Program Environment Fuzzing

Computer programs are not executed in isolation, but rather interact with the execution environment which drives the program behaviours. Software validation and verification methods, such as greybox fuzzing, thus need to capture the effect of possibly complex environmental interactions, including files, databases, configurations, network sockets, human-user interactions, and more. Conventional approaches for environment capture in symbolic execution and model checking employ environment modelling, which involves manual effort. In this paper, we take a different approach based on an extension of greybox fuzzing. Given a program, we first record all observed environmental interactions at the kernel/user-mode boundary in the form of system calls. Next, we replay the program under the original recorded interactions, but this time with selective mutations applied, in order to get the effect of different program environments -- all without environment modelling. Via repeated (feedback-driven) mutations over a fuzzing campaign, we can search for program environments that induce crashing behaviour. Our EFuzz tool found 33 zero-day bugs in well-known real-world protocol implementations and GUI applications. Many of these are security vulnerabilities and 14 CVEs were assigned.