Fuzzification: Anti-fuzzing techniques

Jinho Jung, Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee, Taesoo Kim

Research output: Chapter in Book/Report/Conference proceedingConference contribution

38 Scopus citations

Abstract

Fuzzing is a software testing technique that quickly and automatically explores the input space of a program without knowing its internals. Therefore, developers commonly use fuzzing as part of test integration throughout the software development process. Unfortunately, it also means that such a blackbox and the automatic natures of fuzzing are appealing to adversaries who are looking for zero-day vulnerabilities. To solve this problem, we propose a new mitigation approach, called FUZZIFICATION, that helps developers protect the released, binary-only software from attackers who are capable of applying state-of-the-art fuzzing techniques. Given a performance budget, this approach aims to hinder the fuzzing process from adversaries as much as possible. We propose three FUZZIFICATION techniques: 1) SpeedBump, which amplifies the slowdown in normal executions by hundreds of times to the fuzzed execution, 2) BranchTrap, interfering with feedback logic by hiding paths and polluting coverage maps, and 3) AntiHybrid, hindering taint-analysis and symbolic execution. Each technique is designed with best-effort, defensive measures that attempt to hinder adversaries from bypassing FUZZIFICATION. Our evaluation on popular fuzzers and real-world applications shows that FUZZIFICATION effectively reduces the number of discovered paths by 70.3% and decreases the number of identified crashes by 93.0% from real-world binaries, and decreases the number of detected bugs by 67.5% from LAVA-M dataset while under user-specified overheads for common workloads. We discuss the robustness of FUZZIFICATION techniques against adversarial analysis techniques. We open-source our FUZZIFICATION system to foster future research.

Original languageEnglish (US)
Title of host publicationProceedings of the 28th USENIX Security Symposium
PublisherUSENIX Association
Pages1913-1930
Number of pages18
ISBN (Electronic)9781939133069
StatePublished - 2019
Event28th USENIX Security Symposium - Santa Clara, United States
Duration: Aug 14 2019Aug 16 2019

Publication series

NameProceedings of the 28th USENIX Security Symposium

Conference

Conference28th USENIX Security Symposium
Country/TerritoryUnited States
CitySanta Clara
Period8/14/198/16/19

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'Fuzzification: Anti-fuzzing techniques'. Together they form a unique fingerprint.

Cite this