/EMS

EMS provided by the paper "EMS: History-Driven Mutation for Coverage-based Fuzzing"

Primary LanguageC

EMS

1. Description

Hi guys, we open source the prototype of EMS. EMS is a coverage-based fuzzer that utilizes a customized Probabilistic Byte Orientation Model (PBOM) to reuse the efficient mutation strategies from inter- and intra-trials. As shown in Table 8 of the paper, more than half of the efficient mutation strategies can be collected in 5 hours. So EMS mainly improves the fuzzing performance by utilizing efficient strategies more times.

2. Introduction to Usage

To collect efficient mutation strategies as inter-PBOM, you can run the following cmds.

# export EMS_INTER_TRIAL_PBOM=/path_to_store/random_file_name.txt
# /ems/afl-fuzz -i $input -o $output (-L 0 -t 600+ -m 5000) (-V $time if you would like to control fuzzing duration) -- /path/to/program [...params...] 

After the fuzzing process is done, you can obtain the random_file_name.txt as inter-PBOM for other fuzzing trials.

In our source code, we provide an initial inter-PBOM named ems4.txt, which is collected from a 5-hour trial on pdfimages. Then, to utilize this inter-PBOM, you can run a cmd as follows.

# /ems/afl-fuzz -i $input -o $output  -G /ems/ems4.txt  (-L 0 -t 600+ -m 5000) (-V $time if you would like to control fuzzing duration) -- /path/to/program [...params...] 

We also implement instrumentation similar to the one in CollAFL. To utilize this instrumentation, you need to install llvm 11+. Then, compile the instrumentation in /ems/lto_mode, in which you can obtain afl-clang-lto and afl-clang-lto++. The cmds to utilize this instrumentation are as follows.

# export AFL_LLVM_DOCUMENT_IDS=/path_to_store/ems_lto_edges.txt
# export CC=/ems/lto_mode/afl-clang-lto
# export CXX=/ems/lto_mode/afl-clang-lto++
# [...compile target programs...] 

Then, you achieve to instrument target programs without collision issues and obtain ems_lto_edges.txt, which stores the size of bitmap. Note that if you use this instrumentation, you have to load the bitmap size as follows.

# export AFL_LLVM_DOCUMENT_IDS=/path_to_store/ems_lto_edges.txt

# /ems/afl-fuzz -i $input -o $output  -G /ems/ems4.txt  (-L 0 -t 600+ -m 5000) (-V $time if you would like to control fuzzing duration) -- /path/to/program [...params...] 

We also provide a dockerfile for FuzzBench testing. You can simply copy ems_fuzzbench to /fuzzbench/fuzzers/ and run make format. Then, you can evaluate EMS on FuzzBench. It's a little awkward that our lto_mode instrumentation cannot work on all the target programs of FuzzBench. Users can refer to the instrumentation of AFL++ for more insights. AFL++ is a powerful fuzzer with extremely high update frequency, which contains multiple kinds of instrumentations and new designs like improving the implementation of forkserver.

We may develop more kinds of history-driven operators (like constraint orientation and location orientation models) and construct EMS_plus. I'm not sure, depending on my free time. Having fun with EMS. See you next time!

Citation:

@inproceedings{lyu2022ems,
  title={EMS: History-Driven Mutation for Coverage-based Fuzzing},
  author={Lyu, Chenyang and Ji, Shouling and Zhang, Xuhong and Liang, Hong and Zhao, Binbin and Lu, Kangjie and Beyah, Raheem},
  booktitle={29th Annual Network and Distributed System Security Symposium. https://dx. doi. org/10.14722/ndss},
  year={2022}
}