TransferFuzz: Fuzzing with Historical Trace for Verifying Propagated Vulnerability Code

Siyuan Li, Yuekang Li, Zuxin Chen, Chaopeng Dong, Yongpan Wang, Hong Li, Yongle Chen, Hongsong Zhu

TL;DR

This paper introduces TransferFuzz, a novel vulnerability verification framework, to verify whether vulnerabilities propagated through code reuse can be triggered in new software, and shows that it can quickly validate vulnerabilities previously unverifiable with existing techniques.

Abstract

Code reuse in software development frequently facilitates the spread of vulnerabilities, making the scope of affected software in CVE reports imprecise. Traditional methods primarily focus on identifying reused vulnerability code within target software, yet they cannot verify if these vulnerabilities can be triggered in new software contexts. This limitation often results in false positives. In this paper, we introduce TransferFuzz, a novel vulnerability verification framework, to verify whether vulnerabilities propagated through code reuse can be triggered in new software. Innovatively, we collected runtime information during the execution or fuzzing of the basic binary (the vulnerable binary detailed in CVE reports). This process allowed us to extract historical traces, which proved instrumental in guiding the fuzzing process for the target binary (the new binary that reused the vulnerable function). TransferFuzz introduces a unique Key Bytes Guided Mutation strategy and a Nested Simulated Annealing algorithm, which transfers these historical traces to implement trace-guided fuzzing on the target binary, facilitating the accurate and efficient verification of the propagated vulnerability. Our evaluation, conducted on widely recognized datasets, shows that TransferFuzz can quickly validate vulnerabilities previously unverifiable with existing techniques. Its verification speed is 2.5 to 26.2 times faster than existing methods. Moreover, TransferFuzz has proven its effectiveness by expanding the impacted software scope for 15 vulnerabilities listed in CVE reports, increasing the number of affected binaries from 15 to 53. The datasets and source code used in this article are available at https://github.com/Siyuan-Li201/TransferFuzz.

Paper Structure

This paper contains 25 sections, 3 equations, 5 figures, 4 tables, 2 algorithms.

Figures (5)

  • Figure 1: Propagated vulnerability code. Red nodes are vulnerability information in CVE reports and historical research, white nodes are binaries that reuse vulnerable code, and gray nodes are binaries affected by the vulnerability.
  • Figure 2: A motivation example. The red node is the vulnerability function of CVE-2016-4487. Gray nodes are functions known to be on the vulnerability-triggering path, and white nodes are functions that may pass through. The blue code in 1(d) is the code in cxxfilt that accesses POC-related bytes.
  • Figure 3: The workflow of TransferFuzz.
  • Figure 4: State machine diagram in NSA algorithm.
  • Figure 5: CPU and Memory Usage. The green bars represent CPU Usage, while the gray bars indicate Memory Usage (RES).