Fuzzing is a well-established technique for detecting bugs and vulnerabilities. With the surge of fuzzers and fuzzing platforms such as AFL and OSS-Fuzz comes the need to benchmark these tools' performance. A common problem is that vulnerability benchmarks are based on bugs in old software releases. For this very reason, Magma introduced the notion of forward-porting to reintroduce vulnerable code into current software releases. While their results are promising, the state of the art lacks an update on the maintainability of this approach over time. Indeed, adding the vulnerable code to a recent software version might either break its functionality or make the vulnerable code no longer reachable. We characterise the challenges of forward-porting by reassessing the portability of Magma's CVEs four years after its release and manually reintroducing the vulnerabilities into the current software versions. We find the straightforward process sufficient for 17 of the 32 CVEs in our study. We further investigate why a trivial forward-porting process fails for the 15 other CVEs. This involves identifying the commits that break the forward-porting process and reverting them in addition to the bug fix. While we manage to complete the process for nine of these CVEs, we provide an update on all 15 and explain the challenges we encountered in this process. Thereby, we give the basis for future work towards a sustainable forward-ported fuzzing benchmark.
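The forward-porting procedure the abstract describes (revert the bug fix on the current tree and, when that conflicts, also revert the later commits that rewrote the fixed lines), as an added shell example that is not part of the paper or of Magma. It builds a constructed three-commit git history in a temporary directory: a vulnerable `parser.c`, a bounds-check fix, and a refactor that rewrites the fixed lines; the function names `forward_port`, `make_demo_repo` and `bug_reintroduced`, the variables `FIX_COMMIT` and `REFACTOR_COMMIT`, and the file contents are all assumptions, and a real port would name the project's actual fix commit instead.

```shell
#!/bin/sh
# Added example, not an artefact of the paper or of Magma: forward-port a fixed
# bug by reverting its fix, and widen the revert set when a later commit has
# rewritten the fixed lines. The toy repository built below is constructed.

# Git with a fixed identity, so commits work in a bare CI environment.
g() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false -c init.defaultBranch=main "$@"
}

# Revert the given commits (newest first) on top of the repository's HEAD.
# Returns 0 and commits the result when every revert applies cleanly; on a
# conflict it lists the conflicted paths, restores the tree and returns 1.
forward_port() {
    fp_repo=$1; shift
    if g -C "$fp_repo" revert --no-commit "$@" >/dev/null 2>&1; then
        g -C "$fp_repo" commit -q -m "forward-port: revert $*"
        return 0
    fi
    echo "conflict in: $(g -C "$fp_repo" diff --name-only --diff-filter=U | tr '\n' ' ')"
    g -C "$fp_repo" revert --abort 2>/dev/null || g -C "$fp_repo" reset -q --hard
    return 1
}

# Constructed history: vulnerable v1 -> bounds-check fix -> refactor that
# rewrites the fixed lines (the pattern that defeats a trivial forward-port).
make_demo_repo() {
    d=$1
    rm -rf "$d"
    g init -q "$d" 2>/dev/null
    cat >"$d/parser.c" <<'EOF'
#include <string.h>
int parse(const char *buf, int len) {
    char out[16];
    memcpy(out, buf, len);                   /* copies len bytes into 16 bytes */
    return 0;
}
EOF
    g -C "$d" add parser.c
    g -C "$d" commit -q -m "v1: vulnerable parser"
    cat >"$d/parser.c" <<'EOF'
#include <string.h>
int parse(const char *buf, int len) {
    char out[16];
    if (len > 16) return -1;                 /* fix: reject oversized input */
    memcpy(out, buf, len);                   /* copies len bytes into 16 bytes */
    return 0;
}
EOF
    g -C "$d" commit -q -am "fix: bounds check before memcpy"
    FIX_COMMIT=$(g -C "$d" rev-parse HEAD)
    cat >"$d/parser.c" <<'EOF'
#include <string.h>
int parse(const char *src, int len) {
    char dst[16];
    if (len > (int)sizeof dst) return -1;    /* same check, tied to the buffer */
    memcpy(dst, src, len);                   /* copies len bytes into 16 bytes */
    return 0;
}
EOF
    g -C "$d" commit -q -am "refactor: rename buffers, derive limit from sizeof"
    REFACTOR_COMMIT=$(g -C "$d" rev-parse HEAD)
}

# True when the unchecked memcpy is back at HEAD. This only shows the bug is
# present again; whether a fuzzer can still reach it needs a separate PoC run.
bug_reintroduced() {
    grep -q 'memcpy' "$1/parser.c" && ! grep -q 'len >' "$1/parser.c"
}

demo() {
    d=${TMPDIR:-/tmp}/fp-demo.$$
    make_demo_repo "$d"
    if forward_port "$d" "$FIX_COMMIT"; then
        echo "trivial forward-port (revert fix only) applied cleanly"
    else
        echo "trivial forward-port failed; also reverting the refactor"
        forward_port "$d" "$REFACTOR_COMMIT" "$FIX_COMMIT" || echo "manual work needed"
    fi
    bug_reintroduced "$d" && echo "bug reintroduced at $(g -C "$d" rev-parse --short HEAD)"
    rm -rf "$d"
}

demo
```

Reverting only the fix conflicts here because the refactor touched the very lines the fix added, which is the "commit breaking the forward-porting process" case; reverting the refactor first and then the fix restores the vulnerable code cleanly. The final `grep` check confirms only that the buggy lines are back at HEAD, not that the code is still reachable by fuzzer input, which is the second failure mode the abstract names.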