Talk

No App? No Problem: Fuzzing Libraries With Automatic Driver Generation

conf 20.11.2025 10:45 – 11:15 La Marive EN

Third-party libraries dominate the modern landscape of software development: nearly every project builds on available code that already solves its tasks. At the same time, a few errors in any one of these libraries cascade into millions of dependent projects. Consequently, identifying vulnerabilities in third-party libraries is key to safeguarding end users. Fuzzing is an effective way to discover such vulnerabilities, but applying it to libraries requires non-trivial domain knowledge and manual effort: developers need to write dedicated fuzz drivers that encode correct library interactions (which functions to call, in what order, with what arguments). Given these barriers, many libraries remain under-tested, even in large-scale efforts like OSS-Fuzz. This talk introduces libErator: our tool for discovering errors in third-party libraries automatically. libErator infers how a library is meant to be used through static analysis and then synthesizes fuzz drivers from that inferred usage. Crucially, it requires minimal domain knowledge while maximizing library interaction, thus discovering flaws in otherwise overlooked code segments. We deployed libErator on 15 widely used open source C libraries and discovered 24 confirmed bugs, including one assigned a CVE. Our approach achieves coverage on par with manually written drivers and doubles the true positive rate of prior automated tools. Some of the bugs found were in code that had already been fuzzed for years. This talk will be of interest to security professionals, fuzzing practitioners, and developers who care about scaling vulnerability discovery to complex software components that lack obvious entry points.
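To make concrete what a "fuzz driver encoding correct library interactions" is, here is an added example (not code from the talk or from libErator) of a libFuzzer-style driver. The library it drives, a tiny "key=value" parser with kv_new / kv_parse / kv_free, is a constructed stand-in, and its API names are assumptions; only LLVMFuzzerTestOneInput is the real libFuzzer entry-point signature. The driver's job is exactly the domain knowledge the abstract refers to: it knows that a context must be created before parsing and released afterwards, and it hands the fuzzer's bytes to the function that consumes untrusted input.

```c
/* Added example: a hand-written fuzz driver for a constructed stand-in library.
 * The library (kv_*) is hypothetical and exists only to show the driver shape. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Constructed stand-in library: a "key=value" parser (hypothetical API) ---- */
typedef struct {
    char key[32];
    char value[64];
    int initialized;        /* precondition flag: kv_parse requires kv_new first */
} kv_ctx_t;

/* Must be called before any other kv_* function. Returns NULL on allocation failure. */
kv_ctx_t *kv_new(void) {
    kv_ctx_t *c = calloc(1, sizeof *c);
    if (c) c->initialized = 1;
    return c;
}

/* Parses "key=value" from a buffer that is NOT NUL-terminated (len bytes).
 * Returns 0 on success, -1 on malformed input or violated preconditions. */
int kv_parse(kv_ctx_t *c, const uint8_t *buf, size_t len) {
    if (!c || !c->initialized || (!buf && len > 0)) return -1;
    const uint8_t *eq = len ? memchr(buf, '=', len) : NULL;
    if (!eq) return -1;
    size_t klen = (size_t)(eq - buf);
    size_t vlen = len - klen - 1;
    /* Bounds checks keep the copies below inside the fixed-size fields. */
    if (klen == 0 || klen >= sizeof c->key || vlen >= sizeof c->value) return -1;
    memcpy(c->key, buf, klen);
    c->key[klen] = '\0';
    memcpy(c->value, eq + 1, vlen);
    c->value[vlen] = '\0';
    return 0;
}

void kv_free(kv_ctx_t *c) { free(c); }

/* ---- The fuzz driver: encodes the correct call sequence new -> parse -> free ----
 * libFuzzer calls this once per generated input. Returning 0 always is the
 * convention; crashes and sanitizer reports, not return codes, signal bugs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    kv_ctx_t *ctx = kv_new();
    if (!ctx) return 0;               /* allocation failure is not a library bug */
    (void)kv_parse(ctx, data, size);  /* parse failure on garbage input is expected */
    kv_free(ctx);                     /* release so the loop does not leak */
    return 0;
}

/* ---- Helpers for stand-alone runs and tests (not part of a real driver) ---- */

/* Runs the library on one NUL-terminated input; returns kv_parse's status. */
int parse_status(const char *input) {
    kv_ctx_t *ctx = kv_new();
    if (!ctx) return -1;
    int rc = kv_parse(ctx, (const uint8_t *)input, strlen(input));
    kv_free(ctx);
    return rc;
}

/* Returns 1 if input parses and yields exactly the expected key and value. */
int parse_matches(const char *input, const char *key, const char *value) {
    kv_ctx_t *ctx = kv_new();
    if (!ctx) return 0;
    int ok = kv_parse(ctx, (const uint8_t *)input, strlen(input)) == 0
          && strcmp(ctx->key, key) == 0 && strcmp(ctx->value, value) == 0;
    kv_free(ctx);
    return ok;
}

/* Stand-alone run: replay a small constructed seed corpus through the driver,
 * the way a fuzzer would before it starts mutating. */
int main(void) {
    const char *seeds[] = { "name=alice", "novalue", "=empty-key", "" };
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++) {
        LLVMFuzzerTestOneInput((const uint8_t *)seeds[i], strlen(seeds[i]));
        printf("seed %zu -> parse status %d\n", i, parse_status(seeds[i]));
    }
    return 0;
}
```

With a real library, the driver is compiled with `-fsanitize=fuzzer,address` and the harness generates inputs; the effort the abstract describes is learning the kv_new / kv_parse / kv_free ordering and preconditions for each library by hand, which is what libErator infers automatically from static analysis.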