Download presentation
Presentation is loading. Please wait.
Published byΑγρίππας Βέργας Modified over 5 years ago
1
FOT: A Versatile, Configurable, Extensible Fuzzing Framework
Hongxu Chen, Yuekang Li, Bihuan Chen, Yinxing Xue, Yang Liu
2
Contents Background & Motivation Design & Implementation
Extension & Evaluation Conclusion
3
What is fuzzing? The basic idea is to feed the program under test (PUT) with a large amount of (randomly) generated inputs and observe whether the PUT exercise some abnormal behaviors or not. Abnormal behaviors: Crash Timeout ...
4
What is greybox fuzzing?
Blackbox Fuzzing: know nothing about the program internals just feed the PUT with random inputs Whitebox Fuzzing: often refers to symbolic execution relies on heavy-weight techniques Blackbox fuzzing lacks effectiveness. Whitebox fuzzing lacks scalability.
5
What is greybox fuzzing?
Use light-weight program instrumentation to extract program execution information Extract ONLY the needed information coverage target location … Best of two worlds effective scalable
6
Why another greybox fuzzer?
Existing greybox fuzzers: American Fuzzy Lop (AFL) AFLFast AFLGo … Honggfuzz libfuzzer We want a framework: Versatile Configurable Extensible FOT
7
Contents Background & Motivation Design & Implementation
Extension & Evaluation Conclusion
8
Overall Design Preprocessors Fuzzer Toolchain instrumented program
source code Toolchain results program binary
9
Preprocessors Static Analyzer Binary Rewriter Compiler
Configurable: can extract different information Extensible: can add new static analyzers as long as the generated data follows the specified format Binary Rewriter Compiler
10
Fuzzer Overall Manager Seed Scorer Mutation Manager Executor
Configurable: can select from several built-in strategies Extensible: can implement with the provided interface Mutation Manager Executor Feedback Collector
11
Toolchain For a versatile framework. crash triaging coverage analysis
...
12
Implementation Core fuzzing logic: ~15000 lines of Rust
Library & Tools Preprocessors: ~2600 lines of C/C++ Toolchain: ~2400 lines of Python
13
Contents Background & Motivation Design & Implementation
Extension & Evaluation Conclusion
14
Extension: Hawkeye Hawkeye is a directed greybox fuzzer implemented based on FOT. Directed fuzzing means to reach the predefined target locations as fast as possible. patch testing crash reproduction ... Published in CCS’18.
15
Extension: Hawkeye Prioritize the inputs that execute paths closer to the targets. distance prioritize scheduling mutation More details here:
16
Extension: Hawkeye Static Analyzer
extract the predefined target locations information and the information about the distance to the targets. Compiler Embed the information through instrumentation
17
Extension: Hawkeye Seed Scorer
To give the inputs “closer” to the targets higher scores. Mutation Manager To mutate adaptively according to the distance. Feedback Collector To collect extra feedbacks from the instrumentations.
18
Other extensions examples
Steelix: AFLFast: Connect with other tools (radamsa, KLEE):
19
Trophies (Bugs found with FOT)
Evaluation Feature comparison Trophies (Bugs found with FOT)
20
Contents Background & Motivation Design & Implementation
Extension & Evaluation Conclusion
21
Conclusion FOT Supports most features
versatile configurable extensible Supports most features Finds bugs in real-world programs Contact: Hongxu: Yuekang:
22
Thank you !
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.