Practical Anti-Fuzzing Techniques With Performance Optimization
Fuzzing, an automated software testing technique, has achieved remarkable success in recent years, aiding developers in identifying vulnerabilities. However, fuzzing can also be exploited by attackers to discover zero-day vulnerabilities. To counter this threat, researchers have proposed anti-fuzzin...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2023-01-01
|
| Series: | IEEE Open Journal of the Computer Society |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/10209185/ |
| _version_ | 1797738981649022976 |
|---|---|
| author | Zhengxiang Zhou Cong Wang |
| author_facet | Zhengxiang Zhou Cong Wang |
| author_sort | Zhengxiang Zhou |
| collection | DOAJ |
| description | Fuzzing, an automated software testing technique, has achieved remarkable success in recent years, aiding developers in identifying vulnerabilities. However, fuzzing can also be exploited by attackers to discover zero-day vulnerabilities. To counter this threat, researchers have proposed anti-fuzzing techniques, which aim to impede the fuzzing process by slowing the program down, providing misleading coverage feedback, and complicating data flow, etc. Unfortunately, current anti-fuzzing approaches primarily focus on enhancing defensive capabilities while underestimating the associated overhead and manual efforts required. In our paper, we present No-Fuzz, an efficient and practical anti-fuzzing technique. No-Fuzz stands out in binary-only fuzzing by accurately determining running environments, effectively reducing unnecessary fake block overhead, and replacing resource-intensive functions with lightweight arithmetic operations in anti-hybrid techniques. We have implemented a prototype of No-Fuzz and conducted evaluations to compare its performance against existing approaches. Our evaluations demonstrate that No-Fuzz introduces minimal performance overhead, accounting for less than 10% of the storage cost for a single fake block. Moreover, it achieves a significant 92.2% reduction in total storage costs compared to prior works for an equivalent number of branch reductions. By emphasizing practicality, our study sheds light on improving anti-fuzzing techniques for real-world deployment. |
| first_indexed | 2024-03-12T13:51:41Z |
| format | Article |
| id | doaj.art-2c51b706df8d4588aaca08cdf51c455c |
| institution | Directory Open Access Journal |
| issn | 2644-1268 |
| language | English |
| last_indexed | 2024-03-12T13:51:41Z |
| publishDate | 2023-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Open Journal of the Computer Society |
| spelling | doaj.art-2c51b706df8d4588aaca08cdf51c455c2023-08-22T23:00:32ZengIEEEIEEE Open Journal of the Computer Society2644-12682023-01-01420621710.1109/OJCS.2023.330188310209185Practical Anti-Fuzzing Techniques With Performance OptimizationZhengxiang Zhou0https://orcid.org/0000-0003-4365-0751Cong Wang1https://orcid.org/0000-0003-0547-315XDepartment of Computer Science, City University of Hong Kong, Hong KongDepartment of Computer Science, City University of Hong Kong, Hong KongFuzzing, an automated software testing technique, has achieved remarkable success in recent years, aiding developers in identifying vulnerabilities. However, fuzzing can also be exploited by attackers to discover zero-day vulnerabilities. To counter this threat, researchers have proposed anti-fuzzing techniques, which aim to impede the fuzzing process by slowing the program down, providing misleading coverage feedback, and complicating data flow, etc. Unfortunately, current anti-fuzzing approaches primarily focus on enhancing defensive capabilities while underestimating the associated overhead and manual efforts required. In our paper, we present No-Fuzz, an efficient and practical anti-fuzzing technique. No-Fuzz stands out in binary-only fuzzing by accurately determining running environments, effectively reducing unnecessary fake block overhead, and replacing resource-intensive functions with lightweight arithmetic operations in anti-hybrid techniques. We have implemented a prototype of No-Fuzz and conducted evaluations to compare its performance against existing approaches. Our evaluations demonstrate that No-Fuzz introduces minimal performance overhead, accounting for less than 10% of the storage cost for a single fake block. Moreover, it achieves a significant 92.2% reduction in total storage costs compared to prior works for an equivalent number of branch reductions. By emphasizing practicality, our study sheds light on improving anti-fuzzing techniques for real-world deployment.https://ieeexplore.ieee.org/document/10209185/Anti-fuzzingfuzzingsoftware engineeringsoftware protection |
| spellingShingle | Zhengxiang Zhou Cong Wang Practical Anti-Fuzzing Techniques With Performance Optimization IEEE Open Journal of the Computer Society Anti-fuzzing fuzzing software engineering software protection |
| title | Practical Anti-Fuzzing Techniques With Performance Optimization |
| title_full | Practical Anti-Fuzzing Techniques With Performance Optimization |
| title_fullStr | Practical Anti-Fuzzing Techniques With Performance Optimization |
| title_full_unstemmed | Practical Anti-Fuzzing Techniques With Performance Optimization |
| title_short | Practical Anti-Fuzzing Techniques With Performance Optimization |
| title_sort | practical anti fuzzing techniques with performance optimization |
| topic | Anti-fuzzing fuzzing software engineering software protection |
| url | https://ieeexplore.ieee.org/document/10209185/ |
| work_keys_str_mv | AT zhengxiangzhou practicalantifuzzingtechniqueswithperformanceoptimization AT congwang practicalantifuzzingtechniqueswithperformanceoptimization |