结构状态覆盖导向的灰盒模糊测试技术

doi:10.19665/j.issn1001-2400.2021.01.013

摘要/Abstract

摘要：

为了解决代码覆盖反馈指标无法有效解决程序状态覆盖的问题,提出一种以源码中特定代码结构的状态覆盖率作为反馈指标的模糊测试方法,引入了目标结构状态覆盖分布的概念。通过对特定结构进行插桩,统计目标结构状态分布,依据结构状态分布筛选种子并进行能量调度,以实现程序状态覆盖均匀化。该方法实现了原型系统SFL,并与现存的代码覆盖导向的模糊测试方法AFL进行了对比试验。实验结果表明,文中的方法对程序状态覆盖更充分,能够加速特定类型漏洞的发现速度。

关键词: 漏洞挖掘, 模糊测试, 网络安全

Abstract:

In order to solve the problem of program state coverage that cannot be effectively solved by code coverage feedback indicators,we propose a fuzzing method that uses the state coverage of a specific code structure in the source code as the feedback indicator,and introduce the concept of target structure state coverage distribution.By inserting piles for a specific structure,statistics of the target structure state distribution,seed selection and energy scheduling according to the structure state distribution,in order to achieve uniform program state coverage.This method implements the prototype system SFL,and compares it with the existing code coverage fuzzing method AFL.Experimental results show that the method proposed in this paper can more fully cover the program state and can accelerate the discovery speed of specific types of vulnerabilities.

Key words: vulnerability discovery, Fuzzing, network security

中图分类号:

TP393.08

刘华渊,苏云飞,李瑞林,唐朝京. 结构状态覆盖导向的灰盒模糊测试技术[J]. 西安电子科技大学学报, 2021, 48(1): 117-123.

LIU Huayuan,SU Yunfei,LI Ruilin,TANG Chaojing. Structure-statebased graybox Fuzzing technique[J]. Journal of Xidian University, 2021, 48(1): 117-123.

图/表 10

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

参考文献 18

[1]	MANES V J M, HAN H S, HAN C, et al.The Art,Science,and Engineering of Fuzzing:a Survey[J/OL].[2020-06-20].https://arxiv.org/abs/1812.00140?context=cs.CR.
[2]	LEMIEUX C, SEN K. Fairfuzz:A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage [C]//Proceedings of the 2018 33rd ACM/IEEE International Conference on Automated Software Engineering.New York:ACM, 2018: 475-485.
[3]	BOHME M, PHAM V T, ROYCHOUDHURY A. Coverage-based Greybox Fuzzing as Markov Chain[J]. IEEE Transactions on Software Engineering, 2019,45(5):489-506.
[4]	WANG P, ZHOU X. SoK:the Progress,Challenges,and Perspectives of Directed Greybox Fuzzing[J/OL].[2020-06-20].https://arxiv.org/pdf/2005.11907.pdf.
[5]	ASCHERMANN C, SCHUMILO S, BLAZYTKO T, et al. REDQUEEN:Fuzzing with Input-to-state Correspondence[C/OL].[2020-06-20].https://www.ei.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf.
[6]	GAN S, ZHANG C, QIN X, et al. CollAFL:Path Sensitive Fuzzing [C]//Proceedings of the 2018 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2018: 679-696.
[7]	LI Y, CHEN B, CHANDRAMOHAN M, et al. Steelix:Program-state Based Binary Fuzzing [C]//Proceedings of the 2017 ACM SIGSOFT Symposium on the Foundations of Software Engineering.New York:ACM, 2017: 627-637.
[8]	王志强, 张玉清, 刘奇旭, 等. 一种简单网络管理协议漏洞挖掘算法[J]. 西安电子科技大学学报, 2015,42(4):20-26.
	WANG Zhiqiang, ZHANG Yuqing, LIU Qixu, et al. Algorithm for Discovering SNMP Protocol Vulnerability[J]. Journal of Xidian University, 2015,42(4):20-26.
[9]	SHASTRY B, LEUTNER M, FIEBIG T, et al. Static Program Analysis as a Fuzzing Aid [C]//Lecture Notes in Computer Science:10453,Heidelberg:Springer Verlag, 2017: 26-47.
[10]	LI Y, XUE Y, CHEN H, et al. Cerebro:Context-aware Adaptive Fuzzing for Effective Vulnerability Detection [C]//Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering.New York:ACM, 2019: 533-544.
[11]	NICK S, JOHN G, CHRISTOPHER S, et al. Driller:Augmenting Fuzzing Through Selective Symbolic Execution [C]//Proceedings of the 2016 Network and Distributed System Security Symposium.New York:ACM, 2016: 1-16.
[12]	YUN I, LEE S, XU M, et al. QSYM:a Practical Concolic Execution Engine Tailored for Hybrid Fuzzing [C]//Proceedings of the 2018 27th USENIX Security Symposium.Berkeley:USENIX Association, 2018: 745-761.
[13]	GODEFROID P, KIEZUN A, LEVIN M Y. Grammar-based Whitebox Fuzzing[J]. ACM Sigplan Notices, 2008,43(6):206-215.
[14]	CHEN P, CHEN H. Angora:Efficient Fuzzing by Principled Search [C]//Proceedings of the 2018 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2018: 711-725.
[15]	RAWAT S, JAIN V, KUMAR A, et al. VUzzer:Application-aware Evolutionary Fuzzing[C/OL].[2020-06-20].https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/vuzzer-application-aware-evolutionary-fuzzing/.
[16]	LI S S, YE J, ZHANG B, et al. Augmented Fuzzing with Promotion on Numerical Dependence [C]//Proceedings of the 2020 10th International Workshop on Computer Science and Engineering.Shanghai:International Workshop on Computer Science and Engineering, 2020: 42-51.
[17]	JOYCE J M. Kullback-Leibler Divergence[M]. Heidelberg:Springer, 2011.
[18]	夏冰冰, 赵险峰, 张弘. 拟合盲隐写分析结果的隐写组合测评方法[J]. 西安电子科技大学学报, 2015,42(4):153-158.
	XIA Bingbing, ZHAO Xianfeng, ZHANG Hong. Assorted Benchmarking for Steganography Based on Blind Steganalyzer Accuracy Fitting[J]. Journal of Xidian University, 2015,42(4):153-158.