Heap-based memory vulnerabilities remain a significant threat to software security and reliability. Whether such a vulnerability is triggered depends on factors such as code coverage, the frequency of heap operations, and the specific execution order. Current fuzzing solutions aim to efficiently detect these vulnerabilities by utilizing static analysis or incorporating feedback on the sequence of heap operations. However, these solutions have limited practical applicability and do not comprehensively address the temporal and spatial aspects of heap operations. In this paper, we propose a dedicated fuzzing technique called CtxFuzz to efficiently discover heap-based temporal and spatial memory vulnerabilities without requiring any domain knowledge. CtxFuzz utilizes context heap operation sequences (the sequences of heap operations such as allocation, deallocation, read, and write that are associated with corresponding heap memory addresses) as a new feedback mechanism to guide the fuzzing process. By doing so, CtxFuzz can explore more heap states and trigger more heap-based memory vulnerabilities, both temporal and spatial. We evaluate CtxFuzz on 9 real-world open-source programs and compare its performance with 5 state-of-the-art fuzzers (AFL, AFL++, HTFuzz, Memlock, TortoiseFuzz). The results demonstrate that CtxFuzz outperforms most fuzzers in terms of discovering heap-based memory vulnerabilities. Moreover, our experiments led to the identification of 10 zero-day vulnerabilities (10 CVEs).
The workflow of CtxFuzz is illustrated in the following Figure. CtxFuzz follows the general workflow of grey-box fuzzers but introduces improvements in three areas, namely instrumentation, feedback mechanism, and seed selection. Specifically, CtxFuzz leverages the new context heap operation sequence (CHOS) feedback by recording a set of recently accessed heap memory addresses and their corresponding latest heap operation sequences (with a new sequence bitmap) at the entry of each basic block. It preserves test cases that actively contribute to either code coverage or context heap operation sequence coverage. Additionally, the seed selection strategy is refined to prioritize seeds based on the quantity of context heap operation sequences produced after their execution, thus enhancing the diversity of context heap operation sequences and the likelihood of uncovering potential vulnerabilities.
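The following is an added, simplified model of the CHOS feedback loop described above; it is not code from the CtxFuzz project. It assumes heap operations are encoded as the letters A (alloc), F (free), R (read) and W (write), that the tracker keeps the 8 most recently accessed addresses with the last 4 operations on each, and that the sequence bitmap has 65536 entries indexed by a hash of the ordered context; these parameters are illustrative choices, not the paper's.

```python
from collections import OrderedDict
import hashlib

WINDOW, SEQ_LEN, BITMAP_SIZE = 8, 4, 1 << 16   # assumed parameters, not the paper's

class ChosTracker:
    """Tracks recently accessed heap addresses and their latest operation sequences."""
    def __init__(self):
        self.recent = OrderedDict()        # addr -> last SEQ_LEN ops, in LRU order
        self.bitmap = bytearray(BITMAP_SIZE)

    def heap_op(self, op, addr):
        """Hook for an instrumented alloc/free/read/write on heap address addr."""
        seq = (self.recent.pop(addr, "") + op)[-SEQ_LEN:]
        self.recent[addr] = seq            # most recently touched goes last
        if len(self.recent) > WINDOW:
            self.recent.popitem(last=False)   # evict least recently touched address

    def basic_block_entry(self):
        """Instrumentation point: hash the whole context (all tracked sequences, in order)."""
        key = "|".join(self.recent.values()).encode()
        idx = int.from_bytes(hashlib.blake2b(key, digest_size=2).digest(), "big")
        self.bitmap[idx] = min(255, self.bitmap[idx] + 1)

def run_trace(trace):
    """Replay a constructed trace of (op, addr) heap events and 'BB' entry markers."""
    t = ChosTracker()
    for ev in trace:
        if ev == "BB":
            t.basic_block_entry()
        else:
            t.heap_op(*ev)
    return t.bitmap

def chos_count(bitmap):
    """Number of distinct context heap operation sequences observed in one run."""
    return sum(1 for b in bitmap if b)

def is_interesting(global_bitmap, run_bitmap):
    """Keep the test case if it hit any CHOS bitmap entry never seen before."""
    new = [i for i, b in enumerate(run_bitmap) if b and not global_bitmap[i]]
    for i in new:
        global_bitmap[i] = 1
    return bool(new)

def prioritize(seeds):
    """Seed selection: seeds producing more distinct context sequences come first."""
    return sorted(seeds, key=lambda s: chos_count(run_trace(s)), reverse=True)
```

A trace that frees an address and then reads it produces contexts ("AWF", "AWFR") that a benign trace never does, so the test case is retained even when it adds no new basic-block coverage.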