sangkilc ( Sang Kil Cha )

commit sha 600cde97ea8a448837c7f226b0ed1d32d14b1f07

Clean up

push time in a day

issue closedSoftSec-KAIST/Fuzzing-Survey

List of target papers:

USENIX 2019

[x] GRIMOIRE: Synthesizing Structure while Fuzzing
[x] EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers
[x] RVFUZZER: Finding Input Validation Bugs in Robotic Vehicles Through Control-Guided Testing
[x] FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation

S&P 2019

[x] Fuzzing File Systems via Two-Dimensional Input Space Exploration
[x] NEUZZ: Efficient Fuzzing with Neural Program Smoothing
[x] ProFuzzer: On-the-fly Input Type Probing for Better Zero-day Vulnerability Discovery
[x] Razzer: Finding Kernel Race Bugs through Fuzzing
[x] Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane

CCS 2019

[x] Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing
[x] Matryoshka: Fuzzing Deeply Nested Branches
[x] Learning to Fuzz from Symbolic Execution with Application to Smart Contracts

ASE 2019

~~[ ] Coverage-guided Fuzzing for Feedforward Neural Networks~~ poster
~~[ ] DeepMutation++: a Mutation Testing Framework for Deep Learning Systems~~ poster
[x] History-Guided Configuration Diversification for Compiler Test-Program Generation
[x] Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences
~~[ ] VisFuzz: Understanding and Intervening Fuzzing with Interactive Visualization~~ demo track

ICSE 2019

[x] Deep Differential Testing of JVM Implementations
[x] DIFFUZZ: Differential Fuzzing for Side-Channel Analysis
[x] Grey-box Concolic Testing on Binary Code
[x] Practical GUI Testing of Android Applications via Model Abstraction and Refinement
[x] RESTler: Stateful REST API Fuzzing
[x] SLF: Fuzzing without Valid Seed Inputs
[x] Superion: Grammar-Aware Greybox Fuzzing

FSE 2019

[x] Finding and Understanding Bugs in Software Model Checkers
[x] Cerebro: Context-Aware Adaptive Fuzzing for Effective Vulnerability Detection

NDSS 2020

[x] HYPER-CUBE: High-Dimensional Hypervisor Fuzzing
[x] HFL: Hybrid Fuzzing on the Linux Kernel
~~[ ] Data-Driven Debugging for Functional Side Channels~~ not a fuzzer
[x] HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
[x] Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

USENIX 2020

[x] MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs
[x] Analysis of DTLS Implementations Using Protocol State Fuzzing
[x] GREYONE: Data Flow Sensitive Fuzzing
[x] Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection
[x] Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
[x] FANS: Fuzzing Android Native System Services via Automated Interface Analysis
[x] Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis
[x] SpecFuzz
[x] ParmeSan: Sanitizer-guided Greybox Fuzzing
[x] USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
[x] Symbolic execution with SYMCC: Don’t interpret, compile!
[x] Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
[x] EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit

S&P 2020

[x] Ex-vivo dynamic analysis framework for Android device drivers
[x] Fuzzing JavaScript Engines with Aspect-preserving Mutation
[x] KRACE: Data Race Fuzzing for Kernel File Systems
[x] Neutaint: Efficient Dynamic Taint Analysis with Neural Networks
[x] PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction
[x] SAVIOR: Towards Bug-Driven Hybrid Testing
[x] TRRespass: Exploiting the Many Sides of Target Row Refresh

ICSE 2020

[x] Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities
[x] MemLock: Memory Usage Guided Fuzzing
[x] Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference
[x] JVM Fuzzing for JIT-Induced Side-Channel Detection
[x] Targeted Greybox Fuzzing with Static Lookahead Analysis
[x] Fuzz Testing based Data Augmentation to Improve Robustness of Deep Neural Networks
[x] sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts
[x] HyDiff: Hybrid Differential Software Analysis

closed time in 2 days

bbb1g

commit sha 1e1a821f5ca04d7312c185ebad417cb83e8a29e8

Reorder

push time in 2 days

commit sha 607a16b01ea96f05f28f999f59bd1212dfcef54e

Add one more

push time in 4 days

commit sha 70f5b7b125268dc8183c9b840f0d2e616f2d42e2

Add ICSE 2020 papers

push time in 4 days

commit sha 471e6a87031676c11ad0a677aec79199f6230da6

Add three more

push time in 4 days

issue commentSoftSec-KAIST/Fuzzing-Survey

Done with NDSS 2020

bbb1g

comment created time in 4 days

commit sha 603dcfd6eeb7d47ebf9b0a1af608f50f8bf25a10

Add three more

push time in 4 days

issue commentSoftSec-KAIST/Fuzzing-Survey

We need to add SlowFuzz from CCS'17: "https://dl.acm.org/doi/10.1145/3133956.3134073". For some reason, it is missing in our db.

