Journal of Zhejiang University (Engineering Science)  2020, Vol. 54 Issue (8): 1534-1542    DOI: 10.3785/j.issn.1008-973X.2020.08.011
Computer Technology
Directed grey-box fuzzing technology based on dynamic energy regulation
Wei DAI, Yu-liang LU*, Kai-long ZHU
College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
Abstract (translated from the Chinese):

Directed grey-box fuzzing (DGF) is a fuzzing technique that can quickly generate test cases that reach a given target region of the program and discover vulnerabilities. To address the low testing efficiency of current DGF techniques, a DGF technique based on dynamic energy regulation is proposed. Static analysis is used to build the program's function call graph (CG) and control flow graphs (CFGs), and more accurate function-level and basic-block-level target distances are defined and computed; the distance from a seed to the target region is computed by tracing the seed's execution path; a dynamic energy regulation function controls the number of mutations applied to each seed during fuzzing more effectively, guiding the generation of test cases that reach the target region. On this basis, the directed fuzzing prototype AFL-Ant is implemented and compared experimentally with existing directed fuzzing methods. The results show that the proposed method tests the target region faster and more effectively, and has strong practical value in patch testing and vulnerability reproduction.

Keywords: grey-box fuzzing; static analysis; distance calculation; dynamic energy regulation; directed fuzzing
Abstract:

Directed grey-box fuzzing (DGF) is a kind of fuzzing technology which can quickly generate test cases to reach a given target area of the program and find vulnerabilities. A DGF technology based on dynamic energy regulation was proposed, aiming at the inefficiency of existing DGF technology. The function call graph (CG) and control flow graphs (CFGs) of the program are constructed by static analysis technology, and the more accurate target distance at function level and basic block level is defined and calculated. The distance from seed to the target area is calculated by tracking the execution trajectory of the seed. The dynamic energy regulation function is used to effectively control the mutation quantity of seeds in the process of fuzzing, and to guide the generation of test cases that can reach the target area. A prototype system AFL-Ant for DGF was implemented based on this method, and the comparison experiments with the existing DGF method were carried out. Results demonstrate that the proposed method can test the target area faster and more effectively, and it has strong application value in patch testing and vulnerability reproduction.

Key words: grey-box fuzzing; static analysis; distance calculation; dynamic energy regulation; directed fuzzing
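The abstract describes three computations that make a fuzzer "directed": a function-level distance over the call graph, a basic-block-level distance over each CFG, and a per-seed distance derived from the seed's execution trace, which then drives how much mutation energy the seed receives. The following added example (written for this page, not the authors' AFL-Ant code) works those steps through on a constructed call graph and CFGs. The distance definitions follow the AFLGo style (harmonic mean of call-graph hops, a weighted call edge, CFG hops to the nearest anchored block, arithmetic mean over the trace); the energy schedule is a simple annealing function chosen for illustration, because the paper's own regulation function is not given on this page. All function and block names, traces, and constants are constructed.

```python
# Added worked example, not the paper's AFL-Ant code. It implements AFLGo-style
# directed-fuzzing distances over a constructed call graph (CG) and CFGs, a seed
# distance from an execution trace, and an illustrative time-dependent energy
# schedule. All graphs, block names, traces and constants are constructed here;
# the paper's own energy regulation function is not given on this page.
from collections import deque

CALL_GRAPH = {                     # caller -> callees (constructed)
    "main": ["parse_header", "process"],
    "parse_header": ["read_chunk"],
    "process": ["read_chunk", "render"],
    "read_chunk": [],
    "render": [],
}
CFGS = {                           # function -> {block: successors} (constructed)
    "main":         {"m0": ["m1", "m2"], "m1": ["m3"], "m2": ["m3"], "m3": []},
    "parse_header": {"p0": ["p1"], "p1": []},
    "process":      {"q0": ["q1", "q2"], "q1": ["q3"], "q2": ["q3"], "q3": []},
    "read_chunk":   {"r0": ["r1", "r2"], "r1": ["r3"], "r2": ["r3"], "r3": []},
    "render":       {"v0": []},
}
CALL_SITES = {"m1": "parse_header", "m2": "process", "p0": "read_chunk",
              "q1": "read_chunk", "q2": "render"}   # block -> callee
TARGET_FUNCS = {"read_chunk"}      # function holding the target site
TARGET_BLOCKS = {"r1"}             # the target basic block itself
CALL_WEIGHT = 10                   # weight of a call edge relative to a CFG edge


def bfs_hops(graph, src):
    """Shortest hop count from src to every node reachable in a directed graph."""
    hops = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for succ in graph.get(node, []):
            if succ not in hops:
                hops[succ] = hops[node] + 1
                queue.append(succ)
    return hops


def function_distance(fn):
    """Function-level distance: harmonic mean of CG hop counts from fn to the
    target functions it can reach; 0 if fn is a target; None if none reachable."""
    hops = bfs_hops(CALL_GRAPH, fn)
    reach = [hops[t] for t in TARGET_FUNCS if t in hops]
    if not reach:
        return None
    if 0 in reach:
        return 0.0
    return len(reach) / sum(1.0 / h for h in reach)


def block_distance(fn, block):
    """Basic-block distance inside fn's CFG: 0 at a target block, CALL_WEIGHT *
    function_distance(callee) at a call site, otherwise the CFG hop count to the
    nearest block that has a distance; None if no target is reachable from block."""
    cfg = CFGS[fn]
    anchored = {}                  # blocks with a directly known distance
    for b in cfg:
        if b in TARGET_BLOCKS:
            anchored[b] = 0.0
        elif b in CALL_SITES:
            fd = function_distance(CALL_SITES[b])
            if fd is not None:
                anchored[b] = CALL_WEIGHT * fd
    hops = bfs_hops(cfg, block)
    candidates = [hops[b] + d for b, d in anchored.items() if b in hops]
    return min(candidates) if candidates else None


def seed_distance(trace):
    """Seed distance: mean block distance over the executed (fn, block) pairs
    that have a defined distance; None if the trace never nears a target."""
    ds = []
    for fn, b in trace:
        d = block_distance(fn, b)
        if d is not None:
            ds.append(d)
    return sum(ds) / len(ds) if ds else None


def energy(dist, dmin, dmax, t_elapsed, t_exploit, base=64):
    """Illustrative annealing schedule (an assumption, not the paper's regulator):
    early on every seed gets the base budget; as the temperature cools the
    budget grows for seeds close to the target and shrinks for distant ones."""
    norm = 0.0 if dmax == dmin else (dist - dmin) / (dmax - dmin)
    temp = 20 ** (-t_elapsed / t_exploit)          # 1.0 -> 0.05 over t_exploit
    p = (1 - norm) * (1 - temp) + 0.5 * temp       # 0.5 at start, 1-norm at end
    return int(base * 2 ** (10 * p - 5))


# Constructed traces: A takes the parse_header path but misses block r1,
# B never enters read_chunk, C executes the target block r1.
TRACE_A = [("main", "m0"), ("main", "m1"), ("parse_header", "p0"), ("read_chunk", "r0"),
           ("read_chunk", "r2"), ("read_chunk", "r3"), ("parse_header", "p1"), ("main", "m3")]
TRACE_B = [("main", "m0"), ("main", "m2"), ("process", "q0"), ("process", "q2"),
           ("render", "v0"), ("process", "q3"), ("main", "m3")]
TRACE_C = [("main", "m0"), ("main", "m1"), ("parse_header", "p0"), ("read_chunk", "r0"),
           ("read_chunk", "r1"), ("read_chunk", "r3"), ("parse_header", "p1"), ("main", "m3")]


def schedule(traces, t_elapsed, t_exploit=3600.0):
    """Assign a mutation budget to each seed from its distance to the target."""
    dists = [seed_distance(t) for t in traces]
    known = [d for d in dists if d is not None]
    dmin, dmax = min(known), max(known)
    return [energy(d if d is not None else dmax, dmin, dmax, t_elapsed, t_exploit)
            for d in dists]


if __name__ == "__main__":
    for name, tr in (("A", TRACE_A), ("B", TRACE_B), ("C", TRACE_C)):
        print(name, seed_distance(tr))
    print("start :", schedule([TRACE_A, TRACE_B, TRACE_C], 0.0))
    print("1 hour:", schedule([TRACE_A, TRACE_B, TRACE_C], 3600.0))
```

Running the script shows the two phases the abstract's energy regulation is about: at the start all three seeds receive the same budget (pure exploration), while after the exploitation window the seed that already executes the target block receives far more mutations than the seed that never enters the target function. A fuzzer that used only the seed distance, without the time-dependent factor, would starve new, far-away seeds before they had a chance to discover a shorter path.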
Received: 2019-07-04; Published: 2020-08-28
CLC: TP 309
Funding: National Key Research and Development Program of China, key special project (2017YFB0802900)
Corresponding author: Yu-liang LU     E-mail: 1821007360@qq.com; 451762681@qq.com
Author biography: Wei DAI (born 1995), male, master's student, working on vulnerability discovery and exploitation techniques. orcid.org/0000-0002-4970-0169. E-mail: 1821007360@qq.com
Cite this article:

Wei DAI, Yu-liang LU, Kai-long ZHU. Directed grey-box fuzzing technology based on dynamic energy regulation. Journal of Zhejiang University (Engineering Science), 2020, 54(8): 1534-1542.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2020.08.011
http://www.zjujournals.com/eng/CN/Y2020/V54/I8/1534

Fig. 1  Framework of the directed grey-box fuzzing technique
Fig. 2  Example of function calls
Fig. 3  Example of a seed's execution path
Fig. 4  Effect of the iteration count on seed energy
Fig. 5  Effect of seed distance on seed energy
Fig. 6  Variation of the energy regulation factor
Table 1  Vulnerability reproduction results for GNU Binutils

CVE ID      Tool     Runs   TTE / s   F (vs. AFL)   Â12 (vs. AFL)
2016-4487   AFL-Ant  20     161       1.60          0.72
2016-4487   AFLGO    20     181       1.42          0.60
2016-4487   AFL      20     257       –             –
2016-4488   AFL-Ant  20     531       1.94          0.81
2016-4488   AFLGO    20     683       1.51          0.71
2016-4488   AFL      20     1031      –             –
2016-4489   AFL-Ant  20     190       2.24          0.72
2016-4489   AFLGO    20     175       2.43          0.68
2016-4489   AFL      20     425       –             –
2016-4490   AFL-Ant  20     91        0.66          0.31
2016-4490   AFLGO    20     87        0.69          0.28
2016-4490   AFL      20     60        –             –
2016-4491   AFL-Ant  10     23262     0.87          0.49
2016-4491   AFLGO    5      24121     0.83          0.41
2016-4491   AFL      7      20139     –             –
2016-4492   AFL-Ant  20     531       1.78          0.89
2016-4492   AFLGO    20     518       1.82          0.83
2016-4492   AFL      20     943       –             –
2016-6131   AFL-Ant  7      20131     1.32          0.68
2016-6131   AFLGO    5      21230     1.25          0.63
2016-6131   AFL      3      26590     –             –
Table 2  Vulnerability reproduction results for Libpng

CVE ID       Tool     Runs   TTE / s   F (vs. AFL)   Â12 (vs. AFL)
2011-2501    AFL-Ant  20     341       3.23          0.83
2011-2501    AFLGO    20     373       2.95          0.79
2011-2501    AFL      20     1102      –             –
2011-3328    AFL-Ant  20     2315      4.67          0.97
2011-3328    AFLGO    20     2508      4.31          0.93
2011-3328    AFL      20     10800     –             –
2015-8472    AFL-Ant  20     31        8.68          0.84
2015-8472    AFLGO    20     26        10.35         0.91
2015-8472    AFL      20     269       –             –
2015-8540    AFL-Ant  20     221       2.91          0.76
2015-8540    AFLGO    20     201       3.20          0.74
2015-8540    AFL      20     643       –             –
2018-13785   AFL-Ant  20     881       2.76          0.75
2018-13785   AFLGO    20     1002      2.43          0.71
2018-13785   AFL      20     2431      –             –
Table 3  Target site coverage results

Target site       Tool     Runs   TTE / s   F (vs. AFL)   Â12 (vs. AFL)
pngread.c:730     AFL-Ant  10     23        6.50          0.92
pngread.c:730     Ant-GO   10     40        3.75          0.89
pngread.c:730     AFLGO    10     61        2.46          0.83
pngread.c:730     AFL      10     150       –             –
pngtrans.c:686    AFL-Ant  7      6101      1.42          0.78
pngtrans.c:686    Ant-GO   6      6940      1.25          0.64
pngtrans.c:686    AFLGO    5      7521      1.16          0.51
pngtrans.c:686    AFL      3      8710      –             –
tif_read.c:447    AFL-Ant  10     69        3.33          0.96
tif_read.c:447    Ant-GO   10     84        2.74          0.94
tif_read.c:447    AFLGO    10     103       2.23          0.91
tif_read.c:447    AFL      10     230       –             –
tif_jbig.c:211    AFL-Ant  9      2180      2.12          0.88
tif_jbig.c:211    Ant-GO   7      2317      2.00          0.85
tif_jbig.c:211    AFLGO    5      2912      1.59          0.79
tif_jbig.c:211    AFL      4      4620      –             –