Coverage based fuzzing is a widespread vulnerability detection technique,and it has exposed many bugs in many real-world programs.However,its attention is to eliminate the testing on the repeated paths,yet it still em...Coverage based fuzzing is a widespread vulnerability detection technique,and it has exposed many bugs in many real-world programs.However,its attention is to eliminate the testing on the repeated paths,yet it still employs random mutation to generate inputs,which is blind to penetrate complex comparisons in the program.As a result,the testing coverage is limited.Despite some solution proposals are presented,this problem is still partially solved.This paper argues that random mutation is mainly limited by two challenges,the sizable search space and the lack of a useful feedback to direct the search.Then we present an augmented fuzzing technique by addressing these two challenges.First of all,we point out a black relationship between input contents and comparison operands,which is dubbed connection.Second,we present a novel method to collect the comparison operands during execution,which is leveraged to infer the connections.Based on the connections,the fuzzer can learn about which input byte affects on which comparison instruction to establish a smaller search space.Third,the connection provides a useful feedback to direct the search.We resort to a modern metaheuristic algorithm to satisfy this searching requirement.We developed a prototype Pusher and evaluated its performance on several benchmarks and four real-world programs.The experimental results demonstrate that Pusher works better than some other state-of-the-art fuzzers on bug detection,and can achieve a higher testing coverage.Moreover,we take a detailed statistic about the execution overhead in Pusher,and the results indicate that the execution overhead introduced by our approach is within an acceptable scope.展开更多
基金supported by the National Natural Science Foundation of China(Grant No.61702540)Hunan Provincial Natural ScienceFoundation of China(2018j3615).
文摘Coverage based fuzzing is a widespread vulnerability detection technique,and it has exposed many bugs in many real-world programs.However,its attention is to eliminate the testing on the repeated paths,yet it still employs random mutation to generate inputs,which is blind to penetrate complex comparisons in the program.As a result,the testing coverage is limited.Despite some solution proposals are presented,this problem is still partially solved.This paper argues that random mutation is mainly limited by two challenges,the sizable search space and the lack of a useful feedback to direct the search.Then we present an augmented fuzzing technique by addressing these two challenges.First of all,we point out a black relationship between input contents and comparison operands,which is dubbed connection.Second,we present a novel method to collect the comparison operands during execution,which is leveraged to infer the connections.Based on the connections,the fuzzer can learn about which input byte affects on which comparison instruction to establish a smaller search space.Third,the connection provides a useful feedback to direct the search.We resort to a modern metaheuristic algorithm to satisfy this searching requirement.We developed a prototype Pusher and evaluated its performance on several benchmarks and four real-world programs.The experimental results demonstrate that Pusher works better than some other state-of-the-art fuzzers on bug detection,and can achieve a higher testing coverage.Moreover,we take a detailed statistic about the execution overhead in Pusher,and the results indicate that the execution overhead introduced by our approach is within an acceptable scope.
