一种高效的软件模糊测试种子生成方法

doi:10.19665/j.issn1001-2400.20230901

摘要/Abstract

摘要：

模糊测试技术作为当前软件工程领域用于挖掘漏洞的有效方式之一,其在发现软件潜在漏洞方面有着非常显著的效果。针对传统模糊测试技术中种子选择策略无法快速有效地生成高质量的种子集,导致变异生成的测试用例无法到达更深路径、触发更多安全漏洞的问题,基于改进生成对抗网络(GAN)提出了一个种子生成方法以实现高效模糊测试。通过优化LeakGAN网络结构提高生成种子的质量和多样性,引入编解码技术实现灵活扩展生成种子的类型,并显著提高了在不同输入格式下目标程序的模糊测试性能。实验结果表明,采取的种子生成策略在覆盖率、触发唯一崩溃等指标上有明显提升,并有效地提高了种子生成速度。文中选择了6个具有不同高度结构化输入的开源程序和不同的模糊测试工具来验证策略的有效性,相较原策略分支覆盖率平均增长约2.79%,并且多发现了约10.35%的唯一路径以及约86.92%的唯一崩溃。

关键词: 漏洞挖掘, 网络安全, 模糊测试, 深度学习

Abstract:

As one of the effective ways to exploit software vulnerabilities in the current software engineering field,fuzzing plays a significant role in discovering potential software vulnerabilities.The traditional seed selection strategy in fuzzing cannot effectively generate high-quality seeds,which results in the testcases generated by mutation being unable to reach deeper paths and trigger more security vulnerabilities.To address these challenges,a seed generation method for efficient fuzzing based on the improved generative adversarial network(GAN) is proposed which can flexibly expand the type of seed generation through encoding and decoding technology and significantly improve the fuzzing performance of most applications with different input types.In experiments,the seed generation strategy adopted in this paper significantly improved the coverage and unique crashes,and effectively increased the seed generation speed.Six open-sourced programs with different highly-structured inputs were selected to demonstrate the effectiveness of our strategy.As a result,the average branch coverage increased by 2.79%,the number of paths increased by 10.35% and additional 86.92% of unique crashes were found compared to the original strategy.

Key words: vulnerability detection, network security, fuzz testing, deep learning

中图分类号:

TP311

刘振岩, 张华, 刘勇, 杨立波, 王梦迪. 一种高效的软件模糊测试种子生成方法[J]. 西安电子科技大学学报, 2024, 51(2): 126-136.

LIU Zhenyan, ZHANG Hua, LIU Yong, YANG Libo, WANG Mengdi. Efficient seed generation method for software fuzzing[J]. Journal of Xidian University, 2024, 51(2): 126-136.

