Automated Fuzzing Harness Generation for Library APIs and Binary Protocol Parsers
Chaitanya Rahalkar

TL;DR
This paper introduces an automated system that generates fuzzing harnesses for library APIs and binary protocol parsers by analyzing unit tests, improving scalability and prioritization in security testing.
Contribution
The work presents a novel automated approach to generate fuzzing harnesses from unit tests, reducing manual effort and enabling better prioritization of fuzzing targets.
Findings
Successfully automates harness generation from unit tests
Provides a metric to prioritize fuzzing targets
Enhances scalability of fuzzing infrastructure
Abstract
Fuzzing is a widely used software security testing technique that is designed to identify vulnerabilities in systems by providing invalid or unexpected input. Continuous fuzzing systems like OSS-FUZZ have been successful in finding security bugs in many different software systems. The typical process of finding security bugs using fuzzing involves several steps: first, the "fuzz-worthy" functions that are likely to contain vulnerabilities must be identified; second, the setup requirements for the API must be understood before it can be called; third, a fuzzing harness must be written and bound to a coverage-guided fuzzer like LLVM's LibFuzzer; and finally, the security bugs discovered by the fuzzing harness must be triaged and checked for reproducibility. This project focuses on automating the first two steps in this process. In particular, we present an automated system that can…
Taxonomy
Topics: Software Testing and Debugging Techniques · Advanced Malware Detection Techniques · Software Reliability and Analysis Research
