[ICSE2020] MemLock: Memory Usage Guided Fuzzing

Overview

MemLock: Memory Usage Guided Fuzzing

MIT License

This repository provides the tool and the evaluation subjects for the paper "MemLock: Memory Usage Guided Fuzzing" accepted for the technical track at ICSE'2020. A pre-print of the paper can be found at ICSE2020_MemLock.pdf.

The repository contains three folders: tool, tests and evaluation.

Tool

MemLock is built on top of the fuzzer AFL. Check out AFL's website for more information details. We provide here a snapshot of MemLock. For simplicity, we provide shell script for the whole installation.

Requirements

  • Operating System: Ubuntu 16.04 LTS (We have tested the artifact on the Ubuntu 16.04)
  • Run the following command to install Docker (Docker version 18.09.7):
    $ sudo apt-get install docker.io
    (If you have any question on docker, you can see Docker's Documentation).
  • Run the following command to install required packages
    $ sudo apt-get install git build-essential python3 cmake tmux libtool automake autoconf autotools-dev m4 autopoint help2man bison flex texinfo zlib1g-dev libexpat1-dev libfreetype6 libfreetype6-dev

Clone the Repository

$ git clone https://github.com/wcventure/MemLock-Fuzz.git MemLock --depth=1
$ cd MemLock

Build and Run the Docker Image

Firstly, system core dumps must be disabled as with AFL.

$ echo core|sudo tee /proc/sys/kernel/core_pattern
$ echo performance|sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

Run the following command to automatically build the docker image and configure the environment.

# build docker image
$ sudo docker build -t memlock --no-cache ./

# run docker image
$ sudo docker run --cap-add=SYS_PTRACE -it memlock /bin/bash

Usage

The running command line is similar to AFL.

To perform stack memory usage guided fuzzing, run following command line after use memlock-stack-clang to compile the program, as an example shown in tests/run_test1_MemLock.sh

tool/MemLock/build/bin/memlock-stack-fuzz -i testcase_dir -o findings_dir -d -- /path/to/program @@

To perform heap memory usage guided fuzzing, run following command line after use memlock-heap-clang to compile the program, as an example shown in tests/run_test2_MemLock.sh.

tool/MemLock/build/bin/memlock-heap-fuzz -i testcase_dir -o findings_dir -d -- /path/to/program @@

Tests

Before you use MemLock fuzzer, we suggest that you first use two simple examples provided by us to determine whether the Memlock fuzzer can work normally. We show two simple examples to shows how MemLock can detect excessive memory consumption and why AFL cannot detect these bugs easily. Example 1 demonstrates an uncontrolled-recursion bug and Example 2 demonstrates an uncontrolled-memory-allocation bug.

Run for testing example 1

Example 1 demonstrates an uncontrolled-recursion bug. The function fact() in example1.c is a recursive function. With a sufficiently large recursive depth, the execution would run out of stack memory, causing stack-overflow. You can perform fuzzing on this example program by following commands.

# enter the tests folder
$ cd tests

# run testing example 1 with MemLock
$ ./run_test1_MemLock.sh

# run testing example 1 with AFL (Open another terminal)
$ ./run_test1_AFL.sh

In our experiments for testing example 1, MemLock can find crashes in a few minutes while AFL can not find any crashes.

Run for testing example 2

Example 2 demonstrates an uncontrolled-memory-allocation bug. At line 25 in example2.c, the length of the user inputs is fed directly into new []. By carefully handcrafting the input, an adversary can provide arbitrarily large values, leading to program crash (i.e., std::bad_alloc) or running out of memory. You can perform fuzzing on this example program by following commands.

# enter the tests folder
$ cd tests

# run testing example 2 with MemLock
$ ./run_test2_MemLock.sh

# run testing example 2 with AFL (Open another terminal)
$ ./run_test2_AFL.sh

In our experiments for testing example 2, MemLock can find crashes in a few minutes while AFL can not find any crashes.

Evaluation

The fold evaluation contains all our evaluation subjects. After having MemLock installed, you can run the script to build and instrument the subjects. After instrument the subjects you can run the script to perform fuzzing on the subjects.

Build Target Program

In BUILD folder, You can run the script ./build_xxx.sh. It shows how to build and instrument the subject. For example:

# build cxxfilt
$ cd BUILD
$ ./build_cxxfilt.sh

Run for Fuzzing

After instrumenting the subjects, In FUZZ folder you can run the script ./run_MemLock_cxxfilt.sh to run a MemLock fuzzer instance on program cxxfilt. If you want to compare its performance with AFL, you can open another terminal and run the script ./run_AFL_cxxfilt.sh.

