HTFuzz: Heap Operation Sequence Sensitive Fuzzing

ASE 2022 (2022)

Abstract
Heap-based temporal vulnerabilities (e.g., use-after-free and double-free) are highly sensitive to the sequence of heap operations (e.g., memory allocation, deallocation and access). To find such vulnerabilities efficiently, traditional code-coverage-guided fuzzing could be improved by integrating heap operation sequence feedback, but current sequence-sensitive solutions have limitations in practice. In this paper, we propose a novel fuzzing solution named HTFuzz to find heap-based temporal vulnerabilities. At its core, we use fuzzing to increase the coverage of runtime heap operation sequences and the diversity of the pointers accessed by these operations; the former reflects the control flow and the latter the data flow of heap operation sequences. With both increased, the fuzzer can find more heap-based temporal vulnerabilities. We have developed a prototype of HTFuzz, evaluated it on 14 real-world applications, and compared it with 11 state-of-the-art fuzzers. The results show that HTFuzz outperformed all the baselines and was statistically better in the number of heap-based temporal vulnerabilities discovered. In detail, HTFuzz found (1.82x, 2.62x, 2.66x, 2.02x, 2.21x, 2.06x, 1.47x, 2.98x, 1.98x) more heap operation sequences and (1.45x, 3.56x, 3.56x, 4.57x, 1.78x, 1.78x, 1.68x, 4.00x, 1.45x) more 0-day heap-based temporal vulnerabilities than (AFL, AFL-sensitive-ma, AFL-sensitive-mw, Memlock, PathAFL, TortoiseFuzz, MOPT, Angora, Ankou), respectively. HTFuzz discovered 37 new vulnerabilities, with 37 CVEs assigned, including 32 new heap-based temporal vulnerabilities and 5 of other types.
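The two feedback signals described above, as an added illustration that is not HTFuzz's code: a toy model in C that replays abstract heap operation traces and reports (a) previously unseen windows of heap operations, standing in for sequence (control-flow) coverage, and (b) previously unseen (access site, pointer) pairs, standing in for pointer diversity (data-flow). A per-pointer live/freed state acts as a minimal use-after-free and double-free oracle in place of the sanitizer a real fuzzer would rely on. The window length of 3, the packed key format, the site and pointer ids, and the three constructed traces are assumptions made for this example; the three traces execute the same three heap operations, so plain code coverage would not tell them apart.

```c
/* Toy model of heap-operation-sequence feedback. Added illustration, not
 * HTFuzz's implementation: window length, key packing, site/pointer ids
 * and the sample traces are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>

enum heap_op_kind { OP_ALLOC = 0, OP_FREE = 1, OP_ACCESS = 2 };
enum ptr_state { PTR_NONE, PTR_LIVE, PTR_FREED };

/* One runtime heap operation: its kind, the instrumented instruction
 * (site) that performed it, and an abstract id for the heap object. */
struct heap_op {
    enum heap_op_kind kind;
    unsigned site;
    unsigned ptr;
};

/* What a fuzzer would learn from one execution of an input. */
struct ht_feedback {
    unsigned new_seqs;   /* new windows of heap operations (control flow) */
    unsigned new_pairs;  /* new (access site, pointer) pairs (data flow)  */
    int temporal_bug;    /* 1 if a use-after-free or double-free occurred */
};

#define WINDOW 3      /* number of consecutive operations per sequence key */
#define MAX_SEEN 1024 /* capacity of the toy "seen" sets */
#define MAX_PTRS 64   /* abstract pointer ids tracked by the oracle */

static uint64_t seen_seq[MAX_SEEN];
static size_t n_seen_seq;
static uint64_t seen_pair[MAX_SEEN];
static size_t n_seen_pair;

/* Flat-array set: returns 1 if key was not present (and stores it). */
static int set_add(uint64_t *set, size_t *n, uint64_t key) {
    for (size_t i = 0; i < *n; i++)
        if (set[i] == key) return 0;
    if (*n < MAX_SEEN) set[(*n)++] = key;
    return 1;
}

/* 16 bits per operation: marker bit (so shorter windows never collide
 * with longer ones), 2-bit kind, 13-bit site id. */
static uint64_t pack_op(const struct heap_op *op) {
    return 0x8000u | ((uint64_t)(op->kind & 3) << 13) | (op->site & 0x1fff);
}

void ht_reset(void) { n_seen_seq = 0; n_seen_pair = 0; }

/* Replays one trace against the global "seen" sets and returns the
 * feedback a sequence-sensitive fuzzer would derive from it. */
struct ht_feedback ht_run_trace(const struct heap_op *ops, size_t n) {
    struct ht_feedback fb = { 0, 0, 0 };
    enum ptr_state state[MAX_PTRS] = { PTR_NONE };

    for (size_t i = 0; i < n; i++) {
        const struct heap_op *op = &ops[i];

        /* 1. Temporal-safety oracle on the abstract pointer state. */
        if (op->ptr < MAX_PTRS) {
            if (op->kind == OP_ALLOC) {
                state[op->ptr] = PTR_LIVE;
            } else if (op->kind == OP_FREE) {
                if (state[op->ptr] == PTR_FREED) fb.temporal_bug = 1; /* double-free */
                state[op->ptr] = PTR_FREED;
            } else if (state[op->ptr] == PTR_FREED) {
                fb.temporal_bug = 1;                                 /* use-after-free */
            }
        }

        /* 2. Sequence coverage: key over the last WINDOW (kind, site) pairs. */
        uint64_t key = 0;
        size_t start = (i + 1 > WINDOW) ? i + 1 - WINDOW : 0;
        for (size_t k = start; k <= i; k++)
            key = (key << 16) | pack_op(&ops[k]);
        if (set_add(seen_seq, &n_seen_seq, key)) fb.new_seqs++;

        /* 3. Pointer diversity: which objects each access site touches. */
        if (op->kind == OP_ACCESS) {
            uint64_t pair = ((uint64_t)op->site << 32) | op->ptr;
            if (set_add(seen_pair, &n_seen_pair, pair)) fb.new_pairs++;
        }
    }
    return fb;
}

/* Constructed traces: same three operations, hence identical code
 * coverage, but different orders / different objects. */
static const struct heap_op trace_benign[]    = { {OP_ALLOC,1,7}, {OP_ACCESS,2,7}, {OP_FREE,3,7} };
static const struct heap_op trace_uaf[]       = { {OP_ALLOC,1,7}, {OP_FREE,3,7},   {OP_ACCESS,2,7} };
static const struct heap_op trace_other_ptr[] = { {OP_ALLOC,1,8}, {OP_ACCESS,2,8}, {OP_FREE,3,8} };

/* Runs the three traces from a clean state. Returns 1 if the reordered
 * trace is rewarded by sequence coverage and flagged as a bug, while the
 * same order on a different object is rewarded only by pointer diversity. */
int ht_demo(void) {
    ht_reset();
    struct ht_feedback a = ht_run_trace(trace_benign, 3);
    struct ht_feedback b = ht_run_trace(trace_uaf, 3);
    struct ht_feedback c = ht_run_trace(trace_other_ptr, 3);
    printf("benign:    %u new seqs, %u new pairs, bug=%d\n", a.new_seqs, a.new_pairs, a.temporal_bug);
    printf("uaf:       %u new seqs, %u new pairs, bug=%d\n", b.new_seqs, b.new_pairs, b.temporal_bug);
    printf("other ptr: %u new seqs, %u new pairs, bug=%d\n", c.new_seqs, c.new_pairs, c.temporal_bug);
    return a.new_seqs == 3 && a.new_pairs == 1 && !a.temporal_bug
        && b.new_seqs == 2 && b.new_pairs == 0 && b.temporal_bug
        && c.new_seqs == 0 && c.new_pairs == 1 && !c.temporal_bug;
}

int main(void) { return ht_demo() ? 0 : 1; }
```

The point of the three traces is that an edge-coverage fuzzer sees nothing new in the second or third one, whereas the sequence key rewards the reordered trace (the one that actually triggers the use-after-free) and the pointer-pair key rewards the trace that reaches the same access with a different object. A real instrumentation would hash such keys into a fixed-size bitmap rather than keep exact sets; the exact sets here only make the counts deterministic.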
Keywords
heap-based temporal vulnerability, fuzzing, heap operation sequence