[ICSE2020] MemLock: Memory Usage Guided Fuzzing

Overview

MemLock: Memory Usage Guided Fuzzing

MIT License

This repository provides the tool and the evaluation subjects for the paper "MemLock: Memory Usage Guided Fuzzing" accepted for the technical track at ICSE'2020. A pre-print of the paper can be found at ICSE2020_MemLock.pdf.

The repository contains three folders: tool, tests and evaluation.

Tool

MemLock is built on top of the fuzzer AFL. Check out AFL's website for more information details. We provide here a snapshot of MemLock. For simplicity, we provide shell script for the whole installation.

Requirements

  • Operating System: Ubuntu 16.04 LTS (We have tested the artifact on the Ubuntu 16.04)
  • Run the following command to install Docker (Docker version 18.09.7):
    $ sudo apt-get install docker.io
    (If you have any question on docker, you can see Docker's Documentation).
  • Run the following command to install required packages
    $ sudo apt-get install git build-essential python3 cmake tmux libtool automake autoconf autotools-dev m4 autopoint help2man bison flex texinfo zlib1g-dev libexpat1-dev libfreetype6 libfreetype6-dev

Clone the Repository

$ git clone https://github.com/wcventure/MemLock-Fuzz.git MemLock --depth=1
$ cd MemLock

Build and Run the Docker Image

Firstly, system core dumps must be disabled as with AFL.

$ echo core|sudo tee /proc/sys/kernel/core_pattern
$ echo performance|sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

Run the following command to automatically build the docker image and configure the environment.

# build docker image
$ sudo docker build -t memlock --no-cache ./

# run docker image
$ sudo docker run --cap-add=SYS_PTRACE -it memlock /bin/bash

Usage

The running command line is similar to AFL.

To perform stack memory usage guided fuzzing, run following command line after use memlock-stack-clang to compile the program, as an example shown in tests/run_test1_MemLock.sh

tool/MemLock/build/bin/memlock-stack-fuzz -i testcase_dir -o findings_dir -d -- /path/to/program @@

To perform heap memory usage guided fuzzing, run following command line after use memlock-heap-clang to compile the program, as an example shown in tests/run_test2_MemLock.sh.

tool/MemLock/build/bin/memlock-heap-fuzz -i testcase_dir -o findings_dir -d -- /path/to/program @@

Tests

Before you use MemLock fuzzer, we suggest that you first use two simple examples provided by us to determine whether the Memlock fuzzer can work normally. We show two simple examples to shows how MemLock can detect excessive memory consumption and why AFL cannot detect these bugs easily. Example 1 demonstrates an uncontrolled-recursion bug and Example 2 demonstrates an uncontrolled-memory-allocation bug.

Run for testing example 1

Example 1 demonstrates an uncontrolled-recursion bug. The function fact() in example1.c is a recursive function. With a sufficiently large recursive depth, the execution would run out of stack memory, causing stack-overflow. You can perform fuzzing on this example program by following commands.

# enter the tests folder
$ cd tests

# run testing example 1 with MemLock
$ ./run_test1_MemLock.sh

# run testing example 1 with AFL (Open another terminal)
$ ./run_test1_AFL.sh

In our experiments for testing example 1, MemLock can find crashes in a few minutes while AFL can not find any crashes.

Run for testing example 2

Example 2 demonstrates an uncontrolled-memory-allocation bug. At line 25 in example2.c, the length of the user inputs is fed directly into new []. By carefully handcrafting the input, an adversary can provide arbitrarily large values, leading to program crash (i.e., std::bad_alloc) or running out of memory. You can perform fuzzing on this example program by following commands.

# enter the tests folder
$ cd tests

# run testing example 2 with MemLock
$ ./run_test2_MemLock.sh

# run testing example 2 with AFL (Open another terminal)
$ ./run_test2_AFL.sh

In our experiments for testing example 2, MemLock can find crashes in a few minutes while AFL can not find any crashes.

Evaluation

The fold evaluation contains all our evaluation subjects. After having MemLock installed, you can run the script to build and instrument the subjects. After instrument the subjects you can run the script to perform fuzzing on the subjects.

