C has been regarded as a dominant programming language for system software implementation. Meanwhile, it often suffers from various memory vulnerabilities due to its low-level memory control. Quite massive approaches are proposed to enhance memory security, among which Coverage-based Greybox Fuzzing (CGF) is considered to be effective because of its practicality and satisfactory vulnerability detection ability. However, CGF identifies vulnerability based on the verification of detected crashes, thus cannot detect vulnerabilities with non-crash. In this paper, we consider to trace pointer metadata (status, bounds and referents) to detect more various vulnerabilities. Additionally, since pointers in C are often directly related to memory operations, we design two standards to further use pointer metadata as the guidance of CGF, make fuzzing process target to the vulnerable part of programs.

Haibo Chen

School of Computer Science and Communication Engineering, Jiangsu University

Jinfu Chen

Jiangsu University

Coverage-guided Greybox fuzzing is regarded as a practical approach to detect software vulnerabilities, which targets to expand code coverage as much as possible. A common implementation is to assign more energy to such seeds which find new edges with less execution time. However, solely considering new edges may less effective because some hard-to-find branches often exist in the complex code of program. Code complexity is one of the key indicators to measure the code security. Compared to the code with simple structure, the program with higher code complexity is more likely to find more branches and cause security problems. To this end, we propose a novel fuzzing method which further use code complexity to optimize power schedule process in AFL (American Fuzzy Lop) and AFLFAST (American Fuzzy Lop Fast) . The goal of our method is to generate inputs which are more bias toward the code with higher complexity of the program under test. In addition, we conduct a preliminary empirical study under three widely used real-world programs, and the experimental results show that the proposed approach can trigger more crashes as well as improve the coverage discovery.

Shengran Wang

School of Computer Science and Communication Engineering, Jiangsu University

Jinfu Chen

Jiangsu University

Saihua Cai

School of Computer Science and Communication Engineering, Jiangsu University

Chi Zhang

Jiangsu University

Haibo Chen

School of Computer Science and Communication Engineering, Jiangsu University

Jingyi Chen

School of Computer Science and Communication Engineering, Jiangsu University