Tuesday March 30, 2021
Guiding binary-code fuzzing to detect complex software vulnerabilities (original title: Guidage du test en frelatage de codes binaires pour la détection de vulnérabilités logicielles complexes)

Abstract

Fuzzing is a popular security testing technique that consists in generating massive amounts of random inputs; it is very effective at triggering bugs in real-world programs. Although recent research has made a lot of progress on fuzzing obstacles such as magic numbers and highly structured inputs, detecting complex vulnerabilities is still hard for current feedback-driven fuzzers, even in cases where the targets are known (directed fuzzing). In this thesis, we consider the problem of guiding fuzzing to detect complex vulnerabilities such as Use-After-Free (UAF), where bug-triggering paths must satisfy specific properties of the bug class (for UAF, an allocation, then a free, then a use of the same object, in that order). UAF is currently identified as one of the most critical exploitable vulnerabilities and has serious consequences such as data corruption and information leaks. Firstly, we provide a detailed survey of Directed Greybox Fuzzing, the core technique of this thesis, which aims to stress-test predefined targets such as recent code changes or vulnerable functions. Secondly, we propose new directed fuzzing techniques tailored to detecting UAF vulnerabilities in binary code, which we have shown to be effective and efficient in both bug reproduction and patch testing. Thirdly, we show that our directed techniques can be fruitfully generalized to other typestate bugs such as buffer overflows. Finally, our proposed techniques have been implemented in the open-source tools Binsec/UAFuzz and Binsec/TypeFuzz, helping to find security vulnerabilities in real-world programs (39 new bugs, 17 CVEs assigned and 30 bugs fixed).
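The abstract describes UAF as a typestate bug: a violation is not a single bad instruction but an ordered sequence of events on one object (allocate, free, use). The following added example, which is not code from the thesis or from Binsec/UAFuzz, makes that idea concrete with a small typestate monitor replayed over a constructed event trace. The event names, object identifiers and the sample trace are all assumptions chosen for illustration; a real fuzzer would obtain such events from binary instrumentation.

```python
# Added example (not from the thesis or Binsec/UAFuzz): a minimal typestate
# monitor for the Use-After-Free bug class. It replays a trace of memory
# events and reports sequences alloc -> free -> use (or free -> free) on the
# same object, which is the property a directed fuzzer must drive inputs to.

# Constructed sample trace: (operation, object id). Object ids are hypothetical.
SAMPLE_TRACE = [
    ("alloc", "obj1"), ("use", "obj1"), ("free", "obj1"), ("use", "obj1"),  # use-after-free
    ("alloc", "obj2"), ("free", "obj2"), ("free", "obj2"),                   # double free
    ("alloc", "obj3"), ("use", "obj3"), ("free", "obj3"),                    # benign lifetime
]

# Typestate automaton for one heap object: state -> {event: next state}.
# Any event with no transition from the current state is a violation.
TRANSITIONS = {
    "unallocated": {"alloc": "live"},
    "live": {"use": "live", "free": "freed"},
    "freed": {"alloc": "live"},   # the same id may be reallocated later
}


def classify(state, op):
    """Name the violation for an event that has no valid transition."""
    if state == "freed" and op == "use":
        return "use-after-free"
    if state == "freed" and op == "free":
        return "double-free"
    if state == "unallocated":
        return "use-or-free-of-unallocated"
    return "invalid-transition"


def check_trace(trace):
    """Return a list of (event index, object id, violation kind) found in trace."""
    states = {}        # object id -> current typestate
    violations = []
    for idx, (op, obj) in enumerate(trace):
        state = states.get(obj, "unallocated")
        nxt = TRANSITIONS[state].get(op)
        if nxt is None:
            # Record the violation but keep the object's state so that later
            # events on the same object are still checked.
            violations.append((idx, obj, classify(state, op)))
        else:
            states[obj] = nxt
    return violations


if __name__ == "__main__":
    for idx, obj, kind in check_trace(SAMPLE_TRACE):
        print(f"event {idx}: {kind} on {obj}")
```

Running the block reports the use at event 3 on `obj1` and the second free at event 6 on `obj2`, while `obj3`'s well-formed lifetime produces nothing. The point for directed fuzzing is visible in the automaton: coverage of the `alloc`, `free` and `use` sites individually is not enough, the fuzzer has to reach them in the right order on the same object, which is why ordinary coverage feedback struggles with this bug class.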

Updated on 19 March 2021