Program Environment Fuzzing
Ruijie Meng, Gregory J. Duck, Abhik Roychoudhury

TL;DR
This paper introduces EnvFuzz, a greybox fuzzing extension that captures and mutates program environment interactions to discover security vulnerabilities without manual environment modeling.
Contribution
It presents a novel environment mutation approach for fuzzing that records and replays environmental interactions, enabling automatic discovery of environment-induced bugs.
Findings
Found 33 new bugs in real-world applications
Discovered multiple security vulnerabilities, for which 16 CVEs were assigned
Demonstrated effectiveness of environment mutation in bug detection
Abstract
Computer programs are not executed in isolation, but rather interact with the execution environment which drives the program behaviors. Software validation methods thus need to capture the effect of possibly complex environmental interactions. Program environments may come from files, databases, configurations, network sockets, human-user interactions, and more. Conventional approaches for environment capture in symbolic execution and model checking employ environment modeling, which involves manual effort. In this paper, we take a different approach based on an extension of greybox fuzzing. Given a program, we first record all observed environmental interactions at the kernel/user-mode boundary in the form of system calls. Next, we replay the program under the original recorded interactions, but this time with selective mutations applied, in order to get the effect of different program…
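The abstract describes a two-phase scheme: record every environmental interaction at the kernel/user boundary, then replay the program against the recorded interactions with selective mutations applied. The following is an added illustration of that record-and-replay idea, written for this page; it is not EnvFuzz's code. Where the paper intercepts real system calls, this toy harness intercepts an in-process environment interface with three hypothetical calls (read_config, getenv, recv), and the file, socket and environment-variable contents are constructed sample data. The program under test deliberately contains two unchecked assumptions about its environment so that a mutated replay can expose them.

```python
"""Toy record/replay harness for environment mutation fuzzing (added example,
not the EnvFuzz implementation). The "environment" here is an in-process
interface rather than real system calls."""
import copy
import random
from dataclasses import dataclass


@dataclass
class Interaction:
    call: str       # name of the environment call (stands in for a syscall)
    args: tuple     # arguments the program passed
    result: bytes   # what the environment returned


class LiveEnv:
    """Constructed stand-in for the real environment: a file, a socket, env vars."""
    def __init__(self):
        self.files = {"/etc/app.conf": b"mode=fast\n"}          # constructed
        self.socket_data = {"sock0": b"\x05hello world"}        # constructed
        self.envvars = {"APP_USER": b"alice"}                   # constructed

    def read_config(self, path):
        return self.files[path]

    def recv(self, sock, n):
        data = self.socket_data[sock][:n]
        self.socket_data[sock] = self.socket_data[sock][n:]
        return data

    def getenv(self, name):
        return self.envvars.get(name, b"")


class Recorder:
    """Record phase: forward each call to the live environment and log it."""
    def __init__(self, env):
        self.env, self.trace = env, []

    def __getattr__(self, call):
        def wrapped(*args):
            result = getattr(self.env, call)(*args)
            self.trace.append(Interaction(call, args, result))
            return result
        return wrapped


class Replayer:
    """Replay phase: answer each call from the (possibly mutated) trace.
    Only the call sequence is checked; a real implementation would also
    compare arguments to detect divergence from the recording."""
    def __init__(self, trace):
        self.trace, self.pos = trace, 0

    def __getattr__(self, call):
        def served(*args):
            entry = self.trace[self.pos]
            self.pos += 1
            assert entry.call == call, f"trace divergence at call {self.pos}"
            return entry.result
        return served


def program(env):
    """Program under test (hypothetical): trusts its environment too much."""
    cfg = env.read_config("/etc/app.conf")
    key, value = cfg.strip().split(b"=", 1)   # ValueError if the '=' disappears
    user = env.getenv("APP_USER")
    hdr = env.recv("sock0", 1)
    body = env.recv("sock0", hdr[0])          # IndexError on an empty header
    return {b"key": key, b"value": value, b"user": user, b"body": body}


def record():
    """Run once against the live environment and capture the trace."""
    rec = Recorder(LiveEnv())
    result = program(rec)
    return rec.trace, result


STRATEGIES = ("empty", "truncate", "flip")


def mutate_trace(trace, index, strategy, rng=None):
    """Selective mutation: copy the trace and perturb one recorded result."""
    rng = rng or random.Random(0)
    mutated = copy.deepcopy(trace)
    data = bytearray(mutated[index].result)
    if strategy == "empty":
        data = bytearray()
    elif strategy == "truncate":
        data = data[: len(data) // 2]
    elif strategy == "flip" and data:
        data[rng.randrange(len(data))] ^= 0xFF
    mutated[index].result = bytes(data)
    return mutated


def run_replay(trace):
    """Execute the program against a trace; report a crash by exception class."""
    try:
        return "ok", program(Replayer(trace))
    except Exception as exc:   # any uncaught exception counts as a finding
        return "crash", type(exc).__name__


def fuzz(trace, iterations, seed=0):
    """Mutate one interaction per run; return distinct crashes keyed by
    (mutated call, strategy, exception) with the iteration that found them."""
    rng = random.Random(seed)
    findings = {}
    for i in range(iterations):
        index = rng.randrange(len(trace))
        strategy = rng.choice(STRATEGIES)
        status, info = run_replay(mutate_trace(trace, index, strategy, rng))
        if status == "crash":
            findings.setdefault((trace[index].call, strategy, info), i)
    return findings


if __name__ == "__main__":
    trace, _ = record()
    for key, it in sorted(fuzz(trace, 200).items(), key=lambda kv: kv[1]):
        print(f"iteration {it}: mutating {key[0]} ({key[1]}) -> {key[2]}")
```

The unmutated replay reproduces the live run exactly, which is the property that makes replay a sound base for mutation; emptying the recorded config result or the recorded socket header then triggers the two environment-handling defects without touching the program's own input.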
Taxonomy
Topics: Teaching and Learning Programming
