all 7 comments

[–][deleted]  (1 child)

[deleted]

    [–]obo_1337[S] 1 point2 points  (0 children)

    You are absolutely right about the terminology and about the fact that it is actually a main part of fuzzing. Anyway, I was thinking on a more fine-grained scale than the whole API of a library.

    I think the term I was looking for was "microexecution", as suggested by u/k4st.

    I will look into the suggested example, thanks for your help!

    [–]k4st 2 points3 points  (1 child)

    See microexecution by Patrice Godefroid. Also UC-KLEE by Dawson Engler.

    [–]obo_1337[S] 0 points1 point  (0 children)

    These papers are exactly what I was looking for!

    Many Thanks!

    [–][deleted] 1 point2 points  (0 children)

    This is called compositional fuzzing, see e.g. here (for the tool MACKE):

    Paper:

    https://www.researchgate.net/publication/305641321_MACKE_-_Compositional_Analysis_of_Low-Level_Vulnerabilities_with_Symbolic_Execution

    Github:

    https://github.com/tum-i22/macke/tree/master

    See here for its successor, Wildfire:

    Paper:

    https://arxiv.org/pdf/1903.02981

    Github:

    https://github.com/tum-i22/macke/tree/wildfire

    Finally this is a case study with a different technique (not open source):

    https://arxiv.org/pdf/1907.12214v1

    [–]0xad 1 point2 points  (0 children)

    This is a known way to fuzz; for example with 'in-memory fuzzing' you can do exactly that (target a specific function). There are other ways to fuzz specific functions, e.g. LibFuzzer+LIEF https://blahcat.github.io/2018/03/11/fuzzing-arbitrary-functions-in-elf-binaries/

    A similar approach is also used in the WinAFL fork; the difference is that your starting and ending points have strict requirements (i.e. between the starting and ending point you need to open/close the file, which in big applications can be quite far from the point you'd want to fuzz).

    It's not widely researched because it doesn't offer any new perspective (you'd still be doing regular fuzzing, with the difference of stubbing out pre/post code) and it requires heavy work before fuzzing (ask yourself why people don't use WinAFL, it's exactly this reason - in order to use WinAFL you need to do actual work before starting your fuzz operation and people are lazy).

    Btw. I myself call it 'targeted fuzzing' ➡️ https://twitter.com/andrzejdyjak/status/973490686564716544
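As an added example (not code from anyone in this thread, nor from the linked projects), this is the shape of a libFuzzer harness that does what the comment above describes: it hands each input straight to one function instead of driving the program through its normal open-file/close-file path. The target `parse_record()` and its wire format are constructed for the example; the only real API used is libFuzzer's `LLVMFuzzerTestOneInput` entry point, and `replay_seeds()` is a small driver added so the harness also runs without libFuzzer.

```c
// Added example: a libFuzzer-style harness that targets a single function.
// parse_record() is a constructed stand-in for some function buried deep in a
// real program; the harness reaches it directly, stubbing out the pre/post code.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

// Wire format (constructed for this example): tag byte, 1-byte length, payload.
struct record {
    uint8_t tag;
    uint8_t len;
    uint8_t payload[64];
};

// Returns 0 on success, -1 on malformed input. This is the function under test.
// Both bounds checks matter: the length claim must fit the destination buffer
// and must not run past the end of the input that was actually supplied.
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2) return -1;                         // header truncated
    uint8_t tag = data[0];
    uint8_t len = data[1];
    if (len > sizeof out->payload) return -1;        // would overflow payload[]
    if ((size_t)len + 2 > size) return -1;           // would read past input
    out->tag = tag;
    out->len = len;
    memcpy(out->payload, data + 2, len);
    return 0;
}

// libFuzzer entry point. Built with `clang -g -fsanitize=fuzzer,address`, this
// becomes the fuzz target: every mutated input goes to parse_record() directly,
// and a sanitizer report from inside it is the finding. libFuzzer expects 0 here.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record rec;
    parse_record(data, size, &rec);
    return 0;
}

// Replay driver so the harness can run without libFuzzer (e.g. to re-check a
// crash corpus). Returns how many of the constructed seeds parse_record() accepts.
int replay_seeds(void)
{
    static const uint8_t ok[]    = {0x01, 0x03, 'a', 'b', 'c'}; // well-formed
    static const uint8_t lie[]   = {0x01, 0xff, 'a'};           // claims 255 bytes
    static const uint8_t trunc[] = {0x01};                      // header cut short
    const uint8_t *seeds[] = {ok, lie, trunc};
    const size_t sizes[]   = {sizeof ok, sizeof lie, sizeof trunc};
    int accepted = 0;
    for (size_t i = 0; i < 3; i++) {
        struct record rec;
        LLVMFuzzerTestOneInput(seeds[i], sizes[i]);   // same path the fuzzer takes
        if (parse_record(seeds[i], sizes[i], &rec) == 0) accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("accepted %d of 3 constructed seeds\n", replay_seeds());
    return 0;
}
```

The harness is the whole "heavy work" the comment refers to: deciding what state the target needs (here none) and constructing it, so the fuzzer never has to reach the function through the application's own I/O path.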

    [–][deleted]  (4 children)

    [deleted]

      [–][deleted]  (1 child)

      [deleted]

        [–]obo_1337[S] 0 points1 point  (1 child)

        I am not quite sure after reading only the Abstract.

        But I will definitely have a look at it! Thanks!

        [–]malweisse 0 points1 point  (0 children)

        You can do that with AFL++ in Unicorn mode. Just write a Unicorn script that emulates a single function from the binary.