bbb1g

comment created time in 6 days

commit sha 2fc749ad50437df3e9294dd68e03cfd3dc24ef11

Add two more from NDSS 2020

push time in 6 days

commit sha e2328d401c2510545f04bbd22c8b0b715f26afaa

Remove nonconforming papers

push time in 6 days

commit sha 347398fef35474140cd7b6be66dd856daff1906c

Remove nonconforming papers

push time in 6 days

issue commentSoftSec-KAIST/Fuzzing-Survey

Added two more

bbb1g

comment created time in 8 days

commit sha 6de5dbb75e2d856cd1ceeea66e4de448f1fec3a4

Add two more

push time in 8 days

issue commentSoftSec-KAIST/Fuzzing-Survey

Fixed the list and added two more

bbb1g

comment created time in 9 days

commit sha c2d2570362bef3315af9b6b1b6ed7298cdc341a0

Remove duplicate

push time in 9 days

commit sha 3646e1fe33fcce7f29fc51d6b0c7dd46cb5e5144

Add two more from ICSE 2019

push time in 9 days

CommitCommentEvent

commit sha 3c859d0266e69d4c65aa391e13d9cc77d44bef87

Add some intro to the stat page

Feature request: Add target filtering

push time in 11 days

issue closedSoftSec-KAIST/Fuzzing-Survey

Hello there,

Clarity of the sub categories i.e targets in the paper is missing in the website. Someone looking for XYZ fuzzer must click on each node to find what XYZ fuzzers are present. Target filtering (e.g via raido buttons) would be so helpful.

closed time in 11 days

figbux

issue commentSoftSec-KAIST/Fuzzing-Survey

Feature request: Add target filtering

Handled by #9

figbux

comment created time in 11 days

issue closedSoftSec-KAIST/Fuzzing-Survey

Add basic filtering

Add a pop-up window that (1) shows basic stats, and (2) shows all the fuzzers based on keywords.

Related issue: #3.

closed time in 11 days

sangkilc

issue commentSoftSec-KAIST/Fuzzing-Survey

Add basic filtering

Closed by a527af032ae3ea51d6da16feaf226c20b3f79a95

sangkilc

comment created time in 11 days

commit sha a527af032ae3ea51d6da16feaf226c20b3f79a95

Support showing stats

push time in 11 days

issue openedSoftSec-KAIST/Fuzzing-Survey

Add basic filtering

Add a pop-up window that (1) shows basic stats, and (2) shows all the fuzzers based on keywords.

Related issue: #3.

created time in 11 days

issue commentSoftSec-KAIST/Fuzzing-Survey

Added two more

bbb1g

comment created time in 13 days

commit sha 556bbcddd0b74d8752dffba867cc56a6a9738b3f

Add LTEFuzz Since the authors did not cite any fuzzing papers, I am connecting it with the closet I think (PROTOS).

commit sha 76275410c9d63be5b794dbef7a2191f74e2b7376

Fix LL-fuzzer Add reference to Sulley

commit sha 6bceebaac66ec8596ef0bf33ceb7dcb99089e3fa

Add Janus

push time in 13 days

commit sha caeb27cb35f9b107d89ea7d8e6432ef703092353

Show other targets as is

commit sha 47f74d525a7da7ac0bc08904182d665812b72a69

Enable keyboard up/down on search results

push time in 16 days

commit sha 5ac50d849bc513d726375a2fdcc671fd22ab6dbd

Add Learn&Fuzz

push time in 17 days

commit sha 39b370bd0f11743912bcaab563020014feffa2e1

Add Echidna

push time in 17 days

commit sha 3c1f6ad0b435bcc3be83abfc7d5fda8fac35bb4b

Add sFuzz

push time in 17 days

issue commentSoftSec-KAIST/Fuzzing-Survey

Added NEUZZ and ILF @ 58c05300920cd09d7a8ad92d5084c40cce3a5cf5

bbb1g

comment created time in 17 days

commit sha 58c05300920cd09d7a8ad92d5084c40cce3a5cf5

Add ContractFuzzer, NEUZZ, and ILF

push time in 17 days

issue commentSoftSec-KAIST/Fuzzing-Survey

Added FIRM-AFL @ 72d39709e425b96a6202dd1f5c1f08ae5080fee5

bbb1g

comment created time in 17 days

commit sha 72d39709e425b96a6202dd1f5c1f08ae5080fee5

Add TriforceAFL and FIRM-AFL

push time in 17 days

PR merged SoftSec-KAIST/Fuzzing-Survey

Fix typo in nautilus toolurl

Nautilus tool has updated to Nautilus 2.0. I found the next note in the origin github url.

