/uafbench

UAF Fuzzing Benchmark

Primary LanguageC

UAF Fuzzing Benchmark

We create a fuzzing benchmark of Use-After-Free (UAF) and Double-Free (DF) bugs for our evaluations. It includes recent bugs found by existing (directed) greybox fuzzers of real-world programs. We provide scripts, Valgrind's stack traces as targets and initial seeds of each subject. Please follow the instructions to install fuzzers like AFL(-QEMU), AFLGo and UAFuzz.

# Environment variables
export AFL=/path/to/afl-2.52b
export AFLGO=/path/to/aflgo
export IDA_PATH=/path/to/ida-6.9/idaq
export GRAPH_EASY_PATH=/path/to/graph-easy
export UAFUZZ_PATH=/path/to/uafuzz

# Avoid hang when fuzzing
export MALLOC_CHECK_=0

# Checkout the benchmark
git clone https://github.com/strongcourage/uafbench.git
cd uafbench; export UAFBENCH_PATH=`pwd`

# Fuzz CVE-20018-20623 with UAFuzz and timeout 60 minutes
$UAFBENCH_PATH/CVE-2018-20623.sh uafuzz 60 $UAFBENCH_PATH/valgrind/CVE-2018-20623.valgrind

# Fuzz patched version of CVE-2018-6952
$UAFBENCH_PATH/CVE-2019-20633.sh uafuzz 360 $UAFBENCH_PATH/valgrind/CVE-2018-6952.valgrind

You can also fuzz without IDA Pro by specifying the argument --no_ida in the Python scripts. In this case, existing Ida files and call graphs in the folder /ida will be used. For example, the last two commands in CVE-2019-20633.sh should be updated as follows:

$UAFUZZ_PATH/scripts/preprocess.py --no_ida -f $PUT -v $targets -o $FUZZ_DIR
$UAFUZZ_PATH/scripts/run_uafuzz.py --no_ida -f $FUZZ_DIR/$PUT -M fuzz -i $FUZZ_DIR/in -o run -r "$FUZZ_DIR/$PUT -Rf" -I $runmode -T "$FUZZ_DIR/$PUT.tgt" -to $timeout
Bug ID Program Type Crash Command Files
CVE-2018-20623 readelf (923c6a7) UAF readelf -a @@ PoC, Traces, Fuzzing script
giflib-bug-74 gifsponge (72e31ff) DF gifsponge < @@ PoC, Traces, Fuzzing script
yasm-issue-91 yasm (6caf151) UAF yasm @@ PoC, Traces, Fuzzing script
CVE-2016-4487 cxxfilt (2c49145) UAF ✔️ cxxfilt < @@ PoC, Traces, Fuzzing script
CVE-2018-11416 jpegoptim (d23abf2) DF jpegoptim @@ PoC, Traces, Fuzzing script
mjs-issue-78 mjs (9eae0e6) UAF mjs -f @@ PoC, Traces, Fuzzing script
mjs-issue-73 mjs (e4ea33a) UAF mjs -f @@ PoC, Traces, Fuzzing script
CVE-2018-11496 lzrip (ed51e14) UAF lrzip -t @@ PoC, Traces, Fuzzing script
CVE-2018-10685 lzrip (9de7ccb) UAF lrzip -t @@ PoC, Traces, Fuzzing script
CVE-2019-6455 rec2csv (97d20cc) DF rec2csv @@ PoC, Traces, Fuzzing script
CVE-2017-10686 nasm (7a81ead) UAF ✔️ nasm -f bin @@ -o /dev/null PoC, Traces, Fuzzing script
gifsicle-issue-122 gifsicle (fad477c) DF gifsicle @@ test.gif -o /dev/null PoC, Traces, Fuzzing script
CVE-2016-3189 bzip2 (962d606) UAF ✔️ bzip2recover @@ PoC, Traces, Fuzzing script

UAF bugs found by UAFuzz

Bug ID Program Type Command Relevant bugs
CVE-2019-20633 patch DF patch -Rf < @@ CVE-2018-6952
#1269, #1427, #1440 MP4Box UAF MP4Box -info @@ #1340, #1427
#702253 mutool UAF mutool draw -o /dev/null -R 832 -h 22 @@ #701294
#4266 fontforge UAF fontforge -lang=ff -c 'Open($1)' @@ #4084
#134324, #17117 perl UAF perl @@ #16889, #17051
#25821 readelf DF readelf -a @@
#25823 nm-new UAF nm-new -C @@
boolector UAF boolector @@ #41