Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities

TL;DR

UAFuzz is a novel binary-level directed greybox fuzzer specifically designed to detect Use-After-Free vulnerabilities, outperforming existing tools and discovering new bugs across multiple programs.

Contribution

This paper introduces UAFuzz, the first binary-level directed greybox fuzzer tailored for UAF bugs, with specialized techniques and a new benchmark for evaluation.

Findings

UAFuzz outperforms state-of-the-art directed fuzzers in bug detection.

Discovered 30 new UAF bugs, including 7 CVEs, in real software.

Effective in patch testing and bug triage for UAF vulnerabilities.

Abstract

Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recently, hard-to-detect vulnerabilities such as Use-After-Free (UAF) are still not well addressed, especially at the binary level. We propose UAFuzz, the first (binary-level) directed greybox fuzzer dedicated to UAF bugs. The technique features a fuzzing engine tailored to UAF specifics, a lightweight code instrumentation and an efficient bug triage step. Experimental evaluation for bug reproduction on real cases demonstrates that UAFuzz significantly outperforms state-of-the-art directed fuzzers in terms of fault detection rate, time to exposure and bug triaging. UAFuzz has also been proven effective in patch testing, leading to the discovery of 30 new bugs (7 CVEs) in programs such as Perl, GPAC and GNU Patch. Finally, we provide to the community a large fuzzing benchmark dedicated to UAF, built on both real codes and real bugs.