State Space Search in Fuzzing

Date

2024

Authors

Herrera, Adrian

Abstract

Coverage-guided fuzzers are an indispensable tool in the software-testing toolbox. They uncover bugs in a target program by subjecting it to a large number of automatically generated inputs. The fuzzer generates these inputs to search the corners of the target's (potentially vast) state space, where bugs are more likely to lurk. While fuzzers have successfully uncovered bugs in a range of targets, they struggle to discover "deep bugs" (i.e., bugs triggered only under a complex set of control and data dependencies). Moreover, security professionals deploying fuzzers lack observability into the fuzzer's state space search (and thus an understanding of why these deep bugs are missed). This dissertation presents a set of techniques for reasoning about and improving a fuzzer's state space search, ultimately enhancing its bug-finding ability. First, we consider the task of bootstrapping this search process. Fuzzers typically require an initial set of seeds (exemplar inputs accepted by the target) to kickstart their state space search. We empirically evaluate various methods for selecting these seeds, designing an optimal technique for reducing large seed sets in the process. Second, we develop a new state space abstraction. Fuzzers traditionally abstract a target's state space based on control-flow features. We present an abstraction based on data-flow features and demonstrate how this data-flow-based abstraction uncovers bugs that traditional fuzzers fail to find. Finally, we investigate how best to measure a fuzzer's state space search after a fuzzing campaign. We use static analysis to quantify a target's state space, allowing us to measure how much of this state space a fuzzer has explored. We empirically evaluate several modern static analysis frameworks and propose new approaches for assessing a fuzzer's state space search.
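To make the seed-reduction and state-space-measurement ideas in the abstract concrete, the following is an added example and not code from the dissertation. It assumes (the abstract does not spell out its formulation) that each seed is summarised by the set of coverage features it exercises and that reduction is a set-cover problem: keep the fewest seeds that still cover every feature the full corpus covers. The corpus is constructed so that the usual greedy heuristic (the afl-cmin style of picking whichever seed adds the most new coverage) lands on three seeds while the exact optimum is two; a final helper shows the kind of "explored fraction" one can report once a static estimate of the feature space exists.

```python
"""Seed-set reduction as set cover (added example, not the dissertation's code).

Assumption: each seed is summarised by the set of coverage features (e.g.
control-flow edges) it exercises, and reduction means keeping the smallest
subset of seeds that still covers every feature the full corpus covers.
The corpus below is constructed to show where the greedy heuristic is
not optimal.
"""
from itertools import combinations

# Constructed corpus: seed name -> feature ids hit, plus seed size in bytes.
CORPUS = {
    "seed_a": {1, 2, 3},
    "seed_b": {4, 5, 6},
    "seed_c": {1, 2, 4, 5},
}
SIZES = {"seed_a": 40, "seed_b": 40, "seed_c": 32}


def universe(corpus):
    """All features exercised by the full corpus."""
    return set().union(*corpus.values())


def covers_all(corpus, chosen):
    """True if the chosen seeds exercise every feature of the full corpus."""
    return set().union(*(corpus[s] for s in chosen)) == universe(corpus)


def greedy_minimise(corpus, sizes):
    """Greedy cover: repeatedly take the seed that adds the most uncovered
    features, breaking ties in favour of the smaller seed, then by name.
    This is the style of heuristic used by corpus minimisers such as afl-cmin.
    Returns seed names in selection order."""
    target = universe(corpus)
    covered, chosen = set(), []
    while covered != target:
        best = min(corpus, key=lambda s: (-len(corpus[s] - covered), sizes[s], s))
        chosen.append(best)
        covered |= corpus[best]
    return chosen


def exact_minimise(corpus, sizes):
    """Exact reduction: among all subsets covering the universe, return the
    one with the fewest seeds and, among those, the fewest total bytes.
    Exhaustive search, so only for small corpora; at scale the same
    objective is what a MaxSAT or ILP solver would optimise."""
    names = sorted(corpus)
    best = None
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            if not covers_all(corpus, subset):
                continue
            cost = (k, sum(sizes[s] for s in subset))
            if best is None or cost < best[0]:
                best = (cost, list(subset))
        if best is not None:
            return best[1]  # no larger subset can have fewer seeds
    return names


def explored_fraction(corpus, total_features):
    """Share of a (statically estimated) feature space the corpus exercises.
    total_features is assumed to come from a static analysis of the target."""
    return len(universe(corpus)) / total_features


if __name__ == "__main__":
    print("greedy :", greedy_minimise(CORPUS, SIZES))
    print("exact  :", exact_minimise(CORPUS, SIZES))
    print("explored:", explored_fraction(CORPUS, 8))
```

Greedy takes seed_c first because it adds four features, then needs both seed_a and seed_b to pick up features 3 and 6; the exact search finds that seed_a and seed_b alone already cover everything. The gap grows with corpus size, which is why an exact solver is worth the cost when the reduced set will drive a long campaign.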

Type

Thesis (PhD)
