
Modular Greybox Fuzzing


Supervisor(s): Ferdinand Jarisch, Philipp Zieris
Status: finished
Topic: Others
Author: Moritz Oettle
Submission: 2020-04-15
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching



The research field of fuzz testing has been around for roughly 30
years. The first fuzzers tested software by executing a program with
malformed input, which is supposed to cause unexpected behavior in the
target program. Although fuzz testing is still used for general
software testing, the focus nowadays lies on finding security
vulnerabilities, since unexpected behavior in a program can often lead
to security vulnerabilities within it. Over time, not only the goal of
fuzz testing has changed, but also the techniques for achieving it have
evolved. Starting with rudimentary blackbox fuzzers that have no
insight into the target program, researchers have developed more
advanced greybox and whitebox fuzzers, which gather valuable
information about the target before and while fuzzing it.
Although fuzzing research has progressed quickly and produced a variety
of advanced fuzzers that work very well in general, these fuzzers still
share a common problem: executing code sections that are hidden deep
within the target program behind hard-to-pass conditional checks. Some
fuzzers address this problem with a modular fuzzing approach. Instead
of searching for an execution path that leads to the deeper sections of
the code, a modular fuzzer skips the conditional checks and directly
executes deep "modules" of the target program. Skipping the checks
between the main entry point of the program and the deep code sections,
however, introduces a second problem: false-positive findings. Although
these findings crash the target program in the isolated context of the
module, they do not crash the target program in its overall context.
This thesis addresses both problems simultaneously by combining modular
fuzzing with a directed greybox fuzzer and merging the results of both
techniques in a newly developed approach called targeted probing. The
overall implementation that wraps these techniques is called MGFuzz
(Modular Greybox Fuzzer). MGFuzz uses a conventional directed greybox
fuzzer to reach the potentially vulnerable functions identified by
modular fuzzing. Targeted probing then combines the findings of modular
fuzzing and directed fuzzing in order to crash the target program in
its overall context. With these techniques, MGFuzz significantly
reduces the false-positive rate of modular fuzzing and identifies valid
findings that induce unintended behavior in the target program.
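The three-stage pipeline described in the abstract (modular fuzzing of a deep module, a directed greybox fuzzer that reaches that module from the entry point, and a probing step that replays module-level crashes end to end to weed out false positives) can be modelled on a toy target. The following is an added illustration written for this page; it is not MGFuzz code and not taken from the thesis. Everything in it is constructed: the target with a 4-byte magic header guarding a `parse_record` module that has a deliberate out-of-bounds read, the entry-point length validation the isolated module never sees, a "distance" metric that simply counts unpassed checks (standing in for the CFG-based target distance a directed greybox fuzzer computes from instrumentation), a one-byte mutator, and the assumption that the module's input is the tail of the end-to-end input so the bytes spent on passing the checks can be reused as a prefix. Function names (`modular_fuzz`, `directed_fuzz`, `targeted_probing`, `demo`) are hypothetical.

```python
import random

# Constructed toy target (not MGFuzz): a 4-byte magic header guards a deep module.
MAGIC = b"MGF1"
MAX_DECLARED_LEN = 8   # validation done at the entry point; the isolated module never sees it


class ModuleCrash(Exception):
    """Raised when the deep module hits its constructed out-of-bounds bug."""


def parse_record(payload: bytes) -> int:
    """Deep module: trusts the declared length byte (constructed bug)."""
    n = payload[0]
    total = 0
    for i in range(n):
        if 1 + i >= len(payload):          # the read a C implementation would do unchecked
            raise ModuleCrash(f"out-of-bounds read at offset {1 + i}")
        total += payload[1 + i]
    return total


def entry_point(data: bytes):
    """Return (distance, result) for one end-to-end execution.

    distance = number of guarding checks not yet passed; 0 means the deep module ran.
    This stands in for the instrumentation-derived target distance of a directed
    greybox fuzzer. The magic bytes are compared one at a time, so each byte is its
    own branch and yields feedback, as under comparison splitting.
    """
    checks_left = len(MAGIC) + 1
    for i, expected in enumerate(MAGIC):
        if i >= len(data) or data[i] != expected:
            return checks_left, None
        checks_left -= 1
    payload = data[len(MAGIC):]
    if not payload or payload[0] > MAX_DECLARED_LEN:
        return checks_left, None
    return 0, parse_record(payload)


def run(data: bytes):
    """entry_point with the module crash turned into a result value."""
    try:
        return entry_point(data)
    except ModuleCrash:
        return 0, "crash"


def modular_fuzz(rng, iterations=1000):
    """Stage 1: fuzz the deep module directly, bypassing the entry point's checks."""
    crashes = []
    for _ in range(iterations):
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
        try:
            parse_record(payload)
        except ModuleCrash:
            crashes.append(payload)
    return crashes


def directed_fuzz(rng, max_iters=60000):
    """Stage 2: distance-guided search for an end-to-end input that reaches the module.

    Deliberately simple single-byte mutator; a candidate replaces the seed only when
    it gets strictly closer to the target, so progress is never lost.
    """
    best = bytes(8)
    best_dist, _ = run(best)
    for _ in range(max_iters):
        if best_dist == 0:
            return best
        pos = rng.randrange(len(best))
        candidate = best[:pos] + bytes([rng.randrange(256)]) + best[pos + 1:]
        dist, _ = run(candidate)
        if dist < best_dist:
            best, best_dist = candidate, dist
    return best if best_dist == 0 else None


def targeted_probing(reaching_input: bytes, module_crashes):
    """Stage 3: replay each module-level crash through the real entry point.

    Toy assumption: the module's input is the tail of the end-to-end input, so the
    bytes the reaching input spends on passing the checks are reused as a prefix.
    """
    prefix = reaching_input[:len(MAGIC)]
    valid, false_positives = [], []
    for payload in module_crashes:
        _, result = run(prefix + payload)
        (valid if result == "crash" else false_positives).append(payload)
    return valid, false_positives


def demo(seed=7):
    rng = random.Random(seed)
    crashes = modular_fuzz(rng)
    reaching = directed_fuzz(rng)
    if reaching is None:
        raise RuntimeError("directed fuzzer did not reach the target module")
    valid, false_positives = targeted_probing(reaching, crashes)
    return {"reaching_input": reaching, "module_crashes": crashes,
            "valid": valid, "false_positives": false_positives}


if __name__ == "__main__":
    r = demo()
    print(f"module crashes: {len(r['module_crashes'])}, confirmed end-to-end: "
          f"{len(r['valid'])}, false positives: {len(r['false_positives'])}")
```

Running `demo()` shows the effect the abstract describes: the isolated module crashes on most random payloads, but only those whose declared length also passes the entry point's validation crash the whole program; the rest are the false positives that modular fuzzing alone would report.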