Confuzzion: a Java Virtual Machine Fuzzer for Type Confusion Vulnerabilities
SnT, University of Luxembourg, Luxembourg, Luxembourg.
SnT, University of Luxembourg, Luxembourg, Luxembourg.
Umeå University, Faculty of Science and Technology, Department of Computing Science. ORCID iD: 0000-0003-1383-0372
SnT, University of Luxembourg, Luxembourg, Luxembourg.
2021 (English). In: 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), IEEE, 2021, pp. 586-597. Conference paper, Published paper (Refereed)
Abstract [en]

Current Java Virtual Machine (JVM) fuzzers aim at generating syntactically valid Java programs, without targeting any particular use of the standard Java library. While effective, such fuzzers fail to discover specific kinds of bugs or vulnerabilities, such as type confusion, that are related to the standard API usage. To deal with this issue, we introduce a mutation-based feedback-guided black-box JVM fuzzer, called CONFUZZION. CONFUZZION, as the name suggests, targets security-relevant object-oriented flaws with a particular focus on type confusion vulnerabilities. We show that in less than 4 hours, on commodity hardware and without any predefined initialization seed, CONFUZZION automatically generates Java programs that reveal JVM vulnerabilities, i.e., the Common Vulnerabilities and Exposures CVE-2017-3272. We also show that state-of-the-art fuzzers or even traditional automatic testing techniques are not capable of detecting such faults, even after 48 hours of execution in the same environment. To the best of our knowledge, CONFUZZION is the first fuzzer able to detect JVM type confusion vulnerabilities.

Place, publisher, year, edition, pages
IEEE, 2021. pp. 586-597
Series
IEEE International Conference on Software Quality Reliability and Security, ISSN 2693-9185, E-ISSN 2693-9177
Keywords [en]
Fuzzing, vulnerability, Java Virtual Machine
National subject category
Computer Sciences; Software Engineering
Identifiers
URN: urn:nbn:se:umu:diva-198707
DOI: 10.1109/qrs54544.2021.00069
ISI: 000814747000059
Scopus ID: 2-s2.0-85136119401
ISBN: 978-1-6654-5813-9 (digital)
ISBN: 978-1-6654-5814-6 (print)
OAI: oai:DiVA.org:umu-198707
DiVA, id: diva2:1688766
Conference
21st IEEE International Conference on Software Quality, Reliability and Security (QRS), Hainan, China, December 06-10, 2021
Research funder
Knut och Alice Wallenbergs Stiftelse; Wallenberg AI, Autonomous Systems and Software Program (WASP)
Note

At the time this research was conducted Alexandre Bartel was at the University of Luxembourg and the University of Copenhagen.

Available from: 2022-08-19. Created: 2022-08-19. Last updated: 2024-07-02. Bibliographically reviewed.

Open Access in DiVA

No full text available in DiVA

Person

Bartel, Alexandre
