Efficient Windows Application Fuzzing with Fork-server
Fuzzing is an effective technique for automatically uncovering bugs in software. Since it was introduced, it has found thousands of vulnerabilities. Nowadays, fuzzing is an indispensable tool in security researchers' arsenal. Unfortunately, most fuzzing research has been concentrated on Linux systems, and Windows fuzzing has been largely neglected by the fuzzing community. Windows systems still represent a large market share of desktop computers, and as they are end-user systems, they are valuable targets to attackers. Windows fuzzing is still difficult to set up, slow, and generally troublesome. There exists a chicken-and-egg problem: because Windows fuzzing is challenging, little effort is invested in it; yet, because little effort is invested, Windows fuzzing remains challenging. We aim to break this cycle by attacking one of the root problems blocking easy and effective Windows fuzzing. A key difference between Linux and Windows systems for fuzzing is the lack of a fork() functionality on Windows. Without a suitable fork() API, a fuzzer cannot quickly and reliably clone processes, an operation that fuzzing relies heavily upon. Existing Windows fuzzers such as WinAFL rely on persistent-mode fuzzing as a work-around for the lack of fast process cloning, unlike Linux fuzzers, which rely on a fork-server. In this work, we developed a fork() implementation that provides the necessary fast process cloning machinery and built a working fork-server on top of it. We integrated this fork-server into WinAFL, and applied several other key improvements and insights to bypass the difficulties of fuzzing typical Windows applications. In our evaluation, we ran our fuzzer against 59 fuzzing harnesses for 37 applications, and found 61 new bugs. Comparing the performance of our fork() implementation against other similar APIs on Windows, we found that our implementation was the most suitable and efficient.
We believe that this marks the first Windows fork implementation suitable for fuzzing.
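To make concrete what the abstract means by a fork-server, here is an added example (not code from the thesis or from WinAFL) of the minimal fork-server loop that Linux fuzzers build on and that the work above reimplements for Windows. It uses POSIX fork() and waitpid(), so it runs on Linux, not Windows. The target function `toy_target`, the input corpus, and the helper names `fork_server_run` and `fork_server_count_crashes` are all constructed for this example. The point it shows is why fast process cloning matters: every test case runs in a fresh clone of the already-initialised process, so a crash in the target neither kills the fuzzer nor leaks state into the next iteration, which is exactly what persistent-mode fuzzing (running test cases in a loop inside one process) cannot guarantee.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical application under test, constructed for this example: a toy
   parser that crashes (abort()) on one particular malformed prefix. */
static int toy_target(const char *input, size_t len) {
    if (len >= 4 && memcmp(input, "BAD!", 4) == 0) {
        abort();  /* simulated bug: the target crashes on this input */
    }
    return (int)len;
}

/* Outcome of one fork-server iteration, as observed by the parent. */
enum run_result { RUN_OK = 0, RUN_CRASH = 1, RUN_ERROR = 2 };

/* One fork-server iteration: clone the initialised parent, run the target
   on a single input in the child, and classify how the child ended. */
enum run_result fork_server_run(const char *input, size_t len) {
    pid_t pid = fork();
    if (pid < 0) return RUN_ERROR;
    if (pid == 0) {
        toy_target(input, len);
        _exit(0);  /* do not flush the parent's stdio buffers from the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return RUN_ERROR;
    if (WIFSIGNALED(status)) return RUN_CRASH;  /* SIGABRT, SIGSEGV, ... */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return RUN_OK;
    return RUN_ERROR;
}

/* Drive a batch of inputs through the fork server and count the crashes.
   The fuzzer process itself survives every crash because each test case
   executed in its own short-lived clone. */
int fork_server_count_crashes(const char *const *inputs, size_t n) {
    int crashes = 0;
    for (size_t i = 0; i < n; i++) {
        if (fork_server_run(inputs[i], strlen(inputs[i])) == RUN_CRASH) {
            crashes++;
        }
    }
    return crashes;
}

int main(void) {
    /* Constructed corpus: two benign inputs and two that trigger the toy bug. */
    const char *corpus[] = { "hello", "BAD!x", "GOOD", "BAD!" };
    int crashes = fork_server_count_crashes(corpus, 4);
    printf("%d crashing inputs out of 4\n", crashes);
    return 0;
}
```

Real fork-servers (AFL's, and the Windows one described above) keep the clone source parked after the target's expensive initialisation and communicate with the fuzzer over pipes or shared memory rather than re-entering a loop in `main`, but the control flow per test case is the one shown: clone, execute one input, wait, classify the exit.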