Name
Abstract | ||
|---|---|---|
ABSTRACTThe popularity of coverage-guided greybox fuzzers has led to a tsunami of security-critical bugs that developers must prioritize and fix. Knowing the capabilities a bug exposes (e.g., type of vulnerability, number of bytes read/written) enables prioritization of bug fixes. Unfortunately, understanding a bug's capabilities is a time consuming process, requiring (a) an understanding of the bug's root cause, (b) an understanding how an attacker may exploit the bug, and (c) the development of a patch mitigating these threats. This is a mostly-manual process that is qualitative and arbitrary, potentially leading to a misunderstanding of the bug's capabilities. Evocatio automatically discovers a bug's capabilities. Evocatio analyzes a crashing test case (i.e., an input exposing a bug) to understand the full extent of how an attacker can exploit a bug. Evocatio leverages a capability-guided fuzzer to efficiently uncover new bug capabilities (rather than only generating a single crashing test case for a given bug, as a traditional greybox fuzzer does). We evaluate Evocatio on 38 bugs (34 CVEs and four bug reports) across eight open-source applications. From these bugs, Evocatio: (i) discovered 10× more capabilities (that is, the number of unique capabilities induced by a set of crashes was 10× higher) than AFL++'s crash exploration mode; (ii) converted 19 of the 38 bugs to new bug types (demonstrating the limitations of manual qualitative analysis); and (iii) generated new proof-of-concept (PoC) test cases violating patches for 7 out of 16 tested CVEs, one of which still triggers in the latest version of the software. |
Year | DOI | Venue |
|---|---|---|
2022 | 10.1145/3548606.3560575 | Computer and Communications Security |
DocType | Citations | PageRank |
Conference | 0 | 0.34 |
References | Authors | |
0 | 9 | |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Zhiyuan Jiang | 1 | 0 | 1.01 |
| Shuitao Gan | 2 | 0 | 1.35 |
| Adrian Herrera | 3 | 6 | 1.52 |
| Flavio Toffalini | 4 | 9 | 4.23 |
| Lucio Romerio | 5 | 0 | 0.34 |
| Chaojing Tang | 6 | 29 | 15.21 |
| Manuel Egele | 7 | 1613 | 102.07 |
| Chao Zhang | 8 | 423 | 38.17 |
| Mathias Payer | 9 | 0 | 0.34 |