Semantic Aware Greybox Compiler Fuzzing
Authors: 欧先飞 (Ou Xianfei), 蒋炎岩 (Jiang Yanyan), 许畅 (Xu Chang)
Corresponding author:

蒋炎岩 (Jiang Yanyan), E-mail: jyy@nju.edu.cn

CLC number:

TP311

Funding:

National Key R&D Program of China, Ministry of Science and Technology (2022YFB4501801); National Natural Science Foundation of China (62025202, 62272218); Natural Science Foundation of Jiangsu Province, Frontier Leading Technology Basic Research Project (BK20202001). The support of the Jiangsu Collaborative Innovation Center of Novel Software Technology and Industrialization is gratefully acknowledged.


Abstract:

Fuzz testing techniques play a significant role in software quality assurance and software security testing. However, when dealing with systems like compilers, which have complex input semantics, existing fuzz testing tools often struggle due to a lack of semantic awareness in their mutation strategies, resulting in generated programs that fail compiler frontend checks. This paper proposes a semantically-aware greybox fuzz testing method aimed at enhancing the efficiency of fuzz testing tools in the domain of compiler testing. We designed and implemented a series of mutation operators that maintain input semantic validity and explore contextual diversity, and developed efficient selection strategies tailored to these operators. By integrating these strategies with traditional greybox fuzz testing tools, we developed the greybox fuzz testing tool SemaAFL. Experimental results indicate that with the application of these mutation operators, SemaAFL achieved approximately 14.5% and 11.2% higher code coverage on GCC and Clang compilers compared to AFL++ and similar tools like GrayC. During a week-long experimental period, SemaAFL discovered and reported six previously unknown bugs in GCC and Clang.

Cite this article:

欧先飞 (Ou Xianfei), 蒋炎岩 (Jiang Yanyan), 许畅 (Xu Chang). Semantic Aware Greybox Compiler Fuzzing. Journal of Software, 2025, 36(7): 0

History
  • Received: 2024-08-18
  • Revised: 2024-10-15
  • Published online: 2024-12-10
Copyright: Institute of Software, Chinese Academy of Sciences. 京ICP备05046678号-3
Address: 4 South Fourth Street, Zhongguancun, Haidian District, Beijing, 100190
Tel: 010-62562563 Fax: 010-62562533 Email: jos@iscas.ac.cn
Technical support: Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Security Network Registration No. 11040202500063