# build cxxfilt
$ cd FUZZ
$ ./run_MemLock_cxxfilt.sh

Publications

@inproceedings{wen2020memlock,
Author = {Wen, Cheng and Wang, Haijun and Li, Yuekang and Qin, Shengchao and Liu, Yang, and Xu, Zhiwu and Chen, Hongxu and Xie, Xiaofei and Pu, Geguang and Liu, Ting},
Title = {MemLock: Memory Usage Guided Fuzzing},
Booktitle= {2020 IEEE/ACM 42nd International Conference on Software Engineering},
Year ={2020},
Address = {Seoul, South Korea},
}

Practical Security Impact

CVE ID Assigned By This Work (26 CVEs)

Our tools have found several security-critical vulnerabilities in widely used open-source projects and libraries, such as Binutils, Elfutils, Libtiff, Mjs.

Vulnerability Package Program Vulnerability Type
CVE-2020-36375 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36374 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36373 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36372 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36371 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36370 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36369 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36368 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36367 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36366 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-18392 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2019-6293 Flex 2.6.4 flex CWE-674: Uncontrolled Recursion
CVE-2019-6292 Yaml-cpp v0.6.2 prase CWE-674: Uncontrolled Recursion
CVE-2019-6291 NASM 2.14.03rc1 nasm CWE-674: Uncontrolled Recursion
CVE-2019-6290 NASM 2.14.03rc1 nasm CWE-674: Uncontrolled Recursion
CVE-2018-18701 Binutils 2.31 nm CWE-674: Uncontrolled Recursion
CVE-2018-18700 Binutils 2.31 nm CWE-674: Uncontrolled Recursion
CVE-2018-18484 Binutils 2.31 c++filt CWE-674: Uncontrolled Recursion
CVE-2018-17985 Binutils 2.31 c++filt CWE-674: Uncontrolled Recursion
CVE-2019-7704 Binaryen 1.38.22 wasm-opt CWE-789: Uncontrolled Memory Allocation
CVE-2019-7698 Bento4 v1.5.1-627 mp4dump CWE-789: Uncontrolled Memory Allocation
CVE-2019-7148 Elfutils 0.175 eu-ar CWE-789: Uncontrolled Memory Allocation
CVE-2018-20652 Tinyexr v0.9.5 tinyexr CWE-789: Uncontrolled Memory Allocation
CVE-2018-18483 Binutils 2.31 c++filt CWE-789: Uncontrolled Memory Allocation
CVE-2018-20657 Binutils 2.31 c++filt CWE-401: Memory Leak
CVE-2018-20002 Binutils 2.31 nm CWE-401: Memory Leak

Video

Links

Owner
Cheng Wen
I am a Ph.D. student at Shenzhen University. My research interest is in the area of Cyber Security(SEC), Programming Language(PL), and Software Engineering(SE).
Cheng Wen
Open source repository for the code accompanying the paper 'Non-Rigid Neural Radiance Fields Reconstruction and Novel View Synthesis of a Deforming Scene from Monocular Video'.

Non-Rigid Neural Radiance Fields This is the official repository for the project "Non-Rigid Neural Radiance Fields: Reconstruction and Novel View Synt

Facebook Research 296 Dec 29, 2022
GND-Nets (Graph Neural Diffusion Networks) in TensorFlow.

GNDC For submission to IEEE TKDE. Overview Here we provide the implementation of GND-Nets (Graph Neural Diffusion Networks) in TensorFlow. The reposit

Wei Ye 3 Aug 08, 2022
YOLOv5 detection interface - PyQt5 implementation

所有代码已上传,直接clone后,运行yolo_win.py即可开启界面。 2021/9/29:加入置信度选择 界面是在ultralytics的yolov5基础上建立的,界面使用pyqt5实现,内容较简单,娱乐而已。 功能: 模型选择 本地文件选择(视频图片均可) 开关摄像头

487 Dec 27, 2022
Use stochastic processes to generate samples and use them to train a fully-connected neural network based on Keras

Use stochastic processes to generate samples and use them to train a fully-connected neural network based on Keras which will then be used to generate residuals

