• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.9
• /
• pp.3885-3906
• /
• 2020

Hybrid fuzzing which combines fuzzing and concolic execution, has proved its ability to achieve higher code coverage and therefore find more bugs. However, current hybrid fuzzers usually suffer from inefficiency and poor scalability when applied to complex, real-world program testing. We observed that the performance bottleneck is the inefficient cooperation between the fuzzer and concolic executor and the slow symbolic emulation. In this paper, we propose a novel solution named EPfuzzer to improve hybrid fuzzing. EPfuzzer implements two key ideas: 1) only the hardest-to-reach branch will be prioritized for concolic execution to avoid generating uninteresting inputs; and 2) only input bytes relevant to the target branch to be flipped will be symbolized to reduce the overhead of the symbolic emulation. With these optimizations, EPfuzzer can be efficiently targeted to the hardest-to-reach branch. We evaluated EPfuzzer with three sets of programs: five real-world applications and two popular benchmarks (LAVA-M and the Google Fuzzer Test Suite). The evaluation results showed that EPfuzzer was much more efficient and scalable than the state-of-the-art concolic execution engine (QSYM). EPfuzzer was able to find more bugs and achieve better code coverage. In addition, we discovered seven previously unknown security bugs in five real-world programs and reported them to the vendors.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.7 no.8
• /
• pp.1989-2009
• /
• 2013

How to discover router vulnerabilities effectively and automatically is a critical problem to ensure network and information security. Previous research on router security is mostly about the technology of exploiting known flaws of routers. Fuzzing is a famous automated vulnerability finding technology; however, traditional Fuzzing tools are designed for testing network applications or other software. These tools are not or partly not suitable for testing routers. This paper designs a framework of discovering router protocol vulnerabilities, and proposes a mathematical model Two-stage Fuzzing Test Cases Generator(TFTCG) that improves previous methods to generate test cases. We have developed a tool called RPFuzzer based on TFTCG. RPFuzzer monitors routers by sending normal packets, keeping watch on CPU utilization and checking system logs, which can detect DoS, router reboot and so on. RPFuzzer' debugger based on modified Dynamips, which can record register values when an exception occurs. Finally, we experiment on the SNMP protocol, find 8 vulnerabilities, of which there are five unreleased vulnerabilities. The experiment has proved the effectiveness of RPFuzzer.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.6
• /
• pp.1121-1125
• /
• 2022

HAL-Fuzz, a fuzzing technique to find firmware vulnerabilities, is efficient by using the HAL function of the hardware abstraction layer provided by MCU vendors. However, it cannot handle most firmware that unused the exact HAL function. In this paper, we propose a new method for identifying pseudo-HAL functions to increase the fuzzing availability of HAL-Fuzz. In experiments, we identified not only the HAL but also the pseudo-HAL functions, implemented by the developer, and that fuzzing is possible.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.11a
• /
• pp.374-375
• /
• 2020

소프트웨어 보안 취약점을 찾는 기술로서 퍼징(Fuzzing)이 있다. 기존 퍼징 기술은 요구-응답형 프로토콜을 사용하는 소프트웨어를 대상으로 하기 때문에 응답 메시기가 없는 단방향 프로토콜에서는 퍼징을 수행할 수 없는 문제가 있다. 본 논문에서는 단방향 프로토콜 소프트웨어에서 퍼징을 수행하는데 필요한 퍼징 상태 판다 기능을 정의하고 설계한다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2011.06a
• /
• pp.328-331
• /
• 2011

최근 소프트웨어 결함이나 보안 취약점을 분석하고 발견하기 위해 퍼징(fuzzing)에 대한 연구가 활발하다. 퍼징은 무작위 입력 데이터를 대상 프로그램에 주입하여 그 결과를 관찰하면서 결함을 탐지하는 테스팅 방법이다. 본 논문에서는 웹 브라우저를 대상으로 기존의 '변이 기반의 덤 퍼징'(Mutation based Dumb Fuzzing) 방식과 '생성 기반의 지능적 퍼징'(Generation based Smart Fuzzing) 방식을 비교 분석하였다. 그리고 실험을 통해 기존의 퍼징 도구들의 성능을 측정하고 이를 바탕으로 브라우저 퍼징에서' 변이 기반의 덤 퍼징' 이 웹 브라우저의 결함 및 취약점 탐지에 더 효율적이라는 것을 보인다. 그리고 웹 브라우저를 대상으로 '변이 기반의 덤 퍼징' 방식을 적용할 때, 코드 실행 커버리지를 고려한 다수의 입력 템플릿 확보와 다수의 템플릿들에 대한 구성 요소들을 랜덤하게 섞어서 변이를 하는 효과적인 브라우저 퍼징 전략을 제안한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.2
• /
• pp.231-242
• /
• 2013

