• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1115-1130
• /
• 2020

Modern vehicles are equipped with a number of ECUs(Electronic Control Units), and ECUs can control vehicles efficiently by communicating each other through CAN(Controller Area Network). However, CAN bus is known to be vulnerable to cyber attacks because of the lack of message authentication and message encryption, and access control. To find these security issues related to vehicle hacking, CAN Fuzzing methods, that analyze the vulnerabilities of ECUs, have been studied. In the existing CAN Fuzzing methods, fuzzing inputs are randomly generated without considering the structure of CAN messages transmitted by ECUs, which results in the non-negligible fuzzing time. In addition, the existing fuzzing solutions have limitations in how to monitor fuzzing results. To deal with the limitations of CAN Fuzzing, in this paper, we propose a Non-Random CAN Fuzzing, which consider the structure of CAN messages and systematically generates fuzzing input values that can cause malfunctions to ECUs. The proposed Non-Random CAN Fuzzing takes less time than the existing CAN Fuzzing solutions, so it can quickly find CAN messages related to malfunctions of ECUs that could be originated from SW implementation errors or CAN DBC(Database CAN) design errors. We evaluated the performance of Non-Random CAN Fuzzing by conducting an experiment in a real vehicle, and proved that the proposed method can find CAN messages related to malfunctions faster than the existing fuzzing solutions.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.4
• /
• pp.587-604
• /
• 2021

Because the library cannot be run independently and used by many applications, it is important to detect vulnerabilities in the library. Fuzzing, which is a dynamic analysis, is used to discover vulnerabilities for the library. Although this fuzzing technique shows excellent results in terms of code coverage and unique crash counts, it is difficult to apply its effects to library fuzzing. In particular, a fuzzing executable and a seed corpus are needed that execute the library code by calling a specific function sequence and passing the input of the fuzzer to reproduce the various states of the library. Generating the fuzzing environment such as fuzzing executable and a seed corpus is challenging because it requires both understanding about the library and fuzzing knowledge. We propose a novel method to improve the ease of library fuzzing and enhance code coverage and crash detection performance by using a test framework. The systems's performance in this paper was applied to nine open-source libraries and was verified through comparison with previous studies.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1079-1085
• /
• 2020

Fuzzing is used to find vulnerabilities for a library. Because library fuzzing only tests the implemented functions, in order to achieve higher code coverage, additional functions that are not implemented should be implemented. However, if a function is added without regard to the calling relationship of the functions in the library, a problem may arise that the function that has already been tested is added. We propose a novel method to improve the code coverage of library fuzzing. First, we analyze the function call graph of the library to efficiently add the functions for library fuzzing, and additionally implement a library function that has not been implemented. Then, we apply a hybrid fuzzing to explore for branches with complex constraints. As a result of our experiment, we observe that the proposed method is effective in terms of increasing code coverage on OpenSSL, mbedTLS, and Crypto++.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.3
• /
• pp.535-545
• /
• 2014

As the software industry has developed, the attacks making use of software vulnerability has become a big issue in society. In particular, because the attacks using the vulnerability of web browsers bypass Windows protection mechanism, web browsers can readily be attacked. To protect web browsers against security threat, research on fuzzing has constantly been conducted. However, most existing web browser fuzzing tools use a simple fuzzing technique which randomly mutates DOM tree. Therefore, this paper analyzed existing web browser fuzzing tools and the patterns of their already-known vulnerability to propose an event and command based fuzzing tool which can detect the latest web browser vulnerability more effectively. Three kinds of existing fuzzing tools were compared with the proposed tool. As a result, it was found that the event and command based fuzzing tool proposed was more effective.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1463-1474
• /
• 2018

Fuzzing is one of the software testing techniques that find security flaws by inputting invalid values or arbitrary values into the program and various methods have been suggested to increase the efficiency of such fuzzing. In this paper, focusing on the existence of field with high relevance to coverage and software crash, we propose a new method for intensively fuzzing corresponding field part while performing field based fuzzing. In this case, we use a deep learning model called Variational Autoencoder(VAE) to learn the statistical characteristic of input values measured in high coverage and it showed that the coverage of the regenerated files are uniformly higher than that of simple variation. It also showed that new crash could be found by learning the statistical characteristic of the files in which the crash occurred and applying the dropout during the regeneration. Experimental results showed that the coverage is about 10% higher than the files in the queue of the AFL fuzzing tool and in the Hwpviewer binary, we found two new crashes using two crashes that found at the initial fuzzing phase.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.417-437
• /
• 2022

