FairFuzz: A T argeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage Caroline Lemieux University of California, Berkeley, USA [email protected] Koushik Sen University of California, Berkeley, USA [email protected] ABSTRACT In recent years, fuzz testing has proven itself to be one of the most effective techniques for finding correctness bugs and security vul- nerabilities in practice. One particular fuzz testing tool, American Fuzzy Lop (AFL), has become popular thanks to its ease-of-use and bug-finding power. However, AFL remains limited in the bugs it can find since it simply does not cover large regions of code. If it does not cover parts of the code, it will not find bugs there. We pro- pose a two-pronged approach to increase the coverage achieved by AFL. First, the approach automatically identifies branches exercised by few AFL-produced inputs (rare branches), which often guard code that is empirically hard to cover by naïvely mutating inputs. The second part of the approach is a novel mutation mask creation algorithm, which allows mutations to be biased towards produc- ing inputs hitting a given rare branch. This mask is dynamically computed during fuzz testing and can be adapted to other testing targets. We implement this approach on top of AFL in a tool named FairFuzz. We conduct evaluation on real-world programs against state-of-the-art versions of AFL. We find that on these programs FairFuzz achieves high branch coverage at a faster rate that state- of-the-art versions of AFL. In addition, on programs with nested conditional structure, it achieves sustained increases in branch cov- erage after 24 hours (average 10.6% increase). In qualitative analysis, we find that FairFuzz has an increased capacity to automatically discover keywords. CCS CONCEPTS • Software and its engineering → Software testing and de- bugging; KEYWORDS fuzz testing, coverage-guided greybox fuzzing, rare branches ACM Reference Format: Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage. In Proceedings of the 2018 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE ’18), September 3–7, 2018, Montpellier, France. ACM, New York, NY, USA, 11 pages. https://doi.org/10.1145/3238147.3238176 Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. ASE ’18, September 3–7, 2018, Montpellier, France © 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-5937-5/18/09. . . $15.00 https://doi.org/10.1145/3238147.3238176 1 INTRODUCTION Fuzz testing has emerged as one of the most effective testing tech- niques for finding correctness bugs and security vulnerabilities in real-world software systems. It has been used successfully by major software companies such as Microsoft [21] and Google [6, 18, 40] for security testing and quality assurance. The success of coverage- guided greybox fuzzing (CGF) in particular has gained attention both in practice and in the research community [10, 11, 37, 42, 46]. One of the leading CGF tools, American Fuzzy Lop (or simply AFL) [51], has found vulnerabilities in a broad array of programs, including Web browsers (e.g. Firefox, Internet Explorer), network tools (e.g., tcpdump, wireshark), image processors (e.g., ImageMagick, libtiff), various system libraries (e.g., OpenSSH, PCRE), C compilers (e.g., GCC, LLVM), and interpreters (for Perl, PHP, JavaScript). Coverage-guided greybox fuzzing is based on the observation that increasing program coverage often leads to better crash detection. The actual fuzzing process starts with a set of user-provided seed inputs. It then mutates the seed inputs with byte-level operations. It runs the program under test on the mutated inputs and collects program coverage information. Finally, it saves the mutated inputs which are interesting according to the coverage information—the ones that discover new coverage. It continually repeats the process, but starting with these interesting mutated inputs instead of the user-provided inputs. While many of the individual test inputs it generates may be garbage, due to its low computational overhead, CGF generates test inputs much faster than more sophisticated methods such as sym- bolic execution [17, 34] and dynamic symbolic execution (a.k.a. concolic testing) techniques [5, 7, 13, 16, 21, 22, 36, 45, 47]. In practice, this trade-off has paid off, and CGF has found numer- ous correctness bugs and security vulnerabilities in widely used software [3, 10, 11, 37, 46, 51]. Although the goal of AFL and other CGF tools is to find assertion violations and crashes as quickly as possible, their core search strategies are based on coverage feedback—AFL tries to maximize the coverage it achieves. This is because there is no way to find bugs or crashes at a particular program location unless that location is covered by a test input. However, while experimenting with AFL and its extensions, we observed that AFL often fails to cover key program functionalities. For example, AFL did not cover colorspace conversion code in djpeg, attribute list processing code in xmllint, and a large variety of packet structures in tcpdump. Therefore, AFL cannot be expected to find bugs in these functionalities. Put succinctly, if AFL does not cover some program regions, it will not find bugs in those regions. We propose a lightweight technique, called FairFuzz, which helps AFL achieve better coverage. This technique requires no ex- tra instrumentation beyond AFL’s regular instrumentation, unlike 475
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Your 1200 Calorie Meal Plan
Eating healthy is an important part of managing your diabetes. The food in
your meal plan will provide the calories and nutrients you need each day to manage
your blood sugar and to give you the energy you need for healthy living.
