PkgFuzz Project: Yet Another Continuous Fuzzing for Open Source Software
DAY 2, 9:50-10:30
The OSS-Fuzz project, launched by Google in 2016, has discovered over 36,000 software bugs as of August 2023. This project primarily utilizes a technique called “fuzzing,” which is an automated bug detection technology. Although fuzzing is often referred to as an automatic bug detection technique, several manual tasks are required to actually perform fuzzing. These tasks include creating a harness (a program that calls the target software), generating fuzzing binaries, adjusting command-line arguments, and preparing initial seeds. Especially when fuzzing multiple different software programs, these tasks become obstacles (factors hindering automation) that prevent the entire fuzzing workflow from being fully automated. As a result, it becomes difficult to efficiently perform fuzzing across a wide variety of software.
We have developed a system called PkgFuzz, which addresses these obstacles and automates the entire fuzzing workflow. PkgFuzz monitors the build process of software packages and selects packages that can be fuzzed. At the same time, it collects the necessary information for fuzzing. In this presentation, we will introduce the fuzzing campaign called the PkgFuzz Project, which utilized PkgFuzz. In the PkgFuzz Project, we conducted a fuzzing campaign on the Debian packages of Ubuntu 23.10, which includes a wide variety of software. Without human intervention, we obtained 64,658 crashes from 265 packages. Upon further investigation, we discovered four vulnerabilities that could be exploited in attacks. We reported these vulnerabilities to the Information-Technology Promotion Agency (IPA), which resulted in the issuance of three advisories and the assignment of CVEs.
Location: Track 1 (HALL B)
Category: Technical
Speakers
Yuhei Kawakoya (川古谷 裕平)
Yuhei Kawakoya is a Distinguished Researcher at NTT Security Holdings Corporation. Since joining NTT in 2005, he has been engaged in R&D on computer security. His research interests include reverse engineering, malware analysis, and vulnerability discovery.

Eitaro Shioji (塩治 榮太朗)
Eitaro Shioji is a Senior Research Engineer at NTT Social Informatics Laboratories. Since joining NTT in 2010, he has been engaged in R&D on computer security. His research interests include software security, vulnerability mitigation, and web security.

Yuto Otsuki (大月 勇人)
Yuto Otsuki is a security researcher. His research interests are memory analysis, reverse engineering, and operating system security. He received his D.Eng. degree from the Graduate School of Information Science and Engineering, Ritsumeikan University, in Japan. From 2016 to 2019, he was engaged in research on malware analysis and digital forensics at NTT Secure Platform Laboratories. He is now with NTT Security Holdings Corporation and mainly focuses on research in vulnerability detection and exploitability analysis.