The quality of the fuzzing seed file is one of the important factors to discover vulnerabilities faster. Although the prior seed generation paradigm, using dynamic taint analysis and symbolic execution techniques, enhanced fuzzing efficiency, the yare not extensively applied owing to their high complexity and need for expertise. This study proposed the DDRFuzz system, which creates seed files based on sequence-to-sequence models. We evaluated DDRFuzz on five open-source applications that used multimedia input files. Following experimental results, DDRFuzz showed the best performance compared with the state-of-the-art studies in terms of fuzzing efficiency.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.573-582
• /
• 2020

Fuzzing is a method of testing software by randomly generating test cases. Since its introduction, a variety of fuzzing techniques have been studied. Among them, mutation-based fuzzing is an efficient method that finds real-world bugs even though it uses a simple approach such as probabilistic bit-flipping and character substitution. However, the interpreter fuzzing has difficulty in applying general mutation techniques because the interpreter requires grammar and semantic correctness input values. In this paper, we present a novel mutation-based fuzzing on JavaScript interpreters with a dynamic data flow analysis. To this end, we implement JMFuzzer that can generate various types of mutated test cases that operate normally without runtime errors in JavaScript interpreter considering syntax and semantics. As a result, we found numerous unknown vulnerabilities in the latest JavaScript interpreters. We reported all of them to the vendors.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.2
• /
• pp.327-333
• /
• 2014

The rapid expansion of the software industry has brought a serious security threat and vulnerability. Many softwares are constantly attacked by exploit codes using security vulnerabilities. Smart fuzzing is automated method to find software vulnerabilities. However, Many resources are consumed in fuzzing, because the fuzzing needs to create data model for target software and to analyze a data file and software binary. Therefore, The automated method for efficient smart fuzzing is needed to develop the automated data model. In this paper, through analysing the input file format and optimizing the data structure, we propose an efficient data modeling framework for smart fuzzing and implement the framework for detect software vulnerabilities.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.807-819
• /
• 2019

Greybox fuzzing is known as an effective method to discover unknown security flaws reside in software and has been actively researched today. However, most of greybox fuzzing tools require an executable file. Because of this, a library, which cannot be executed by itself requires an additional executable file for greybox fuzzing. Generating such an executable file is challengeable because it requires both understanding of the library and fuzzing. In this research, we suggest the approach to generate an executable file automatically for a library and implement this approach as a tool based on the LLVM framework. This tool shows that executable files and seed files can be generated automatically by static/dynamic analysis of a unit test in the target project. A generated executable file is compatible with various greybox fuzzers like AFL because it has a common interface for greybox fuzzers. We show the performance of this tool as code coverage and discovered unknown security bugs using generated executable files and seed files from open source projects through this tool.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.9
• /
• pp.3885-3906
• /
• 2020

Hybrid fuzzing which combines fuzzing and concolic execution, has proved its ability to achieve higher code coverage and therefore find more bugs. However, current hybrid fuzzers usually suffer from inefficiency and poor scalability when applied to complex, real-world program testing. We observed that the performance bottleneck is the inefficient cooperation between the fuzzer and concolic executor and the slow symbolic emulation. In this paper, we propose a novel solution named EPfuzzer to improve hybrid fuzzing. EPfuzzer implements two key ideas: 1) only the hardest-to-reach branch will be prioritized for concolic execution to avoid generating uninteresting inputs; and 2) only input bytes relevant to the target branch to be flipped will be symbolized to reduce the overhead of the symbolic emulation. With these optimizations, EPfuzzer can be efficiently targeted to the hardest-to-reach branch. We evaluated EPfuzzer with three sets of programs: five real-world applications and two popular benchmarks (LAVA-M and the Google Fuzzer Test Suite). The evaluation results showed that EPfuzzer was much more efficient and scalable than the state-of-the-art concolic execution engine (QSYM). EPfuzzer was able to find more bugs and achieve better code coverage. In addition, we discovered seven previously unknown security bugs in five real-world programs and reported them to the vendors.