Bao, T. (2024). Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing. In CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (pp. 3719-3733). (CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3658644.3690278

Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing. / Raj, Arvind S.; Gibbs, Wil; Dong, Fangzhou et al.
CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2024. p. 3719-3733 (CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Raj, AS, Gibbs, W, Dong, F, Vadayath, JM, Tompkins, M, Wirsz, S, Liu, Y, Hu, Z, Zhu, C, Menon, GP, Dolan-Gavitt, B, Doupé, A, Wang, R, Shoshitaishvili, Y & Bao, T 2024, Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing. in CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 3719-3733, 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024, Salt Lake City, United States, 10/14/24. https://doi.org/10.1145/3658644.3690278

Raj AS, Gibbs W, Dong F, Vadayath JM, Tompkins M, Wirsz S et al. Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing. In CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2024. p. 3719-3733. (CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security). doi: 10.1145/3658644.3690278

Raj, Arvind S. ; Gibbs, Wil ; Dong, Fangzhou et al. / Fuzz to the Future : Uncovering Occluded Future Vulnerabilities via Robust Fuzzing. CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2024. pp. 3719-3733 (CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security).

@inproceedings{41d46dc5164f45a39713b6d3138346d7,

title = "Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing",

abstract = "The security landscape of software systems has witnessed considerable advancements through dynamic testing methodologies, especially fuzzing. Traditionally, fuzzing involves a sequential, cyclic process where software is tested to identify crashes. These crashes are then triaged and patched, leading to subsequent cycles that uncover further vulnerabilities. While effective, this method is not efficient as each cycle potentially reveals new issues previously obscured by earlier crashes, thus resulting in vulnerabilities being discovered sequentially. In this paper, we present a solution to identify occluded future vulnerabilities — vulnerabilities that are hard or impossible to trigger due to current vulnerabilities occluding the triggering path. We introduce robust fuzzing, a novel technique that enables fuzzers probe beyond the immediate crash location and uncover new vulnerabilities or variants of known ones. We implemented robust fuzzing in FlakJack, a pioneering fuzzing add-on that leverages binary patching to proactively identify occluded future vulnerabilities hidden behind current crashes. By enabling fuzzers to bypass immediate crash points and delve deeper into the software, FlakJack not only accelerates the vulnerability discovery process but also significantly enhances the efficacy of software testing. With the help of FlakJack, we found 28 new vulnerabilities in projects that have been extensively tested through the OSS-Fuzz project. This approach promises a transformative shift in how vulnerabilities are identified and managed, aiming to shorten the time span of vulnerability discovery over the long term.",

keywords = "Binary Analysis, Fuzzing, Software Security",

author = "Raj, {Arvind S.} and Wil Gibbs and Fangzhou Dong and Vadayath, {Jayakrishna Menon} and Michael Tompkins and Steven Wirsz and Yibo Liu and Zhenghao Hu and Chang Zhu and Menon, {Gokulkrishna Praveen} and Brendan Dolan-Gavitt and Adam Doup{\'e} and Ruoyu Wang and Yan Shoshitaishvili and Tiffany Bao",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s).; 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024 ; Conference date: 14-10-2024 Through 18-10-2024",

year = "2024",

month = dec,

day = "9",

doi = "10.1145/3658644.3690278",

language = "English (US)",

series = "CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "3719--3733",

booktitle = "CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - Fuzz to the Future

T2 - 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024

AU - Raj, Arvind S.

AU - Gibbs, Wil

AU - Dong, Fangzhou

AU - Vadayath, Jayakrishna Menon

AU - Tompkins, Michael

AU - Wirsz, Steven

AU - Liu, Yibo

AU - Hu, Zhenghao

AU - Zhu, Chang

AU - Menon, Gokulkrishna Praveen

AU - Dolan-Gavitt, Brendan

AU - Doupé, Adam

AU - Wang, Ruoyu

AU - Shoshitaishvili, Yan

AU - Bao, Tiffany

PY - 2024/12/9

Y1 - 2024/12/9

N2 - The security landscape of software systems has witnessed considerable advancements through dynamic testing methodologies, especially fuzzing. Traditionally, fuzzing involves a sequential, cyclic process where software is tested to identify crashes. These crashes are then triaged and patched, leading to subsequent cycles that uncover further vulnerabilities. While effective, this method is not efficient as each cycle potentially reveals new issues previously obscured by earlier crashes, thus resulting in vulnerabilities being discovered sequentially. In this paper, we present a solution to identify occluded future vulnerabilities — vulnerabilities that are hard or impossible to trigger due to current vulnerabilities occluding the triggering path. We introduce robust fuzzing, a novel technique that enables fuzzers probe beyond the immediate crash location and uncover new vulnerabilities or variants of known ones. We implemented robust fuzzing in FlakJack, a pioneering fuzzing add-on that leverages binary patching to proactively identify occluded future vulnerabilities hidden behind current crashes. By enabling fuzzers to bypass immediate crash points and delve deeper into the software, FlakJack not only accelerates the vulnerability discovery process but also significantly enhances the efficacy of software testing. With the help of FlakJack, we found 28 new vulnerabilities in projects that have been extensively tested through the OSS-Fuzz project. This approach promises a transformative shift in how vulnerabilities are identified and managed, aiming to shorten the time span of vulnerability discovery over the long term.

AB - The security landscape of software systems has witnessed considerable advancements through dynamic testing methodologies, especially fuzzing. Traditionally, fuzzing involves a sequential, cyclic process where software is tested to identify crashes. These crashes are then triaged and patched, leading to subsequent cycles that uncover further vulnerabilities. While effective, this method is not efficient as each cycle potentially reveals new issues previously obscured by earlier crashes, thus resulting in vulnerabilities being discovered sequentially. In this paper, we present a solution to identify occluded future vulnerabilities — vulnerabilities that are hard or impossible to trigger due to current vulnerabilities occluding the triggering path. We introduce robust fuzzing, a novel technique that enables fuzzers probe beyond the immediate crash location and uncover new vulnerabilities or variants of known ones. We implemented robust fuzzing in FlakJack, a pioneering fuzzing add-on that leverages binary patching to proactively identify occluded future vulnerabilities hidden behind current crashes. By enabling fuzzers to bypass immediate crash points and delve deeper into the software, FlakJack not only accelerates the vulnerability discovery process but also significantly enhances the efficacy of software testing. With the help of FlakJack, we found 28 new vulnerabilities in projects that have been extensively tested through the OSS-Fuzz project. This approach promises a transformative shift in how vulnerabilities are identified and managed, aiming to shorten the time span of vulnerability discovery over the long term.

KW - Binary Analysis

KW - Fuzzing

KW - Software Security

UR - http://www.scopus.com/inward/record.url?scp=85215522679&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85215522679&partnerID=8YFLogxK

U2 - 10.1145/3658644.3690278

DO - 10.1145/3658644.3690278

M3 - Conference contribution

AN - SCOPUS:85215522679

T3 - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security

SP - 3719

EP - 3733

BT - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

Y2 - 14 October 2024 through 18 October 2024

ER -

Fuzz to the Future: Uncovering Occluded Future Vulnerabilities via Robust Fuzzing

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this