Angora: Efficient Fuzzing by Principled Search
Top Cited Papers
- 1 May 2018
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 711-725
- https://doi.org/10.1109/sp.2018.00046
Abstract
Fuzzing is a popular technique for finding software bugs. However, the performance of the state-of-the-art fuzzers leaves a lot to be desired. Fuzzers based on symbolic execution produce quality inputs but run slow, while fuzzers based on random mutation run fast but have difficulty producing quality inputs. We propose Angora, a new mutation-based fuzzer that outperforms the state-of-the-art fuzzers by a wide margin. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution. To solve path constraints efficiently, we introduce several key techniques: scalable byte-level taint tracking, context-sensitive branch count, search based on gradient descent, and input length exploration. On the LAVA-M data set, Angora found almost all the injected bugs, found more bugs than any other fuzzer that we compared with, and found eight times as many bugs as the second-best fuzzer in the program who. Angora also found 103 bugs that the LAVA authors injected but could not trigger. We also tested Angora on eight popular, mature open source programs. Angora found 6, 52, 29, 40 and 48 new bugs in file , jhead , nm , objdump and size , respectively. We measured the coverage of Angora and evaluated how its key techniques contribute to its impressive performance.Keywords
This publication has 20 references indexed in Scilit:
- Coverage-based Greybox Fuzzing as Markov ChainPublished by Association for Computing Machinery (ACM) ,2016
- Program-Adaptive Mutational FuzzingPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2015
- TaintDroidACM Transactions on Computer Systems, 2014
- Symbolic execution for software testingCommunications of the ACM, 2013
- Scheduling black-box mutational fuzzingPublished by Association for Computing Machinery (ACM) ,2013
- DTAMPublished by Association for Computing Machinery (ACM) ,2012
- A Taint Based Approach for Smart FuzzingPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2012
- ArgosACM SIGOPS Operating Systems Review, 2006
- DARTACM SIGPLAN Notices, 2005
- Detecting and Debugging Insecure Information FlowsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2005