TransferFuzz: Fuzzing with Historical Trace for Verifying Propagated Vulnerability Code

TL;DR

TransferFuzz is a novel fuzzing framework that verifies propagated vulnerabilities in reused code by leveraging historical runtime traces, significantly improving verification speed and scope expansion over existing methods.

Contribution

It introduces a trace-guided fuzzing approach with Key Bytes Guided Mutation and Nested Simulated Annealing, enabling efficient verification of propagated vulnerabilities.

Findings

Verification speed improved by up to 26.2 times

Expanded affected software scope from 15 to 53 binaries

Validated previously unverifiable vulnerabilities

Abstract

Code reuse in software development frequently facilitates the spread of vulnerabilities, making the scope of affected software in CVE reports imprecise. Traditional methods primarily focus on identifying reused vulnerability code within target software, yet they cannot verify if these vulnerabilities can be triggered in new software contexts. This limitation often results in false positives. In this paper, we introduce TransferFuzz, a novel vulnerability verification framework, to verify whether vulnerabilities propagated through code reuse can be triggered in new software. Innovatively, we collected runtime information during the execution or fuzzing of the basic binary (the vulnerable binary detailed in CVE reports). This process allowed us to extract historical traces, which proved instrumental in guiding the fuzzing process for the target binary (the new binary that reused the vulnerable function). TransferFuzz introduces a unique Key Bytes Guided Mutation strategy and a Nested Simulated Annealing algorithm, which transfers these historical traces to implement trace-guided fuzzing on the target binary, facilitating the accurate and efficient verification of the propagated vulnerability. Our evaluation, conducted on widely recognized datasets, shows that TransferFuzz can quickly validate vulnerabilities previously unverifiable with existing techniques. Its verification speed is 2.5 to 26.2 times faster than existing methods. Moreover, TransferFuzz has proven its effectiveness by expanding the impacted software scope for 15 vulnerabilities listed in CVE reports, increasing the number of affected binaries from 15 to 53. The datasets and source code used in this article are available at https://github.com/Siyuan-Li201/TransferFuzz.