Programmable Fuzzing Technology
Author:
  • YANG Mei-Fang
  • HUO Wei
  • ZOU Yan-Yan
  • YIN Jia-Wei
  • LIU Bao-Xu
  • GONG Xiao-Rui
  • JIA Xiao-Qi
  • ZOU Wei

Affiliation (all authors):

Institute of Information Engineering, The Chinese Academy of Sciences, Beijing 100195, China; Key Laboratory of Network Assessment Technology (Institute of Information Engineering, The Chinese Academy of Sciences), The Chinese Academy of Sciences, Beijing 100195, China; Beijing Key Laboratory of Network Security and Protection Technology (Institute of Information Engineering, The Chinese Academy of Sciences), Beijing 100195, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China

Fund Project:

Program of Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences; Program of Beijing Key Laboratory of Network Security and Protection Technology; Foundation of Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences (CXJJ-17S049); National Key Research and Development Program of China (2016QY0714 05)

    Abstract:

    Fuzzing is an effective vulnerability discovery technique. To overcome the inefficiency caused by blind mutation, security engineers must customize a fuzzer in every respect, including input characteristics, mutation methods, seed sample screening, and the discovery and analysis of abnormal samples, which is very costly. To meet the need for low-cost customization and high scalability of a universal fuzzer (i.e., a fuzzer that supports multiple input formats and multiple target programs), this paper first proposes a programmable fuzzing framework. With this framework, customizing a fuzzer requires security engineers only to write directive programs, which sharply improves the efficiency of developing a fuzzer without reducing the effectiveness of fuzzing. The framework consists of a set of fuzzing primitives, a fuzzing directive specification (FDS), and an FDS parser. The fuzzing primitives, which cover mutation, monitoring, and guiding, are the basic statements of a directive program; the FDS and the FDS parser support writing and parsing directive programs as well as generating fuzzers. Using a prototype implementation of the framework, called Puzzer, security engineers can implement the core functions of five mainstream fuzzers, covering 87.8% of their basic operations in total, with only about 54 lines of code. A fuzzer functionally equivalent to AFL can be built with Puzzer in only 51 lines of code while achieving the same effectiveness.

Get Citation

YANG Mei-Fang, HUO Wei, ZOU Yan-Yan, YIN Jia-Wei, LIU Bao-Xu, GONG Xiao-Rui, JIA Xiao-Qi, ZOU Wei. Programmable Fuzzing Technology. Journal of Software (软件学报), 2018, 29(5): 1258-1274
History
  • Received: July 01, 2017
  • Revised: August 29, 2017
  • Accepted: November 21, 2017
  • Online: January 09, 2018
Copyright: Institute of Software, Chinese Academy of Sciences. Beijing ICP No. 05046678-4