Yi Li bio photo

Yi Li

Associate Professor

School of Computer Science and Engineering (SCSE)
Nanyang Technological University (NTU)

Address: Block N4-02b-63
50 Nanyang Avenue, Singapore 639798
Phone: +65 6790 4287

Email Twitter LinkedIn GitHub Bitbucket Google Scholar ORCID

Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities

Haijun Wang, Xiaofei Xie, Yi Li, Cheng Wen, Yuekang Li, Yang Liu, Shengchao Qin, Hongxu Chen, and Yulei Sui

In Proceedings of the 42nd International Conference on Software Engineering (ICSE), 2020

Abstract: Existing coverage-based fuzzers usually use the individual controlflow graph (CFG) edge coverage to guide the fuzzing process, which has shown great potential in finding vulnerabilities. However, CFG edge coverage is not effective in discovering vulnerabilities such as use-after-free (UaF). This is because, to trigger UaF vulnerabilities, one needs not only to cover individual edges, but also to traverse some long sequence of edges in a particular order, which is challenging for existing fuzzers. To this end, we first propose to model UaF vulnerabilities as typestate properties, then develop a typestate-guided fuzzer, named UAFL, for discovering vulnerabilities violating typestate properties. Given a typestate property, we first perform a static typestate analysis to find operation sequences potentially violating the property. Then, the fuzzing process is guided by the operation sequences in order to progressively generate test cases triggering property violations. In addition, we also adopt the information flow analysis to improve the efficiency of the fuzzing process. We performed a thorough evaluation of UAFL on 14 widely-used real-world programs. The experiment results show that UAFL substantially outperforms the state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, MOpt, Angora and QSYM, interms of the time taken to discover vulnerabilities. We discovered10 previously unknown vulnerabilities, and received 5 new CVEs.

Cite:

@inproceedings{Wang2020TGF,
  author = {Wang, Haijun and Xie, Xiaofei and Li, Yi and Wen, Cheng and Li, Yuekang and Liu, Yang and Qin, Shengchao and Chen, Hongxu and Sui, Yulei},
  booktitle = {Proceedings of the 42nd International Conference on Software Engineering (ICSE)},
  month = jun,
  pages = {999--1010},
  title = {Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities},
  year = {2020}
}
Paper Site