
Static Program Analysis as a Fuzzing Aid

Conference paper, Research in Attacks, Intrusions, and Defenses (RAID 2017)

Abstract

Fuzz testing is an effective and scalable technique to perform software security assessments. Yet, contemporary fuzzers fall short of thoroughly testing applications with a high degree of control-flow diversity, such as firewalls and network packet analyzers. In this paper, we demonstrate how static program analysis can guide fuzzing by augmenting existing program models maintained by the fuzzer. Based on the insight that code patterns reflect the data format of inputs processed by a program, we automatically construct an input dictionary by statically analyzing program control and data flow. Our analysis is performed before fuzzing commences, and the input dictionary is supplied to an off-the-shelf fuzzer to influence input generation. Evaluations show that our technique not only increases test coverage by 10–15% over baseline fuzzers such as afl but also reduces the time required to expose vulnerabilities by up to an order of magnitude. As a case study, we have evaluated our approach on two classes of network applications: nDPI, a deep packet inspection library, and tcpdump, a network packet analyzer. Using our approach, we have uncovered 15 zero-day vulnerabilities in the evaluated software that were not found by stand-alone fuzzers. Our work not only provides a practical method to conduct security evaluations more effectively but also demonstrates that the synergy between program analysis and testing can be exploited for a better outcome.
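To make the abstract's central idea concrete, here is an added illustration, not the paper's tool (which derives its dictionary from Clang-based control- and data-flow analysis): a regex-based approximation that harvests the string and integer constants a C packet parser compares input against and writes them out in afl's dictionary syntax. The sample C source is constructed, and emitting multi-byte constants in network byte order is an assumption.

```python
import re

# Constructed sample in the style of a DPI dissector (illustrative only,
# not code from nDPI or tcpdump).
SAMPLE_C = r'''
int dissect(const uint8_t *pkt, size_t len) {
    if (len < 4) return -1;
    if (memcmp(pkt, "BitTorrent", 10) == 0) return 1;
    if (strncmp((const char *)pkt, "GET ", 4) == 0) return 2;
    uint16_t ethertype = (pkt[0] << 8) | pkt[1];
    if (ethertype == 0x0800) return 3;
    if (pkt[2] == 0x45) return 4;
    return 0;
}
'''

# Argument lists of comparison routines (to end of statement) and the
# string literals inside them; integer constants on the right of '=='.
STR_CMP_RE = re.compile(r'\b(?:memcmp|strn?cmp|strn?casecmp)\s*\(([^;]*)')
STR_LIT_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
INT_CMP_RE = re.compile(r'==\s*(0[xX][0-9a-fA-F]+|\d+)\b')

def _int_to_bytes(value):
    # Assumption: multi-byte constants are emitted in network byte order,
    # the layout a packet parser compares header fields against.
    width = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(width, "big")

def build_afl_dictionary(c_source):
    """Return {token_name: bytes} for format constants found in C source."""
    tokens = {}
    for m in STR_CMP_RE.finditer(c_source):
        for lit in STR_LIT_RE.findall(m.group(1)):
            raw = lit.encode("latin-1").decode("unicode_escape").encode("latin-1")
            tokens[f"str_{len(tokens)}"] = raw
    for m in INT_CMP_RE.finditer(c_source):
        # '== 0' right after a call is a memcmp/strcmp return-value check,
        # not a format constant, so skip it.
        if c_source[:m.start()].rstrip().endswith(")"):
            continue
        tokens[f"int_{len(tokens)}"] = _int_to_bytes(int(m.group(1), 0))
    return tokens

def render(tokens):
    """Serialise in afl dictionary syntax: name="value", \\xNN for non-printables."""
    def esc(b):
        return "".join(chr(c) if 0x20 <= c < 0x7f and c not in (0x22, 0x5c)
                       else f"\\x{c:02x}" for c in b)
    return "\n".join(f'{name}="{esc(val)}"' for name, val in tokens.items())
```

Writing `render(build_afl_dictionary(src))` to a file and passing it to afl-fuzz with `-x` is how the resulting dictionary influences input generation.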


Notes

  1. Ethical Considerations: Vulnerabilities found during our case studies have been responsibly disclosed to the concerned vendors who have subsequently patched them.


Acknowledgements

We would like to thank Julian Fietkau for helping customize the Peach fuzzer for our experiments. This work was supported by the following awards and grants: Bundesministerium für Bildung und Forschung (BMBF) under Award No. KIS1DSD032 (Project Enzevalos), Leibniz Prize project by the German Research Foundation (DFG) under Award No. FKZ FE 570/4-1, the Helmholtz Research School in Security Technologies scholarship, and the Danish Villum project ReNet. The opinions, views, and conclusions contained herein are those of the author(s) and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of BMBF, DFG, or any other funding body involved.

Author information

Corresponding author: Bhargava Shastry

Electronic supplementary material

Supplementary material 1 (txt, 1 KB)

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Shastry, B. et al. (2017). Static Program Analysis as a Fuzzing Aid. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_2

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_2
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-66331-9
  • Online ISBN: 978-3-319-66332-6
  • eBook Packages: Computer Science (R0)