Journal article

基于函数重要度的模糊测试方法 (A Fuzzing Method Based on Function Importance) — cited by: 2

Fuzzing Method Based on Function Importance
Abstract (translated from the Chinese): Existing fuzzing methods lack fine-grained knowledge of a program's internal information and select seeds using isolated factors, so the time spent fuzzing is not matched by the gain obtained. To address this, a fuzzing method based on function importance is proposed. First, an Attributed Interprocedural Control Flow Graph (AICFG) is used to jointly represent function information and the relationships between functions. Then, seeds are scored and evaluated on the basis of this representation, and a more effective seed mutation strategy is proposed from those scores and evaluations. At the same time, during testing the attribute ranges of the interprocedural control flow graph are adjusted according to the number of times each function is hit, and a graph propagation algorithm propagates the attribute changes. Experimental results show that, when testing flvmeta, the two optimization strategies increase the number of discovered paths by about 11.6% and 13.7% respectively compared with the baseline fuzzer American Fuzzy Lop (AFL). Our implementation, FunAFL, also achieves higher coverage than MOPT and FairFuzz when testing software such as jhead, flvmeta and libelfin, and in practical use it found 7 bugs in software including binutils, ffjpeg, xpdf, jhead, libtiff and libelfin, with 1 CVE identifier assigned.
Abstract (English, as published): We propose a fuzzing method based on function importance, because the existing fuzzing methods lack fine-grained knowledge of the program's internal information, use isolated factors for seed filtering, and result in a mismatch between time consumption and gain. First, the Attributed Interprocedural Control Flow Graph (AICFG) is used to comprehensively characterize function information and functional relationships. Then, the seed is scored and evaluated in light of the characterization, and a more effective seed filtering strategy is proposed. At the same time, the attribute range of the interprocedural control flow graph is adjusted according to the number of function hits, and the graph propagation algorithm is employed to propagate attribute changes. The experimental results show that the two optimization strategies improve the number of paths by 11.6% and 13.7% respectively compared with the baseline fuzzing tool, American Fuzzy Lop (AFL), during the testing of flvmeta. The implemented tool, FunAFL, also achieves higher coverage than the mainstream fuzzing tools MOPT and FairFuzz during the testing of common software such as jhead, flvmeta, and libelfin. FunAFL finds 7 bugs and obtains 1 CVE number during the testing of binutils, ffjpeg, xpdf, jhead, libtiff, and libelfin.
Authors: 王文硕 程亮 张阳 李振 (WANG Wen-Shuo; CHENG Liang; ZHANG Yang; LI Zhen). Affiliations: University of Chinese Academy of Sciences, Beijing 100049, China; Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; The Shenzhen Commercial Cipher Industry Association, Shenzhen 518118, China.
Source: Computer Systems & Applications (《计算机系统应用》), 2021, No. 11, pp. 145-154 (10 pages).
Funding: National Natural Science Foundation of China (61772506, 62072448); National Key R&D Program of China (2017YFB0802902).
Keywords: fuzzing; Attributed Interprocedural Control Flow Graph (AICFG); graph propagation; seed filtering; program representation