Zeng Yingpei, Zhu Fengming, Zhang Siyi, Yang Yu, Yi Siyu, Pan Yufan, Xie Guojie, Wu Ting
School of Cyberspace, Hangzhou Dianzi University, Hangzhou, China.
Zhejiang Key Laboratory of Open Data, Hangzhou, China.
PeerJ Comput Sci. 2023 Sep 19;9:e1592. doi: 10.7717/peerj-cs.1592. eCollection 2023.
Fuzzing has become an important method for finding vulnerabilities in software. For fuzzing programs that expect structured inputs, syntax- and semantics-aware fuzzing approaches have been proposed specifically. However, they still cannot fuzz in-memory data stores sufficiently, since some code paths are only executed when the required data are available. In this article, we propose a data-aware fuzzing method, DAFuzz, which is designed by considering the data used during fuzzing. Specifically, to ensure that different data-sensitive code paths are exercised, DAFuzz first loads different kinds of data into the stores before feeding fuzzing inputs. Then, when generating inputs, DAFuzz ensures the generated inputs are not only syntactically and semantically valid but also use the data correctly. We implement a prototype of DAFuzz based on Superion and use it to fuzz Redis and Memcached. Experiments show that DAFuzz covers 13% to 95% more edges than AFL, Superion, AFL++, and AFLNet, and discovers vulnerabilities over 2.7× faster. In total, we discovered four new vulnerabilities in Redis and Memcached. All the vulnerabilities were reported to developers and have been acknowledged and fixed.
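The following added example (not code from the paper, DAFuzz, or Redis) models the abstract's two ideas on a constructed toy key-value store: preload typed data so type-specific handlers are reachable, then generate commands that name a loaded key and are valid for that key's type. The command tables and key names are assumptions chosen for illustration; the `handler_hit_ratio` function measures how often a generated input gets past the store's early "no such key" and "wrong type" returns, which is where data-aware generation differs from data-unaware generation.

```python
import random

# Constructed stand-in for an in-memory data store: key -> (type, value).
# Command tables are an illustration, not DAFuzz's or Redis' own code.
TYPE_COMMANDS = {
    "string": ("GET", "APPEND", "STRLEN"),
    "list": ("LPUSH", "LPOP", "LRANGE"),
    "hash": ("HGET", "HSET", "HGETALL"),
}
ALL_COMMANDS = tuple(c for cmds in TYPE_COMMANDS.values() for c in cmds)
COMMAND_TYPE = {c: t for t, cmds in TYPE_COMMANDS.items() for c in cmds}


def preload(store):
    """Load one value of each type so type-specific code paths become reachable."""
    store["k:str"] = ("string", "hello")
    store["k:list"] = ("list", ["a", "b"])
    store["k:hash"] = ("hash", {"f": "v"})
    return store

def execute(store, command, key):
    """Model the dispatch checks a typed store performs before touching data."""
    if key not in store:
        return "nokey"          # early return: data-handling code never runs
    if store[key][0] != COMMAND_TYPE[command]:
        return "wrongtype"      # early return: type check rejects the command
    return "ok"                 # reaches the data-sensitive handler

def data_aware_inputs(store, n, seed):
    """Pick a loaded key, then a command that is valid for that key's type."""
    rng = random.Random(seed)
    keys = sorted(store)
    out = []
    for _ in range(n):
        key = rng.choice(keys)
        out.append((rng.choice(TYPE_COMMANDS[store[key][0]]), key))
    return out

def naive_inputs(candidate_keys, n, seed):
    """Data-unaware generation: any command with any key, loaded or not."""
    rng = random.Random(seed)
    return [(rng.choice(ALL_COMMANDS), rng.choice(candidate_keys)) for _ in range(n)]

def handler_hit_ratio(store, inputs):
    """Fraction of inputs that reach a data-sensitive handler."""
    hits = sum(execute(store, c, k) == "ok" for c, k in inputs)
    return hits / len(inputs)
```

Running `handler_hit_ratio` on both generators over the same preloaded store shows every data-aware input reaching a handler, while the naive inputs are mostly rejected before any data is touched.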