Automatic Self-Adaptation to Mitigate Software Vulnerabilities: A Fuzzbuster Progress Report (Extended Abstract for Poster)

Abstract

As shown in Figure 1, FUZZBUSTER operates proactively to find vulnerabilities before they can be exploited, and reactively to address exploits observed “in the wild.” FUZZBUSTER directs the execution of a set of custom and off-the-shelf fuzz-testing tools to find and characterize vulnerabilities. Fuzz-testing tools find software vulnerabilities by exploring millions of semi-random inputs to a program [1]. Given time and expert guidance, fuzz-testing has proven effective at finding a wide variety of software flaws, including defects that account for the most severe security problems [2]. FUZZBUSTER uses fuzz-testing tools to find and characterize vulnerabilities, determining what inputs to a program can cause a fault. FUZZBUSTER then synthesizes defenses to shield or repair the flaw, protecting against entire classes of exploits that may be encountered in the future.

In previous papers [3], [4], we described in detail how FUZZBUSTER works and described preliminary experiments running the system for several hours. In those experiments, we used FUZZBUSTER to proactively search for vulnerabilities in a set of 53 command-line utilities. We ran the exploration on a Debian VM and a laptop running OS X; both systems were fully patched at the time of the experiment. FUZZBUSTER ran 3,380 trials in just over 18 hours, encountering 49 faults. Fifteen of those faults were “duplicates” caused by the same input as another trial but with additional, unnecessary content at the end. For example, we found a fault in tcsh with a 1,000 byte input created with both printable and non-printable characters, no nulls, and a seed of 1,002; that same fault was subsequently encountered using a 10,000 byte input created with the same parameters. Another eleven faults differed only in that one fault was caused by feeding an input string to standard input and the other was caused by feeding the same string via a file argument. The remaining 23 faults correspond to unique crashes in five different programs.

Since that time, we have made significant improvements to FUZZBUSTER, incorporating additional fuzz-testing tools, including some capable of testing web browsers and web servers. In addition, the system is now able to run fully autonomously, continuously, all day and night. As of August 2, 2012, with over fifty-two days of continuous operation, FUZZBUSTER has conducted more than six million fuzz-testing experiments and has found more than 2000 faults in one particular web browser. This poster describes the most up-to-date results from the millions of fuzz-testing operations FUZZBUSTER has conducted, as well as its results in self-adapting to mitigate the vulnerabilities it finds.
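The two duplicate criteria the abstract describes (the same input with extra trailing content, and the same input delivered via standard input versus a file argument) as a fault-triage routine for collapsing raw fuzzer crashes into unique crashes. This is an added example, not FUZZBUSTER's own code; the `Fault` record, the function names, the sample payloads and the program name `example-util` are constructed for illustration.

```python
"""Collapse raw fuzz-testing faults into unique crashes (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fault:
    program: str    # program under test, e.g. "tcsh"
    payload: bytes  # fuzzed input that produced the fault
    delivery: str   # "stdin" or "file": how the payload reached the program


def dedupe_faults(faults: List[Fault]) -> Dict[Tuple[str, bytes], List[Fault]]:
    """Group faults into unique crashes.

    Two faults against the same program are treated as duplicates when one
    payload is a prefix of the other (the trailing bytes were unnecessary to
    trigger the crash) or the payloads are identical but delivered differently
    (stdin vs. file argument). The key of each group is the shortest payload
    observed to trigger it.
    """
    groups: Dict[Tuple[str, bytes], List[Fault]] = {}
    # Visit shortest payloads first so the minimal trigger becomes the group key.
    for fault in sorted(faults, key=lambda f: (f.program, len(f.payload))):
        for (program, key), members in groups.items():
            if program == fault.program and fault.payload.startswith(key):
                members.append(fault)
                break
        else:
            groups[(fault.program, fault.payload)] = [fault]
    return groups


def summarize(faults: List[Fault]) -> Tuple[int, int]:
    """Return (unique crashes, duplicate faults) for a set of raw faults."""
    unique = len(dedupe_faults(faults))
    return unique, len(faults) - unique


def sample_faults() -> List[Fault]:
    """Constructed trial records mirroring the abstract's duplicate patterns."""
    short = bytes(range(1, 256)) * 4   # printable + non-printable, no nulls
    long = short * 10                  # same prefix with extra trailing content
    return [
        Fault("tcsh", long, "file"),
        Fault("tcsh", short, "stdin"),
        Fault("tcsh", short, "file"),           # same input, different delivery
        Fault("example-util", b"A" * 4096, "stdin"),
        Fault("example-util", b"A" * 4096, "file"),
        Fault("example-util", b"%s%n" * 64, "stdin"),
    ]
```

Running `summarize(sample_faults())` on the constructed records yields 3 unique crashes and 3 duplicates; a prefix match is only a heuristic, so a triage pipeline should still confirm grouped faults share the same crash location before discarding them.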

DOI: 10.1109/SASO.2012.46

@inproceedings{Musliner2012AutomaticST,
  title={Automatic Self-Adaptation to Mitigate Software Vulnerabilities: A Fuzzbuster Progress Report (Extended Abstract for Poster)},
  author={David J. Musliner and Jeffrey M. Rye and Timothy Woods and Tom Marble and Kevin Raison},
  booktitle={SASO},
  year={2012}
}