reFuzz: Reusing Fuzzing Results to Improve Security Assessments
SPRING 2020 RESEARCH INCUBATION AWARDEE
What is the Challenge?
As cybersecurity moves to the forefront of manufacturers’ concerns, their need to perform security assessments of products and systems, both before and after sale, receives significant attention. However, security assessments are time-consuming and currently have to be started from scratch for every new product version, which is at odds with ever-accelerating release schedules. Fuzzing is the repeated invocation of a Program Under Test (PUT) on random inputs to elicit erroneous program behavior, most visibly program crashes. It has advanced to become one of the most popular and successful bug-finding techniques of the last decade. Given this popularity, it is only natural that fuzzing has gained a prominent spot in the toolkit of security analysts, and it is used prolifically in security assessments.
What is the Solution?
Manuel Egele is devising novel static and dynamic program analysis capabilities that enable fuzzers to carry forward security insights gained during the assessment of an earlier version of a PUT; in effect, prior security knowledge is reused rather than discarded. Specifically, he aims to direct fuzzers to prioritize the assessment of newly added or modified functionality in a PUT over existing, already assessed code. Targeting a fuzzer at new or updated functionality requires three essential steps. The first is a capability that recognizes which executable code corresponds to functionality newly added to (or modified in) the PUT. Second, knowledge from earlier fuzzing campaigns is leveraged to identify candidate inputs whose execution paths are “close” to the new functionality identified in the first step. Finally, seeding the fuzzing campaign of the updated PUT with the inputs identified in step two substantially reduces the time the fuzzer needs to reach the new functionality.
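The following is an added illustration of the three steps above, written for this page; it is not code from the reFuzz project or from Manuel Egele. It assumes the output of step one is simply a set of basic-block identifiers marked new or modified by a diff, that block identifiers for unchanged code are stable between the two PUT versions (a real implementation would first map old-version blocks onto the new version), and that per-input block coverage from the earlier fuzzing campaign is available. The control-flow graph, the set of new blocks and the coverage data are constructed toy inputs. “Closeness” is measured as the number of control-flow edges between a block an input already reached and the nearest new block, computed with a multi-source breadth-first search over the reversed graph; prior inputs are then ranked by that distance to form the seed corpus for the updated PUT.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed control-flow graph of the updated PUT: basic block id -> successor ids.
# Block ids are assumed stable across versions for unchanged code (assumption).
CFG: Dict[str, List[str]] = {
    "entry": ["parse_hdr"],
    "parse_hdr": ["check_magic"],
    "check_magic": ["bad_magic", "parse_body"],
    "bad_magic": ["exit"],
    "parse_body": ["old_handler", "new_handler"],  # new_handler is new in v2
    "old_handler": ["exit"],
    "new_handler": ["new_decode"],
    "new_decode": ["exit"],
    "exit": [],
}

# Step 1 output (constructed): blocks a diff of v1 and v2 marks as new or modified.
NEW_BLOCKS: Set[str] = {"new_handler", "new_decode"}

# Per-input block coverage recorded while fuzzing v1 (constructed).
V1_COVERAGE: Dict[str, Set[str]] = {
    "seed_garbage.bin": {"entry", "parse_hdr", "check_magic", "bad_magic", "exit"},
    "seed_valid.bin": {"entry", "parse_hdr", "check_magic", "parse_body", "old_handler", "exit"},
    "seed_empty.bin": {"entry", "exit"},
}


def distance_to_new_code(cfg: Dict[str, List[str]], new_blocks: Set[str]) -> Dict[str, int]:
    """Multi-source BFS on the reversed CFG.

    Returns, for every block from which some new block is reachable, the minimum
    number of edges to the nearest new block. New blocks are at distance 0; blocks
    that can never lead to new code (e.g. a sink after the old handler) are absent.
    """
    preds: Dict[str, List[str]] = {b: [] for b in cfg}
    for block, succs in cfg.items():
        for s in succs:
            preds.setdefault(s, []).append(block)

    dist: Dict[str, int] = {b: 0 for b in new_blocks if b in cfg}
    queue = deque(dist)
    while queue:
        block = queue.popleft()
        for p in preds.get(block, []):
            if p not in dist:
                dist[p] = dist[block] + 1
                queue.append(p)
    return dist


def rank_seeds(coverage: Dict[str, Set[str]], dist: Dict[str, int]) -> List[str]:
    """Step 2: score each prior input by the closest its v1 path got to new code.

    Lower scores are better. Inputs none of whose covered blocks can lead to new
    code are dropped, since they cannot shorten the path to the new functionality.
    Ties are broken by seed name so the ranking is deterministic.
    """
    scored = []
    for seed, blocks in coverage.items():
        distances = [dist[b] for b in blocks if b in dist]
        if distances:
            scored.append((min(distances), seed))
    scored.sort()
    return [seed for _, seed in scored]


def seed_corpus_for_update() -> List[str]:
    """Step 3: the ordered list of v1 inputs to use as the initial corpus for v2."""
    return rank_seeds(V1_COVERAGE, distance_to_new_code(CFG, NEW_BLOCKS))


if __name__ == "__main__":
    for seed in seed_corpus_for_update():
        print(seed)
```

With the constructed data, seed_valid.bin already reaches parse_body, one edge away from new_handler, so it heads the corpus; seed_garbage.bin gets as far as check_magic (two edges) and seed_empty.bin only to entry (four edges). An input whose only covered blocks are sinks such as exit is dropped rather than wasting fuzzing time on a path that cannot lead to the new code.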
What is the Process?
By carrying over prior fuzzing results for unmodified code and honing the fuzzing process on the updated parts of the PUT, the start-from-scratch drawback described above is addressed and precious fuzzing resources (i.e., time and compute) are invested where they can yield the most benefit. The focus of this research is to identify and develop novel fuzzing solutions that allow prior fuzzing results to be leveraged when assessing the security of modified PUTs. To achieve these outcomes, Manuel Egele proposes to combine static and dynamic program analysis techniques to address the key challenges.