Grey-box Fuzzing Mutation Optimization for Incrementally Cumulative Defects
Authors:
Author biographies:

Yang Ke (born 1989), male, PhD; main research interests: software security analysis, operating system security. He Yeping (born 1962), male, PhD, research professor, doctoral supervisor; main research interests: system security, privacy protection. Ma Hengtai (born 1970), male, PhD, associate research professor; main research interests: software security analysis, operating system security. Dong Ke (born 1996), male, master's degree; main research interests: software security analysis, operating system security. Xie Yi (born 1995), male, master's degree; main research interests: software security analysis, operating system security. Cai Chunfang (born 1996), female, master's degree; main research interests: software security analysis, operating system security.

Corresponding authors:

He Yeping, yeping@iscas.ac.cn; Ma Hengtai, hengtai@iscas.ac.cn

CLC number:

TP311

Funding:

Strategic Priority Research Program of the Chinese Academy of Sciences (XDA-Y01-01, XDC02010600)


Mutation Optimization of Directional Fuzzing for Cumulative Defects
Chinese abstract:

Many defects such as out-of-bounds access, memory exhaustion and performance failures are caused by the amount of valid data in an input being too large and exceeding a critical value. However, the dependent-data identification and mutation optimization techniques in existing grey-box fuzzing mostly target input formats of fixed size and are inefficient at constructing inputs whose data size grows incrementally. To address this, for the problem of optimizing the state feature value that corresponds to fuzzing for this class of cumulative defects, this study proposes a method that judges the format of the input data on which the feature value depends and applies differential mutation. From the offset distribution and discovery frequency of the effective mutations that trigger updates of the feature value's extremum, it determines whether optimizing the state of the defect to be discovered depends on growth in the size of the related data in the input, and reuses the content of the effective mutations that triggered extremum updates to generate inputs of increasing size, improving the efficiency of reproducing and directed testing of such cumulative defects. Following this idea, the fuzzing tool Jigsaw is implemented. Experimental results on the evaluation data set show that the proposed judgment method efficiently distinguishes the organization of the input data on which the feature value depends, and that the proposed differential mutation method significantly improves the efficiency of reproducing cumulative defects that require a large amount of input to trigger.

English abstract:

Many quantifiable state-out-of-bound software defects, such as access violations, memory exhaustion, and performance failures, are caused by a large quantity of input data. However, existing dependent-data identification and mutation optimization techniques for grey-box fuzzing mainly focus on fixed-length data formats. They are not efficient at increasing the amount of cumulated data required to reach the accumulated buggy states. This study proposes a differential mutation method to accelerate feature state optimization during directed fuzzing. By monitoring the seeds that update the maximum or minimum state value of the cumulative defect, the effective mutation offsets and contents are determined. The frequency and offset distribution of the effective mutations are then leveraged to distinguish whether the feature value of the defect depends on a fixed field or on cumulative data in the input. The effective mutation content is reused as material in the cumulative input mutation to accelerate bug reproduction or directed testing. Based on this idea, this study implements the fuzzing tool Jigsaw. The evaluation results on the experimental data set show that the proposed dependency detection method can efficiently detect the input data type that drives the feature value of cumulative defects, and that the mutation method significantly shortens the reproduction time of cumulative defects that require a large amount of specific input data.
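As an added illustration that is not part of the paper or of the Jigsaw tool, the following Python sketch simulates the dependency judgment and differential mutation the abstract describes on two constructed toy targets (a fixed header field and a cumulative record count); the targets, the 50% mode-offset rule and the round counts are assumptions made here.

```python
import random
from collections import Counter

# Constructed toy targets, not Jigsaw's own code. Each returns the "feature
# value" a cumulative defect depends on (e.g. bytes a parser would allocate).
def fixed_field_target(data: bytes) -> int:
    """Feature value comes from one fixed header byte at offset 0."""
    return data[0] if data else 0

def cumulative_target(data: bytes) -> int:
    """Feature value grows with the number of 'R' record markers in the input."""
    return data.count(b"R")

def random_mutation(seed, rng):
    """One byte-level mutation; returns (new_input, offset, content)."""
    content = bytes([rng.randrange(256)])
    if seed and rng.random() < 0.5:                    # overwrite one byte
        off = rng.randrange(len(seed))
        return seed[:off] + content + seed[off + 1:], off, content
    off = rng.randrange(len(seed) + 1)                 # insert one byte
    return seed[:off] + content + seed[off:], off, content

def fuzz_and_classify(target, rounds=6000, seed=b"\x00" * 8, rng_seed=1):
    """Record mutations that raise the running maximum of the feature value,
    then judge from their offset distribution whether the value depends on a
    fixed field (hits cluster on one offset) or on cumulative data (spread)."""
    rng, best, effective = random.Random(rng_seed), target(seed), []
    for _ in range(rounds):
        cand, off, content = random_mutation(seed, rng)
        val = target(cand)
        if val > best:                                 # maximum updated
            best, seed = val, cand
            effective.append((off, content))
    if not effective:
        return "unknown", effective, seed
    _, mode_hits = Counter(off for off, _ in effective).most_common(1)[0]
    kind = "fixed" if mode_hits >= 0.5 * len(effective) else "cumulative"
    return kind, effective, seed

def differential_mutation(seed, effective, copies):
    """Reuse the content of the effective mutations as material and append
    it repeatedly, so the dependent data grows instead of being re-guessed."""
    material = b"".join(content for _, content in effective)
    return seed + material * copies

def copies_to_reach(target, seed, effective, threshold):
    """Differential steps needed before the feature value reaches threshold."""
    for copies in range(1, 10_000):
        if target(differential_mutation(seed, effective, copies)) >= threshold:
            return copies
```

With the cumulative target, every effective mutation turns out to be a single inserted or overwritten `R`, so appending that material reaches a large record count in a handful of steps where blind byte mutation needs thousands of rounds.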

Cite this article:

Yang K, He YP, Ma HT, Dong K, Xie Y, Cai CF. Grey-box fuzzing mutation optimization for incrementally cumulative defects. Journal of Software, 2023, 34(5): 2286–2299.

History
  • Received: 2021-03-14
  • Revised: 2021-06-17
  • Published online: 2022-10-14
  • Published in issue: 2023-05-06
Copyright: Institute of Software, Chinese Academy of Sciences