In-Vivo Fuzz Testing for Network Services
Authors: Wen-Yang Lai, Kun-Che Tsai, Che Chen, Yu-Sung Wu
DOI: 10.1109/SRDS55811.2022.00014 (https://doi.org/10.1109/SRDS55811.2022.00014)
Published in: 2022 41st International Symposium on Reliable Distributed Systems (SRDS), publication date 2022-09-01
Record source: Semantic Scholar
Citations: 0
Abstract
Fuzz testing is typically carried out by running the target program and the fuzzing engine offline in a lab environment. The environment setup may depend on specialized test harness code to activate the target program and inject the test data. Also, due to the vast program state space, domain knowledge-dependent optimization is often needed in the environment setup to achieve reasonably efficient fuzz testing. We propose In-Vivo Fuzzing to alleviate the burdens by performing online fuzz testing on live programs. In-Vivo Fuzzing hooks I/O library calls in a live program to collect test seeds. Upon request, the In-Vivo Runtime will create a fork of the target program and carry out fuzz testing on the forked process. The runtime states from the live program provide a vantage point to start the fuzzing process, and the test seeds collected from the live workload also facilitate the generation of effective test inputs. We applied In-Vivo Fuzzing to network service programs and implemented a prototype on top of the AFL fuzzer. Experiment results indicate that In-Vivo Fuzzing can reach vulnerabilities in real-world programs much more quickly than the baseline. We also demonstrate the potential application of In-Vivo Fuzzing in detecting unknown attacks, where live attack states are captured and amplified through fuzz testing.