Cerebro: Context-aware adaptive fuzzing for effective vulnerability detection
What is Cerebro?
Cerebro is the device created by Professor X and Magneto in X-Men.
Professor X can use Cerebro to look into the minds of mutants.
We hope our fuzzer can look into the "minds" of programs and foresee the benefits of fuzzing certain seeds.
So we name our fuzzer Cerebro!
Site Map
This website contains the following pages:
- Combination with Dictionary-based Mutation
  - On this page, we use experiments to evaluate the performance of Cerebro when combined with dictionary-based mutation.
- Discussion on CVE-2017-13710 (nm)
  - On this page, we provide a detailed discussion of the CVE we reproduced in the newer version of nm (aka nm(new) in the paper).
  - Together with the discussion, we also provide the materials necessary to reproduce the CVE.
- Extra Explanations
  - On this page, we provide extra explanations of the mechanisms of Cerebro.
- Fuzzer, Raw Data and Additional Analysis
  - On this page, we provide the materials for a demonstration of Cerebro, together with the raw experiment data and additional analysis.
- Implementation Details
  - On this page, we provide some details about the implementation of Cerebro.
- Observations about changes of potential scores
  - On this page, we use experiments to observe how the dynamic potential scores change during fuzzing.
- Quality of seeds on the Pareto frontier
  - On this page, we use experiments to observe the quality of the seeds on the Pareto frontier (calculated with the MOO model).
Abstract
Existing greybox fuzzers mainly use program coverage as the goal that guides the fuzzing process. To maximize their output, coverage-based greybox fuzzers need to evaluate the quality of seeds properly, which involves making two decisions: 1) which seed is the most promising one to fuzz next (seed prioritization), and 2) how much effort should be spent on the current seed (power scheduling).
In this paper, we present our fuzzer, Cerebro, to address the above challenges. For the seed prioritization problem, we propose an online multi-objective optimization algorithm to balance various metrics such as code complexity, coverage, and execution time. To address the power scheduling problem, we introduce the concept of input potential to measure the complexity of uncovered code and propose a cost-effective algorithm to update it dynamically. Unlike previous approaches, in which the fuzzer evaluates an input solely on the execution traces it has already covered, Cerebro is able to foresee the benefits of fuzzing the input by adaptively evaluating its input potential.
We perform a thorough evaluation of Cerebro on 6 different real-world programs. The experiments show that Cerebro can find more vulnerabilities and achieve better coverage than state-of-the-art fuzzers such as AFL and AFLFast. Additionally, during the experiments we found 15 previously unknown bugs in mjs (a lightweight JavaScript engine for embedded systems) and Intel XED (Intel X86 Encoder Decoder), and 1 new CVE in Radare2 (a popular reverse engineering framework). Furthermore, all the new bugs have been confirmed and fixed by the developers.
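To make the multi-objective seed prioritization concrete, the following added illustration (not Cerebro's own code) computes the Pareto frontier of a seed queue over three of the metrics named above and updates it online as a new seed arrives; the seed metrics and the `Seed` fields are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Seed:
    name: str
    coverage: int        # number of covered edges (higher is better)
    complexity: float    # complexity of the code the seed reaches (higher is better)
    exec_time_ms: float  # execution time of the seed (lower is better)

def dominates(a: Seed, b: Seed) -> bool:
    """a dominates b if a is no worse on every objective and strictly better on at least one."""
    no_worse = (a.coverage >= b.coverage and a.complexity >= b.complexity
                and a.exec_time_ms <= b.exec_time_ms)
    strictly_better = (a.coverage > b.coverage or a.complexity > b.complexity
                       or a.exec_time_ms < b.exec_time_ms)
    return no_worse and strictly_better

def pareto_frontier(seeds: Iterable[Seed]) -> List[Seed]:
    """Seeds that no other seed dominates: the candidates worth fuzzing next."""
    seeds = list(seeds)
    return [s for s in seeds if not any(dominates(o, s) for o in seeds if o is not s)]

def update_frontier(frontier: List[Seed], new: Seed) -> List[Seed]:
    """Online step: insert a freshly discovered seed without rescanning the whole queue."""
    if any(dominates(f, new) for f in frontier):
        return list(frontier)                       # new seed adds nothing; keep frontier
    return [f for f in frontier if not dominates(new, f)] + [new]  # drop seeds it dominates

# Constructed sample queue (hypothetical measurements, not real fuzzing data).
SEEDS = [
    Seed("A", coverage=120, complexity=30.0, exec_time_ms=5.0),
    Seed("B", coverage=100, complexity=25.0, exec_time_ms=2.0),  # less coverage but fast
    Seed("C", coverage=90,  complexity=20.0, exec_time_ms=6.0),  # dominated by A and B
    Seed("D", coverage=120, complexity=30.0, exec_time_ms=7.0),  # same as A but slower
    Seed("E", coverage=60,  complexity=40.0, exec_time_ms=9.0),  # reaches the most complex code
]

def frontier_names(seeds: Iterable[Seed]) -> set:
    return {s.name for s in pareto_frontier(seeds)}

if __name__ == "__main__":
    front = pareto_frontier(SEEDS)
    print("initial frontier:", sorted(s.name for s in front))
    newcomer = Seed("F", coverage=130, complexity=32.0, exec_time_ms=4.0)
    print("after adding F:", sorted(s.name for s in update_frontier(front, newcomer)))
```

Seeds on the frontier are incomparable trade-offs (fast, broad, or deep), which is why a scalar score cannot rank them and a multi-objective model is used instead.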