Build Target Program

In BUILD folder, You can run the script ./build_xxx.sh. It shows how to build and instrument the subject. For example:

# build cxxfilt
$ cd BUILD
$ ./build_cxxfilt.sh

Run for Fuzzing

After instrumenting the subjects, In FUZZ folder you can run the script ./run_MemLock_cxxfilt.sh to run a MemLock fuzzer instance on program cxxfilt. If you want to compare its performance with AFL, you can open another terminal and run the script ./run_AFL_cxxfilt.sh.

# build cxxfilt
$ cd FUZZ
$ ./run_MemLock_cxxfilt.sh

Publications

@inproceedings{wen2020memlock,
Author = {Wen, Cheng and Wang, Haijun and Li, Yuekang and Qin, Shengchao and Liu, Yang, and Xu, Zhiwu and Chen, Hongxu and Xie, Xiaofei and Pu, Geguang and Liu, Ting},
Title = {MemLock: Memory Usage Guided Fuzzing},
Booktitle= {2020 IEEE/ACM 42nd International Conference on Software Engineering},
Year ={2020},
Address = {Seoul, South Korea},
}

Practical Security Impact

CVE ID Assigned By This Work (26 CVEs)

Our tools have found several security-critical vulnerabilities in widely used open-source projects and libraries, such as Binutils, Elfutils, Libtiff, Mjs.

Vulnerability Package Program Vulnerability Type
CVE-2020-36375 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36374 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36373 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36372 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36371 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36370 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36369 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36368 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36367 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-36366 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2020-18392 MJS 1.20.1 mjs CWE-674: Uncontrolled Recursion
CVE-2019-6293 Flex 2.6.4 flex CWE-674: Uncontrolled Recursion
CVE-2019-6292 Yaml-cpp v0.6.2 prase CWE-674: Uncontrolled Recursion
CVE-2019-6291 NASM 2.14.03rc1 nasm CWE-674: Uncontrolled Recursion
CVE-2019-6290 NASM 2.14.03rc1 nasm CWE-674: Uncontrolled Recursion
CVE-2018-18701 Binutils 2.31 nm CWE-674: Uncontrolled Recursion
CVE-2018-18700 Binutils 2.31 nm CWE-674: Uncontrolled Recursion
CVE-2018-18484 Binutils 2.31 c++filt CWE-674: Uncontrolled Recursion
CVE-2018-17985 Binutils 2.31 c++filt CWE-674: Uncontrolled Recursion
CVE-2019-7704 Binaryen 1.38.22 wasm-opt CWE-789: Uncontrolled Memory Allocation
CVE-2019-7698 Bento4 v1.5.1-627 mp4dump CWE-789: Uncontrolled Memory Allocation
CVE-2019-7148 Elfutils 0.175 eu-ar CWE-789: Uncontrolled Memory Allocation
CVE-2018-20652 Tinyexr v0.9.5 tinyexr CWE-789: Uncontrolled Memory Allocation
CVE-2018-18483 Binutils 2.31 c++filt CWE-789: Uncontrolled Memory Allocation
CVE-2018-20657 Binutils 2.31 c++filt CWE-401: Memory Leak
CVE-2018-20002 Binutils 2.31 nm CWE-401: Memory Leak

Video

Links

Owner
Cheng Wen
I am a Ph.D. student at Shenzhen University. My research interest is in the area of Cyber Security(SEC), Programming Language(PL), and Software Engineering(SE).
Cheng Wen
BraTs-VNet - BraTS(Brain Tumour Segmentation) using V-Net

BraTS(Brain Tumour Segmentation) using V-Net This project is an approach to dete

Rituraj Dutta 7 Nov 27, 2022
An open source implementation of CLIP.

