Going Beyond Coverage-Guided Fuzzing with Structured Fuzzing

Presented at Black Hat USA 2019, Aug. 7, 2019, 5:05 p.m. (25 minutes).

<p class="p1">Coverage-guided fuzzers like AFL and libFuzzer have led to a "fuzzing renaissance". This is because they made it possible for security researchers to write effective fuzzers for formats without knowing about the format's structure. However, structure-aware (aka structured) fuzzing is far from dead. In fact, the combination of structured and coverage-guided (aka coverage) fuzzing has quietly become the state of the art in automated vulnerability discovery.</p>
<p class="p1">This talk will:</p>
<ul>
<li class="p1">Explain the problems in coverage fuzzing that structured fuzzing solves and how it solves them, including:
<ul>
<li class="p1">How to ensure fuzzing reaches specific code to find vulnerabilities.</li>
<li class="p1">How to ensure fuzzing does not fuzz specific code that makes fuzzing harder.</li>
<li class="p1">How to fuzz code that doesn't accept an array of bytes.</li>
</ul>
</li>
<li class="p1">Highlight some of the places where structured coverage fuzzing has shined.
<ul>
<li class="p1">Including Chrome's AppCache where it found a vulnerability used in a full-chain exploit and SQLite+Skia where it found bugs that other kinds of fuzzing did not.</li>
</ul>
</li>
<li class="p1">Present libprotobuf-mutator and custom mutators, two techniques for structured coverage fuzzing that are supported by libFuzzer. These can be used by anyone who can write a fuzzer.</li>
<li class="p1">Share lessons on writing structured coverage fuzzers and how it can make fuzzing less of an art and more of a science.</li>
<li class="p1">Show how structured coverage fuzzing can find more bugs than coverage fuzzing alone and how this technique is straightforward to use.</li>
</ul>
<p class="p1">The talk will ultimately benefit anyone who is interested in fuzzing. In particular, it will benefit security researchers trying to go beyond coverage fuzzing to find vulnerabilities in real code.</p>

Presenters:

  • Jonathan Metzman - Software Engineer, Google
    Jonathan Metzman works on the Chrome security team where he writes fuzzers and infrastructure for running fuzzers (ClusterFuzz and OSS-Fuzz).
