Triggering and Detecting Exploitable Library Vulnerability from the Client by Directed Greybox Fuzzing
Yukai Zhao, Menghan Wu, Xing Hu, Shaohua Wang, Meng Luo, Xin Xia

TL;DR
LiveFuzz is a directed greybox fuzzing approach that detects exploitable library vulnerabilities from client programs without needing proof-of-concept code, improving reachability and speed.
Contribution
It introduces a novel Abstract Path Mapping and risk-based adaptive mutation to enhance vulnerability detection in cross-program scenarios.
Findings
Increases target-reachable paths compared to baselines.
Triggers three vulnerabilities that none of the baselines trigger.
Improves average speed of vulnerability exposure.
Abstract
Developers utilize third-party libraries to improve productivity, which also introduces potential security risks. Existing approaches generate tests for public functions to trigger library vulnerabilities from client programs, yet they depend on proof-of-concepts (PoCs), which are often unavailable. In this paper, we propose a new approach, LiveFuzz, based on directed greybox fuzzing (DGF) to detect the exploitability of library vulnerabilities from client programs without PoCs. LiveFuzz exploits a target tuple to extend existing DGF techniques to cross-program scenarios. Based on the target tuple, LiveFuzz introduces a novel Abstract Path Mapping mechanism to project execution paths, mitigating the preference for shorter paths. LiveFuzz also proposes a risk-based adaptive mutation to mitigate excessive mutation. To evaluate LiveFuzz, we construct a new dataset including 61 cases of…
