Context
Bugs! They are everywhere and everybody is bound to write some in their programming life. Bugs lead to major problems in the reliability, safety, and security of systems both large and small, and it is neither easy nor always feasible to find all bugs by hand. Although it is not a substitute to code review, testing, and program verification, automated bug finding tools can alleviate some of the pain of finding bugs. Numerous techniques have been developed in the past decades, such as fuzzing, dataflow analysis, symbolic execution, model checking, or abstract interpretation. This project should give you a glimpse of this large domain and its current challenges.
Aim
Explore a few bug finding techniques on different pieces of software and compare them: What are their advantages and drawbacks? How many bugs did they find? How many of those are real bugs?
- AFL++: a reference fuzzer (AFL with a few patches) that instruments the binary to increase the coverage and discover interesting test cases that trigger new internal states in the targeted binary.
- VUzzer: a more evolved fuzzer.
- AFL++ with ASan: ASan (AddressSanitizer) is a compiler extension module designed to find memory errors (out-of-bounds accesses, use-after-free, and similar) in C/C++ programs; combined with a fuzzer, it turns silent memory corruption into a reported crash.
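To make the AFL++ plus ASan combination concrete, here is an added example (not part of the project brief or of AFL++ itself) of a small fuzz target in the style AFL++ expects: it reads the input file AFL++ passes as the @@ argument and hands it to a parser for a constructed, toy length-prefixed record format. The unchecked parser contains the kind of missing bounds check a fuzzer finds quickly once ASan is enabled; the checked parser beside it shows the fix. The build line assumes AFL++'s afl-clang-fast wrapper and its AFL_USE_ASAN environment variable; the record layout, function names and sample inputs are assumptions made for this example.

```c
/* Added example: a minimal AFL++-style fuzz target for a constructed
 * length-prefixed record format, with an unchecked parser beside a hardened one.
 *
 * Build with AFL++ instrumentation and ASan (tools assumed installed):
 *   AFL_USE_ASAN=1 afl-clang-fast -g -O1 fuzz_target.c -o fuzz_target
 * Run:
 *   afl-fuzz -i in/ -o out/ -- ./fuzz_target @@
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16

/* Record layout (constructed for this example):
 *   byte 0      : name length n
 *   bytes 1..n  : name bytes, no terminator
 *   byte n+1    : a one-byte value
 */

/* Unchecked version: trusts the length byte. Neither "n <= MAX_NAME" nor
 * "the input actually holds n+2 bytes" is verified, so a fuzzed length
 * byte produces a stack-buffer-overflow write and an out-of-bounds read
 * that ASan reports immediately. Only call this with well-formed input. */
int parse_record_unchecked(const uint8_t *buf, size_t len, int *value_out) {
    char name[MAX_NAME];
    if (len < 1) return -1;
    size_t n = buf[0];
    memcpy(name, buf + 1, n);   /* BUG: n may exceed MAX_NAME or len - 1 */
    *value_out = buf[1 + n];    /* BUG: may read past the end of buf */
    (void)name;
    return 0;
}

/* Hardened version: every read is checked against both the declared
 * length and the real input size before it happens. */
int parse_record_checked(const uint8_t *buf, size_t len, int *value_out) {
    char name[MAX_NAME + 1];
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n > MAX_NAME) return -1;      /* name would not fit our buffer */
    if (len < 1 + n + 1) return -1;   /* input shorter than the header claims */
    memcpy(name, buf + 1, n);
    name[n] = '\0';
    *value_out = buf[1 + n];
    return 0;
}

/* Read the whole input file AFL++ hands us and feed it to the chosen parser.
 * Returns the parser's result, or -1 if the file cannot be opened. */
int run_file(const char *path, int (*parser)(const uint8_t *, size_t, int *)) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint8_t buf[4096];
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int value = 0;
    return parser(buf, len, &value);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    /* Swap in parse_record_unchecked to watch ASan flag the overflow. */
    return run_file(argv[1], parse_record_checked) == 0 ? 0 : 1;
}
```

With the unchecked parser compiled in, a seed corpus of a single valid record is enough for AFL++ to mutate the length byte and trigger the ASan report within seconds; the same input against the checked parser is simply rejected, which is the behaviour to compare when counting "real" bugs versus crashes.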
We’re bored
Finished everything early/want to do more? Several options ahead:
- Clang static analyzer: clang is a compiler, and the clang static analyzer is a tool that uses static analysis, i.e., a collection of algorithms to find bugs without ever running the program. You can try to run the clang static analyzer on the same datasets and compare the results with fuzzing.
- If you like competition: https://rode0day.mit.edu/. Every month, a new corpus of buggy binaries is released, and a new competition starts. The authors of the challenge also release previous months' corpora with answers describing the root cause of each bug and a triggering input. It may be useful to have a look at them, even without participating in the challenge.
- Fix some bugs you found! That's right, in real life, we do find bugs to fix them ;)
- Exploit some bugs!
- Experiment on real-life programs, preferably ones that parse complex structures such as images or videos.
- Try some other state-of-the-art fuzzers (T-Fuzz, Driller...)
Bibliography
During the final presentation, you should summarize these two papers:
This additional paper is meant to give you a bit more context about fuzzing: