Fuzzing the ActionScript virtual machine

Authors:
Guanxing Wen;Yuqing Zhang;Qixu Liu;Dingning Yang
Affiliations:
National Computer Network Intrusion Protection Center, Beijing, China;National Computer Network Intrusion Protection Center, Beijing, China;National Computer Network Intrusion Protection Center, Beijing, China;National Computer Network Intrusion Protection Center, Beijing, China
Venue:
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Year:
2013

Citing 11
Cited 0

An empirical study of the reliability of UNIX utilities

Communications of the ACM
ANTLR: a predicated-LL(k) parser generator

Software—Practice & Experience
Violating Assumptions with Fuzzing

IEEE Security and Privacy
Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)

Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)
Fuzzing: Brute Force Vulnerability Discovery

Fuzzing: Brute Force Vulnerability Discovery
Grammar-based whitebox fuzzing

Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Detecting Communication Protocol Security Flaws by Formal Fuzz Testing and Machine Learning

FORTE '08 Proceedings of the 28th IFIP WG 6.1 international conference on Formal Techniques for Networked and Distributed Systems
Interpreter exploitation

WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
Finding and understanding bugs in C compilers

Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
BlendFuzz: A Model-Based Framework for Fuzz Testing Programs with Grammatical Inputs

TRUSTCOM '12 Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
Fuzzing with code fragments

Security'12 Proceedings of the 21st USENIX conference on Security symposium

Quantified Score

Hi-index	0.00

Visualization

Abstract

Fuzz testing is an automated testing technique where random data is used as an input to software systems in order to reveal security bugs/vulnerabilities. Fuzzed inputs must be binaries embedded with compiled bytecodes when testing against ActionScript virtual machines (AVMs). The current fuzzing method for JavaScript-like virtual machines is very limited when applied to compiler-involved AVMs. The complete source code should be both grammatically and semantically valid to allow execution by first passing through the compiler. In this paper, we present ScriptGene, an algorithmic approach to overcome the additional complexity of generating valid ActionScript programs. First, nearly-valid code snippets are randomly generated, with some controls on instruction flow. Second, we present a novel mutation method where the former code snippets are lexically analyzed and mutated with runtime information of the AVM, which helps us to build context for undefined behaviours against compiler-check and produce a high code coverage. Accordingly, we have implemented and evaluated ScriptGene on three different versions of Adobe AVMs. Results demonstrate that ScriptGene not only covers almost all the blocks of the official test suite (Tamarin), but also is capable of nearly twice the code coverage. The discovery of six bugs missed by the official test suite demonstrates the effectiveness, validity and novelty of ScriptGene.