Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities
This addresses a hard-to-detect vulnerability for software security, with incremental improvements in directed fuzzing for binary-level analysis.
The paper tackled the problem of detecting Use-After-Free vulnerabilities at the binary level by proposing UAFuzz, a directed greybox fuzzer, which outperformed state-of-the-art fuzzers in fault detection rate and time to exposure, and discovered 30 new bugs including 7 CVEs.
Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recently, hard-to-detect vulnerabilities such as Use-After-Free (UAF) are still not well addressed, especially at the binary level. We propose UAFuzz, the first (binary-level) directed greybox fuzzer dedicated to UAF bugs. The technique features a fuzzing engine tailored to UAF specifics, a lightweight code instrumentation and an efficient bug triage step. Experimental evaluation for bug reproduction on real cases demonstrates that UAFuzz significantly outperforms state-of-the-art directed fuzzers in terms of fault detection rate, time to exposure and bug triaging. UAFuzz has also been proven effective in patch testing, leading to the discovery of 30 new bugs (7 CVEs) in programs such as Perl, GPAC and GNU Patch. Finally, we provide to the community a large fuzzing benchmark dedicated to UAF, built on both real codes and real bugs.