Description
As software becomes an ever more present part of our lives, ensuring its safety has become increasingly critical. Fuzzing has evolved into a standard approach for finding potential issues and vulnerabilities: a fuzzer discovers them by repeatedly executing the targeted software with generated inputs. Various approaches to improve the fuzzing process have been proposed since its inception. One of them is to combine fuzzing with a sanitizer. Sanitizers are designed to detect errors during the execution of an application. The Hardware Address Sanitizer (HWASan) is a tool for detecting memory safety issues that leverages ARM64 hardware features and improves on purely software-based approaches. HWASanIO extends HWASan to detect an additional category of bugs, intra-object overflows: out-of-bounds accesses that leave one field of an object but stay inside the enclosing allocation, and therefore pass any check that only compares the access against the allocation's bounds. The capability to detect these intra-object overflows comes at the cost of added overhead: every memory access is checked, and allocations must be tracked precisely using additional metadata. In the context of fuzzing, a slowdown of the target means that fewer test cases can be run in a given time frame. With fewer tests run, the time to discover bugs increases and the probability of finding a bug within a given period decreases compared to a faster-running fuzzer. To make fuzzing with sanitizers more effective, we aim to reduce this overhead.

In this thesis, we analyze the overheads of combining the HWASanIO sanitizer with the popular AFL++ fuzzer. We propose five modifications that reduce the identified overheads and thus increase the number of test cases the fuzzer can execute per unit of time. We evaluate these modifications on six example targets from the OSS-Fuzz project. Additionally, we provide an environment for our experiments on an Apple M1 processor by adapting the existing OSS-Fuzz infrastructure to support AArch64 targets.
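To make the class of bug concrete, the following is an added illustration, not code from the thesis, from HWASan or from HWASanIO, of an intra-object overflow and of why a check that only knows the allocation's bounds cannot see it. The record layout, the inputs and the two-granularity bounds-check model (`check_access`) are constructed for this illustration and are assumptions, not the sanitizers' real tag or metadata logic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: an 8-byte name buffer immediately followed, inside the
 * same object, by a privilege flag. sizeof(struct session) == 12, no padding. */
struct session {
    char name[8];
    uint32_t is_admin;
};

/* Two granularities of bounds check, as a simplified model (assumption: this
 * illustrates the idea only, not the sanitizers' real implementation).
 * Whole-object: the access must stay inside the allocation, which is what a
 * redzone- or tag-based check such as ASan's or HWASan's enforces.
 * Per-field: the access must also stay inside the field it addresses, which
 * needs the extra per-field metadata the abstract attributes to HWASanIO. */
enum bounds_result { ACCESS_OK = 0, ACCESS_OUT_OF_OBJECT = 1, ACCESS_OUT_OF_FIELD = 2 };

static enum bounds_result check_access(size_t object_size,
                                       size_t field_off, size_t field_size,
                                       size_t access_off, size_t access_len)
{
    if (access_off + access_len > object_size)
        return ACCESS_OUT_OF_OBJECT;   /* a whole-object check catches this */
    if (access_off < field_off || access_off + access_len > field_off + field_size)
        return ACCESS_OUT_OF_FIELD;    /* only a per-field check catches this */
    return ACCESS_OK;
}

/* The buggy copy: n comes from untrusted input and is clamped to the object,
 * not to the name field. The copy goes through the object's byte
 * representation so that the demonstration is well-defined C; the effect is
 * the same as an unchecked strcpy() of an over-long name into s.name.
 * Returns the flag so that the corruption can be observed. */
static uint32_t copy_name_unchecked(const char *input, size_t n)
{
    struct session s;
    size_t name_off = offsetof(struct session, name);
    memset(&s, 0, sizeof s);                           /* is_admin starts at 0 */
    if (n > sizeof s - name_off)
        n = sizeof s - name_off;                       /* stays inside the object... */
    memcpy((unsigned char *)&s + name_off, input, n);  /* ...but may run into is_admin */
    return s.is_admin;
}

/* Classify the same copy of n bytes into s.name under both checks. */
static enum bounds_result classify_name_copy(size_t n)
{
    return check_access(sizeof(struct session),
                        offsetof(struct session, name),
                        sizeof(((struct session *)0)->name),
                        offsetof(struct session, name), n);
}

int main(void)
{
    /* Constructed inputs: a name that fits, and a 12-byte one whose tail is
     * all 0xFF so that the flag reads 0xFFFFFFFF regardless of byte order. */
    const char ok_name[8]    = "AAAAAAAA";
    const char long_name[12] = "AAAAAAAA\xff\xff\xff\xff";

    printf("8-byte name : check=%d is_admin=0x%08x\n",
           (int)classify_name_copy(8),  copy_name_unchecked(ok_name, 8));
    printf("12-byte name: check=%d is_admin=0x%08x\n",
           (int)classify_name_copy(12), copy_name_unchecked(long_name, 12));
    printf("13-byte name: check=%d (outside the object, any sanitizer sees it)\n",
           (int)classify_name_copy(13));
    return 0;
}
```

The 12-byte case is the interesting one: the access never leaves the 12-byte object, so a whole-object check reports it as fine, yet the bytes land in `is_admin`. Only a check that knows where `name` ends flags it, and keeping that per-field information for every object is the extra metadata whose cost the thesis sets out to reduce.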
For three of the sample targets, our changes increase the executions per second by more than 10%, with the largest gain at almost 50% more executions per second than unmodified HWASanIO. In one example target from the OpenSSH project, we even outperform HWASan while additionally providing intra-object overflow detection.