Abstract |
---|
Taint-style vulnerabilities comprise a majority of fuzzer-discovered program faults. These vulnerabilities usually manifest as memory access violations caused by tainted program input. Although fuzzers have helped uncover a majority of taint-style vulnerabilities in software to date, they are limited by (i) the extent of test coverage and (ii) the availability of fuzzable test cases. Therefore, fuzzing alone cannot provide high assurance that all taint-style vulnerabilities have been uncovered. In this paper, we use static template matching to find recurrences of fuzzer-discovered vulnerabilities. To compensate for the inherent incompleteness of template matching, we implement a simple yet effective match-ranking algorithm that uses test coverage data to focus attention on matches comprising untested code. We prototype our approach using the Clang/LLVM compiler toolchain and use it in conjunction with afl-fuzz, a modern coverage-guided fuzzer. Using a case study carried out on the Open vSwitch codebase, we show that our prototype uncovers corner cases in modules that lack a fuzzable test harness. Our work demonstrates that static analysis can effectively complement fuzz testing, and is a useful addition to the security assessment tool-set. Furthermore, our techniques hold promise for increasing the effectiveness of program analysis and testing, and serve as a building block for a hybrid vulnerability discovery framework. |
Year | Venue | DocType | Volume | Citations | PageRank | References | Authors |
---|---|---|---|---|---|---|---|
2017 | WOOT | Conference | abs/1706.00206 | 0 | 0.34 | 12 | 5 |
Name | Order | Citations | PageRank |
---|---|---|---|
Bhargava Shastry | 1 | 238 | 16.64 |
Federico Maggi | 2 | 524 | 37.68 |
Fabian Yamaguchi | 3 | 346 | 15.79 |
Konrad Rieck | 4 | 1585 | 85.84 |
Jean-Pierre Seifert | 5 | 1946 | 160.31 |