Boosting fuzzing performance with differential seed scheduling

Chung Yi Lin, Chia Wei Tien, Chun Ying Huang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Fuzzing is a common technique for automated vulnerability discovery, and its performance can be improved by various means. In this paper, we discuss the impact of seed scheduling and propose differential seed scheduling, which aims to maximize fuzzing performance by increasing the number of crashes found within a limited time budget. Differential seed scheduling targets grey-box fuzzers that derive new seeds from runtime code-coverage measurements: it estimates the value of each fuzzing seed and selectively picks the best one, balancing fuzzing effectiveness against efficiency. Our contribution is four-fold. First, we propose differential seed scheduling to improve overall fuzzing performance. Second, we implement AFLExplorer by integrating differential seed scheduling into the open-source American Fuzzy Lop (AFL) fuzzer. Third, we conduct in-depth experiments with AFLExplorer to show the effectiveness and efficiency of seed scheduling; our evaluation shows that AFLExplorer discovers up to 90% more unique crashes than the vanilla fuzzer. Last, we reported the newly identified vulnerabilities to the authors of the tested applications and had them fixed; 15 Common Vulnerabilities and Exposures (CVE) identifiers had been assigned as of the writing of this paper.
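The abstract says only that differential seed scheduling estimates a seed's value and picks the best one, and the page's keywords list Hamming distance; the paper's actual scoring rule is not given here. The following Python is an added illustration, not AFLExplorer's or AFL's code, of one coverage-difference scheduler: it ranks unfuzzed queue entries by the Hamming distance between a seed's bucketed edge-coverage bitmap and the union of coverage already fuzzed, so a seed that differs most from what has been explored runs next. The 64 KiB map, the hit-count bucketing, the "keep a seed only if it adds coverage" rule and the shorter-input tie-break are assumptions modelled on vanilla AFL, and the seed traces are constructed for the example.

```python
"""Illustrative coverage-difference seed scheduler (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

MAP_SIZE = 1 << 16  # assumption: AFL's default 64 KiB edge-coverage map

def classify(hits: int) -> int:
    """AFL-style bucketing of a raw edge hit count into 8 power-of-two classes."""
    if hits == 0:
        return 0
    for limit, cls in ((1, 1), (2, 2), (3, 4), (7, 8), (15, 16), (31, 32), (127, 64)):
        if hits <= limit:
            return cls
    return 128

Coverage = FrozenSet[Tuple[int, int]]  # bitmap as a set of (edge index, bucket) positions

def coverage_from_trace(trace: List[int]) -> Coverage:
    """Build a bucketed bitmap from the edge ids a run executed (as AFL instrumentation would record)."""
    counts: Dict[int, int] = {}
    for edge in trace:
        idx = edge % MAP_SIZE
        counts[idx] = counts.get(idx, 0) + 1
    return frozenset((idx, classify(n)) for idx, n in counts.items())

def hamming(a: Coverage, b: Coverage) -> int:
    """Hamming distance between two bucketed bitmaps: positions set in exactly one of them."""
    return len(a ^ b)

@dataclass
class Seed:
    name: str
    data: bytes
    cov: Coverage
    fuzzed: bool = False

class DifferentialScheduler:
    """Pick the unfuzzed seed whose coverage differs most from everything fuzzed so far."""

    def __init__(self) -> None:
        self.queue: List[Seed] = []
        self.explored: Set[Tuple[int, int]] = set()  # union of coverage of fuzzed seeds

    def add(self, seed: Seed) -> bool:
        """Keep a seed only if it adds coverage the queue does not already have."""
        known = set().union(*(s.cov for s in self.queue))
        if seed.cov <= known:
            return False
        self.queue.append(seed)
        return True

    def score(self, seed: Seed) -> int:
        """Differential value: novel positions minus positions already explored that the seed shares."""
        return hamming(seed.cov, frozenset(self.explored))

    def next_seed(self) -> Optional[Seed]:
        candidates = [s for s in self.queue if not s.fuzzed]
        if not candidates:
            return None
        # Highest differential score wins; a shorter input breaks ties (cheaper to mutate).
        best = max(candidates, key=lambda s: (self.score(s), -len(s.data)))
        best.fuzzed = True
        self.explored |= best.cov
        return best

def demo() -> List[str]:
    """Constructed example: four seeds with hand-made edge traces; returns the schedule order."""
    sched = DifferentialScheduler()
    traces = {
        "a": [1, 2, 3],            # baseline path
        "b": [1, 2, 3, 3, 3, 3],   # same edges, edge 3 hit 4 times -> different bucket
        "c": [1, 2, 4, 5, 6],      # shares a prefix, then reaches new edges
        "d": [1, 2, 3],            # duplicate of a: adds nothing, rejected by add()
    }
    for name, tr in traces.items():
        data = name.encode() * (4 if name == "b" else 1)  # make b longer than a for the tie-break
        sched.add(Seed(name, data, coverage_from_trace(tr)))
    order: List[str] = []
    while (s := sched.next_seed()) is not None:
        order.append(s.name)
    return order

if __name__ == "__main__":
    print("schedule:", demo())
```

With these traces, c is scheduled first (five positions, none explored), then a beats b on the tie-break after both score 4 against c's coverage, and b runs last because its only novel position is the higher hit-count bucket of edge 3. Duplicate d never enters the queue.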

Original language: English
Title of host publication: Proceedings - 2019 14th Asia Joint Conference on Information Security, AsiaJCIS 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 72-79
Number of pages: 8
ISBN (Electronic): 9781728125565
DOIs
State: Published - Aug 2019
Event: 14th Annual Asia Joint Conference on Information Security, AsiaJCIS 2019 - Kobe, Japan
Duration: 1 Aug 2019 to 2 Aug 2019

Publication series

Name: Proceedings - 2019 14th Asia Joint Conference on Information Security, AsiaJCIS 2019

Conference

Conference: 14th Annual Asia Joint Conference on Information Security, AsiaJCIS 2019
Country: Japan
City: Kobe
Period: 1/08/19 to 2/08/19

Keywords

  • Fuzz testing
  • Greybox fuzzing
  • Hamming distance
  • Software security

