Write a Blog >>
ICSE 2020
Wed 24 June - Thu 16 July 2020
ICSE 2020 (series) / Technical Papers /

MemLock: Memory Usage Guided Fuzzing

Artifact ReusableTechnicalArtifact Available
Cheng Wen, Haijun Wang, Yuekang Li, Shengchao Qin, Yang Liu, Zhiwu Xu, Hongxu Chen, Xiaofei Xie, Geguang Pu, Ting Liu
ICSE 2020 Technical Papers
Fri 10 Jul 2020 08:08 - 08:20 at Baekje - I22-Testing Chair(s): Phil McMinn

Uncontrolled memory consumption is a kind of critical software security weaknesses. It can also become a security-critical vulnerability when attackers can take control of the input to consume a large amount of memory and launch a Denial-of-Service attack. However, detecting such vulnerability is challenging, as the state-of-the-art fuzzing techniques focus on the code coverage but not memory consumption. To this end, we propose a memory usage guided fuzzing technique, named MemLock, to generate the excessive memory consumption inputs and trigger uncontrolled memory consumption bugs. The fuzzing process is guided with memory consumption information so that our approach is general and does not require any domain knowledge. We perform a thorough evaluation for MemLock on 14 widely-used real-world programs. Our experiment results show that MemLock substantially outperforms the state-of-the-art fuzzing techniques, including AFL, AFLfast, PerfFuzz, FairFuzz and QSYM, in discovering memory consumption bugs. During the experiments, we discovered many previously unknown memory consumption bugs and received 15 new CVEs.

https://wcventure.github.io/pdf/ICSE2020_MemLock.pdf
https://doi.org/10.1145/3377811.3380396
Cheng Wen
Cheng Wen
Shenzhen University
China
Haijun Wang
Haijun Wang
Ant Financial Services Group, China; CSSE, Shenzhen University, China
small-avatar
Yuekang Li
Nanyang Technological University
Shengchao Qin
Shengchao Qin
University of Teesside
United Kingdom
Yang Liu
Yang Liu
Nanyang Technological University, Singapore
Singapore
small-avatar
Zhiwu Xu
Shenzhen University
small-avatar
Hongxu Chen
Research Associate
Xiaofei Xie
Xiaofei Xie
Nanyang Technological University
small-avatar
Geguang Pu
East China Normal University
Ting Liu
Ting Liu
Xi'an Jiaotong University
China

Conference Day
Fri 10 Jul

Displayed time zone: (UTC) Coordinated Universal Time change

08:05 - 09:05
I22-TestingTechnical Papers / Demonstrations at Baekje
Chair(s): Phil McMinnUniversity of Sheffield
08:05
3m
Talk
FuRong: Fusing Report of Automated Android Testing on Multi-DevicesDemo
Demonstrations
Yuanhan TianNanjing University, Shengcheng YuNanjing University, China, Chunrong FangNanjing University, Peiyuan LiNanjing University
08:08
12m
Talk
MemLock: Memory Usage Guided FuzzingArtifact ReusableTechnicalArtifact Available
Technical Papers
Cheng WenShenzhen University, Haijun WangAnt Financial Services Group, China; CSSE, Shenzhen University, China, Yuekang LiNanyang Technological University, Shengchao QinUniversity of Teesside, Yang LiuNanyang Technological University, Singapore, Zhiwu XuShenzhen University, Hongxu ChenResearch Associate, Xiaofei XieNanyang Technological University, Geguang PuEast China Normal University, Ting LiuXi'an Jiaotong University
DOI Pre-print Media Attached
08:20
12m
Talk
Symbolic Verification of Message Passing Interface ProgramsArtifact ReusableTechnicalArtifact Available
Technical Papers
Hengbiao YuNational University of Defense Technology, Zhenbang ChenCollege of Computer, National University of Defense Technology, Changsha, PR China, Xianjin FuNational University of Defense Technology, Ji WangSchool of Computer, National University of Defense Technology, China, Zhendong SuETH Zurich, Switzerland, Jun SunSingapore Management University, Chun HuangNational University of Defense Technology, Wei DongSchool of Computer, National University of Defense Technology, China
Pre-print
08:32
12m
Talk
SAVER: Scalable, Precise, and Safe Memory-Error RepairArtifact ReusableTechnicalArtifact Available
Technical Papers
Seongjoon HongKorea University, Junhee LeeKorea University, South Korea, Jeongsoo LeeKorea University, Hakjoo OhKorea University, South Korea
08:44
12m
Talk
A Large-Scale Empirical Study on Vulnerability Distribution within Projects and the Lessons LearnedTechnical
Technical Papers
Bingchang LiuKey Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China; School of CyberSpace Security at University of Chinese Academy of Sciences, China, Guozhu MengInstitute of Information Engineering, Chinese Academy of Sciences, Chao ZhangInstitute for Network Sciences and Cyberspace of Tsinghua University, Feng LiKey Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China; School of CyberSpace Security at University of Chinese Academy of Sciences, China, Qi GongKey Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China, Min LinInstitute for Network Sciences and Cyberspace of Tsinghua University, Dandan SunKey Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China, Wei HuoInstitute of Information Engineering, Chinese Academy of Sciences, Wei ZouKey Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China; School of CyberSpace Security at University of Chinese Academy of Sciences, China
08:56
3m
Talk
MPI-SV: A Symbolic Verifier for MPI ProgramsDemo
Demonstrations
Zhenbang ChenCollege of Computer, National University of Defense Technology, Changsha, PR China, Hengbiao YuNational University of Defense Technology, Xianjin FuNational University of Defense Technology, Ji WangSchool of Computer, National University of Defense Technology, China
Pre-print