PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing

Wen Li; Haoran Yang; Xiapu Luo; Long Cheng; Haipeng Cai

doi:10.1145/3576915.3623166

PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing

Wen Li
, Haoran Yang
, Xiapu Luo
, Long Cheng
, Haipeng Cai

Department of Computer Science and Engineering

University at Buffalo

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

12 Scopus citations

Abstract

Given the widespread use of Python and its sustaining impact, the security and reliability of the Python runtime system is highly and broadly critical. Yet with real-world bugs in Python runtimes being continuously and increasingly reported, technique/tool support for automated detection of such bugs is still largely lacking. In this paper, we present PyRTFuzz, a novel fuzzing technique/tool for holistically testing Python runtimes including the language interpreter and its runtime libraries. PyRTFuzz combines generation- and mutation-based fuzzing at the compiler- and application-testing level, respectively, as enabled by static/dynamic analysis for extracting runtime API descriptions, a declarative, specification language for valid and diverse Python code generation, and a custom type-guided mutation strategy for format/structure-aware application input generation. We implemented PyRTFuzz for the primary Python implementation (CPython) and applied it to three versions of the runtime. Our experiments revealed 61 new, demonstrably exploitable bugs including those in the interpreter and most in the runtime libraries. Our results also demonstrated the promising scalability and cost-effectiveness of PyRTFuzz and its great potential for further bug discovery. The two-level collaborative fuzzing methodology instantiated in PyRTFuzz may also apply to other language runtimes especially those of interpreted languages.

Original language	English
Title of host publication	CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	1645-1659
Number of pages	15
ISBN (Electronic)	9798400700507
DOIs	https://doi.org/10.1145/3576915.3623166
State	Published - Nov 21 2023
Event	30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 - Copenhagen, Denmark Duration: Nov 26 2023 → Nov 30 2023

Publication series

Name	CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference	30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023
Country/Territory	Denmark
City	Copenhagen
Period	11/26/23 → 11/30/23

Keywords

Python
Runtime system
code generation
collaborative fuzzing
fuzz testing
greybox fuzzing
language runtime
software security

Access to Document

10.1145/3576915.3623166

Cite this

Li, W., Yang, H., Luo, X., Cheng, L., & Cai, H. (2023). PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing. In CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 1645-1659). (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3576915.3623166

Li, Wen ; Yang, Haoran ; Luo, Xiapu et al. / PyRTFuzz : Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing. CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2023. pp. 1645-1659 (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security).

@inproceedings{b0a9d01e30bd4a808984faaff8c93af9,

title = "PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing",

abstract = "Given the widespread use of Python and its sustaining impact, the security and reliability of the Python runtime system is highly and broadly critical. Yet with real-world bugs in Python runtimes being continuously and increasingly reported, technique/tool support for automated detection of such bugs is still largely lacking. In this paper, we present PyRTFuzz, a novel fuzzing technique/tool for holistically testing Python runtimes including the language interpreter and its runtime libraries. PyRTFuzz combines generation- and mutation-based fuzzing at the compiler- and application-testing level, respectively, as enabled by static/dynamic analysis for extracting runtime API descriptions, a declarative, specification language for valid and diverse Python code generation, and a custom type-guided mutation strategy for format/structure-aware application input generation. We implemented PyRTFuzz for the primary Python implementation (CPython) and applied it to three versions of the runtime. Our experiments revealed 61 new, demonstrably exploitable bugs including those in the interpreter and most in the runtime libraries. Our results also demonstrated the promising scalability and cost-effectiveness of PyRTFuzz and its great potential for further bug discovery. The two-level collaborative fuzzing methodology instantiated in PyRTFuzz may also apply to other language runtimes especially those of interpreted languages.",

keywords = "Python, Runtime system, code generation, collaborative fuzzing, fuzz testing, greybox fuzzing, language runtime, software security",

author = "Wen Li and Haoran Yang and Xiapu Luo and Long Cheng and Haipeng Cai",

note = "Publisher Copyright: {\textcopyright} 2023 Copyright held by the owner/author(s).; 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 ; Conference date: 26-11-2023 Through 30-11-2023",

year = "2023",

month = nov,

day = "21",

doi = "10.1145/3576915.3623166",

language = "English",

series = "CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "1645--1659",

booktitle = "CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security",

}

Li, W, Yang, H, Luo, X, Cheng, L & Cai, H 2023, PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing. in CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 1645-1659, 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, 11/26/23. https://doi.org/10.1145/3576915.3623166

PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing. / Li, Wen; Yang, Haoran; Luo, Xiapu et al.
CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2023. p. 1645-1659 (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - PyRTFuzz

T2 - 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023

AU - Li, Wen

AU - Yang, Haoran

AU - Luo, Xiapu

AU - Cheng, Long

AU - Cai, Haipeng

PY - 2023/11/21

Y1 - 2023/11/21

N2 - Given the widespread use of Python and its sustaining impact, the security and reliability of the Python runtime system is highly and broadly critical. Yet with real-world bugs in Python runtimes being continuously and increasingly reported, technique/tool support for automated detection of such bugs is still largely lacking. In this paper, we present PyRTFuzz, a novel fuzzing technique/tool for holistically testing Python runtimes including the language interpreter and its runtime libraries. PyRTFuzz combines generation- and mutation-based fuzzing at the compiler- and application-testing level, respectively, as enabled by static/dynamic analysis for extracting runtime API descriptions, a declarative, specification language for valid and diverse Python code generation, and a custom type-guided mutation strategy for format/structure-aware application input generation. We implemented PyRTFuzz for the primary Python implementation (CPython) and applied it to three versions of the runtime. Our experiments revealed 61 new, demonstrably exploitable bugs including those in the interpreter and most in the runtime libraries. Our results also demonstrated the promising scalability and cost-effectiveness of PyRTFuzz and its great potential for further bug discovery. The two-level collaborative fuzzing methodology instantiated in PyRTFuzz may also apply to other language runtimes especially those of interpreted languages.

AB - Given the widespread use of Python and its sustaining impact, the security and reliability of the Python runtime system is highly and broadly critical. Yet with real-world bugs in Python runtimes being continuously and increasingly reported, technique/tool support for automated detection of such bugs is still largely lacking. In this paper, we present PyRTFuzz, a novel fuzzing technique/tool for holistically testing Python runtimes including the language interpreter and its runtime libraries. PyRTFuzz combines generation- and mutation-based fuzzing at the compiler- and application-testing level, respectively, as enabled by static/dynamic analysis for extracting runtime API descriptions, a declarative, specification language for valid and diverse Python code generation, and a custom type-guided mutation strategy for format/structure-aware application input generation. We implemented PyRTFuzz for the primary Python implementation (CPython) and applied it to three versions of the runtime. Our experiments revealed 61 new, demonstrably exploitable bugs including those in the interpreter and most in the runtime libraries. Our results also demonstrated the promising scalability and cost-effectiveness of PyRTFuzz and its great potential for further bug discovery. The two-level collaborative fuzzing methodology instantiated in PyRTFuzz may also apply to other language runtimes especially those of interpreted languages.

KW - Python

KW - Runtime system

KW - code generation

KW - collaborative fuzzing

KW - fuzz testing

KW - greybox fuzzing

KW - language runtime

KW - software security

UR - https://www.scopus.com/pages/publications/85179844757

U2 - 10.1145/3576915.3623166

DO - 10.1145/3576915.3623166

M3 - Conference contribution

T3 - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

SP - 1645

EP - 1659

BT - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

Y2 - 26 November 2023 through 30 November 2023

ER -

Li W, Yang H, Luo X, Cheng L, Cai H. PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing. In CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2023. p. 1645-1659. (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security). doi: 10.1145/3576915.3623166

PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this