Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

HuntFUZZ: Enhancing Error Handling Testing through Clustering Based Fuzzing

Jin Wei, Ping Chen, Jun Dai, Xiaoyan Sun, Zhihao Zhang, Chang Xu, Yi Wanga

TL;DR

HuntFUZZ tackles the scarcity and redundancy of testing error handling by clustering error points that share common CFG paths and applying concolic execution to compute constraints only for each cluster's longest common path. The framework integrates static error-point extraction, conventional fuzzing, and a concolic executor guided by cluster weights to focus testing on high-value, correlated error regions. Empirical evaluation across 42 applications reveals 162 known bugs (including 62 error-handling bugs) and 7 zero-day bugs, with HuntFUZZ achieving about 38.9% higher error coverage than EH-FUZZ and broader error-point testing, while trading off some raw code-coverage due to its error-centric objective. The work demonstrates significant practical impact by accelerating deep-state error discovery and reducing redundant exploration, with broader implications for clustering targets to streamline fuzzing beyond error handling.

Abstract

Testing a program's capability to effectively handling errors is a significant challenge, given that program errors are relatively uncommon. To solve this, Software Fault Injection (SFI)-based fuzzing integrates SFI and traditional fuzzing, injecting and triggering errors for testing (error handling) code. However, we observe that current SFI-based fuzzing approaches have overlooked the correlation between paths housing error points. In fact, the execution paths of error points often share common paths. Nonetheless, Fuzzers usually generate test cases repeatedly to test error points on commonly traversed paths. This practice can compromise the efficiency of the fuzzer(s). Thus, this paper introduces HuntFUZZ, a novel SFI-based fuzzing framework that addresses the issue of redundant testing of error points with correlated paths. Specifically, HuntFUZZ clusters these correlated error points and utilizes concolic execution to compute constraints only for common paths within each cluster. By doing so, we provide the fuzzer with efficient test cases to explore related error points with minimal redundancy. We evaluate HuntFUZZ on a diverse set of 42 applications, and HuntFUZZ successfully reveals 162 known bugs, with 62 of them being related to error handling. Additionally, due to its efficient error point detection method, HuntFUZZ discovers 7 unique zero-day bugs, which are all missed by existing fuzzers. Furthermore, we compare HuntFUZZ with 4 existing fuzzing approaches, including AFL, AFL++, AFLGo, and EH-FUZZ. Our evaluation confirms that HuntFUZZ can cover a broader range of error points, and it exhibits better performance in terms of bug finding speed.

HuntFUZZ: Enhancing Error Handling Testing through Clustering Based Fuzzing

TL;DR

HuntFUZZ tackles the scarcity and redundancy of testing error handling by clustering error points that share common CFG paths and applying concolic execution to compute constraints only for each cluster's longest common path. The framework integrates static error-point extraction, conventional fuzzing, and a concolic executor guided by cluster weights to focus testing on high-value, correlated error regions. Empirical evaluation across 42 applications reveals 162 known bugs (including 62 error-handling bugs) and 7 zero-day bugs, with HuntFUZZ achieving about 38.9% higher error coverage than EH-FUZZ and broader error-point testing, while trading off some raw code-coverage due to its error-centric objective. The work demonstrates significant practical impact by accelerating deep-state error discovery and reducing redundant exploration, with broader implications for clustering targets to streamline fuzzing beyond error handling.

Abstract

Testing a program's capability to effectively handling errors is a significant challenge, given that program errors are relatively uncommon. To solve this, Software Fault Injection (SFI)-based fuzzing integrates SFI and traditional fuzzing, injecting and triggering errors for testing (error handling) code. However, we observe that current SFI-based fuzzing approaches have overlooked the correlation between paths housing error points. In fact, the execution paths of error points often share common paths. Nonetheless, Fuzzers usually generate test cases repeatedly to test error points on commonly traversed paths. This practice can compromise the efficiency of the fuzzer(s). Thus, this paper introduces HuntFUZZ, a novel SFI-based fuzzing framework that addresses the issue of redundant testing of error points with correlated paths. Specifically, HuntFUZZ clusters these correlated error points and utilizes concolic execution to compute constraints only for common paths within each cluster. By doing so, we provide the fuzzer with efficient test cases to explore related error points with minimal redundancy. We evaluate HuntFUZZ on a diverse set of 42 applications, and HuntFUZZ successfully reveals 162 known bugs, with 62 of them being related to error handling. Additionally, due to its efficient error point detection method, HuntFUZZ discovers 7 unique zero-day bugs, which are all missed by existing fuzzers. Furthermore, we compare HuntFUZZ with 4 existing fuzzing approaches, including AFL, AFL++, AFLGo, and EH-FUZZ. Our evaluation confirms that HuntFUZZ can cover a broader range of error points, and it exhibits better performance in terms of bug finding speed.
Paper Structure (24 sections, 5 figures, 2 tables, 3 algorithms)

This paper contains 24 sections, 5 figures, 2 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background and Key Insights
  3. Background
  4. SFI-based Fuzzing for Error-handing Test
  5. Concolic Execution and Hybrid Fuzzing
  6. Key Insights
  7. Design of HuntFUZZ
  8. Error Points Clustering
  9. Cluster Weight Calculation
  10. Optimization of Constraint Solving
  11. Implementation
  12. Evaluation
  13. Found Bugs
  14. Comparison to Existing Fuzzing Approaches
  15. Comparison on Found Bugs
  16. ...and 9 more sections

Figures (5)

  • Figure 1: Framework of HuntFUZZ.
  • Figure 2: A CFG of a tested program along with error points that need testing.
  • Figure 3: Comparsion of HuntFUZZ and EH-FUZZ in terms of error coverage.
  • Figure 4: Comparsion of HuntFUZZ, AFL, AFL++, AFLGo, and EH-FUZZ in terms of code coverage.
  • Figure 5: The influence of $k$, $w1,w2$, and $mutateThreshold$ to error coverage.