Home

Awesome

MemLock: Memory Usage Guided Fuzzing

MIT License

This repository provides the tool and the evaluation subjects for the paper "MemLock: Memory Usage Guided Fuzzing" accepted for the technical track at ICSE'2020. A pre-print of the paper can be found at ICSE2020_MemLock.pdf.

The repository contains three folders: tool, tests and evaluation.

Tool

MemLock is built on top of the fuzzer AFL. Check out AFL's website for more information details. We provide here a snapshot of MemLock. For simplicity, we provide shell script for the whole installation.

Requirements

Clone the Repository

$ git clone https://github.com/wcventure/MemLock-Fuzz.git MemLock --depth=1
$ cd MemLock

Build and Run the Docker Image

Firstly, system core dumps must be disabled as with AFL.

$ echo core|sudo tee /proc/sys/kernel/core_pattern
$ echo performance|sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

Run the following command to automatically build the docker image and configure the environment.

# build docker image
$ sudo docker build -t memlock --no-cache ./

# run docker image
$ sudo docker run --cap-add=SYS_PTRACE -it memlock /bin/bash

Usage

The running command line is similar to AFL.

To perform stack memory usage guided fuzzing, run following command line after use memlock-stack-clang to compile the program, as an example shown in tests/run_test1_MemLock.sh

tool/MemLock/build/bin/memlock-stack-fuzz -i testcase_dir -o findings_dir -d -- /path/to/program @@

To perform heap memory usage guided fuzzing, run following command line after use memlock-heap-clang to compile the program, as an example shown in tests/run_test2_MemLock.sh.

tool/MemLock/build/bin/memlock-heap-fuzz -i testcase_dir -o findings_dir -d -- /path/to/program @@

Tests

Before you use MemLock fuzzer, we suggest that you first use two simple examples provided by us to determine whether the Memlock fuzzer can work normally. We show two simple examples to shows how MemLock can detect excessive memory consumption and why AFL cannot detect these bugs easily. Example 1 demonstrates an uncontrolled-recursion bug and Example 2 demonstrates an uncontrolled-memory-allocation bug.

Run for testing example 1

Example 1 demonstrates an uncontrolled-recursion bug. The function fact() in example1.c is a recursive function. With a sufficiently large recursive depth, the execution would run out of stack memory, causing stack-overflow. You can perform fuzzing on this example program by following commands.

# enter the tests folder
$ cd tests

# run testing example 1 with MemLock
$ ./run_test1_MemLock.sh

# run testing example 1 with AFL (Open another terminal)
$ ./run_test1_AFL.sh

In our experiments for testing example 1, MemLock can find crashes in a few minutes while AFL can not find any crashes.

Run for testing example 2

Example 2 demonstrates an uncontrolled-memory-allocation bug. At line 25 in example2.c, the length of the user inputs is fed directly into new []. By carefully handcrafting the input, an adversary can provide arbitrarily large values, leading to program crash (i.e., std::bad_alloc) or running out of memory. You can perform fuzzing on this example program by following commands.

# enter the tests folder
$ cd tests

# run testing example 2 with MemLock
$ ./run_test2_MemLock.sh

# run testing example 2 with AFL (Open another terminal)
$ ./run_test2_AFL.sh

In our experiments for testing example 2, MemLock can find crashes in a few minutes while AFL can not find any crashes.

Evaluation

The fold evaluation contains all our evaluation subjects. After having MemLock installed, you can run the script to build and instrument the subjects. After instrument the subjects you can run the script to perform fuzzing on the subjects.

Build Target Program

In BUILD folder, You can run the script ./build_xxx.sh. It shows how to build and instrument the subject. For example:

# build cxxfilt
$ cd BUILD
$ ./build_cxxfilt.sh

Run for Fuzzing

After instrumenting the subjects, In FUZZ folder you can run the script ./run_MemLock_cxxfilt.sh to run a MemLock fuzzer instance on program cxxfilt. If you want to compare its performance with AFL, you can open another terminal and run the script ./run_AFL_cxxfilt.sh.

# build cxxfilt
$ cd FUZZ
$ ./run_MemLock_cxxfilt.sh

Publications

@inproceedings{wen2020memlock,
Author = {Wen, Cheng and Wang, Haijun and Li, Yuekang and Qin, Shengchao and Liu, Yang, and Xu, Zhiwu and Chen, Hongxu and Xie, Xiaofei and Pu, Geguang and Liu, Ting},
Title = {MemLock: Memory Usage Guided Fuzzing},
Booktitle= {2020 IEEE/ACM 42nd International Conference on Software Engineering},
Year ={2020},
Address = {Seoul, South Korea},
}

Practical Security Impact

CVE ID Assigned By This Work (26 CVEs)

Our tools have found several security-critical vulnerabilities in widely used open-source projects and libraries, such as Binutils, Elfutils, Libtiff, Mjs.

VulnerabilityPackageProgramVulnerability Type
CVE-2020-36375MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36374MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36373MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36372MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36371MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36370MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36369MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36368MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36367MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-36366MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2020-18392MJS 1.20.1mjsCWE-674: Uncontrolled Recursion
CVE-2019-6293Flex 2.6.4flexCWE-674: Uncontrolled Recursion
CVE-2019-6292Yaml-cpp v0.6.2praseCWE-674: Uncontrolled Recursion
CVE-2019-6291NASM 2.14.03rc1nasmCWE-674: Uncontrolled Recursion
CVE-2019-6290NASM 2.14.03rc1nasmCWE-674: Uncontrolled Recursion
CVE-2018-18701Binutils 2.31nmCWE-674: Uncontrolled Recursion
CVE-2018-18700Binutils 2.31nmCWE-674: Uncontrolled Recursion
CVE-2018-18484Binutils 2.31c++filtCWE-674: Uncontrolled Recursion
CVE-2018-17985Binutils 2.31c++filtCWE-674: Uncontrolled Recursion
CVE-2019-7704Binaryen 1.38.22wasm-optCWE-789: Uncontrolled Memory Allocation
CVE-2019-7698Bento4 v1.5.1-627mp4dumpCWE-789: Uncontrolled Memory Allocation
CVE-2019-7148Elfutils 0.175eu-arCWE-789: Uncontrolled Memory Allocation
CVE-2018-20652Tinyexr v0.9.5tinyexrCWE-789: Uncontrolled Memory Allocation
CVE-2018-18483Binutils 2.31c++filtCWE-789: Uncontrolled Memory Allocation
CVE-2018-20657Binutils 2.31c++filtCWE-401: Memory Leak
CVE-2018-20002Binutils 2.31nmCWE-401: Memory Leak

Video

Links