Federico Lopez 2 Jan 14, 2022
Outlier Exposure with Confidence Control for Out-of-Distribution Detection

OOD-detection-using-OECC This repository contains the essential code for the paper Outlier Exposure with Confidence Control for Out-of-Distribution De

Nazim Shaikh 64 Nov 02, 2022
Implementation of 'lightweight' GAN, proposed in ICLR 2021, in Pytorch. High resolution image generations that can be trained within a day or two

512x512 flowers after 12 hours of training, 1 gpu 256x256 flowers after 12 hours of training, 1 gpu Pizza 'Lightweight' GAN Implementation of 'lightwe

Phil Wang 1.5k Jan 02, 2023
Source code related to the article submitted to the International Conference on Computational Science ICCS 2022 in London

POTHER: Patch-Voted Deep Learning-based Chest X-ray Bias Analysis for COVID-19 Detection Source code related to the article submitted to the Internati

Tomasz Szczepański 1 Apr 29, 2022
The official implementation of NeurIPS 2021 paper: Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks

Introduction This repository includes the source code for "Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks", which is pu

machen 11 Nov 27, 2022
Perception-aware multi-sensor fusion for 3D LiDAR semantic segmentation (ICCV 2021)

Perception-Aware Multi-Sensor Fusion for 3D LiDAR Semantic Segmentation (ICCV 2021) [中文|EN] 概述 本工作主要探索一种高效的多传感器(激光雷达和摄像头)融合点云语义分割方法。现有的多传感器融合方法主要将点云投影

ICE 126 Dec 30, 2022
Dilated Convolution for Semantic Image Segmentation

Multi-Scale Context Aggregation by Dilated Convolutions Introduction Properties of dilated convolution are discussed in our ICLR 2016 conference paper

Fisher Yu 764 Dec 26, 2022
PPO Lagrangian in JAX

PPO Lagrangian in JAX This repository implements PPO in JAX. Implementation is tested on the safety-gym benchmark. Usage Install dependencies using th

Karush Suri 2 Sep 14, 2022
Adversarial examples to the new ConvNeXt architecture

Adversarial examples to the new ConvNeXt architecture To get adversarial examples to the ConvNeXt architecture, run the Colab: https://github.com/stan

Stanislav Fort 19 Sep 18, 2022
PyTorch module to use OpenFace's nn4.small2.v1.t7 model

OpenFace for Pytorch Disclaimer: This codes require the input face-images that are aligned and cropped in the same way of the original OpenFace. * I m

Pete Tae-hoon Kim 176 Dec 12, 2022
High-fidelity 3D Model Compression based on Key Spheres

High-fidelity 3D Model Compression based on Key Spheres This repository contains the implementation of the paper: Yuanzhan Li, Yuqi Liu, Yujie Lu, Siy

5 Oct 11, 2022
General Virtual Sketching Framework for Vector Line Art (SIGGRAPH 2021)

General Virtual Sketching Framework for Vector Line Art - SIGGRAPH 2021 Paper | Project Page Outline Dependencies Testing with Trained Weights Trainin

Haoran MO 118 Dec 27, 2022
SegNet-Basic with Keras

SegNet-Basic: What is Segnet? Deep Convolutional Encoder-Decoder Architecture for Semantic Pixel-wise Image Segmentation Segnet = (Encoder + Decoder)

Yad Konrad 81 Jun 30, 2022
A tool to analyze leveraged liquidity mining and find optimal option combination for hedging.

LP-Option-Hedging Description A Python program to analyze leveraged liquidity farming/mining and find the optimal option combination for hedging imper

Aureliano 18 Dec 19, 2022
Random-Afg - Afghanistan Random Old Idz Cloner Tools

AFGHANISTAN RANDOM OLD IDZ CLONER TOOLS Install $ apt update $ apt upgrade $ apt

MAHADI HASAN AFRIDI 5 Jan 26, 2022
A curated list of awesome resources combining Transformers with Neural Architecture Search

A curated list of awesome resources combining Transformers with Neural Architecture Search

Yash Mehta 173 Jan 03, 2023
基于Paddle框架的arcface复现

arcface-Paddle 基于Paddle框架的arcface复现 ArcFace-Paddle 本项目基于paddlepaddle框架复现ArcFace,并参加百度第三届论文复现赛,将在2021年5月15日比赛完后提供AIStudio链接~敬请期待 参考项目: InsightFace Padd

QuanHao Guo 16 Dec 15, 2022