WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats

TL;DR

WEIZZ is an automatic grey-box fuzzing tool that efficiently uncovers bugs in programs handling complex, unknown binary formats by automatically generating and mutating inputs based on program dependencies.

Contribution

The paper introduces a novel technique to automatically generate and mutate inputs for unknown binary formats using dependency analysis and tagging, reducing reliance on manual specifications.

Findings

Discovered 16 previously unknown bugs in real-world programs.

Performed comparably to structure-aware fuzzers requiring manual format specifications.

Effectively identifies dependencies between input bytes and program logic.

Abstract

Fuzzing technologies have evolved at a fast pace in recent years, revealing bugs in programs with ever increasing depth and speed. Applications working with complex formats are however more difficult to take on, as inputs need to meet certain format-specific characteristics to get through the initial parsing stage and reach deeper behaviors of the program. Unlike prior proposals based on manually written format specifications, in this paper we present a technique to automatically generate and mutate inputs for unknown chunk-based binary formats. We propose a technique to identify dependencies between input bytes and comparison instructions, and later use them to assign tags that characterize the processing logic of the program. Tags become the building block for structure-aware mutations involving chunks and fields of the input. We show that our techniques performs comparably to structure-aware fuzzing proposals that require human assistance. Our prototype implementation WEIZZ revealed 16 unknown bugs in widely used programs.