You can use the following guidelines to estimate how many calories are
needed per day to help maintain your weight.
For every pound of weight, calculate:
• 10 calories for an adult who is obese, very inactive, or always dieting
• 13 calories for an adult over 55 years of age, an active woman, or an inactive man
• 15 calories for a very active woman or an active man
• 20 calories for a very active man or an adult athlete
To lose weight, you’ll need to eat fewer calories. To gain weight, you’ll need
to eat more calories. Ask your doctor to refer you to a registered dietitian (RD).
This person can help you make a meal plan. You want to have the right balance
of food, medicine, and activity.
Choose Your Foods: Exchange Lists for Diabetes
The Exchange Lists offer a large selection of foods grouped together because they
have about the same nutritional content. Each serving of a food has about the
same carbohydrate, protein, fat, and calories, as the other foods in that list. Any food
within a list can be “exchanged” for another food in the same list.
Ask your doctor for a copy of the Changing Life With Diabetes booklet, Carb
Counting and Meal Planning from Novo Nordisk. It includes the Exchange Lists
for Diabetes and other useful information on healthy eating. Use the Exchange
Lists in Carb Counting and Meal Planning with this meal planning information.
To become a member of our Changing Life With Diabetes program, enroll on
line at ChangingDiabetes-us.com.
Another resource that can help you manage
your diabetes is our free Novo Nordisk Tip Line at 1-800-260-3730.
Novo Nordisk Inc. grants permission to reproduce this piece for non-profit educational purposes only on condition that the piece is maintained in its original format and that the copyright notice is displayed. Novo Nordisk Inc. reserves the right to revoke this permission at any time.
© 2009 Novo Nordisk Inc. 128293AR-R1 June 2009 ChangingDiabetes-us.com
1200 Calorie Meal PlanThe following sample menu for a 1200 calorie meal plan includes a totalof 5 starch exchanges, 2 fruit exchanges, 2 milk exchanges, 3 non-starchyvegetable exchanges, 5 meat exchanges and 4 fat exchanges daily.
1 starch1 fruit1 fat1 milk
1 starch1 starch 2 meat, lean1 fat1 vegetable
1 fruit
3 meat, lean2 starch2 vegetable2 fatfree food
1 milk
1⁄2 cup cooked oatmeal3⁄4 cup blueberries4 walnut halves, chopped8 ounces (1cup) skim milk
1 cup minestrone soup1⁄2 whole wheat pita2 ounces tuna in water1 tablespoon light mayonnaise1 cup baby carrots
1 small apple
3 ounces grilled chicken breast2/3 cup brown rice1 cup sautéed spinach2 teaspoons olive oil1 cup tossed salad with 1 tablespoon fat free dressing
6 ounces (2/3 cup) light yogurt
Breakfast
Lunch
Snack
Dinner
Snack
Exchanges SampleMeal
For more information about meal planning, go to ChangingDiabetes-us.com and take advantage of our online Menu Planner to create a 7-day menu plan including diabetes-friendly recipes and a customized grocery list.
Novo Nordisk Inc. grants permission to reproduce this piece for non-profit educational purposes only on condition that the piece is maintained in its original format and that the copyright notice is displayed. Novo Nordisk Inc. reserves the right to revoke this permission at any time.
© 2009 Novo Nordisk Inc. 128293AR-R1 June 2009 ChangingDiabetes-us.com
Grams Percent
Carbohydrate:
Protein:
Meal plan for: Date: Fat:
Dietitian: Phone: Calories:
Your Personal Meal Plan
____ Carbohydrate group
____ Starch
____ Fruit
____ Milk
____ Meat and meat substitutes group
____ Fat Group
____ __________________________
____ __________________________
____ Carbohydrate group
____ Starch
____ Fruit
____ Milk
____ Non-starchy vegetables
____ Meat and meat substitutes group
____ Fat Group
____ __________________________
____ __________________________
____ Carbohydrate group
____ Starch
____ Fruit
____ Milk
____ Non-starchy vegetables
____ Meat and meat substitutes group
____ Fat Group
____ __________________________
____ __________________________
Number of exchanges Menu ideasTime
Novo Nordisk Inc. grants permission to reproduce this piece for non-profit educational purposes only on condition that the piece is maintained in its original format and that the copyright notice is displayed. Novo Nordisk Inc. reserves the right to revoke this permission at any time.
© 2009 Novo Nordisk Inc. 128293AR-R1 June 2009 ChangingDiabetes-us.com
Related Documents
