Shenzhen University
College of Computer Science and Software Engineering, SZU

Memlock: Memory Usage Guided Fuzzing

    International Conference on Software Engineering (ICSE)

 

Cheng Wen1    Haijun Wang1,2    Yuekang Li3    Shengchao Qin4    Yang Liu3

Zhiwu Xu1    Hongxu Chen3    Xiaofei Xie3    Geguang Pu5    Ting Liu6

1Shenzhen University    2Ant Financial Services Group    3Nanyang Technological University    

4Teesside University    5East China Normal University    6Xi’an Jiaotong University

 

Abstract

Uncontrolled memory consumption is a critical class of software security weakness. It becomes a security-critical vulnerability when attackers can control the input so as to consume a large amount of memory and launch a Denial-of-Service attack. However, detecting such vulnerabilities is challenging, as state-of-the-art fuzzing techniques focus on code coverage rather than memory consumption. To this end, we propose a memory usage guided fuzzing technique, named MemLock, to generate inputs with excessive memory consumption and trigger uncontrolled memory consumption bugs. The fuzzing process is guided by memory consumption information, so our approach is general and does not require any domain knowledge. We perform a thorough evaluation of MemLock on 14 widely-used real-world programs. Our experimental results show that MemLock substantially outperforms the state-of-the-art fuzzing techniques, including AFL, AFLfast, PerfFuzz, FairFuzz, Angora and QSYM, in discovering memory consumption bugs. During the experiments, we discovered many previously unknown memory consumption bugs and received 15 new CVEs.

 

Fig. 1. Code Snippet of CVE-2018-17985. This CVE was found by our MemLock. The function recursively calls itself when the input contains the character ‘P’. The recursion depth depends on the number of ‘P’ characters in the input. With a sufficiently large recursion depth, the execution runs out of stack memory, causing a stack overflow. It can be difficult for existing coverage-based grey-box fuzzing to find this bug. Take AFL as an example: it does not differentiate between inputs once the recursion depth is greater than a certain value. From the table, we can see that AFL simply discards inputs with a large recursion depth and only retains inputs with a small recursion depth, making it difficult to find the input that causes the stack overflow.

 

Fig. 2. Code Snippet of CVE-2018-4866. This example demonstrates an uncontrolled-memory-allocation problem. A length is extracted from the user input at line 11, and this value is used as the allocation size at line 4. Note that if the allocation size is large enough, the program fails to allocate the memory, leading to a crash or running out of memory. Let’s assume AFL already has an input with a small allocation size. If a mutated input tries to allocate more memory but still executes an already covered path, it will not be considered an interesting input, since it has not increased the coverage. AFL may simply discard such mutated inputs. Therefore, it is difficult for AFL to generate an input with a sufficiently large allocation size to cause the failure.

 

Fig. 3. The overview of MemLock. We present MemLock to enhance grey-box fuzzing to find memory consumption bugs. MemLock uses lightweight program instrumentation to collect memory consumption information and uses that information to guide the fuzzing process. We also propose a novel seed updating scheme to retain the most interesting inputs for each path.

 

Fig. 4. The seed updating scheme. To offer efficient support for retaining the most interesting inputs for each path, MemLock updates the seed queue in two cases. If the test input results in new coverage, it will be added to the seed queue as a new node. This is the same as other coverage-based fuzzers. The difference is that if the test input does not result in new coverage, but it leads to more memory consumption than the corresponding node in the queue, then this node will be replaced with the input that leads to more memory consumption.
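The following is an added example, not MemLock's own code: a small Python model of the Fig. 4 seed updating scheme, run against a constructed target shaped like the Fig. 1 snippet (recursion depth grows with the number of ‘P’ bytes). The coverage signature, the recursion-depth metric, STACK_LIMIT and the mutation operators are all constructed for illustration; the same replacement rule applies when the metric is an allocation size, as in Fig. 2.

```python
# Added example, not MemLock's own code: the Fig. 4 seed updating scheme run
# against a constructed target shaped like Fig. 1 (depth grows with 'P' bytes).
STACK_LIMIT = 16                    # constructed stand-in for the real stack size
def run_target(data: bytes):        # -> (coverage signature, peak depth, crashed)
    coverage, peak = set(), 0
    def parse(i: int, depth: int):
        nonlocal peak
        peak = max(peak, depth)
        if depth > STACK_LIMIT:      # the stack-exhaustion crash
            raise RecursionError
        if i == len(data):
            coverage.add("end")
        elif data[i:i + 1] == b"P":
            coverage.add("recurse")
            parse(i + 1, depth + 1)  # the self-recursive call
        else:
            coverage.add("other")
            parse(i + 1, depth)
    try:
        parse(0, 0)
    except RecursionError:
        return frozenset(coverage), peak, True
    return frozenset(coverage), peak, False

class SeedQueue:
    def __init__(self, memory_guided: bool):
        self.memory_guided = memory_guided
        self.nodes = {}              # coverage signature -> (input, memory)
    def update(self, data: bytes, signature, mem: int) -> str:
        node = self.nodes.get(signature)
        if node is None:             # case 1: new coverage -> new node
            self.nodes[signature] = (data, mem)
            return "added"
        if self.memory_guided and mem > node[1]:   # case 2: same path, more memory
            self.nodes[signature] = (data, mem)
            return "replaced"
        return "discarded"           # a pure coverage fuzzer stops here

def fuzz(memory_guided: bool, rounds: int = 100):
    """Append 'P' or 'x' to every seed each round; return first crashing round or None."""
    queue = SeedQueue(memory_guided)
    queue.update(b"", *run_target(b"")[:2])
    for rnd in range(1, rounds + 1):
        for seed, _ in list(queue.nodes.values()):
            for mutant in (seed + b"P", seed + b"x"):
                sig, mem, crashed = run_target(mutant)
                if crashed:
                    return rnd
                queue.update(mutant, sig, mem)
    return None
```

With memory guidance the node for the recursive path is replaced by a deeper input every round until the constructed stack limit is exceeded; with coverage only, the deeper inputs are discarded and the crash is never reached.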

 

Fig. 5.  The growth trend of unique crashes found in different fuzzers; higher is better.

 

 

Fig. 6. Seed distribution based on memory consumption. A larger value on the right side is better. The strategies of MemLock indeed help to generate inputs with high memory consumption.

 

Fig. 7. In this work, we have discovered many security-critical vulnerabilities. These vulnerabilities were not previously reported and were rated as medium security risks. We informed the maintainers, and MITRE assigned 26 CVEs for these issues. Among these 26 CVEs, 18 are uncontrolled-recursion vulnerabilities, 6 are due to uncontrolled-memory-allocation issues, and 2 are memory leak vulnerabilities. An attacker might leverage these vulnerabilities to launch an attack by providing well-conceived inputs that trigger excessive memory consumption.

 

Data & Code

Note that the DATA and CODE are free for Research and Education Use ONLY.

Please cite our paper (using the BibTeX below) if you use any part of our ALGORITHM, CODE, DATA or RESULTS in any publication.

Link: https://wcventure.github.io/MemLock/

 

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under Grants No. 61772347, 61836005, 61972260, 61772408 and 61721002, by Ant Financial Services Group through the Ant Financial Research Program, by the Guangdong Basic and Applied Basic Research Foundation under Grant No. 2019A1515011577, and by the National Key R&D Program of China under Grant No. 2018YFB0803501.

 

Bibtex

@inproceedings{wen2020memlock,
  author = {Wen, Cheng and Wang, Haijun and Li, Yuekang and Qin, Shengchao and Liu, Yang and Xu, Zhiwu and Chen, Hongxu and Xie, Xiaofei and Pu, Geguang and Liu, Ting},
  title = {MemLock: Memory Usage Guided Fuzzing},
  year = {2020},
}
