GrayC: Greybox Fuzzing of Compilers and Analysers for C
ACM SIGSOFT Distinguished Paper
Fuzzing of compilers and code analysers has led to a large number of bugs being found and fixed in widely-used frameworks such as LLVM, GCC and Frama-C. Most such fuzzing techniques have taken a blackbox approach, with compilers and code analysers starting to become relatively immune to such fuzzers.
We propose a coverage-directed, mutation-based approach for fuzzing C compilers and code analysers, inspired by the success of this type of greybox fuzzing in other application domains. The main challenge of applying mutation-based fuzzing in this context is that naive mutations are likely to generate programs that do not compile. Such programs are not useful for finding deep bugs that affect optimisation, analysis, and code generation routines.
We have designed a novel greybox fuzzer for C compilers and analysers by developing a new set of mutations to target common C constructs, and transforming fuzzed programs so that they produce meaningful output, allowing differential testing to be used as a test oracle, and paving the way for fuzzer-generated programs to be integrated into compiler and code analyser regression test suites.
We have implemented our approach in GrayC, a new open-source LibFuzzer-based tool, and present experiments showing that it provides more coverage on the middle- and back-end stages of compilers and analysers compared to other mutation-based approaches, including Clang-Fuzzer, PolyGlot, and a technique similar to LangFuzz.
We have used GrayC to identify 30 confirmed compiler and code analyser bugs: 25 previously unknown bugs (with 22 of them already fixed in response to our reports) and 5 confirmed bugs reported independently shortly before we found them. A further 3 bug reports are under investigation. Apart from the results above, we have contributed 24 simplified versions of coverage-enhancing test cases produced by GrayC to the Clang/LLVM test suite, targeting 78 previously uncovered functions in the LLVM codebase.
Wed 19 JulDisplayed time zone: Pacific Time (US & Canada) change
13:30 - 15:00
|Guiding Greybox Fuzzing with Mutation TestingACM SIGSOFT Distinguished Paper
Vasudev Vikram Carnegie Mellon University, Isabella Laybourn Carnegie Mellon University, Ao Li Carnegie Mellon University, Nicole Nair Swarthmore College, Kelton OBrien University of Minnesota, Rafaello Sanna University of Rochester, Rohan Padhye Carnegie Mellon UniversityDOI Pre-print Media Attached
|Rare Path Guided Fuzzing
Seemanta Saha University of California at Santa Barbara, Laboni Sarker University of California at Santa Barbara, Md Shafiuzzaman University of California at Santa Barbara, Chaofan Shou University of California at Santa Barbara, Albert Li University of California at Santa Barbara, Ganesh Sankaran University of California at Santa Barbara, Tevfik Bultan University of California at Santa BarbaraDOI
|Finding Short Slow Inputs Faster with Grammar-Based Search
|Fuzzing Embedded Systems using Debug Interfaces
Max Eisele Robert Bosch; Saarland University, Daniel Ebert Robert Bosch, Christopher Huth Robert Bosch, Andreas Zeller CISPA Helmholtz Center for Information SecurityDOI Pre-print
|GrayC: Greybox Fuzzing of Compilers and Analysers for CACM SIGSOFT Distinguished Paper
Karine Even-Mendoza King’s College London, Arindam Sharma Imperial College London, Alastair F. Donaldson Imperial College London, Cristian Cadar Imperial College LondonDOI
|Fuzzing Deep Learning Compilers with HirGen
Haoyang Ma Hong Kong University of Science and Technology, Qingchao Shen Tianjin University, Yongqiang Tian University of Waterloo, Junjie Chen Tianjin University, Shing-Chi Cheung Hong Kong University of Science and TechnologyDOI