SHFuzz: Selective Hybrid Fuzzing with Branch Scheduling Based on Binary Instrumentation

Xianya Mi; Baosheng Wang; Yong Tang; Pengfei Wang; Bo Yu

doi:10.3390/app10165449

Applied Sciences (Aug 2020)

SHFuzz: Selective Hybrid Fuzzing with Branch Scheduling Based on Binary Instrumentation

Xianya Mi,
Baosheng Wang,
Yong Tang,
Pengfei Wang,
Bo Yu

Affiliations

Xianya Mi: College of Computer, National University of Defense Technology, Changsha 410073, China
Baosheng Wang: College of Computer, National University of Defense Technology, Changsha 410073, China
Yong Tang: College of Computer, National University of Defense Technology, Changsha 410073, China
Pengfei Wang: College of Computer, National University of Defense Technology, Changsha 410073, China
Bo Yu: College of Computer, National University of Defense Technology, Changsha 410073, China

DOI: https://doi.org/10.3390/app10165449
Journal volume & issue: Vol. 10, no. 16
p. 5449

Abstract

Read online

Hybrid fuzzing is a popular software testing technique that combines random fuzzing with concolic execution. It is widely used in the security domain known for its ability to find deeply hidden vulnerabilities and reach high code coverage. Hybrid fuzzing is based on negating branches in the execution path of a specific input to generate new test cases. However, due to numerous inputs and related branches, it does not show the best of its effectiveness without input and branch selection methods. In this paper, we systematically analyze the branch scheduling problem in the internal attributes of hybrid fuzzing, focusing on the synchronization mechanism. To solve the problems, we propose the Selective Hybrid Fuzzing (SHF) approach with branch scheduling based on binary instrumentation. There are two major parts to the SHF approach: (1) we propose a critical branch selection algorithm to select critical branches by three metrics: hit accuracy, solvability, and complexity; (2) we propose a priority score calculation algorithm to select inputs by the number of critical branches. With the SHF approach, we choose only the branches that can be negated to generate new coverage, instead of repeatedly executing the same branches and generating duplicates of inputs. We implement a hybrid fuzzer called SHFuzz with our SHF approach and compare it with the state-of-the-art hybrid fuzzer QSYM. In the evaluation, SHFuzz outperforms QSYM in 20 real-world applications from the Google Fuzzer Test Suite and other program suites in a 12 h test. On average, SHFuzz achieves 8.40% more code coverage and 100 more unique crashes in each application. Our work also finds existing vulnerabilities 7.85× faster than QSYM. We also find new bugs by SHFuzz, which QSYM fails to find. Our evaluation shows that the selective hybrid fuzzing approach can reduce the number of branches executed in concolic execution, enhancing hybrid fuzzing on code coverage and bug finding capabilities.

Published in Applied Sciences

ISSN: 2076-3417 (Online)
Publisher: MDPI AG
Country of publisher: Switzerland
LCC subjects: Technology: Engineering (General). Civil engineering (General); Science: Biology (General); Science: Physics; Science: Chemistry
Website: http://www.mdpi.com/journal/applsci

About the journal

Abstract

Keywords