A Fuzzer for Detecting Use-After-Free Vulnerabilities
Fuzzing is an extensively used automated vulnerability detection technique. Most existing fuzzers are guided by edge coverage, which makes them less effective in detecting specific vulnerabilities, especially use-after-free (UAF) vulnerabilities. This is because triggering a UAF vulnerability requires not only covering a specific memory operation but also satisfying a specific sequence of operations. In this paper, we propose UAF-Fuzzer for detecting UAFs, which consists of static analysis and fuzzing stages. In the static analysis stage, UAF-Fuzzer first uses target identification to determine the basic blocks that may cause UAFs as the target basic blocks; it then instruments these target basic blocks. We also propose a memory operation evaluation method to assess the complexity of memory operations. In the fuzzing stage, UAF-Fuzzer assigns energy to seeds using the memory operation evaluation and employs a novel seed selection algorithm to prioritize the execution of test cases that are likely to trigger UAF vulnerabilities. We designed and implemented UAF-Fuzzer to improve the detection of UAFs and compared it with AFL, AFLFast, FairFuzz, MOPT, EcoFuzz, and TortoiseFuzz in terms of UAF vulnerability detection, crash detection, and path discovery. The results showed that UAF-Fuzzer is more effective in detecting UAF vulnerabilities. We have also discovered three UAF vulnerabilities, submitted them to the software maintainers for fixing, and obtained CVE IDs.

| Main Authors: | Xiaoqi Zhao, Haipeng Qu, Jiaohong Yi, Jinlong Wang, Miaoqing Tian, Feng Zhao |
|---|---|
| Affiliations: | Xiaoqi Zhao, Jiaohong Yi, Jinlong Wang, Miaoqing Tian: School of Information and Control Engineering, Qingdao University of Technology, Qingdao 266520, China. Haipeng Qu: School of Computer Science and Technology, Ocean University of China, Qingdao 266100, China. Feng Zhao: Shandong Zhuowen Information Technology Co., Dongying 257300, China |
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2024-11-01 |
| Series: | Mathematics, vol. 12, no. 21, article 3431 |
| ISSN: | 2227-7390 |
| DOI: | 10.3390/math12213431 |
| Subjects: | fuzzing; use-after-free; double free; instrumentation; bug detection |
| Online Access: | https://www.mdpi.com/2227-7390/12/21/3431 |
| Collection: | DOAJ, record id doaj-art-17298ee7fd93488e9ca65b0952168543 |
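The abstract's central observation, that an edge-coverage fuzzer cannot tell an input executing alloc, use, free apart from one executing alloc, free, use, is shown below in an added C example. This is not code from the paper or from the UAF-Fuzzer tool: the command-driven target, the shadow object state, and the functions `run_target`, `same_edge_coverage` and `seed_energy` are constructed for illustration, and `seed_energy` is a toy stand-in for the paper's memory operation evaluation, not its actual formula. The tracker flags a use-after-free or double free and skips the unsafe access instead of performing it, so the program is deterministic without a sanitizer.

```c
/*
 * Added illustration (not code from the paper or the UAF-Fuzzer tool).
 * A toy target where each input byte is a command on one heap object:
 * 'a' = allocate, 'f' = free, 'u' = use. The tracker below stands in for
 * the alloc/free/use instrumentation described in the abstract and records
 * (1) an edge bitmap, as a coverage-guided fuzzer would, and
 * (2) sequence oracles: use-after-free and double free.
 * Build and run: cc -std=c11 -Wall uaf_seq.c -o uaf_seq && ./uaf_seq
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { EDGE_ALLOC, EDGE_FREE, EDGE_USE, N_EDGES };
enum { OBJ_NONE, OBJ_LIVE, OBJ_FREED };

typedef struct {
    unsigned char edges[N_EDGES]; /* which memory-operation edges executed   */
    int mem_ops;                  /* number of tracked memory ops in the run */
    int reached_free;             /* a free site executed at least once      */
    int uaf;                      /* oracle: a use followed a free           */
    int double_free;              /* oracle: a free followed a free          */
} run_t;

/* Shadow state of the single tracked object (hypothetical bookkeeping,
 * the kind a real oracle such as ASan keeps per allocation). */
static int   obj_state = OBJ_NONE;
static char *obj       = NULL;

static void op_alloc(run_t *r) {
    r->edges[EDGE_ALLOC] = 1;
    r->mem_ops++;
    if (obj_state == OBJ_LIVE) return;          /* already allocated: no-op */
    obj = malloc(16);
    if (obj == NULL) return;
    memset(obj, 'A', 15);
    obj[15] = '\0';
    obj_state = OBJ_LIVE;
}

static void op_free(run_t *r) {
    r->edges[EDGE_FREE] = 1;
    r->mem_ops++;
    r->reached_free = 1;
    if (obj_state == OBJ_FREED) { r->double_free = 1; return; } /* flag; skip the real second free */
    if (obj_state == OBJ_LIVE)  { free(obj); obj_state = OBJ_FREED; }
}

static void op_use(run_t *r) {
    r->edges[EDGE_USE] = 1;
    r->mem_ops++;
    if (obj_state == OBJ_FREED) { r->uaf = 1; return; }  /* flag; skip the dangling read */
    if (obj_state == OBJ_LIVE)  { volatile char c = obj[0]; (void)c; }
}

/* Execute one test case; bytes other than a/f/u are ignored. */
run_t run_target(const char *input) {
    run_t r;
    memset(&r, 0, sizeof r);
    obj_state = OBJ_NONE;
    obj = NULL;
    for (const char *p = input; *p != '\0'; p++) {
        switch (*p) {
        case 'a': op_alloc(&r); break;
        case 'f': op_free(&r);  break;
        case 'u': op_use(&r);   break;
        default:  break;
        }
    }
    if (obj_state == OBJ_LIVE) free(obj);   /* teardown, not part of the trace */
    obj_state = OBJ_NONE;
    return r;
}

/* What a pure edge-coverage fuzzer sees: 1 if both runs hit the same edges. */
int same_edge_coverage(run_t x, run_t y) {
    return memcmp(x.edges, y.edges, sizeof x.edges) == 0;
}

/* Toy seed energy (a stand-in, not the paper's memory operation evaluation):
 * more tracked memory ops and reaching a free site earn more energy, since a
 * free is the prerequisite of every UAF sequence. */
int seed_energy(run_t r) {
    return r.mem_ops * 10 + (r.reached_free ? 50 : 0);
}

int main(void) {
    const char *seeds[] = { "au", "auf", "afu", "aff", "u" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++) {
        run_t r = run_target(seeds[i]);
        printf("%-4s edges=%d%d%d energy=%3d uaf=%d double_free=%d\n", seeds[i],
               r.edges[EDGE_ALLOC], r.edges[EDGE_FREE], r.edges[EDGE_USE],
               seed_energy(r), r.uaf, r.double_free);
    }
    run_t safe = run_target("auf"), bug = run_target("afu");
    printf("auf vs afu: same edge coverage = %d, UAF only in afu = %d\n",
           same_edge_coverage(safe, bug), !safe.uaf && bug.uaf);
    return 0;
}
```

The inputs `auf` and `afu` produce identical edge bitmaps, so a fuzzer that keeps only coverage-increasing inputs would discard whichever of the two it saw second, even though only `afu` orders the operations as a use-after-free. A sequence-aware oracle and a seed-energy signal that rewards reaching free sites are what let a UAF-directed fuzzer keep exploring around such inputs.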