Pipe-Cleaner: Flexible Fuzzing Using Security Policies
Allison Naaktgeboren, Sean Noble Anderson, Andrew Tolmach, Greg Sullivan

TL;DR
Pipe-Cleaner enhances fuzzing by allowing developers to specify security policies, enabling more precise detection and analysis of diverse vulnerabilities, including non-crashing bugs, thus improving bug triage and reducing manual effort.
Contribution
We introduce Pipe-Cleaner, a flexible fuzzing system that uses security policies and a tag-based monitor to detect and differentiate various software vulnerabilities.
Findings
Successfully detected heap-related vulnerabilities including memory safety violations.
Identified novel non-crashing bugs like secret disclosure and heap address leaks.
Enhanced bug report clarity and differentiation through customizable policies.
Abstract
Fuzzing has proven to be very effective for discovering certain classes of software flaws, but less effective in helping developers process these discoveries. Conventional crash-based fuzzers lack enough information about failures to determine their root causes, or to differentiate between new or known crashes, forcing developers to manually process long, repetitious lists of crash reports. Also, conventional fuzzers typically cannot be configured to detect the variety of bugs developers care about, many of which are not easily converted into crashes. To address these limitations, we propose Pipe-Cleaner, a system for detecting and analyzing C code vulnerabilities using a refined fuzzing approach. Pipe-Cleaner is based on flexible developer-designed security policies enforced by a tag-based runtime reference monitor, which communicates with a policy-aware fuzzer. Developers are able…
Taxonomy
Topics: Diverse Research and Applications · Mobile and Web Applications
