EMS provided by the paper "EMS: History-Driven Mutation for Coverage-based Fuzzing"

puppet-meteor/EMS


EMS

1. Description

Hi guys, we open source the prototype of EMS. EMS is a coverage-based fuzzer that uses a customized Probabilistic Byte Orientation Model (PBOM) to reuse the efficient mutation strategies observed within a trial (intra-trial) and across trials (inter-trial). As shown in Table 8 of the paper, more than half of the efficient mutation strategies can be collected within 5 hours, so EMS improves fuzzing performance mainly by applying those efficient strategies more often.

2. Introduction to Usage

To collect efficient mutation strategies into an inter-PBOM, run the following commands.

# export EMS_INTER_TRIAL_PBOM=/path_to_store/random_file_name.txt
# /ems/afl-fuzz -i $input -o $output (-L 0 -t 600+ -m 5000) (-V $time if you would like to control fuzzing duration) -- /path/to/program [...params...] 

After the fuzzing process finishes, random_file_name.txt holds the inter-PBOM, which can be loaded by other fuzzing trials.

In our source code, we provide an initial inter-PBOM named ems4.txt, collected from a 5-hour trial on pdfimages. To use this inter-PBOM, run a command as follows.

# /ems/afl-fuzz -i $input -o $output  -G /ems/ems4.txt  (-L 0 -t 600+ -m 5000) (-V $time if you would like to control fuzzing duration) -- /path/to/program [...params...] 

We also implement instrumentation similar to the one in CollAFL. To use it, you need LLVM 11 or later. Then compile the instrumentation in /ems/lto_mode, which produces afl-clang-lto and afl-clang-lto++. The commands to build a target with this instrumentation are as follows.

# export AFL_LLVM_DOCUMENT_IDS=/path_to_store/ems_lto_edges.txt
# export CC=/ems/lto_mode/afl-clang-lto
# export CXX=/ems/lto_mode/afl-clang-lto++
# [...compile target programs...] 

This instruments the target programs without edge-ID collisions and writes ems_lto_edges.txt, which stores the size of the coverage bitmap. Note that if you use this instrumentation, afl-fuzz must load the bitmap size from that file, so the same variable has to be exported at fuzzing time as well:

# export AFL_LLVM_DOCUMENT_IDS=/path_to_store/ems_lto_edges.txt

# /ems/afl-fuzz -i $input -o $output  -G /ems/ems4.txt  (-L 0 -t 600+ -m 5000) (-V $time if you would like to control fuzzing duration) -- /path/to/program [...params...] 
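The three steps above (collect an inter-PBOM, reuse it with -G, and load the lto_mode edge-ID file) can be wrapped in a small shell function that fails fast when a required file is missing or empty, since a missing inter-PBOM or edge-ID file otherwise changes what the fuzzer does without an error. This is an added example, not code from the EMS repository; the paths /ems/afl-fuzz, EMS_INTER_TRIAL_PBOM and AFL_LLVM_DOCUMENT_IDS come from the README, while the function name, the EMS_AFL_FUZZ and EMS_EXTRA_OPTS variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the EMS repository). Builds and validates the
# afl-fuzz command line described in the README without running it.

EMS_AFL_FUZZ="${EMS_AFL_FUZZ:-/ems/afl-fuzz}"   # assumed override, defaults to README path

# ems_fuzz_cmd MODE IN_DIR OUT_DIR PBOM_FILE EDGES_FILE -- TARGET [ARGS...]
#   MODE=collect : record efficient strategies into PBOM_FILE (EMS_INTER_TRIAL_PBOM)
#   MODE=reuse   : load PBOM_FILE as inter-PBOM via -G
# EDGES_FILE is the ems_lto_edges.txt written by afl-clang-lto; pass "" when the
# target was not built in lto_mode. Optional flags from the README (-L 0 -t 600+
# -m 5000 -V time) can be supplied through EMS_EXTRA_OPTS (assumed variable).
# Prints the command line it would run; returns non-zero on a bad precondition.
ems_fuzz_cmd() {
    mode=$1 in_dir=$2 out_dir=$3 pbom=$4 edges=$5
    shift 5
    [ "$1" = "--" ] && shift
    [ -d "$in_dir" ] || { echo "seed dir not found: $in_dir" >&2; return 1; }
    [ -x "$1" ] || { echo "target not executable: $1" >&2; return 1; }
    opts="${EMS_EXTRA_OPTS:-}"
    case $mode in
      collect)
        export EMS_INTER_TRIAL_PBOM="$pbom" ;;
      reuse)
        # An empty or missing inter-PBOM means the run falls back to ordinary
        # intra-trial mutation, so refuse instead of silently continuing.
        [ -s "$pbom" ] || { echo "inter-PBOM empty or missing: $pbom" >&2; return 1; }
        opts="${opts:+$opts }-G $pbom" ;;
      *) echo "mode must be collect or reuse" >&2; return 1 ;;
    esac
    if [ -n "$edges" ]; then
        # lto_mode targets need the bitmap size recorded at compile time;
        # without it the collision-free edge IDs do not fit the default map.
        [ -s "$edges" ] || { echo "edge-ID file empty or missing: $edges" >&2; return 1; }
        export AFL_LLVM_DOCUMENT_IDS="$edges"
    fi
    printf '%s -i %s -o %s %s-- %s\n' "$EMS_AFL_FUZZ" "$in_dir" "$out_dir" "${opts:+$opts }" "$*"
}
```

Run the printed command with `eval "$(ems_fuzz_cmd ...)"` once the checks pass; the exported variables are only visible to the fuzzer if the function is called in the same shell, not in a `$(...)` subshell.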

We also provide a Dockerfile for FuzzBench testing. Copy ems_fuzzbench to /fuzzbench/fuzzers/ and run make format; then you can evaluate EMS on FuzzBench. It's a little awkward that our lto_mode instrumentation does not work on all the target programs of FuzzBench. Users can refer to the instrumentation of AFL++ for more insights. AFL++ is a powerful fuzzer with an extremely high update frequency, which contains multiple kinds of instrumentation and new designs such as an improved forkserver implementation.

We may develop more kinds of history-driven operators (like constraint orientation and location orientation models) and construct EMS_plus. I'm not sure, depending on my free time. Have fun with EMS. See you next time!

Citation:

@inproceedings{lyu2022ems,
  title={EMS: History-Driven Mutation for Coverage-based Fuzzing},
  author={Lyu, Chenyang and Ji, Shouling and Zhang, Xuhong and Liang, Hong and Zhao, Binbin and Lu, Kangjie and Beyah, Raheem},
  booktitle={29th Annual Network and Distributed System Security Symposium. https://dx.doi.org/10.14722/ndss},
  year={2022}
}
