Directed grey-box fuzzing technology based on dynamic energy regulation
Wei DAI, Yu-liang LU*, Kai-long ZHU
College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
Abstract Directed grey-box fuzzing (DGF) is a fuzzing technique that quickly generates test cases reaching a given target region of a program in order to find vulnerabilities there. To address the low efficiency of existing DGF techniques, a DGF technique based on dynamic energy regulation is proposed. The program's function call graph (CG) and control flow graphs (CFGs) are constructed by static analysis, and more accurate target distances are defined and computed at function level and at basic-block level. The distance from a seed to the target region is computed by tracking the seed's execution trace. A dynamic energy regulation function controls the number of mutations each seed receives during fuzzing, guiding the generation of test cases that reach the target region. A prototype DGF system, AFL-Ant, was implemented on this basis and compared experimentally with an existing DGF method. The results show that the proposed method tests the target region faster and more effectively, and that it has strong application value for patch testing and vulnerability reproduction.
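The pipeline the abstract describes, in runnable form: build the CG and per-function CFGs, compute function-level and basic-block-level target distances, derive each seed's distance from its execution trace, and turn that distance into a mutation budget. This is an added illustration, not code from the paper or from the AFL-Ant prototype. The toy program, its call sites, the target block and the three seed traces are constructed; the distance definitions follow the AFLGo scheme (the paper claims more accurate distances but its formulas are not on this page), and the annealing-style energy schedule is an assumed stand-in for the paper's dynamic energy regulation function.

```python
"""Toy pipeline for directed grey-box fuzzing: CG/CFG -> function-level and
basic-block-level target distances -> seed distance from a trace -> energy.
Added example; the distance formulas follow the AFLGo scheme (Boehme et al.,
CCS 2017) and the annealing-style energy schedule is an assumption standing
in for the paper's own regulation function, which this page does not give."""
from collections import deque

# Constructed toy program (not from the paper). Call graph: function -> callees.
CG = {"main": ["parse", "render"], "parse": ["read_chunk"],
      "render": ["log"], "read_chunk": [], "log": []}
# Per-function CFGs: basic block -> successor blocks (all within one function).
CFG = {
    "main":       {"main.0": ["main.1", "main.2"], "main.1": ["main.3"],
                   "main.2": ["main.3"], "main.3": []},
    "parse":      {"parse.0": ["parse.1", "parse.2"], "parse.1": ["parse.3"],
                   "parse.2": ["parse.3"], "parse.3": []},
    "render":     {"render.0": ["render.1"], "render.1": []},
    "read_chunk": {"read_chunk.0": ["read_chunk.1", "read_chunk.2"],
                   "read_chunk.1": [], "read_chunk.2": []},
    "log":        {"log.0": []},
}
CALLS = {"main.1": ["parse"], "main.2": ["render"],      # call-site block -> callees
         "parse.1": ["read_chunk"], "render.1": ["log"]}
TARGETS = {"read_chunk.2"}   # target block(s), e.g. a patched or crashing site
CALL_WEIGHT = 10             # AFLGo's constant c: cost of crossing a call edge


def bfs_dist(graph, src):
    """Hop count from src to every node reachable in an adjacency-list graph."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        n = queue.popleft()
        for m in graph[n]:
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return dist


def harmonic(values):
    """Harmonic mean over defined values; None if none defined; 0 if any is 0."""
    vals = [v for v in values if v is not None]
    if not vals:
        return None
    if 0 in vals:            # a zero term dominates the harmonic mean
        return 0.0
    return len(vals) / sum(1.0 / v for v in vals)


def function_distances(cg, target_funcs):
    """d_f(n): harmonic mean of CG shortest paths from n to each target function."""
    out = {}
    for fn in cg:
        hops = bfs_dist(cg, fn)
        out[fn] = harmonic([hops.get(t) for t in target_funcs])
    return out


def block_distances(cfg, calls, targets, d_f):
    """d_b(m): 0 at a target block; c * min d_f(callee) at a call site (a call
    straight into the target function therefore also scores 0, as in AFLGo);
    otherwise the harmonic mean of hops(m, t) + d_b(t) over reachable blocks t
    of the same function that have such a direct value. None = cannot reach."""
    direct = {}
    for blocks in cfg.values():
        for b in blocks:
            if b in targets:
                direct[b] = 0.0
            elif b in calls:
                ds = [d_f[c] for c in calls[b] if d_f.get(c) is not None]
                if ds:
                    direct[b] = CALL_WEIGHT * min(ds)
    d_b = {}
    for blocks in cfg.values():
        for m in blocks:
            if m in direct:
                d_b[m] = direct[m]
            else:
                hops = bfs_dist(blocks, m)
                d_b[m] = harmonic([h + direct[t] for t, h in hops.items() if t in direct])
    return d_b


def seed_distance(trace, d_b):
    """d(s): mean d_b over the blocks in the seed's trace that have a defined distance."""
    vals = [d_b[b] for b in trace if d_b.get(b) is not None]
    return sum(vals) / len(vals) if vals else None


def energy(d_s, d_min, d_max, t_elapsed, t_exploration, base=1.0):
    """Mutation budget multiplier (assumed annealing schedule): uniform at the
    start, then exponentially favouring seeds whose normalised distance is small."""
    norm = 0.0 if d_max == d_min else (d_s - d_min) / (d_max - d_min)
    temp = 20 ** (-t_elapsed / t_exploration)          # cools from 1 toward 0
    p = (1 - norm) * (1 - temp) + 0.5 * temp           # in [0, 1]
    return base * 2 ** (10 * p - 5)                    # in [1/32, 32]


if __name__ == "__main__":
    d_f = function_distances(CG, {t.rsplit(".", 1)[0] for t in TARGETS})
    d_b = block_distances(CFG, CALLS, TARGETS, d_f)
    traces = {  # constructed execution traces of three seeds
        "A": ["main.0", "main.2", "render.0", "render.1", "log.0", "main.3"],
        "B": ["main.0", "main.1", "parse.0", "parse.2", "parse.3", "main.3"],
        "C": ["main.0", "main.1", "parse.0", "parse.1", "read_chunk.0",
              "read_chunk.1", "parse.3", "main.3"],
    }
    dists = {s: seed_distance(tr, d_b) for s, tr in traces.items()}
    lo, hi = min(dists.values()), max(dists.values())
    for s, d in dists.items():
        print(s, round(d, 2), [round(energy(d, lo, hi, t, 100), 3) for t in (0, 100, 1000)])
```

Running the script prints each seed's distance and its energy multiplier at three points in the campaign. All three seeds get the same budget at the start; once the exploration phase has cooled, seed C, whose trace enters read_chunk, approaches the maximum 32x multiplier while seed A, whose trace never leaves render, falls to about 1/32. Blocks with distance None (no path to the target) simply drop out of the seed average, which is the behaviour a practitioner usually wants when only part of a trace is relevant.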
Received: 04 July 2019
Published: 28 August 2020

Corresponding Authors:
Yu-liang LU
E-mail: 1821007360@qq.com; 451762681@qq.com
Chinese title: 基于动态能量调控的导向式灰盒模糊测试技术 (Directed grey-box fuzzing technology based on dynamic energy regulation)
Abstract (translated from the Chinese): Directed grey-box fuzzing (DGF) is a fuzzing technique that can quickly generate test cases that reach a given target region of the program and discover vulnerabilities. To address the low testing efficiency of current DGF techniques, a DGF technique based on dynamic energy regulation is proposed. Static analysis is used to construct the program's function call graph (CG) and control flow graphs (CFGs), and more accurate function-level and basic-block-level target distances are defined and computed; the distance from a seed to the target region is computed by tracking the seed's execution trace; a dynamic energy regulation function regulates the number of mutations applied to seeds during fuzzing more effectively, guiding the generation of test cases that reach the target region. On this basis the directed fuzzing prototype AFL-Ant was implemented and compared experimentally with existing directed fuzzing methods. The results show that the proposed method tests the target region faster and more effectively, and has strong application value for patch testing and vulnerability reproduction.
Keywords:
grey-box fuzzing,
static analysis,
distance computation,
dynamic energy regulation,
directed fuzzing