BEACON: Directed Grey-Box Fuzzing with Provable Path Pruning
| Published in: | Proceedings - IEEE Symposium on Security and Privacy, pp. 36 - 50 |
|---|---|
| Main authors: | Huang, Heqing; Guo, Yiyuan; Shi, Qingkai; Yao, Peisen; Wu, Rongxin; Zhang, Charles |
| Format: | Conference paper |
| Language: | English |
| Publication details: | IEEE, 01.05.2022 |
| ISSN: | 2375-1207 |
| Abstract | Unlike coverage-based fuzzing that gives equal attention to every part of a code, directed fuzzing aims to direct a fuzzer to a specific target in the code, e.g., the code with potential vulnerabilities. Despite much progress, we observe that existing directed fuzzers are still not efficient as they often symbolically or concretely execute a lot of program paths that cannot reach the target code. They thus waste a lot of computational resources. This paper presents BEACON, which can effectively direct a grey-box fuzzer in the sea of paths in a provable manner. That is, assisted by a lightweight static analysis that computes abstracted preconditions for reaching the target, we can prune 82.94% of the executing paths at runtime with negligible analysis overhead (<5h) but with the guarantee that the pruned paths must be spurious with respect to the target. We have implemented our approach, BEACON, and compared it to five state-of-the-art (directed) fuzzers in the application scenario of vulnerability reproduction. The evaluation results demonstrate that BEACON is 11.50x faster on average than existing directed grey-box fuzzers and it can also improve the speed of the conventional coverage-guided fuzzers, AFL, AFL++, and Mopt, to reproduce specific bugs with 6.31x, 11.86x, and 10.92x speedup, respectively. More interestingly, when used to test the vulnerability patches, BEACON found 14 incomplete fixes of existing CVE-identified vulnerabilities and 8 new bugs while 10 of them are exploitable with new CVE ids assigned. |
|---|---|
| Author | Yao, Peisen; Huang, Heqing; Guo, Yiyuan; Wu, Rongxin; Shi, Qingkai; Zhang, Charles |
| Author_xml | 1. Huang, Heqing (hhuangaz@cse.ust.hk), The Hong Kong University of Science and Technology, China; 2. Guo, Yiyuan (yguoaz@cse.ust.hk), The Hong Kong University of Science and Technology, China; 3. Shi, Qingkai (qshiaa@cse.ust.hk), The Hong Kong University of Science and Technology, China; 4. Yao, Peisen (pyao@cse.ust.hk), The Hong Kong University of Science and Technology, China; 5. Wu, Rongxin (wurongxin@xmu.edu.cn), Xiamen University, China; 6. Zhang, Charles (charlesz@cse.ust.hk), The Hong Kong University of Science and Technology, China |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1109/SP46214.2022.9833751 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan (POP) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP) 1998-present |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| Discipline | Computer Science |
| EISBN | 9781665413169 1665413166 |
| EISSN | 2375-1207 |
| EndPage | 50 |
| ExternalDocumentID | 9833751 |
| Genre | orig-research |
| GrantInformation_xml | Funder: Microsoft (funder id 10.13039/100004318) |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| PageCount | 15 |
| ParticipantIDs | ieee_primary_9833751 |
| PublicationCentury | 2000 |
| PublicationDate | 2022-May |
| PublicationDateYYYYMMDD | 2022-05-01 |
| PublicationDate_xml | – month: 05 year: 2022 text: 2022-May |
| PublicationDecade | 2020 |
| PublicationTitle | Proceedings - IEEE Symposium on Security and Privacy |
| PublicationTitleAbbrev | SP |
| PublicationYear | 2022 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 36 |
| SubjectTerms | Codes; Computer bugs; Costs; Directed fuzzing; Fuzzing; Precondition inference; Privacy; Program transformation; Runtime; Static analysis |
| Title | BEACON: Directed Grey-Box Fuzzing with Provable Path Pruning |
| URI | https://ieeexplore.ieee.org/document/9833751 |