PTrix: Efficient hardware-assisted fuzzing for COTS binary

Yaohui Chen, Dongliang Mu, Jun Xu, Zhichuang Sun, Wenbo Shen, Xinyu Xing, Long Lu, Bing Mao

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Despite its effectiveness in uncovering software defects, American Fuzzy Lop (AFL), one of the best grey-box fuzzers, is inefficient when fuzz-testing source-unavailable programs. AFL's binary-only fuzzing mode, QEMU-AFL, is typically 2-5x slower than its source-available fuzzing mode. The slowdown is largely caused by the heavy dynamic instrumentation. Recent fuzzing techniques use Intel Processor Tracing (PT), a lightweight tracing feature supported by recent Intel CPUs, to remove the need for dynamic instrumentation. However, we found that these PT-based fuzzing techniques are even slower than QEMU-AFL when fuzzing real-world programs, making them less effective than QEMU-AFL. This poor performance is caused by the slow extraction of code coverage information from highly compressed PT traces. In this work, we present the design and implementation of PTrix, which fully unleashes the benefits of PT for fuzzing via three novel techniques. First, PTrix introduces a scheme to highly parallelize the processing of the PT trace and the execution of the target program. Second, it directly takes the decoded PT trace as feedback for fuzzing, avoiding the expensive reconstruction of code coverage information. Third, the new feedback PTrix maintains is stronger than edge-based code coverage, which helps reach new code space and defects that AFL may not. We evaluated PTrix by comparing its performance with the state-of-the-art fuzzers. Our results show that, given the same amount of time, PTrix achieves a significantly higher fuzzing speed and reaches into code regions missed by the other fuzzers. In addition, PTrix identifies 35 new vulnerabilities in a set of previously well-fuzzed binaries, showing its ability to complement existing fuzzers.

Original language: English (US)
Title of host publication: AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 633-645
Number of pages: 13
ISBN (Electronic): 9781450367523
DOIs: https://doi.org/10.1145/3321705.3329828
State: Published - Jul 2 2019
Event: 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019 - Auckland, New Zealand
Duration: Jul 9 2019 to Jul 12 2019

Publication series

Name: AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

Conference

Conference: 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019
Country: New Zealand
City: Auckland
Period: 7/9/19 to 7/12/19

Fingerprint

Feedback
Hardware
Defects
Program processors
Testing
Processing

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Chen, Y., Mu, D., Xu, J., Sun, Z., Shen, W., Xing, X., ... Mao, B. (2019). PTrix: Efficient hardware-assisted fuzzing for COTS binary. In AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (pp. 633-645). (AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3321705.3329828
Chen, Yaohui ; Mu, Dongliang ; Xu, Jun ; Sun, Zhichuang ; Shen, Wenbo ; Xing, Xinyu ; Lu, Long ; Mao, Bing. / PTrix : Efficient hardware-assisted fuzzing for COTS binary. AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2019. pp. 633-645 (AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security).
@inproceedings{a40d68f652054d66ac859c7c78690956,
title = "PTrix: Efficient hardware-assisted fuzzing for COTS binary",
abstract = "Despite its effectiveness in uncovering software defects, American Fuzzy Lop (AFL), one of the best grey-box fuzzers, is inefficient when fuzz-testing source-unavailable programs. AFL's binary-only fuzzing mode, QEMU-AFL, is typically 2-5x slower than its source-available fuzzing mode. The slowdown is largely caused by the heavy dynamic instrumentation. Recent fuzzing techniques use Intel Processor Tracing (PT), a lightweight tracing feature supported by recent Intel CPUs, to remove the need for dynamic instrumentation. However, we found that these PT-based fuzzing techniques are even slower than QEMU-AFL when fuzzing real-world programs, making them less effective than QEMU-AFL. This poor performance is caused by the slow extraction of code coverage information from highly compressed PT traces. In this work, we present the design and implementation of PTrix, which fully unleashes the benefits of PT for fuzzing via three novel techniques. First, PTrix introduces a scheme to highly parallelize the processing of the PT trace and the execution of the target program. Second, it directly takes the decoded PT trace as feedback for fuzzing, avoiding the expensive reconstruction of code coverage information. Third, the new feedback PTrix maintains is stronger than edge-based code coverage, which helps reach new code space and defects that AFL may not. We evaluated PTrix by comparing its performance with the state-of-the-art fuzzers. Our results show that, given the same amount of time, PTrix achieves a significantly higher fuzzing speed and reaches into code regions missed by the other fuzzers. In addition, PTrix identifies 35 new vulnerabilities in a set of previously well-fuzzed binaries, showing its ability to complement existing fuzzers.",
author = "Yaohui Chen and Dongliang Mu and Jun Xu and Zhichuang Sun and Wenbo Shen and Xinyu Xing and Long Lu and Bing Mao",
year = "2019",
month = "7",
day = "2",
doi = "10.1145/3321705.3329828",
language = "English (US)",
series = "AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery, Inc",
pages = "633--645",
booktitle = "AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security",
}

Chen, Y, Mu, D, Xu, J, Sun, Z, Shen, W, Xing, X, Lu, L & Mao, B 2019, PTrix: Efficient hardware-assisted fuzzing for COTS binary. in AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 633-645, 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019, Auckland, New Zealand, 7/9/19. https://doi.org/10.1145/3321705.3329828

PTrix : Efficient hardware-assisted fuzzing for COTS binary. / Chen, Yaohui; Mu, Dongliang; Xu, Jun; Sun, Zhichuang; Shen, Wenbo; Xing, Xinyu; Lu, Long; Mao, Bing.

AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2019. p. 633-645 (AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security).

TY  - GEN
T1  - PTrix
T2  - Efficient hardware-assisted fuzzing for COTS binary
AU  - Chen, Yaohui
AU  - Mu, Dongliang
AU  - Xu, Jun
AU  - Sun, Zhichuang
AU  - Shen, Wenbo
AU  - Xing, Xinyu
AU  - Lu, Long
AU  - Mao, Bing
PY  - 2019/7/2
Y1  - 2019/7/2
N2  - Despite its effectiveness in uncovering software defects, American Fuzzy Lop (AFL), one of the best grey-box fuzzers, is inefficient when fuzz-testing source-unavailable programs. AFL's binary-only fuzzing mode, QEMU-AFL, is typically 2-5x slower than its source-available fuzzing mode. The slowdown is largely caused by the heavy dynamic instrumentation. Recent fuzzing techniques use Intel Processor Tracing (PT), a lightweight tracing feature supported by recent Intel CPUs, to remove the need for dynamic instrumentation. However, we found that these PT-based fuzzing techniques are even slower than QEMU-AFL when fuzzing real-world programs, making them less effective than QEMU-AFL. This poor performance is caused by the slow extraction of code coverage information from highly compressed PT traces. In this work, we present the design and implementation of PTrix, which fully unleashes the benefits of PT for fuzzing via three novel techniques. First, PTrix introduces a scheme to highly parallelize the processing of the PT trace and the execution of the target program. Second, it directly takes the decoded PT trace as feedback for fuzzing, avoiding the expensive reconstruction of code coverage information. Third, the new feedback PTrix maintains is stronger than edge-based code coverage, which helps reach new code space and defects that AFL may not. We evaluated PTrix by comparing its performance with the state-of-the-art fuzzers. Our results show that, given the same amount of time, PTrix achieves a significantly higher fuzzing speed and reaches into code regions missed by the other fuzzers. In addition, PTrix identifies 35 new vulnerabilities in a set of previously well-fuzzed binaries, showing its ability to complement existing fuzzers.
AB  - Despite its effectiveness in uncovering software defects, American Fuzzy Lop (AFL), one of the best grey-box fuzzers, is inefficient when fuzz-testing source-unavailable programs. AFL's binary-only fuzzing mode, QEMU-AFL, is typically 2-5x slower than its source-available fuzzing mode. The slowdown is largely caused by the heavy dynamic instrumentation. Recent fuzzing techniques use Intel Processor Tracing (PT), a lightweight tracing feature supported by recent Intel CPUs, to remove the need for dynamic instrumentation. However, we found that these PT-based fuzzing techniques are even slower than QEMU-AFL when fuzzing real-world programs, making them less effective than QEMU-AFL. This poor performance is caused by the slow extraction of code coverage information from highly compressed PT traces. In this work, we present the design and implementation of PTrix, which fully unleashes the benefits of PT for fuzzing via three novel techniques. First, PTrix introduces a scheme to highly parallelize the processing of the PT trace and the execution of the target program. Second, it directly takes the decoded PT trace as feedback for fuzzing, avoiding the expensive reconstruction of code coverage information. Third, the new feedback PTrix maintains is stronger than edge-based code coverage, which helps reach new code space and defects that AFL may not. We evaluated PTrix by comparing its performance with the state-of-the-art fuzzers. Our results show that, given the same amount of time, PTrix achieves a significantly higher fuzzing speed and reaches into code regions missed by the other fuzzers. In addition, PTrix identifies 35 new vulnerabilities in a set of previously well-fuzzed binaries, showing its ability to complement existing fuzzers.
UR  - http://www.scopus.com/inward/record.url?scp=85069967534&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85069967534&partnerID=8YFLogxK
U2  - 10.1145/3321705.3329828
DO  - 10.1145/3321705.3329828
M3  - Conference contribution
AN  - SCOPUS:85069967534
T3  - AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
SP  - 633
EP  - 645
BT  - AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
PB  - Association for Computing Machinery, Inc
ER  -

Chen Y, Mu D, Xu J, Sun Z, Shen W, Xing X et al. PTrix: Efficient hardware-assisted fuzzing for COTS binary. In AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2019. p. 633-645. (AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security). https://doi.org/10.1145/3321705.3329828