Fuzzing is an effective technique for discovering vulnerabilities by testing applications with constructed invalid input data. However, for applications with a checksum mechanism, fuzzing achieves only low coverage because the samples generated by the fuzzer are usually unable to pass the checksum verification. To solve this problem, most current fuzzers advise the user to comment out the checksum verification code manually, but this requires considerable time to audit the source code and identify the checksum point corresponding to the checksum verification. In this paper, we present a novel approach based on taint analysis to identify the checksum point automatically. To implement this approach, the checksum-aware fuzzing assistant tool (CAFA) is designed. After the checksum point is identified, the application is statically patched in an antilogical manner at the checksum point. The fuzzing tool then tests the patched program, which bypasses the checksum verification. To evaluate CAFA, we use it to assist the American Fuzzy Lop (AFL) tool in fuzzing eight real-world applications with known input specifications. The experimental results show that CAFA can accurately and quickly identify the checksum points and greatly improve the coverage of AFL. With the help of CAFA, multiple buffer overflow vulnerabilities have been discovered in the newest ImageMagick and RAR applications.
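The following is an added illustration, not code from the CAFA paper or from AFL. It uses a constructed toy file format with a CRC32 trailer, a parser containing a single checksum point, and a deterministic bit-flip mutator standing in for the fuzzer. The checksum point is known in advance here (the paper's taint-analysis step that locates it is not reproduced); the `inverted` flag models the antilogical static patch that flips the branch at that point. Running the same mutants against the original and the patched parser shows which parser blocks each reaches.

```python
"""
Toy demonstration of why checksum verification starves a fuzzer of coverage,
and what inverting the branch at the checksum point does to the same mutants.

Constructed format:  "TOY1" | u16 payload length | payload | u32 CRC32(body)
"""
import random
import struct
import zlib
from collections import Counter

MAGIC = b"TOY1"


def build_sample(payload: bytes) -> bytes:
    """Build a well-formed sample: body followed by CRC32 over the body."""
    body = MAGIC + struct.pack("<H", len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse(data: bytes, inverted: bool = False) -> str:
    """Parse one input and return the name of the block where parsing ended.

    inverted=False is the original program; inverted=True models the
    antilogical patch, which flips the branch at the checksum point so that
    inputs with a *wrong* checksum continue into the parsing logic (and a
    correct one is rejected).
    """
    if len(data) < 10 or data[:4] != MAGIC:
        return "bad_header"
    body, trailer = data[:-4], data[-4:]
    (expected,) = struct.unpack("<I", trailer)
    matches = zlib.crc32(body) == expected
    # Checksum point: the branch whose outcome depends on both the raw input
    # and the checksum computed over it. CAFA finds this via taint analysis;
    # here it is hand-picked and the static patch is modelled by `inverted`.
    if matches == inverted:
        return "checksum_reject"
    (length,) = struct.unpack("<H", body[4:6])
    payload = body[6:]
    if length != len(payload):
        return "length_mismatch"
    if payload and payload[0] == 0xFF:
        return "deep_path_a"
    return "deep_path_b"


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Flip one to three distinct bits of the seed (a minimal fuzzer mutator)."""
    data = bytearray(seed)
    for pos in rng.sample(range(len(data) * 8), rng.randint(1, 3)):
        data[pos // 8] ^= 1 << (pos % 8)
    return bytes(data)


def run_campaign(inverted: bool, trials: int = 2000, rng_seed: int = 7) -> Counter:
    """Mutate a valid seed `trials` times and count where each mutant ends up."""
    rng = random.Random(rng_seed)
    seed = build_sample(b"A" * 16)  # constructed seed input, 26 bytes in total
    return Counter(parse(mutate(seed, rng), inverted) for _ in range(trials))


if __name__ == "__main__":
    for label, inverted in (("original", False), ("patched", True)):
        print(f"{label:9s}", dict(run_campaign(inverted)))
```

With the original parser every mutant that survives the header check dies at `checksum_reject`, so the length and payload handling is never exercised; with the inverted branch the same mutants reach those blocks. The trade-off the patch introduces is also visible: a well-formed input is now rejected, so the seed corpus itself no longer passes, which is acceptable for a fuzzing campaign but not for the shipped binary.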
Liu, X., Wei, Q., Wang, Q., Zhao, Z., & Yin, Z. (2018). CAFA: A Checksum-Aware Fuzzing Assistant Tool for Coverage Improvement. Security and Communication Networks, 2018. https://doi.org/10.1155/2018/9071065