NOTE: THIS IS AN OUTDATE REPOSITORY, THE CURRENT RELEASE IS AVAILABLE HERE. THIS REPO ONLY SERVES AS A REFERENCE FOR THE PAPER

+1 -1

1 commit in kordood/Fuzzing-Survey/tree/kordood SoftSec-KAIST/Fuzzing-Survey/tree/master

1 comment

1 changed file

kordood

pr closed time in a month

kordood

commit sha 861e91d2e25564b4cf3c899412ad12555fe4da96

Fix typo in nautilus toolurl

Fix typo in nautilus toolurl

push time in a month

pull request commentSoftSec-KAIST/Fuzzing-Survey

Super! Thanks for your contribution.

kordood

comment created time in a month

push eventKAIST-IS521/docker-template

commit sha bd9029f91c99699f0b5ed14424c501b6ff773636

Update README.md

push time in a month

push eventKAIST-IS521/docker-template

commit sha 3b66e5cca152e7221e6cf2bbcdf65a3145b6ef9c

Create README.md

push time in 2 months

create barnchKAIST-IS521/docker-template

branch : master

created branch time in 2 months

created repositoryKAIST-IS521/docker-template

Docker service template

created time in 2 months

pull request commentB2R2-org/B2R2

Thanks for your contribution. This PR will be rebased in our internal repo, and then pushed to github later.

Ly-xThunder

comment created time in 2 months

push eventB2R2-org/B2R2

commit sha 616298aadf817fd384214f29918acb49fcfd5e6f

[BinFile] Add Wasm binary format parser

commit sha d9b7df33175eeb12441c3b8e4de7fba03a4d02ea

[Test] Clean up Wasm binary parser tests

commit sha 709251961fa123615501f4b0fe462c7481919a53

[Wasm] remove unnecessary code

commit sha fccae2f503e8aa1e65e03b52578da3e9406c1177

[Wasm] Fix custom section contents size update

commit sha 3ab289e1fb939f2221974a11e649b4aea87af120

[Wasm] Improve 'summerizeSections' function, and clean up functions below.

push time in 2 months

PR merged B2R2-org/B2R2

[BinFile] Wasm modules parser

WebAssembly (often shortened to Wasm) is an open standard that defines a portable binary-code format for executable programs, and a corresponding textual assembly language [5]. WebAssembly is widely used in a variety of platforms, ranging from major web browsers [1] to blockchain-based platforms [2][3]...etc. In this PR I'm submitting a parser for the binary format of WebAssembly Modules based on the official specification [4].

What this parser can do: 1- It can only parse the binary format of Wasm modules.
What this parser can't do: 1- It can not parse the textual format of Wasm modules. 2- It can not parse or lift the executable code (Actually it can parse constant expressions but not intended mainly for this purpose).

What needs to be done in the future? 1- Add support for static symbols (by parsing the name section). 2- Add both Code parser and lifter to the Front-End.

References: [1]: https://webassembly.org/ [2]: https://github.com/EOSIO/eos [3]: https://github.com/ewasm [4]: https://webassembly.github.io/spec/core/ [5]: https://en.wikipedia.org/wiki/WebAssembly

