Abstract
AFL generates program test cases based on a genetic algorithm and multiple mutation strategies in order to detect vulnerabilities in programs. However, AFL relies only on control-flow information to decide which seeds take part in further fuzzing, which makes it hard to discover memory-operation problems in C and C++ programs, and AFL's simple 'favorite' strategy does not fully consider the characteristics of seeds and the features of execution paths, so seeds that could trigger crashes are slow to be executed. Therefore, the fuzzing tool Risk-AFL is designed and implemented: feedback information is obtained from the program through instrumentation, the risk fitness of paths is then computed to guide seed selection, and the 'favorite' strategy is optimized. The tool is evaluated on four applications, and the results show that, compared with other tools, its efficiency in both path discovery and vulnerability discovery is improved to some extent.
AFL (American Fuzzy Lop) generates test cases based on a genetic algorithm and multiple mutation strategies, and feeds them to programs under test to find bugs or vulnerabilities. However, AFL relies only on control-flow information to decide which seeds are involved in further fuzzing, which makes it difficult to discover memory-manipulation problems in C/C++ programs, and AFL's simple 'favorite' strategy does not fully consider the features of seeds and execution paths, resulting in delayed execution of seeds that can trigger crashes. Therefore, this paper designs and implements a fuzz-testing tool, Risk-AFL, which obtains feedback from programs through instrumentation, then calculates the risk fitness of paths to guide seed selection, and optimizes the 'favorite' strategy. Risk-AFL is tested on four programs, and the results indicate improved efficiency of path discovery and vulnerability discovery.
Authors
ZHOU Xia
HU Yong
ZHOU Xia; HU Yong (School of Cyber Science and Engineering, Sichuan University, Chengdu, Sichuan 610207, China)
Source
Communications Technology (通信技术)
2022, No. 4, pp. 500-505 (6 pages)
Communications Technology
Keywords
fuzz testing
AFL
instrumentation
risk fitness
seed selection
fuzz testing
AFL(American Fuzzy Lop)
instrumentation
risk fitness
seed selection