Guiding Directed Grey-box Fuzzing by Target-oriented Valid Coverage (有效覆盖引导的定向灰盒模糊测试)
Authors:
Author biographies:

Yang Ke (杨克, b. 1989), male, PhD; research interests: software security analysis, operating system security. Cai Chunfang (蔡春芳, b. 1996), female, MS; research interest: software security analysis. He Yeping (贺也平, b. 1962), male, PhD, research professor, doctoral supervisor; research interests: system security, privacy protection. Xie Yi (谢异, b. 1995), male, MS; research interests: software security analysis, operating system security. Ma Hengtai (马恒太, b. 1970), male, PhD, associate research professor; research interests: software security analysis, operating system security. Dong Ke (董柯, b. 1996), male, MS; research interests: software security analysis, operating system security.

Corresponding authors:

He Yeping, E-mail: yeping@iscas.ac.cn; Ma Hengtai, E-mail: hengtai@iscas.ac.cn

CLC number:

TP311

Funding:

Strategic Priority Research Program of the Chinese Academy of Sciences (XDA-Y01-01, XDC02010600)


    Abstract (translated from the Chinese):

    When directed grey-box fuzzing measures a seed's ability to search for the target execution state, it must consider not only how closely the seed approaches the target code but also the seed's ability to discover diverse execution states, so as to avoid getting stuck in a local optimum. Existing directed grey-box fuzzers measure a seed's ability to search diverse execution paths mainly from whole-program coverage statistics. However, the target execution state depends on only part of the program code. If a seed that brings new coverage has not explored any new execution state on which the computation of the target state depends, it not only fails to extend the seed queue's ability to search for the target execution state, but also induces testing of target-irrelevant code and functionality, hindering the convergence of directed testing toward the target code. To mitigate this problem, this paper starts from coverage statistics over the code that the yet-undiscovered target execution state depends on and proposes a valid-coverage-guided directed grey-box fuzzing method. Program slicing is used to extract the code that affects the computation of the target execution state. Through energy scheduling (i.e., controlling how many offspring a seed generates), the energy of seeds that cause new control-flow coverage in this code region is raised and the energy of other, redundant seeds is lowered, so that directed grey-box fuzzing concentrates on searching target-related execution states. Experimental results on the benchmark show that this method significantly improves the efficiency of target state discovery.

    Abstract (English):

    Directed grey-box fuzzing measures how effectively a seed can discover the execution path towards the target. In addition to the closeness between the triggered execution and the target code lines, the ability to explore diversified execution paths is also important to avoid local optima. Current directed grey-box fuzzing methods measure this capability by coverage counting over the whole program. But only part of the program is responsible for the calculation of the target state. If a new seed brings only target-irrelevant state changes, it cannot enhance the queue's ability to explore the target state. What is worse, it may distract the fuzzer and waste time exploring target-irrelevant code logic. To solve this problem, this study presents a valid-coverage-guided directed grey-box fuzzing method. Static program slicing is used to locate the code region that can affect the target state, and interesting seeds are detected as those that bring new coverage differences in this code region. By enlarging the energy of these seeds and reducing that of the others (adjusting the power schedule), the fuzzer is guided to focus on seeds that help explore the different control flows the target depends on, mitigating the interference of redundant seeds. Experiments on the provided benchmark show that this strategy brings a significant performance improvement over AFLGo.
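To make the scheduling idea in the abstract concrete, here is an added Python sketch of valid-coverage-guided energy adjustment; it is an illustration written for this page, not the authors' implementation, and the slice-derived edge set, the seed edge sets and the boost/penalty factors are all constructed assumptions.

```python
# Added illustration (not the paper's implementation) of valid-coverage-guided power
# scheduling. Constructed assumptions: control-flow edges are small integers, the static
# slice of the target yields RELEVANT_EDGES, and each seed records the edges its run hit
# plus the base energy that the distance-based schedule already assigned to it.

RELEVANT_EDGES = {3, 4, 7, 8}  # constructed: edges on the backward slice of the target

class Seed:
    def __init__(self, name, edges, base_energy=100):
        self.name = name
        self.edges = set(edges)          # edges covered when executing this seed
        self.base_energy = base_energy   # e.g. from the distance-based schedule

def classify_seeds(seeds, relevant_edges=RELEVANT_EDGES):
    """Label each seed in queue order: 'valid' = new coverage inside the slice,
    'redundant' = new whole-program coverage only outside it, 'none' = nothing new."""
    seen_all, seen_valid, labels = set(), set(), {}
    for s in seeds:
        new_all = s.edges - seen_all
        new_valid = (s.edges & relevant_edges) - seen_valid
        seen_all |= s.edges
        seen_valid |= s.edges & relevant_edges
        labels[s.name] = "valid" if new_valid else ("redundant" if new_all else "none")
    return labels

def schedule_energy(seeds, relevant_edges=RELEVANT_EDGES, boost=2.0, penalty=0.25):
    """Raise the energy (number of offspring) of seeds that extend valid coverage and
    cut the energy of seeds whose only novelty lies in target-irrelevant code."""
    labels = classify_seeds(seeds, relevant_edges)
    factor = {"valid": boost, "redundant": penalty, "none": 1.0}
    return {s.name: int(s.base_energy * factor[labels[s.name]]) for s in seeds}

# Constructed queue: B looks interesting to a whole-program coverage metric but touches
# nothing the target depends on; C reaches new edges on the slice.
QUEUE = [
    Seed("A", {1, 2, 3}),
    Seed("B", {1, 2, 5, 6}),
    Seed("C", {1, 3, 4, 7}),
    Seed("D", {1, 2, 3}),
]

if __name__ == "__main__":
    print(classify_seeds(QUEUE))   # {'A': 'valid', 'B': 'redundant', 'C': 'valid', 'D': 'none'}
    print(schedule_energy(QUEUE))  # {'A': 200, 'B': 25, 'C': 200, 'D': 100}
```

Seed B is exactly the case the abstract warns about: a whole-program coverage metric would keep mutating it, while the slice-based metric cuts its energy.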

Cite this article:

Yang K, He YP, Ma HT, Cai CF, Xie Y, Dong K. Guiding Directed Grey-box Fuzzing by Target-oriented Valid Coverage. Ruan Jian Xue Bao/Journal of Software, 2022, 33(11): 3967-3982 (in Chinese with English abstract).

History:
  • Received: 2020-11-09
  • Revised: 2021-01-06
  • Published online: 2021-08-02
  • Published in print: 2022-11-06