Funding: This work was supported by the Natural Science Foundation of China (Grant No. 61702013), the National Key Research and Development Plan (Grant Nos. 2018YFB1800302 and 2019YFA0706404), the Beijing Natural Science Foundation (Grant Nos. KZ201810009011, 4202020, and 19L2021), and the Science and Technology Innovation Project of North China University of Technology (19XN108).
Abstract: While the size and complexity of software are increasing rapidly, not only is the number of vulnerabilities growing, but their forms are diversifying. Vulnerabilities have become an important factor in network attack and defense, so automatic vulnerability discovery has become critical to ensuring software security. Fuzzing is one of the most important methods of vulnerability discovery. Starting from an initial input, i.e., a seed, it generates mutated test cases as new inputs to the program under test in the next execution loop. By monitoring path coverage, the fuzzer can select high-value test cases for inclusion in the new seed set and capture the crashes that indicate vulnerabilities. Although remarkable results have been achieved in terms of the number of vulnerabilities discovered, the time cost of reaching them remains high. This paper proposes a fast directed greybox fuzzing model, FastAFLGo. A fast-convergence temperature formula is designed, and the energy scheduling scheme can quickly determine the best seed to steer program execution toward the target basic blocks. Experimental results show that FastAFLGo discovers more vulnerabilities than the traditional fuzzing method in the same execution time.
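The energy-scheduling step described in the abstract, as an added Python example that is not code from FastAFLGo or AFLGo: it implements the AFLGo-style simulated-annealing power schedule that directed greybox fuzzers build on (seed-to-target distance, exponential cooling T = 20^(-t/t_x), annealed weight, energy multiplier). FastAFLGo's own fast-convergence temperature formula is not given in the abstract, so the only knob exposed here is the time-to-exploitation parameter t_x; the multiplier range [1/32, 32] and the sample seed distances are assumptions made for the illustration.

```python
"""Simulated-annealing power schedule for directed greybox fuzzing.

Added illustration; not code from FastAFLGo or AFLGo. The cooling formula and
the annealed weight follow AFLGo; FastAFLGo's faster temperature formula is
not given in the abstract, so cooling speed is controlled only by t_x here.
"""
import math

MAX_FACTOR = 32.0  # assumed energy multiplier range [1/32, 32]


def normalize_distances(seed_distances):
    """Min-max normalise seed-to-target distances into [0, 1] (0 = closest seed)."""
    lo, hi = min(seed_distances), max(seed_distances)
    if hi == lo:                       # every seed equally far: no preference
        return [0.0 for _ in seed_distances]
    return [(d - lo) / (hi - lo) for d in seed_distances]


def temperature(t, t_x):
    """Exponential cooling T = 20^(-t/t_x): T == 1 at t == 0, T == 0.05 at t == t_x."""
    return 20.0 ** (-t / t_x)


def annealed_weight(d_norm, t, t_x):
    """p = (1 - d)(1 - T) + 0.5 T: uniform 0.5 while hot, pure distance once cooled."""
    T = temperature(t, t_x)
    return (1.0 - d_norm) * (1.0 - T) + 0.5 * T


def energy_factor(p):
    """Map p in [0, 1] to a multiplier in [1/MAX_FACTOR, MAX_FACTOR]; p == 0.5 gives 1."""
    return 2.0 ** (2.0 * math.log2(MAX_FACTOR) * (p - 0.5))


def schedule(seed_distances, t, t_x):
    """Energy multiplier for each seed at fuzzing time t (same unit as t_x)."""
    return [energy_factor(annealed_weight(d, t, t_x))
            for d in normalize_distances(seed_distances)]


def best_seed(seed_distances, t, t_x):
    """Index of the seed that receives the most energy at time t."""
    energies = schedule(seed_distances, t, t_x)
    return max(range(len(energies)), key=energies.__getitem__)


def time_to_cool(threshold, t_x):
    """Time until T drops below threshold: solve 20^(-t/t_x) = threshold for t."""
    return t_x * math.log(1.0 / threshold) / math.log(20.0)


if __name__ == "__main__":
    # Constructed queue: three seeds with distances to the target basic blocks.
    distances = [120.0, 15.0, 60.0]
    for t_x in (600.0, 60.0):
        print(f"t_x={t_x:g}s: cools below T=0.05 after {time_to_cool(0.05, t_x):g}s")
        for t in (0.0, t_x, 10 * t_x):
            print(f"  t={t:6g}s energy={[round(e, 3) for e in schedule(distances, t, t_x)]}"
                  f" best seed={best_seed(distances, t, t_x)}")
```

At t = 0 every seed gets the same energy regardless of distance (pure exploration); once t exceeds a few multiples of t_x the closest seed receives up to 32x the energy of the farthest one. Shortening t_x is what makes the schedule converge faster toward distance-directed seed selection, at the cost of less early exploration.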
Funding: Partially supported by the National Key Research and Development Program of China under Grant No. 2017YFA0700604, the National Natural Science Foundation of China under Grant Nos. 62032010 and 61802168, the Leading-Edge Technology Program of Jiangsu Natural Science Foundation under Grant No. BK20202001, and the 2021 Double Entrepreneurship Big Data and Theoretical Research Project of Nanjing University.
Abstract: Fuzzing is known to be one of the most effective techniques for uncovering security vulnerabilities in large-scale software systems. During fuzzing, it is crucial to distribute the fuzzing resources appropriately so as to achieve the best fuzzing performance under a limited budget. Existing distribution strategies of American Fuzzy Lop (AFL)-based greybox fuzzing focus on increasing coverage blindly, without considering metrics of the code regions, and thus lack insight into which region is more likely to be vulnerable and deserves more fuzzing resources. We tackle this drawback by proposing a vulnerable-region-aware greybox fuzzing approach. Specifically, we distribute more fuzzing resources toward regions that are more likely to be vulnerable, based on four kinds of code metrics. We implemented the approach as an extension to AFL named RegionFuzz. Large-scale experimental evaluations validate the effectiveness and efficiency of RegionFuzz: it uncovered 11 new bugs, including three new CVEs.
Funding: This research was supported by the National Key R&D Program of China (2022YFB3103900), the National Natural Science Foundation of China (62032010, 62202462), and the Strategic Priority Research Program of the CAS (XDC02030200).
Abstract: Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery, and a great deal of research has been proposed to improve both its efficiency and effectiveness. Mutation-based greybox fuzzing generates input cases by mutating the input seed, i.e., applying a sequence of mutation operators at randomly selected mutation positions of the seed. However, existing work focuses on scheduling mutation operators, leaving the scheduling of mutation positions as an overlooked aspect of fuzzing efficiency. This paper proposes a novel greybox fuzzing method, PosFuzz, that statistically schedules mutation positions based on their historical performance. PosFuzz uses the concept of an effective position distribution to represent the semantics of the input and to guide the mutations. PosFuzz first applies Good-Turing frequency estimation to calculate an effective position distribution for each mutation operator. It then uses two sampling methods in different mutation stages to select positions from the distribution. We have implemented PosFuzz on top of AFL, AFLFast and MOPT, called Pos-AFL, Pos-AFLFast and Pos-MOPT respectively, and evaluated them on the UNIFUZZ benchmark (20 widely used open-source programs) and the LAVA-M dataset. The results show that, under the same testing time budget, Pos-AFL, Pos-AFLFast and Pos-MOPT outperform their counterparts in code coverage and vulnerability discovery ability. Compared with AFL, AFLFast, and MOPT, PosFuzz achieves 21% more edge coverage and finds 133% more paths on average. It also triggers 275% more unique bugs on average.
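The effective position distribution described in the abstract, as an added Python example that is not PosFuzz's code: given, for one mutation operator, how many times a mutation at each byte position of the seed produced new coverage (an "effective" mutation), it computes a per-position probability with Good-Turing frequency estimation, reserving the Good-Turing mass N_1/N for positions that have never been effective, and then draws mutation positions from it. The counts and seed length are constructed, the fallback used where Good-Turing's N_{r+1} is zero is a simplification of Simple Good-Turing (which smooths the frequency-of-frequencies first), and the two samplers are assumptions about how a deterministic stage and a havoc stage would consume the distribution, since the abstract does not name PosFuzz's methods.

```python
"""Effective-position distribution via Good-Turing frequency estimation.

Added illustration; not PosFuzz's code. One distribution is kept per mutation
operator; the history below is constructed for a single operator.
"""
import random
from collections import Counter

SEED_LEN = 16
# Constructed history: position -> number of effective mutations at that position.
EFFECTIVE_COUNTS = {0: 1, 1: 1, 2: 1, 3: 2, 4: 2, 5: 3, 6: 5}


def effective_position_distribution(counts, seed_len):
    """Return a probability per position, summing to 1.

    Seen positions get the Good-Turing adjusted count r* = (r + 1) N_{r+1} / N_r,
    where N_r is the number of positions seen exactly r times; when no position
    has count r + 1 we fall back to r (simplification, see lead-in). Unseen
    positions share the Good-Turing unseen mass N_1 / N.
    """
    n = sum(r for r in counts.values() if r > 0)
    if n == 0:                                  # no history yet: uniform
        return [1.0 / seed_len] * seed_len
    n_r = Counter(r for r in counts.values() if r > 0)  # frequency of frequencies
    unseen = [pos for pos in range(seed_len) if counts.get(pos, 0) == 0]
    p0 = n_r[1] / n if unseen else 0.0          # total mass reserved for unseen
    probs = [0.0] * seed_len
    for pos, r in counts.items():
        if r <= 0 or pos >= seed_len:
            continue
        r_star = (r + 1) * n_r[r + 1] / n_r[r] if n_r[r + 1] else float(r)
        probs[pos] = r_star / n
    seen_mass = sum(probs)
    scale = (1.0 - p0) / seen_mass              # renormalise seen positions
    probs = [p * scale for p in probs]
    for pos in unseen:
        probs[pos] = p0 / len(unseen)
    return probs


def top_positions(dist, k):
    """Deterministic-stage choice (assumed): the k most effective positions, best first."""
    return sorted(range(len(dist)), key=lambda i: -dist[i])[:k]


def sample_positions(dist, k, seed=None):
    """Havoc-stage choice (assumed): k positions drawn proportionally to dist."""
    rng = random.Random(seed)
    return rng.choices(range(len(dist)), weights=dist, k=k)


def record_effective(counts, pos):
    """Update the history after a mutation at pos yielded new coverage."""
    counts[pos] = counts.get(pos, 0) + 1


if __name__ == "__main__":
    dist = effective_position_distribution(EFFECTIVE_COUNTS, SEED_LEN)
    for pos, p in enumerate(dist):
        print(f"pos {pos:2d}  count {EFFECTIVE_COUNTS.get(pos, 0)}  p={p:.4f}")
    print("deterministic picks:", top_positions(dist, 4))
    print("havoc picks:", sample_positions(dist, 10, seed=1))
```

With the constructed history, 20% of the mass (N_1/N = 3/15) is spread over the nine never-effective positions so they are not starved, while the remaining 80% is ranked by adjusted count: the position hit five times ends up with about 0.27, the singletons with about 0.07, and each unseen position with about 0.02.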