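Abstract
The average-distance model used by current directed fuzzing techniques lacks directedness toward each individual target in multi-target testing, offers little path diversity when steering toward the same target, and does not dynamically adjust the distance metric according to how well different targets have been covered. This leads to unbalanced multi-target testing and reduced efficiency, making it difficult to carry out vulnerability mining in multi-target settings such as those combined with static analysis alerts. To address these problems, a multi-target directed exploration fuzzing technique, MTDFuzz, is proposed. It identifies the dominator nodes of the multiple targets to be traversed, applies test case prioritization based on multi-target dominance analysis, and uses a dominator-node coverage scoring incentive mechanism to guide the generation of test cases that cover dominator nodes and targets, achieving diversified and directed exploration of target paths under the premise of constraining key coverage elements. Paths are dynamically pruned and optimized according to the coverage state of the targets: paths and targets that have been sufficiently tested do not take part in distance feedback. Through pruning and global dominator-node correction, the scores of dominator nodes and target basic blocks are dynamically adjusted, and dominator-node coverage is used to optimize the seed scheduling strategy, achieving effective allocation of multi-target testing resources. Experimental results show that, compared with commonly used directed fuzzing tools, MTDFuzz shortens the average vulnerability discovery time by 57.6% under multiple targets and found 12 undisclosed vulnerabilities in 4 open-source programs including Glibc and FFmpeg, significantly improving the multi-target exploration capability and vulnerability mining efficiency of directed fuzzing.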
Current directed fuzzing techniques suffer from a lack of specificity towards individual targets in multi-target testing, limited path diversity when aiming at the same target, and a failure to dynamically adjust distance metrics based on the coverage level of different targets, leading to imbalanced testing and reduced efficiency in environments that integrate static analysis alerts for vulnerability mining. To address these issues, this paper introduces MTDFuzz, a multi-target directed exploration fuzzing technique that identifies dominating nodes for targeted traversal. By leveraging test case optimization through multi-objective dominance analysis and a coverage score incentive mechanism, MTDFuzz generates test cases that cover both dominating nodes and targets, enabling diversified and directed exploration of target paths within the constraints of key coverage elements. The technique dynamically prunes paths based on target coverage, excluding thoroughly tested paths and targets from distance metric feedback. Through pruning and global dominating node adjustment, it dynamically tunes the scores of dominating nodes and target basic blocks, optimizing seed scheduling strategies based on dominating node coverage to efficiently allocate multi-target testing resources. Experimental results demonstrate that MTDFuzz significantly reduces the average time to discover vulnerabilities by 57.6% compared to commonly used directed fuzzing tools, and has uncovered 12 0-day vulnerabilities in four open-source programs, including Glibc and FFmpeg, significantly enhancing the multi-target exploration capability and vulnerability mining efficiency of directed fuzzing.
Authors
李泽源
尹中旭
宗国笑
桑海涯
Li Zeyuan; Yin Zhongxu; Zong Guoxiao; Sang Haiya (School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China)
Source
《计算机应用研究》
CSCD
Peking University Core Journals
2024, Issue 11, pp. 3455-3463 (9 pages)
Application Research of Computers
Funding
Henan Province Key Research and Development Program (2211112103007).
Keywords
directed fuzzing
vulnerability mining
multi-objective orientation
program analysis