Personal notes
git clone git://git.laack.co/notes.git
DirectedFuzzer.md (2462B)


# Directed Fuzzer

**Source:** Where To Fuzz (paper)

**Definition:** Directed fuzzers are fuzzers that focus on specific parts of the source code or binary. These locations can be chosen either manually or by some heuristic.

## Examples

One example is regression greybox fuzzing, which focuses on recently changed code. The idea behind this is that recently changed code is more likely to introduce regressions than existing code, which has presumably been tested more thoroughly.

Another example is the set of metrics used in [Orion](Orion.md) to identify interfaces worth writing fuzzing harnesses for. Their approach combines deterministic values, like cyclomatic complexity and call graph size, with LLM-derived values based on the use of techniques commonly associated with vulnerabilities (e.g. pointer arithmetic and the like).

## Categorization

Existing directed fuzzers can be categorized simply on the basis of

1. The source of the information
    - Source code
        - e.g. code complexity
    - Binary code
        - e.g. sanitizer instrumentation
    - External information
        - e.g. recently changed code, or CVE site information used to find code patterns
2. Discrete or continuous scoring
    - Scoring type
3. Granularity
    - Block
    - Function
        - This seems to be the most common approach for the evaluation of selection methods
    - Source code line
4. Scoring mechanism
    - Two broad categories
        1. Metrics
            - Use code metrics to score individual locations
            - Examples include:
                - TortoiseFuzz & CollAFL
                    - Focus on memory access count in the selected method
                - Leopard
                    - Uses structural complexity and vulnerability metrics, i.e. properties of a code region such as pointer arithmetic and nested control structures
        2. Patterns
            - Use heuristics
            - Examples include:
                - ODDFuzz
                    - Selects deserialization methods in Java as targets
                - StrawFuzzer
                    - Targets data-storing instructions in an attempt to cause OS crashes
                - AmpFuzz
                    - Targets networking-related functions to search for amplification attacks
                - ParmeSan, SAVIOR, and FishFuzz
                    - Use sanitizer instrumentation as a heuristic for relevant code
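Added example, not taken from the paper or from any of the tools named above: a small Python sketch of the "metrics" scoring category at function granularity. It computes Leopard-style indicators (a cyclomatic complexity estimate, pointer arithmetic, array indexing, nesting depth) over a constructed C snippet and ranks the functions as candidate fuzzing targets; the regexes, the weights and the sample source are my assumptions, not any tool's real implementation.

```python
import re
# Constructed C source (not from any real project): three functions of differing interest.
SAMPLE_C = """
static int parse_header(const char *buf, size_t len) {
    if (len < 4) return -1;
    return buf[0] | (buf[1] << 8);
}
int copy_fields(char *dst, const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (src[i] == ',' || src[i] == ';') {
            for (int j = 0; j < 3; j++) { *(dst + i + j) = *(src + i); }
        }
    }
    return 0;
}
void log_msg(const char *m) { puts(m); }
"""
FUNC_RE = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^;{)]*\)\s*\{", re.MULTILINE)
BRANCH_RE = re.compile(r"\b(?:if|for|while|case)\b|&&|\|\|")  # decision points
PTR_ARITH_RE = re.compile(r"\*\s*\([^)]*[+-][^)]*\)")          # e.g. *(p + i)
ARRAY_IDX_RE = re.compile(r"\w+\[[^\]]*\]")                    # e.g. buf[i]
def _body(src, open_idx):
    # Return the brace-delimited body starting at open_idx and its max inner nesting.
    depth = max_depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
            max_depth = max(max_depth, depth - 1)  # the function's own braces are depth 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1], max_depth
    raise ValueError("unbalanced braces")

def function_metrics(src):
    """Leopard-style per-function metrics: a complexity measure plus vulnerability indicators."""
    out = {}
    for m in FUNC_RE.finditer(src):
        body, nesting = _body(src, m.end() - 1)
        v = {"cyclomatic": 1 + len(BRANCH_RE.findall(body)),
             "ptr_arith": len(PTR_ARITH_RE.findall(body)),
             "array_index": len(ARRAY_IDX_RE.findall(body)),
             "max_nesting": nesting}
        # Assumed weighting: pointer arithmetic counts double, everything else once.
        v["score"] = v["cyclomatic"] + 2 * v["ptr_arith"] + v["array_index"] + v["max_nesting"]
        out[m.group(1)] = v
    return out

def rank_targets(src):
    """Function names ordered by score, highest first: the directed fuzzer's target list."""
    metrics = function_metrics(src)
    return sorted(metrics, key=lambda name: metrics[name]["score"], reverse=True)
```

Running `rank_targets(SAMPLE_C)` puts `copy_fields` first because of its pointer arithmetic and nested loops, which is exactly the kind of region a metrics-based directed fuzzer would steer towards.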