Enhance Fuzz Testing with Static Program Analysis

PhD Thesis Proposal Defence


Title: "Enhance Fuzz Testing with Static Program Analysis"

by

Mr. Heqing HUANG


Abstract:

Vulnerabilities are prevalent and cause great financial and time losses 
nowadays. As one of the most effective ways to detect vulnerabilities, fuzzing 
has been widely applied and optimized in both academia and industry. 
Nonetheless, fuzzing is still deficient in detecting vulnerabilities hidden 
behind sophisticated program behaviors such as complex path conditions and deep 
calling contexts. Moreover, along with the growing size of software programs, 
sieving through a specific vulnerability is like finding a needle in a 
haystack. In this thesis, we demonstrate our novel designs of fuzzing 
frameworks assisted by static analysis, which interprets program behavior to 
direct fuzzing toward vulnerabilities more effectively. The proposed approach 
has been successfully deployed in the development environment of Huawei, one 
of the biggest companies in the world, and has been recognized for detecting 
thousands of potential threats.

The first problem we address is the non-incremental nature of existing 
fuzzing: fuzzing consists of many epochs of analyzing path conditions and 
generating new inputs, but it does not preserve and reuse the exploration 
states of earlier epochs in later ones, and thus solves path conditions 
redundantly. To tackle this problem, we present Pangolin, an incremental hybrid 
fuzzing system that preserves each solved path condition as a precise 
polyhedral path abstraction. The preserved abstractions can be reused in 
subsequent input generation by constraining the random mutation and 
accelerating the following constraint solving. Overall, the incremental 
mechanism enables Pangolin to achieve up to 30% coverage improvement with the 
same time budget compared with the state of the art. Meanwhile, Pangolin also 
detects 41 previously unseen bugs, 17 of which have been assigned CVE IDs.
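As an added illustration of the incremental idea (example code written for this page, not Pangolin's own implementation), the following toy keeps a solved path condition over a 4-byte input as per-byte interval bounds, a box that stands in for Pangolin's polyhedral abstraction, and lets later epochs draw mutants only from inside that box instead of re-solving or mutating blindly. The path condition, byte layout, and the `BoxAbstraction` / `solved_abstraction` names are all constructed for the example.

```python
"""Reusing a solved path abstraction across fuzzing epochs (constructed toy).

Added example, not Pangolin's code: per-byte interval bounds stand in for the
polyhedral path abstraction; the target condition and byte layout are made up.
"""
import random
from dataclasses import dataclass

INPUT_LEN = 4


def path_condition(inp: bytes) -> bool:
    """Constructed target behaviour: the interesting branch is taken only when
    byte 0 is an uppercase ASCII letter and byte 1 has its high bit set."""
    return 0x41 <= inp[0] <= 0x5A and inp[1] >= 0x80


@dataclass
class BoxAbstraction:
    """Per-byte inclusive bounds that over-approximate the solved path condition."""
    lo: list
    hi: list

    def contains(self, inp: bytes) -> bool:
        return all(l <= b <= h for l, b, h in zip(self.lo, inp, self.hi))

    def sample(self, rng: random.Random) -> bytes:
        """Random mutation constrained by the box: every draw stays within the bounds."""
        return bytes(rng.randint(l, h) for l, h in zip(self.lo, self.hi))

    def refine(self, index: int, lo: int, hi: int) -> "BoxAbstraction":
        """Incremental step: intersect with a bound learned in a later epoch."""
        new_lo, new_hi = list(self.lo), list(self.hi)
        new_lo[index] = max(new_lo[index], lo)
        new_hi[index] = min(new_hi[index], hi)
        if new_lo[index] > new_hi[index]:
            raise ValueError("refinement makes the abstraction empty")
        return BoxAbstraction(new_lo, new_hi)


def solved_abstraction() -> BoxAbstraction:
    """Stand-in for the solver's output in the first epoch: the bounds that
    path_condition imposes, recorded instead of a single concrete model."""
    lo = [0x00] * INPUT_LEN
    hi = [0xFF] * INPUT_LEN
    lo[0], hi[0] = 0x41, 0x5A   # byte 0 must be 'A'..'Z'
    lo[1] = 0x80                # byte 1 must have the high bit set
    return BoxAbstraction(lo, hi)


def hit_rate_blind(seed: int, trials: int) -> float:
    """Epoch that ignores earlier results: uniformly random inputs."""
    rng = random.Random(seed)
    hits = sum(path_condition(bytes(rng.randrange(256) for _ in range(INPUT_LEN)))
               for _ in range(trials))
    return hits / trials


def hit_rate_reused(box: BoxAbstraction, seed: int, trials: int) -> float:
    """Epoch that reuses the preserved abstraction: mutate only inside the box."""
    rng = random.Random(seed)
    hits = sum(path_condition(box.sample(rng)) for _ in range(trials))
    return hits / trials


def sample_many(box: BoxAbstraction, seed: int, n: int) -> list:
    """Draw n constrained mutants with a fixed seed (used for inspection/tests)."""
    rng = random.Random(seed)
    return [box.sample(rng) for _ in range(n)]


if __name__ == "__main__":
    box = solved_abstraction()
    print("blind epoch hit rate:  ", hit_rate_blind(1, 2000))
    print("reusing abstraction:   ", hit_rate_reused(box, 1, 2000))
    narrowed = box.refine(2, 0x10, 0x20)
    print("after refinement, byte 2 bounds:", narrowed.lo[2], narrowed.hi[2])
```

Blind mutation satisfies this condition with probability 26/256 x 128/256, roughly 5%, while every mutant drawn from the preserved box satisfies it; `refine` shows the incremental part, where a constraint discovered in a later epoch narrows the stored abstraction rather than starting over. A box cannot express relations between bytes (for example byte2 + byte3 == 0xFF), which is exactly why Pangolin keeps polyhedra instead.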

The second problem we address can be referred to as infeasible path explosion: 
to detect specific vulnerabilities in target programs, existing directed 
fuzzers are still inefficient, since they symbolically or concretely execute a 
large number of paths that cannot reach the target code and thus waste 
computational resources. To solve this problem, we design Beacon, a directed 
fuzzing framework that can effectively direct the fuzzer through the sea of 
paths in a provable manner. Assisted by a lightweight static analysis, Beacon 
infers sound preconditions on the values of program variables that directly 
make the path to the target infeasible. The evaluation results demonstrate 
that more than 80% of infeasible paths can be rejected, which improves the 
efficiency of reproducing vulnerabilities with an 11.50x speedup on average 
over the state of the art. Moreover, Beacon detects 14 incomplete fixes of 
previous vulnerabilities and eight new bugs, 10 of which are exploitable and 
have been assigned new CVE IDs.
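As an added illustration of precondition-based path pruning (example code written for this page, not Beacon's implementation), the following toy walks a straight-line path to a target site backwards, turning each branch condition and assignment into an interval that every input reaching the target must satisfy, and then rejects fuzzer-generated states that already violate those intervals. The mini IR, the variable names `x` and `y`, the thresholds, and the `CORPUS` of input states are all constructed for the example.

```python
"""Backward precondition inference for directed fuzzing (constructed toy).

Added example, not Beacon's code: intervals over input variables are inferred
from the path to the target, and states outside them are pruned early.
"""
import math

INF = math.inf

# Constructed toy IR for the path to the target, in program order:
#   assume x > 100      (first branch on the path is taken)
#   y = y + 5           (assignment along the path)
#   assume y < 10       (second branch is taken)
#   TARGET              (the site the fuzzer is directed at)
PATH_TO_TARGET = [
    ("assume", "x", ">", 100),
    ("assign", "y", "+", 5),
    ("assume", "y", "<", 10),
]

# Constructed seed states as a fuzzer might produce them.
CORPUS = [
    {"x": 10, "y": 0},      # fails x > 100
    {"x": 200, "y": 30},    # y + 5 = 35, fails y < 10
    {"x": 101, "y": 4},     # reaches the target
    {"x": 100, "y": -3},    # x == 100, fails x > 100
    {"x": 500, "y": 5},     # y + 5 = 10, fails y < 10
    {"x": 300, "y": -100},  # reaches the target
]


def intersect(a, b):
    """Intersect two closed intervals (lo, hi)."""
    return (max(a[0], b[0]), min(a[1], b[1]))


def infer_precondition(path):
    """Walk the path backwards so that branch conditions become bounds and
    assignments shift those bounds into the pre-state of the variable."""
    pre = {}
    for stmt in reversed(path):
        kind, var, op, c = stmt
        cur = pre.get(var, (-INF, INF))
        if kind == "assume":
            if op == ">":
                pre[var] = intersect(cur, (c + 1, INF))   # integer domain
            elif op == "<":
                pre[var] = intersect(cur, (-INF, c - 1))
            else:
                raise ValueError(f"unsupported comparison {op}")
        elif kind == "assign":
            # `cur` bounds the value after var = var op c; undo the update.
            delta = c if op == "+" else -c
            pre[var] = (cur[0] - delta, cur[1] - delta)
        else:
            raise ValueError(f"unsupported statement {kind}")
    return pre


def is_infeasible(pre, state):
    """True when the state already violates the precondition, meaning no
    continuation of this execution can reach the target."""
    return any(state[v] < lo or state[v] > hi for v, (lo, hi) in pre.items())


def reaches_target(state):
    """Concrete execution of the toy path, used to check the pruning is sound."""
    x, y = state["x"], state["y"]
    if not x > 100:
        return False
    y = y + 5
    return y < 10


def prune_corpus(pre, corpus):
    """Split fuzzer states into (kept, rejected) before any execution is spent."""
    kept, rejected = [], []
    for state in corpus:
        (rejected if is_infeasible(pre, state) else kept).append(state)
    return kept, rejected


if __name__ == "__main__":
    pre = infer_precondition(PATH_TO_TARGET)
    print("precondition at entry:", pre)
    kept, rejected = prune_corpus(pre, CORPUS)
    print(f"rejected {len(rejected)} of {len(CORPUS)} states without running them")
```

The inferred entry precondition is x >= 101 and y <= 4 (the y bound is 9 shifted back through the `y = y + 5` assignment). The check is sound in the sense that a rejected state can never reach the target; for real programs the precondition is only necessary, not sufficient, so kept states may still miss the target and must be run.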


Date:               Wednesday, 8 December 2021

Time:               2:00pm - 4:00pm

Venue:              Room 5566
                    Lifts 27/28

Committee Members:  Dr. Charles Zhang (Supervisor)
                    Dr. Shuai Wang (Chairperson)
                    Prof. Shing-Chi Cheung
                    Dr. Dimitris Papadopoulos


**** ALL are Welcome ****