TaintPoint:使用活跃轨迹高效挖掘污点风格漏洞
CSTR:
作者:
作者单位:

作者简介:

方浩然(1996-),男,硕士生,主要研究领域为编译器,程序分析;李航宇(1995-),男,硕士生,CCF学生会员,主要研究领域为模糊测试,静态分析,机器学习;郭帆(1977-),男,博士,副教授,CCF专业会员,主要研究领域为网络安全,程序分析,漏洞挖掘

通讯作者:

郭帆,E-mail:fguo@jxnu.edu.cn

中图分类号:

TP311

基金项目:

国家自然科学基金(61562040);江西省教育厅科技项目(GJJ200313)


TaintPoint: Fuzzing Taint Flow Efficiently with Live Trace
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    覆盖反馈的灰盒Fuzzing已经成为漏洞挖掘最有效的方式之一.广泛使用的边覆盖是一种控制流信息,然而在面向污点风格(taint-style)的漏洞挖掘时,这种反馈信息过于粗糙.大量污点无关的种子被加入队列,污点相关的种子数量又过早收敛,导致Fuzzing失去进化方向,无法高效测试Source和Sink之间的信息流.首先,详细分析了现有反馈机制在检测污点风格漏洞时不够高效的原因;其次,提出了专门用于污点风格漏洞挖掘的模糊器TaintPoint.TaintPoint在控制流轨迹的基础上加入了活跃污点这一数据流信息,形成活跃轨迹(live trace)作为覆盖反馈,并围绕活跃轨迹分别在插桩、种子过滤、选择和变异阶段改进现有方法.在UAFBench上的实验结果表明:TaintPoint检测污点风格漏洞的效率、产出和速度优于业界领先的通用模糊器AFL++及定向模糊器AFLGO;此外,在两个开源项目上发现了4个漏洞并被确认.

    Abstract:

    Coverage-guided fuzzing has become one of the most effective ways of vulnerability detection. The widely used edge coverage is a kind of control flow information. However this feedback information is too coarse when detecting taint-style vulnerabilities. A large number of taint-independent seeds are added to the queue, and the number of taint-related seeds converges prematurely, which leads to the loss of evolutionary direction of fuzzing and unable to efficiently test the information flow between source and sink. Firstly, the reasons why the existing feedback mechanism is not efficient enough in detecting taint style vulnerabilities are analyzed. Secondly, TaintPoint, a fuzzer dedicated to taint style vulnerability detection, is proposed. TaintPoint adds live taint as data flow information on the basis of control flow traces to form the live trace as coverage feedback, and the live trace is used to improve the existing method in the instrumentation, seed filtering, selection, and mutation stages respectively. Experimental results on UAFBench show that the efficiency, output, and speed of TaintPoint in detecting taint-style vulnerabilities surpass the industry-leading general-purpose fuzzer AFL++ and directed fuzzer AFLGO. In addition, four vulnerabilities arefound and confirmed on two open source projects.

    参考文献
    相似文献
    引证文献
引用本文

方浩然,郭帆,李航宇. TaintPoint:使用活跃轨迹高效挖掘污点风格漏洞.软件学报,2022,33(6):1978-1995

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2021-09-04
  • 最后修改日期:2021-10-15
  • 录用日期:
  • 在线发布日期: 2022-01-28
  • 出版日期: 2022-06-06
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号