Advanced fuzzing unmasks elusive vulnerabilities
Fuzz testing is a core component of modern software assurance, but some bugs remain elusive to fuzzing. We show how AFL++ can be instrumented to bring some types of bugs into the reach of an advanced fuzzing setup and exemplify the approach with a zero-day bug in libwebp that was found to be exploit...
Hasnain says:
“To find this – and similar vulnerabilities in OSS-Fuzz – would require a redesign of how OSS-Fuzz and especially Clusterfuzz work to allow for more diverse target instrumentation, fuzzer orchestration and correct corpus merging.
The lesson that can be learned from this is that some bugs cannot be effectively found with CI-based fuzzing, and instead need a long-running fuzzing campaign, using different techniques to solve path constraints: CMPLOG, COMPCOV, libfuzzer's value profile and in small and medium projects maybe even one or two concolic execution frameworks.”
Posted on 2023-10-17T04:54:18+0000
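The quoted comment names CMPLOG and COMPCOV as ways to solve path constraints that plain coverage feedback cannot. The following toy model, added here as an illustration and not code from the article, AFL++ or libwebp, shows the effect on the simplest such constraint: a multi-byte magic comparison. The target, the mutator and the three feedback functions are all constructed for this example; `compcov_feedback` models COMPCOV/laf-intel style byte-splitting as "number of leading bytes that match", and `cmplog_trace` models what CMPLOG instrumentation records (both operands of the compare) so the fuzzer can substitute the constant directly.

```python
"""Toy model: a 4-byte magic compare defeats plain edge-coverage feedback but
falls quickly to comparison-aware instrumentation. Constructed example; the
target below is a stand-in, not libwebp or any real parser."""
import random

MAGIC = b"RIFF"   # constructed 4-byte magic standing in for any multi-byte compare
BUDGET = 100_000  # mutation budget per fuzzing campaign


def target(data: bytes) -> bool:
    """Toy parser: the guarded branch is reached only when the header matches."""
    return len(data) >= 4 and data[:4] == MAGIC


def plain_feedback(data: bytes) -> int:
    """Edge-coverage feedback: the compare is one branch, so the score moves
    only once all four bytes are right at the same time (no gradient)."""
    return 4 if target(data) else 0


def compcov_feedback(data: bytes) -> int:
    """COMPCOV / laf-intel style feedback: the 32-bit compare is split into
    byte compares, so every correct leading byte is a new edge (score 0..4)."""
    score = 0
    for got, want in zip(data[:4], MAGIC):
        if got != want:
            break
        score += 1
    return score


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Havoc-like mutator: overwrite 1-4 distinct bytes with random values."""
    buf = bytearray(data)
    for pos in rng.sample(range(len(buf)), rng.randint(1, 4)):
        buf[pos] = rng.randrange(256)
    return bytes(buf)


def fuzz(feedback, budget: int = BUDGET, seed: int = 1):
    """Coverage-guided loop: a candidate is kept only when feedback improves.
    Returns the iteration at which the guarded branch was reached, else None."""
    rng = random.Random(seed)
    best = bytes(8)  # constructed seed input: eight zero bytes
    best_score = feedback(best)
    for i in range(1, budget + 1):
        cand = mutate(rng, best)
        score = feedback(cand)
        if score > best_score:
            best, best_score = cand, score
        if target(best):
            return i
    return None


def cmplog_trace(data: bytes):
    """What CMPLOG-style instrumentation records at the compare: both operands."""
    return [(bytes(data[:4]), MAGIC)] if len(data) >= 4 else []


def fuzz_cmplog(seed_input: bytes = bytes(8)):
    """Input-to-state style solving: find the observed operand in the input and
    substitute the other operand at that offset. Returns (attempts, input)."""
    attempts = 0
    for lhs, rhs in cmplog_trace(seed_input):
        off = seed_input.find(lhs)
        if off < 0:
            continue  # operand was derived, not copied from the input
        cand = seed_input[:off] + rhs + seed_input[off + len(rhs):]
        attempts += 1
        if target(cand):
            return attempts, cand
    return None, None


if __name__ == "__main__":
    print("plain coverage :", fuzz(plain_feedback))
    print("COMPCOV-style  :", fuzz(compcov_feedback))
    print("CMPLOG-style   :", fuzz_cmplog()[0])
```

With the same mutator and the same budget, the plain-coverage campaign never gets past the header because no intermediate state scores higher than the seed, the byte-split feedback reaches the branch in a few thousand iterations, and operand logging solves it in a single substitution. This is the gap the comment describes: the constraint is trivial for an instrumented long-running campaign and practically unreachable for a setup that only sees edge coverage.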