I have encountered some libpng bugs which seem untriggerable. Other issues (libpng, openssl, and php) discuss those bugs in more detail.
Given those untriggerable bugs, it would be hard to gauge the capability of a vulnerability detection technique (i.e., we cannot tell whether an untriggered bug is hidden from the technique or indeed untriggerable).
Hence, I am wondering whether it is possible to provide the PoC for those untriggered bugs (i.e., not triggered by any measured fuzzers)? It would greatly reduce the manual effort of calibrating untriggerable bugs.
For those triggered bugs, I believe we can access their PoC from the Magma homepage.
I sincerely understand that we may not have PoC for all the untriggered bugs.
Thanks!
Great question! Unfortunately, the only PoCs that we have are those found in the original evaluation (and available on the Magma website). We would be happy to extend this PoC set if you trigger additional bugs and are happy to share.
Unfortunately, determining which bugs are triggerable is difficult. For example, changes in a newer codebase may render some bugs unreachable. Further, the existing drivers (we use the same driver programs as those provided by the developers) may not be adequate to reach certain bugs (e.g., may rely on specific program state, command-line arguments, etc.). Thus, we recommend you simply compare fuzzers across triggerable bugs.