Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference
Valentin Manès1, Soomin Kim2, Sang Kil Cha2
1CSRC, KAIST 2KAIST
The Success of Grey-box Fuzzing
“OSS-Fuzz has found over 20,000 bugs in 300 open source projects.”
github.com/mrash/afl-cve -> Many CVEs
$$$$
[Diagram: the Fuzzer picks a Test Case from the Seed Pool (Test Case A, Test Case B, Test Case C), runs it on the Program, and observes the Test Case Output.]
Fitness Function: if("interesting"): Add to seed pool
[Figure: feedback kinds ordered by Cost, from cheap to expensive: stdout/stderr, Branch Coverage, Branch Hit Count, Taint Analysis, ...]
Coverage has proved a good tradeoff between cost and benefits.
Ankou: Opportunity to improve?
Test Case   A      B      C      D
Value       "A"    "BB"   "AB"   "ABC"
Branch 1    X             X      X
Branch 2           X      X      X
Branch 3                         X
[Figure: with the coverage-based fitness function the Fuzzer's Seed Pool ends up holding Test Case A ("A"), Test Case B ("BB") and Test Case D ("ABC"); Test Case C ("AB") hits Branch 1 and Branch 2, which are already covered, so it is never added even though it is the combination that leads to Branch 3.]
Program (Test Case -> Outputs):

    #include <stdio.h>

    /* Branch 3 is only reachable when all three earlier branches are taken
       together; each branch alone adds no new coverage. */
    int combinedBranches(char *data) {
        int bits = 0;
        if (data[0] == 'A') bits |= 1;
        if (data[1] == 'B') bits |= 2;
        if (data[2] == 'C') bits |= 4;
        if (bits == 7) printf("BINGO\n");
        return 0;
    }
Fitness Function: if(new branch): Add to seed pool
A more informative Fitness Function is needed!
Ankou goal: developing a fitness function taking into account combinations.
[Figure: scatter plot of test cases in branch-hit-count space, Branch 1 hit count on the x axis and Branch 2 hit count on the y axis.]
Euclidean Distance
[Figure: the same plot with the Euclidean distance drawn between two test cases.]
Detects Combinatorial Difference!
[Figure: the seed pool plotted as points in the same plane.] Seed Pool ? Point-to-Pool ?
Point-to-Pool = Minimum Point-to-Point
[Figure: a larger Seed Pool in the same plane, with hit counts ranging up to about 35.]
The fitness function is computed for every test case.
Euclidean Distance = O(#branch)
Euclidean Distance = O(#"representative branch")
Dimensionality Reduction
See paper for details on the Dynamic PCA.
Coverage-based fitness function:
    if(new branch):
        Add test to seed pool

Ankou fitness function:
    if(new branch):
    if(Point-to-Pool distance ??):
        Add test to seed pool
[Figure: Seed Pool in the Branch 1 / Branch 2 hit-count plane, with the threshold 𝜄_min marked.]

Ankou fitness function:
    if(new branch):
    if(Point-to-Pool distance > 𝜄_min):
        Add test to seed pool

𝜄_min <- Minimum inter-seed distance
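As an added illustration (not code from the Ankou paper or its implementation), the following Python models the Point-to-Pool rule and the 𝜄_min threshold from the slides above on constructed branch hit-count vectors, and contrasts it with the coverage-only rule. It assumes the two conditions on the slide are alternatives (a new branch or a large enough distance suffices) and that 𝜄_min is recomputed from the current pool.

```python
import math
from typing import Dict, List

Vec = List[int]  # branch hit-count vector: one counter per branch

def euclid(a: Vec, b: Vec) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def point_to_pool(v: Vec, pool: List[Vec]) -> float:
    """Point-to-Pool distance = minimum Point-to-Point distance to any seed."""
    return min(euclid(v, s) for s in pool)

def min_inter_seed(pool: List[Vec]) -> float:
    """Threshold: the minimum distance between any two seeds already in the pool."""
    return min(euclid(pool[i], pool[j])
               for i in range(len(pool)) for j in range(i + 1, len(pool)))

def has_new_branch(v: Vec, pool: List[Vec]) -> bool:
    """Coverage-based fitness: does v hit a branch no seed has hit before?"""
    return any(v[i] > 0 and all(s[i] == 0 for s in pool) for i in range(len(v)))

def ankou_fitness(v: Vec, pool: List[Vec]) -> bool:
    # Assumption: the slide's two conditions are alternatives, so a test with
    # no new branch is still kept when it lies far from every existing seed.
    return has_new_branch(v, pool) or point_to_pool(v, pool) > min_inter_seed(pool)

def run(candidates: List[Vec], seeds: List[Vec]) -> Dict[str, List[bool]]:
    """Feed candidates in order to both fitness functions; each grows its own pool."""
    decisions: Dict[str, List[bool]] = {"coverage": [], "ankou": []}
    pools = {"coverage": list(seeds), "ankou": list(seeds)}
    for v in candidates:
        for name, fit in (("coverage", has_new_branch), ("ankou", ankou_fitness)):
            keep = fit(v, pools[name])
            decisions[name].append(keep)
            if keep:
                pools[name].append(v)
    return decisions

# Constructed sample data (not from the paper): hit counts for Branch 1..3.
SEED_POOL = [[1, 1, 0], [6, 1, 0]]
CANDIDATES = [
    [2, 1, 0],  # close to a seed: neither function keeps it
    [1, 7, 0],  # no new branch, but far from the pool: only Ankou keeps it
    [3, 4, 0],  # no new branch and within threshold of the grown pool
    [1, 1, 1],  # first hit of Branch 3: both keep it
]

if __name__ == "__main__":
    for name, kept in run(CANDIDATES, SEED_POOL).items():
        print(name, kept)
```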
[Figure: per-subject ratios on a log scale (0.25, 1.00, 4.00): # Crashes ratio and Throughput ratio of the distance-based fitness function against the baseline.]
Distance-based finds 44% more crashes.
[Figure: per-subject Crash ratio and Coverage ratio on a log scale (0.01 to 100): # Crashes and Coverage of Ankou against the baseline.]
Ankou finds 41% more unique crashes.
[Figure: per-subject Throughput ratio on a log scale (0.1, 1.0, 10.0) of Ankou against AFL.]
Ankou is 35% slower than AFL.
difference while being fast and adaptive to programs.