OpenCLIP Welcome to an open source implementation of OpenAI's CLIP (Contrastive Language-Image Pre-training). The goal of this repository is to enable

2.7k Dec 31, 2022
Explanatory Learning: Beyond Empiricism in Neural Networks

Explanatory Learning This is the official repository for "Explanatory Learning: Beyond Empiricism in Neural Networks". Datasets Download the datasets

GLADIA Research Group 10 Dec 06, 2022
BRepNet: A topological message passing system for solid models

BRepNet: A topological message passing system for solid models This repository contains the an implementation of BRepNet: A topological message passin

Autodesk AI Lab 42 Dec 30, 2022
PanopticBEV - Bird's-Eye-View Panoptic Segmentation Using Monocular Frontal View Images

Bird's-Eye-View Panoptic Segmentation Using Monocular Frontal View Images This r

63 Dec 16, 2022
Official Implementation of "Learning Disentangled Behavior Embeddings"

DBE: Disentangled-Behavior-Embedding Official implementation of Learning Disentangled Behavior Embeddings (NeurIPS 2021). Environment requirement The

Mishne Lab 12 Sep 28, 2022
Segmentation for medical image.

EfficientSegmentation Introduction EfficientSegmentation is an open source, PyTorch-based segmentation framework for 3D medical image. Features A whol

68 Nov 28, 2022
A Nim frontend for pytorch, aiming to be mostly auto-generated and internally using ATen.

Master Release Pytorch - Py + Nim A Nim frontend for pytorch, aiming to be mostly auto-generated and internally using ATen. Because Nim compiles to C+

Giovanni Petrantoni 425 Dec 22, 2022
Mscp jamf - Build compliance in jamf

mscp_jamf Build compliance in Jamf. This will build the following xml pieces to

Bob Gendler 3 Jul 25, 2022
Ladder Variational Autoencoders (LVAE) in PyTorch

Ladder Variational Autoencoders (LVAE) PyTorch implementation of Ladder Variational Autoencoders (LVAE) [1]: where the variational distributions q at

Andrea Dittadi 63 Dec 22, 2022
Code and data for paper "Deep Photo Style Transfer"

deep-photo-styletransfer Code and data for paper "Deep Photo Style Transfer" Disclaimer This software is published for academic and non-commercial use

Fujun Luan 9.9k Dec 29, 2022
Assessing the Influence of Models on the Performance of Reinforcement Learning Algorithms applied on Continuous Control Tasks

Assessing the Influence of Models on the Performance of Reinforcement Learning Algorithms applied on Continuous Control Tasks This is the master thesi

Giacomo Arcieri 1 Mar 21, 2022
RGB-stacking 🛑 🟩 🔷 for robotic manipulation

RGB-stacking 🛑 🟩 🔷 for robotic manipulation BLOG | PAPER | VIDEO Beyond Pick-and-Place: Tackling Robotic Stacking of Diverse Shapes, Alex X. Lee*,

DeepMind 95 Dec 23, 2022
existing and custom freqtrade strategies supporting the new hyperstrategy format.

freqtrade-strategies Description Existing and self-developed strategies, rewritten to support the new HyperStrategy format from the freqtrade-develop

39 Aug 20, 2021
Code for "The Intrinsic Dimension of Images and Its Impact on Learning" - ICLR 2021 Spotlight

dimensions Estimating the instrinsic dimensionality of image datasets Code for: The Intrinsic Dimensionaity of Images and Its Impact On Learning - Phi

Phil Pope 41 Dec 10, 2022
LQM - Improving Object Detection by Estimating Bounding Box Quality Accurately

Improving Object Detection by Estimating Bounding Box Quality Accurately Abstract Object detection aims to locate and classify object instances in ima

IM Lab., POSTECH 0 Sep 28, 2022
POT : Python Optimal Transport

POT: Python Optimal Transport This open source Python library provide several solvers for optimization problems related to Optimal Transport for signa

Python Optimal Transport 1.7k Dec 31, 2022
Code for Mesh Convolution Using a Learned Kernel Basis

Mesh Convolution This repository contains the implementation (in PyTorch) of the paper FULLY CONVOLUTIONAL MESH AUTOENCODER USING EFFICIENT SPATIALLY

Yi_Zhou 35 Jan 03, 2023
Official implementation of the paper ``Unifying Nonlocal Blocks for Neural Networks'' (ICCV'21)

Spectral Nonlocal Block Overview Official implementation of the paper: Unifying Nonlocal Blocks for Neural Networks (ICCV'21) Spectral View of Nonloca

91 Dec 14, 2022
The official implementation of NeurIPS 2021 paper: Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks

The official implementation of NeurIPS 2021 paper: Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks

machen 11 Nov 27, 2022