图/表 11

图1

图2

图3

图4

图5

表1

表2

表3

图6

图7

图8

参考文献 29

[1]	ZHU X, WEN S, CAMTEPE S, et al. Fuzzing:A Survey for Roadmap[J]. ACM Computing Surveys(CSUR), 2022, 54(11s):1-36.
[2]	GOOGLE. OSS-Fuzz Issue Report Tracker(2022)[EB/OL].[2022-12-28]. https://bugs.chromium.org/p/oss-fuzz/issues/list.
[3]	REBERT A, CHA S K, AVGERINOS T, et al. Optimizing Seed Selection for Fuzzing[C]//Proceedings of the 23rd USENIX Security Symposium(USENIX Security 14). Berkeley:USENIX, 2014:861-875.
[4]	WANG J, CHEN B, WEI L, et al. Skyfire:Data-Driven Seed Generation for Fuzzing[C]//Proceedings of the 32nd IEEE Symposium on Security and Privacy(SP). Piscataway:IEEE, 2017:579-594.
[5]	WARTSCHINSKI L, NOLLER Y, VOGEL T, et al. VUDENC:Vulnerability Detection with Deep Learning on a Natural Codebase for Python[J]. Information and Software Technology, 2022,144:106809.
[6]	ZHANG L, WANG J, WANG W, et al. A Novel Smart Contract Vulnerability Detection Method Based on Information Graph and Ensemble Learning[J]. Sensors, 2022, 22(9):3581.
[7]	CAO S, SUN X, BO L, et al. MVD:Memory-Related Vulnerability Detection Based on Flow-Sensitive Graph Neural Networks[C]//Proceedings of the 44th IEEE/ACM International Conference on Software Engineering(ICSE). Piscataway:IEEE, 2022:1456-1468.
[8]	杜李旭弘, 陈杰, 杨小雪. 一种结合GAN的定向口令猜测方案[J]. 西安电子科技大学学报, 2022, 49(3):129-136.
	DU Lixuhong, CHEN Jie, YANG Xiaoxue. Targeted Password Guessing Scheme Combined with GAN[J]. Journal of Xidian University, 2022, 49(3):129-136.
[9]	GODEFROID P, PELEG H, SINGH R. Learn&Fuzz:Machine Learning for Input Fuzzing[C]//Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering(ASE). Piscataway:IEEE, 2017:50-59.
[10]	CHENG L, ZHANG Y, ZHANG Y, et al. Optimizing Seed Inputs in Fuzzing with Machine Learning[C]//2019 IEEE/ACM 41st International Conference on Software Engineering:Companion Proceedings(ICSE-Companion). Piscataway:IEEE, 2019: 244-245.
[11]	NICHOLS N, RAUGAS M, JASPER R, et al. Faster Fuzzing:Reinitialization with Deep Neural Models(2017)[J/OL].[2023-01-08]. https://arxiv.org/abs/1711.02807.
[12]	GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Generative Adversarial Networks[J]. Communications of the ACM, 2020, 63(11):139-144.
[13]	LYU C, JI S, LI Y, et al. SmartSeed:Smart Seed Generation for Efficient Fuzzing(2019)[J/OL].[2023-01-08]. https://arxiv.org/abs/1807.02606.
[14]	HU Z, SHI J, HUANG Y H, et al. GANFuzz:A GAN-Based Industrial Network Protocol Fuzzing Framework[C]//Proceedings of the 15th ACM International Conference on Computing Frontiers. New York: ACM, 2018:138-145.
[15]	JANG E, GU S, POOLE B. Categorical Reparameterization with Gumbel-Softmax(2017)[J/OL].[2023-05-30]. https://arxiv.org/abs/1611.01144.
[16]	GUO J, LU S, CAI H, et al. Long Text Generation via Adversarial Training with Leaked Information[C]//Proceedings of the 2018 AAAI Conference on Artificial Intelligence. Washington:AAAI, 2018:5141-5148.
[17]	SRIVASTAVA R K, GREFF K, SCHMIDHUBER J. Highway Networks(2015)[J/OL].[2023-01-08]. https://arxiv.org/abs/1505.00387.
[18]	GOOGLE. Google’sFuzzer Test Suite(2022)[EB/OL].[2022-12-28]. https://github.com/google/fuzzer-test-suite.
[19]	WANG M, LIANG J, ZHOU C, et al. Industrial Oriented Evaluation of Fuzzing Techniques[C]//Proceedings of the 14th IEEE Conference on Software Testing,Verification and Validation(ICST). Piscataway:IEEE, 2021:306-317.
[20]	LIU X, YOU W, ZHANG Z, et al. TensileFuzz:Facilitating Seed Input Generation in Fuzzing via String Constraint Solving[C]//Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2022:391-403.
[21]	MENENDEZ H D, CLARK D. Hashing Fuzzing:Introducing Input Diversity to Improve Crash Detection[J]. IEEE Transactions on Software Engineering, 2021, 48(9):3540-3553.
[22]	HERRERA A, GUNADI H, MAGRATH S, et al. Seed Selection for Successful Fuzzing[C]//Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2021:230-243.
[23]	LIANG J, JIANG Y, WANG M, et al. Deepfuzzer:Accelerated Deep Greybox Fuzzing[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 18(6):2675-2688.
[24]	ZALEWSKI M. American Fuzzy Lop(2017)[EB/OL].[2022-12-28]. http://lcamtuf.coredump.cx/afl.
[25]	FIORALDI A, MAIER D, EIBFELDT H, et al. AFL++:Combining Incremental Steps of Fuzzing Research[C]//Proceedings of the 14th USENIX Workshop on Offensive Technologies(WOOT 20). Berkeley:USENIX, 2020:1-12.
[26]	KLEES G, RUEF A, COOPER B, et al. Evaluating Fuzz Testing[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018:2123-2138.
[27]	YE A, WANG L, ZHAO L, et al. RapidFuzz:Accelerating Fuzzing via Generative Adversarial Networks[J]. Neurocomputing, 2021,460:195-204.
[28]	LI Y, JI S, LIU C, et al. V-Fuzz:Vulnerability Prediction-Assisted Evolutionary Fuzzing for Binary Programs[J]. IEEE Transactions on Cybernetics, 2020, 52(5):3745-3756
[29]	叶嘉羲. 面向软件漏洞自动挖掘的先进模糊测试关键技术研究[D]. 长沙: 国防科技大学, 2020.

目标程序	版本	种子类型	总代码行数/×10³	最大文件/比特	数据粒度/比特	字典规模	种子序列长度
Pcre 2	10.00	Regex	29	512	8	12 000	85
Guetzli	1.0.1	PNG	5.8	549	8	1 700	92
Libxml 2	2.9.2	XML	135	698	10	15 000	95
Libexif	0.6.21	JPEG	15	1 996	20	3 500	140
LibTIFF	4.0.4	TIFF	80	488	8	5 000	82
TCPdump	4.9.2	Pcap	93	512	8	10 000	85

模糊器	目标程序	分支覆盖率						唯一崩溃数量					唯一路径数量
模糊器	目标程序	Ori/%		OLG/%	ER/%	Mix/%	ER/%	Ori	OLG	ER/%	Mix	ER/%	Ori	OLG	ER/%	Mix	ER/%
AFL	Pcre 2		6.35	6.54	2.91	6.43	1.26	154	327	112.3	171	11.04	11 540	13 384	15.98	12 741	10.41
	Guetzli		1.81	1.86	2.76	1.86	2.76	0	0		0		746	859	15.08	1 077	44.30
	Libxml 2		5.94	6.26	5.39	6.31	6.23	6	16	166.7	13	116.7	2 357	2 530	7.32	2 846	20.75
AFL	Libexif		26.94	28.65	3.27	27.09	0.56	27	38	40.74	37	37.04	720	902	25.28	793	10.07
++	LibTIFF		22.58	21.69	-3.94	23.44	3.81	128	211	64.84	136	6.25	1 363	1 357	-0.48	1 407	3.26
	TCPdump		32.64	33.71	3.28	34.59	5.97	2	3	50.00	5	150.0	10 340	10 231	-1.06	10 491	1.46
	平均值		16.04	16.45	2.79	16.62	3.43	53	99	86.92	60	64.20	4 511	4 869	10.35	4 892	15.04