--[ Unlocking the Compartments

Personal
$ getent passwd jbundt
.
├─── name: Josh Bundt
├──── org: Army Cyber Institute
└─ social:
   └─ twitter: @DynaWhat
Experience

21yr Army LTC, Signal Corps branch. Most recently a PhD student at Northeastern University studying fuzzing. Now serving (for the 2nd time) as a research scientist at the Army Cyber Institute, Cyber Operations Research Team. Previously a coach for the Cadet Competitive Cyber Team (C3T), the host of Army CyberStakes, and instructor of CS483, Digital Forensics.

Abstract

Fuzz testing is often automated, but is also frequently augmented by experts who insert themselves into the workflow in a greedy search for bugs. In this presentation, we demonstrate compartment analysis, in which analyses guide the manual efforts, maximizing benefit. Compartment analysis uses a whole-program dominator analysis to estimate the utility of reaching new code, and combines this with a dynamic analysis indicating drastically under-covered edges guarding that code. This results in a prioritized list of compartments, i.e., large, uncovered parts of the program semantically partitioned and thus largely unreachable given the current corpus of inputs under consideration. A dynamic data flow analysis is further used to sort the conditionals guarding compartments into bins: those dependent on user input, those controlled by the fuzzing harness, and seemingly untainted ones requiring manual analysis. A human can use this categorization and ranking of compartments directly to focus manual effort, finding or fashioning inputs that make the compartments available for future fuzzing. We evaluate the effect of compartment analysis on seven projects within the OSS-Fuzz corpus where we see coverage improvements over AFL++ as high as 94%, with a median of 13%. We further observe that the determination of compartments is highly stable and thus can be done early in a fuzzing campaign, maximizing the potential for impact.