Recently, automated software testing methods such as fuzzing have been researched to find software vulnerabilities. The purpose of fuzzing is to disclose software vulnerabilities by providing a software with malformed data. In order to increase the probability of vulnerability discovery by fuzzing, we must solve the test suite reduction problem because the probability depends on the test case quality. In this paper, we propose a new method to solve the test suite reduction problem which is suitable for the long test case such as file. First, we suggested the length of test case as a measure in addition to old measures such as coverage and redundancy. Next we designed a test suite reduction algorithm using the new measure. In the experimental results, the proposed algorithm showed better performance in the size and length reduction ratio of the test suite than previous studies. Finally, results from an empirical study suggested the viability of our proposed measure and algorithm for file fuzzing.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.443-454
• /
• 2020

The JavaScript engine is a module that receives JavaScript code as input and processes it, among many functions that are loaded into web browsers and display web pages. Many fuzzing test studies have been conducted as vulnerabilities in JavaScript engines could threaten the system security of end-users running JavaScript through browsers. Some of them have increased fuzzing efficiency by guiding test coverage in JavaScript engines, but no coverage guided fuzzing of optimized, dynamically generated machine code was attempted. Optimized JavaScript codes are difficult to perform sufficient iterative testing through fuzzing due to the function of runtime guards to free the code in the event of exceptional control flow. To solve these problems, this paper proposes a method of performing fuzzing tests on optimized machine code by avoiding deoptimization. In addition, we propose a method to measure the coverage of runtime-guards by the dynamic binary instrumentation and to guide increment of runtime-guard coverage. In our experiment, our method has outperformed the existing method at two measures: runtime coverage and iteration by time.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.2
• /
• pp.51-59
• /
• 2007

Software testing is the process of analyzing a software item to detect the differences between existing and required conditions and to evaluate the features of the software item. A traditional testing focuses on proper functionality, not security testing. Fuzzing is a one of many software testing techniques and security testing. Fuzzing methodology has advantage that low-cost, efficiency and so on. But fuzzing has defects such as intervening experts. Also, if there is no specification, fuzzing is impossible. ROAD Tool is automated testing tool for RPC(Remote Procedure Call) based protocol and software without specification. Existing tools are semi-automated. Therefore we must modify these tools. In this paper, we design and implement ROAD tool. Also we verify utility in testing results.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.7
• /
• pp.3511-3532
• /
• 2019

Coverage-guided fuzzing is an efficient solution that has been widely used in software testing. By guiding fuzzers through the coverage information, seeds that generate new paths will be retained to continually increase the coverage. However, we observed that most samples follow the same few high-frequency paths. The seeds that exercise a high-frequency path are saved for the subsequent mutation process until the user terminates the test process, which directly affects the efficiency with which the low-frequency paths are tested. In this paper, we propose a fuzzing solution, ER-Fuzz, that truncates the recording of a high-frequency path to influence coverage. It utilizes a deep learning-based classifier to locate the high and low-frequency path transfer points; then, it instruments at the transfer position to promote the probability low-frequency transfer paths while eliminating subsequent variations of the high-frequency path seeds. We implemented a prototype of ER-Fuzz based on the popular fuzzer AFL and evaluated it on several applications. The experimental results show that ER-Fuzz improves the coverage of the original AFL method to different degrees. In terms of the number of crash discoveries, in the best case, ER-Fuzz found 115% more unique crashes than did AFL. In total, seven new bugs were found and new CVEs were assigned.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.1
• /
• pp.31-37
• /
• 2015

As the forms of cyberattacks become diverse, there has been reported another case of exploiting vulnerabilities revealed while processing either a document or multimedia file that was distributed for attacking purpose, which would replace the traditional method of distributing malwares directly. The attack is based upon the observation that the softwares such as document editer or multimedia player may reveal inherent vulnerabilities on some specific inputs. The fuzzing methods that provide invalid random inputs for test purpose could discover such exploits. This paper suggests a new fuzzing method on document applications that could work in mobile environments, in order to resolve the drawback that the existing methods run only in PC environments. Our methods could effectively discover the exploits of mobile applications, and thus could be utilized as a means of dealing with APT attacks in mobile environments.