+1331 -2

5 commit in Ly-xThunder/B2R2/tree/Wasm-Modules-Parser B2R2-org/B2R2/tree/master

1 comment

13 changed files

Ly-xThunder

pr closed time in 2 months

Pull request review commentB2R2-org/B2R2

+(*+  B2R2 - the Next-Generation Reversing Platform++  Copyright (c) SoftSec Lab. @ KAIST, since 2016++  Permission is hereby granted, free of charge, to any person obtaining a copy+  of this software and associated documentation files (the "Software"), to deal+  in the Software without restriction, including without limitation the rights+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell+  copies of the Software, and to permit persons to whom the Software is+  furnished to do so, subject to the following conditions:++  The above copyright notice and this permission notice shall be included in all+  copies or substantial portions of the Software.++  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE+  SOFTWARE.+*)++module internal B2R2.BinFile.Wasm.Parser++open B2R2+open B2R2.BinFile+open B2R2.BinFile.Wasm.Section+open System++let sectionIdToName (secId: SectionId) (off: int) =+  match secId with+  | SectionId.Custom -> String.Format ("custom_{0:x}", off)+  | SectionId.Type -> "type"+  | SectionId.Import -> "import"+  | SectionId.Function -> "function"+  | SectionId.Table -> "table"+  | SectionId.Memory -> "memory"+  | SectionId.Global -> "global"+  | SectionId.Export -> "export"+  | SectionId.Start -> "start"+  | SectionId.Element -> "element"+  | SectionId.Code -> "code"+  | SectionId.Data -> "data"+  | _ -> ""++let private summerizeSections (reader: BinReader) offset =+  let rec loop (acc: _ list) no =+    if reader.IsOutOfRange no then+      acc+    else+      let id, size, len = peekSectionHeader reader no+      let headerSize = len + 1+      let no' = no + headerSize + int size+      let summary = {+        Id = id+        Name = sectionIdToName id no+        Offset = no+        HeaderSize = uint32 headerSize+        ContentsSize = size+      }+      loop (acc @ [summary]) no'+  loop [] offset++let private idLtId id1 id2 =+  let id1' = LanguagePrimitives.EnumToValue id1+  let id2' = LanguagePrimitives.EnumToValue id2+  id1' < id2'++let private peekSecSummPair (secsSumm: SectionSummary list) =+  let sec1 = List.head secsSumm+  let secsSumm' = List.tail secsSumm+  let sec2 = List.tryHead secsSumm'+  sec1, sec2, secsSumm'++let validateSectionsOrder secsSummary =+  let rec validationLoop secsSumm isValid =+    if List.length secsSumm = 0+    then isValid+    else+    let sec1, sec2, secsSumm' = peekSecSummPair secsSumm+    match sec2 with+      | Some sec ->+        let id1 = sec1.Id+        let id2 = sec.Id+        let isValid' =+          if id1 = SectionId.Custom || id2 = SectionId.Custom+          then true+          else idLtId id1 id2+        if not isValid' then isValid'+        else validationLoop secsSumm' isValid'+      | None -> isValid+  validationLoop secsSummary true++let updateSection wm id updateRec parseSec (secsSumm: SectionSummary list) =+  let secSumm =+    secsSumm+    |> List.filter (fun sm -> sm.Id = id)+    |> List.tryHead+  match secSumm with+    | Some sm ->+      let secsSummary' =+        secsSumm |> List.except [sm]+      let sec =+        parseSec wm.BinReader sm.Offset+      (updateRec wm sec), secsSummary'+    | None -> wm, secsSumm++let updateCustomSection wasmModule secsSummary =+  let ur wm sec =+    {+      wm with+        CustomSections = wm.CustomSections @ [ sec ]+    }

This can be in one liner: which consumes less space and seems concise to me. Similarly for the below constructs too.

Ly-xThunder

comment created time in 2 months

Pull request review commentB2R2-org/B2R2

+(*+  B2R2 - the Next-Generation Reversing Platform++  Copyright (c) SoftSec Lab. @ KAIST, since 2016++  Permission is hereby granted, free of charge, to any person obtaining a copy+  of this software and associated documentation files (the "Software"), to deal+  in the Software without restriction, including without limitation the rights+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell+  copies of the Software, and to permit persons to whom the Software is+  furnished to do so, subject to the following conditions:++  The above copyright notice and this permission notice shall be included in all+  copies or substantial portions of the Software.++  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE+  SOFTWARE.+*)++module internal B2R2.BinFile.Wasm.Parser++open B2R2+open B2R2.BinFile+open B2R2.BinFile.Wasm.Section+open System++let sectionIdToName (secId: SectionId) (off: int) =+  match secId with+  | SectionId.Custom -> String.Format ("custom_{0:x}", off)+  | SectionId.Type -> "type"+  | SectionId.Import -> "import"+  | SectionId.Function -> "function"+  | SectionId.Table -> "table"+  | SectionId.Memory -> "memory"+  | SectionId.Global -> "global"+  | SectionId.Export -> "export"+  | SectionId.Start -> "start"+  | SectionId.Element -> "element"+  | SectionId.Code -> "code"+  | SectionId.Data -> "data"+  | _ -> ""++let private summerizeSections (reader: BinReader) offset =+  let rec loop (acc: _ list) no =+    if reader.IsOutOfRange no then+      acc+    else+      let id, size, len = peekSectionHeader reader no+      let headerSize = len + 1+      let no' = no + headerSize + int size+      let summary = {+        Id = id+        Name = sectionIdToName id no+        Offset = no+        HeaderSize = uint32 headerSize+        ContentsSize = size+      }+      loop (acc @ [summary]) no'

Please use consing (::) and then List.rev later when the function returns. Appending (@) in each loop is much less efficient than consing + rev.

Ly-xThunder

comment created time in 2 months

pull request commentB2R2-org/B2R2