Journal of ZheJiang University (Engineering Science)  2020, Vol. 54 Issue (8): 1534-1542    DOI: 10.3785/j.issn.1008-973X.2020.08.011
    
Directed grey-box fuzzing technology based on dynamic energy regulation
Wei DAI(),Yu-liang LU*(),Kai-long ZHU
College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China

Abstract  

Directed grey-box fuzzing (DGF) is a fuzzing technique that quickly generates test cases reaching a given target region of a program in order to find vulnerabilities there. To address the low efficiency of existing DGF techniques, a DGF technique based on dynamic energy regulation was proposed. The function call graph (CG) and control flow graphs (CFGs) of the program are constructed by static analysis, and more accurate target distances at the function level and the basic-block level are defined and calculated. The distance from a seed to the target region is calculated by tracking the seed's execution trace. A dynamic energy regulation function controls the number of mutations applied to each seed during fuzzing, guiding the generation of test cases that reach the target region. A prototype DGF system, AFL-Ant, was implemented based on this method and compared experimentally with an existing DGF method. Results demonstrate that the proposed method tests the target region faster and more effectively, and that it has strong application value in patch testing and vulnerability reproduction.
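The distance computation described in the abstract, as an added worked example that is not AFL-Ant's code and does not reproduce the paper's formulas (which are not on this page): a constructed call graph and CFGs, an AFLGo-style harmonic-mean function distance, an assumed call-edge weight C, seed distance as the mean block distance along a recorded trace, and a stand-in energy schedule that depends on seed distance and iteration number.

```python
from collections import deque
from statistics import harmonic_mean

CG = {"main": {"parse", "emit"}, "parse": {"decode"}, "decode": set(), "emit": set()}  # constructed call graph
CFG = {"main:b0": ({"main:b1", "main:b2"}, ["parse"]), "main:b1": (set(), ["emit"]),   # block -> (successors, calls)
       "main:b2": (set(), []), "parse:b0": ({"parse:b1", "parse:b2"}, []),
       "parse:b1": ({"parse:b3"}, ["decode"]), "parse:b2": ({"parse:b3"}, []),
       "parse:b3": (set(), []), "decode:b0": ({"decode:b1"}, []),
       "decode:b1": (set(), []), "emit:b0": (set(), [])}
TARGETS = {"decode:b1"}  # target sites, e.g. a patched or crashing block
C = 10                   # assumed weight of one call edge relative to one CFG edge

def bfs(succ, start):
    """Hop count from start to every node reachable through succ."""
    dist, q = {start: 0}, deque([start])
    while q:
        n = q.popleft()
        for m in succ.get(n, ()):
            if m not in dist:
                dist[m] = dist[n] + 1
                q.append(m)
    return dist

def function_distance(f):
    """Function level: harmonic mean of CG hops from f to the reachable target functions."""
    d = bfs(CG, f)
    hits = [d[t] for t in {t.split(":")[0] for t in TARGETS} if t in d]
    return harmonic_mean(hits) if hits else None  # None: no target reachable from f

def block_distance(b):
    """Basic-block level: cheapest route from b to a target block or into a target-reaching callee."""
    d = bfs({k: v[0] for k, v in CFG.items()}, b)
    cands = [hops for n, hops in d.items() if n in TARGETS]
    for n, hops in d.items():
        for g in CFG[n][1]:
            df = function_distance(g)
            if df is not None:
                cands.append(hops + C * (1 + df))
    return min(cands) if cands else None

def seed_distance(trace):
    """Seed distance: mean block distance along the recorded execution trace."""
    ds = [x for x in map(block_distance, trace) if x is not None]
    return sum(ds) / len(ds) if ds else None

def energy(sd, d_min, d_max, iteration, max_iter, base=16):
    """Assumed stand-in for the paper's regulation function: neutral at iteration 0, then favours the closest seeds."""
    norm = 0.0 if d_max == d_min else (sd - d_min) / (d_max - d_min)
    ramp = min(1.0, iteration / max_iter)
    return max(1, round(2 * base * ((1 - norm) * ramp + 0.5 * (1 - ramp))))
```

A trace that reaches decode:b1 gets a smaller seed distance than one that takes the parse:b2 branch, and with a growing iteration number the energy schedule shifts mutations towards it.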



Key words: grey-box fuzzing; static analysis; distance calculation; dynamic energy regulation; directed fuzzing
Received: 04 July 2019      Published: 28 August 2020
CLC:  TP 309  
Corresponding Authors: Yu-liang LU     E-mail: 1821007360@qq.com;451762681@qq.com
Cite this article:

Wei DAI,Yu-liang LU,Kai-long ZHU. Directed grey-box fuzzing technology based on dynamic energy regulation. Journal of ZheJiang University (Engineering Science), 2020, 54(8): 1534-1542.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2020.08.011     OR     http://www.zjujournals.com/eng/Y2020/V54/I8/1534


Abstract (Chinese version)

Directed grey-box fuzzing (DGF) is a fuzzing technique that can quickly generate test cases reaching a given target region of a program and discover vulnerabilities. To address the low testing efficiency of current DGF techniques, a DGF technique based on dynamic energy regulation is proposed. Static analysis is used to construct the program's function call graph (CG) and control flow graphs (CFGs), and more accurate function-level and basic-block-level target distances are defined and computed; by tracking a seed's execution trace, the distance from the seed to the target region is computed; based on a dynamic energy regulation function, the number of mutations applied to seeds during fuzzing is regulated more effectively, guiding the generation of test cases that reach the target region. Based on this method, the directed fuzzing prototype system AFL-Ant is implemented and compared experimentally with existing directed fuzzing methods. The results show that the proposed method can test the target region faster and more effectively, and has strong application value in patch testing and vulnerability reproduction.

Key words: grey-box fuzzing; static analysis; distance calculation; dynamic energy regulation; directed fuzzing
Fig.1 Framework of DGF technology
Fig.2 Example of function call
Fig.3 Example of seed execution path
Fig.4 Effect of iteration number on seed energy
Fig.5 Effect of seed distance on seed energy
Fig.6 Change of energy regulatory factors
Vulnerability ID  Tool     Runs  TTE / s  F     Â12
2016-4487         AFL-Ant  20    161      1.60  0.72
                  AFLGO    20    181      1.42  0.60
                  AFL      20    257      -     -
2016-4488         AFL-Ant  20    531      1.94  0.81
                  AFLGO    20    683      1.51  0.71
                  AFL      20    1031     -     -
2016-4489         AFL-Ant  20    190      2.24  0.72
                  AFLGO    20    175      2.43  0.68
                  AFL      20    425      -     -
2016-4490         AFL-Ant  20    91       0.66  0.31
                  AFLGO    20    87       0.69  0.28
                  AFL      20    60       -     -
2016-4491         AFL-Ant  10    23262    0.87  0.49
                  AFLGO    5     24121    0.83  0.41
                  AFL      7     20139    -     -
2016-4492         AFL-Ant  20    531      1.78  0.89
                  AFLGO    20    518      1.82  0.83
                  AFL      20    943      -     -
2016-6131         AFL-Ant  7     20131    1.32  0.68
                  AFLGO    5     21230    1.25  0.63
                  AFL      3     26590    -     -
Tab.1 Results of GNU Binutils' vulnerability reproduction
Vulnerability ID  Tool     Runs  TTE / s  F      Â12
2011-2501         AFL-Ant  20    341      3.23   0.83
                  AFLGO    20    373      2.95   0.79
                  AFL      20    1102     -      -
2011-3328         AFL-Ant  20    2315     4.67   0.97
                  AFLGO    20    2508     4.31   0.93
                  AFL      20    10800    -      -
2015-8472         AFL-Ant  20    31       8.68   0.84
                  AFLGO    20    26       10.35  0.91
                  AFL      20    269      -      -
2015-8540         AFL-Ant  20    221      2.91   0.76
                  AFLGO    20    201      3.20   0.74
                  AFL      20    643      -      -
2018-13785        AFL-Ant  20    881      2.76   0.75
                  AFLGO    20    1002     2.43   0.71
                  AFL      20    2431     -      -
Tab.2 Results of Libpng's vulnerability reproduction
Target site      Tool     Runs  TTE / s  F     Â12
pngread.c:730    AFL-Ant  10    23       6.50  0.92
                 Ant-GO   10    40       3.75  0.89
                 AFLGO    10    61       2.46  0.83
                 AFL      10    150      -     -
pngtrans.c:686   AFL-Ant  7     6101     1.42  0.78
                 Ant-GO   6     6940     1.25  0.64
                 AFLGO    5     7521     1.16  0.51
                 AFL      3     8710     -     -
tif_read.c:447   AFL-Ant  10    69       3.33  0.96
                 Ant-GO   10    84       2.74  0.94
                 AFLGO    10    103      2.23  0.91
                 AFL      10    230      -     -
tif_jbig.c:211   AFL-Ant  9     2180     2.12  0.88
                 Ant-GO   7     2317     2.00  0.85
                 AFLGO    5     2912     1.59  0.79
                 AFL      4     4620     -     -
Tab.3 Results of target site coverage