Triggering and Detecting Exploitable Library Vulnerability from the Client by Directed Greybox Fuzzing
This paper addresses security risks for developers using third-party libraries, offering a novel method for detecting exploitable library vulnerabilities from client programs without PoCs, though it builds incrementally on directed greybox fuzzing.
The paper tackles the problem of detecting exploitable library vulnerabilities from client programs without relying on proof-of-concepts, proposing LiveFuzz, which increases target-reachable paths and improves vulnerability exposure speed, triggering three exclusive vulnerabilities.
Developers utilize third-party libraries to improve productivity, which also introduces potential security risks. Existing approaches generate tests for public functions to trigger library vulnerabilities from client programs, yet they depend on proof-of-concepts (PoCs), which are often unavailable. In this paper, we propose a new approach, LiveFuzz, based on directed greybox fuzzing (DGF) to detect the exploitability of library vulnerabilities from client programs without PoCs. LiveFuzz exploits a target tuple to extend existing DGF techniques to cross-program scenarios. Based on the target tuple, LiveFuzz introduces a novel Abstract Path Mapping mechanism to project execution paths, mitigating the preference for shorter paths. LiveFuzz also proposes a risk-based adaptive mutation to mitigate excessive mutation. To evaluate LiveFuzz, we construct a new dataset including 61 cases of library vulnerabilities exploited from client programs. Results show that LiveFuzz increases the number of target-reachable paths compared with all baselines and improves the average speed of vulnerability exposure. Three vulnerabilities are triggered exclusively by LiveFuzz.
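To make the cross-program setting and the "preference for shorter paths" concrete, here is an added illustration (not LiveFuzz's code, and not its Abstract Path Mapping): a simplified AFLGo-style distance metric computed over a toy call graph that spans a client program and a library, with the target tuple pairing the client entry point and the library function to reach. All function names, the call graph and the seed traces are constructed for the example.

```python
# Constructed illustration (not LiveFuzz's code): AFLGo-style distance-based seed
# prioritisation in directed greybox fuzzing, over a toy call graph spanning a
# client program and a library. All function names are hypothetical.
from collections import deque

CALL_GRAPH = {  # caller -> callees; "client." and "lib." prefixes mark the two programs
    "client.main": ["client.parse_args", "client.load"],
    "client.parse_args": ["lib.init"],
    "client.load": ["client.read_file", "lib.init"],
    "client.read_file": ["lib.decode"],
    "lib.init": ["lib.set_opts"],
    "lib.set_opts": [],
    "lib.decode": ["lib.inflate"],
    "lib.inflate": ["lib.vuln_copy"],
    "lib.vuln_copy": [],          # hypothetical library target function
}
TARGET = ("client.main", "lib.vuln_copy")   # target tuple: (client entry, library target)

def distances_to_target(graph, target_fn):
    """BFS on the reversed call graph: fewest calls from each function to target_fn, or None if unreachable."""
    reverse = {n: [] for n in graph}
    for caller, callees in graph.items():
        for callee in callees:
            reverse[callee].append(caller)
    dist, queue = {target_fn: 0}, deque([target_fn])
    while queue:
        node = queue.popleft()
        for pred in reverse[node]:
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return {n: dist.get(n) for n in graph}

def seed_distance(trace, dist):
    """Simplified AFLGo seed distance: mean distance of executed functions that can reach the target."""
    reachable = [dist[f] for f in trace if dist[f] is not None]
    return sum(reachable) / len(reachable) if reachable else float("inf")

def prioritize(seeds, graph, target):
    """Order seeds (name -> executed-function trace) by ascending seed distance; smaller is favoured."""
    dist = distances_to_target(graph, target[1])
    return sorted(seeds, key=lambda name: seed_distance(seeds[name], dist))

# Constructed traces. "deep_loop" gets as close to the target as "direct" but runs
# client.load three times, so the plain distance metric ranks it lower: this is
# the preference for shorter paths that the abstract says LiveFuzz mitigates.
SEEDS = {
    "shallow":   ["client.main", "client.parse_args", "lib.init", "lib.set_opts"],
    "direct":    ["client.main", "client.load", "client.read_file", "lib.decode"],
    "deep_loop": ["client.main", "client.load", "client.load", "client.load",
                  "client.read_file", "lib.decode"],
}
```

Calling `prioritize(SEEDS, CALL_GRAPH, TARGET)` returns `['direct', 'deep_loop', 'shallow']`: the seed that detours through the client loop is scheduled behind the direct one even though both reach `lib.decode`.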