Abstract
Fuzzing is an effective vulnerability discovery technique. To mitigate the inefficiency that blind mutation causes in fuzzing, a fuzzer has to be continually customized around input characteristics, mutation strategies, seed selection, and the discovery and analysis of crashing samples, which incurs substantial customization cost. To meet the need for low-cost customization and high extensibility of general-purpose fuzzers (fuzzers that support multiple input formats and target programs), this paper proposes a programmable fuzzing framework. With it, a security engineer only has to write a fuzzing directive program to obtain a customized fuzzer, which greatly improves fuzzer development efficiency without reducing fuzzing effectiveness. The framework comprises a set of fuzzing primitives covering mutation, monitoring and feedback, which serve as the basic statements of directive programs, together with a fuzzing directive specification (FDS) and an FDS parser that support writing and parsing directive programs and generating fuzzers. With the prototype implementation Puzzer, which provides 26 fuzzing primitives, a security engineer needs on average about 54 lines of code to reproduce the core functions of five mainstream fuzzers that each comprise tens of thousands of lines of code, covering 87.8% of their basic operations in total. An AFL-equivalent fuzzer built on Puzzer reaches fuzzing effectiveness comparable to AFL in only 51 lines of code.
Authors
杨梅芳
霍玮
邹燕燕
尹嘉伟
刘宝旭
龚晓锐
贾晓启
邹维
YANG Mei-Fang1,2,3,4, HUO Wei1,2,3,4, ZOU Yan-Yan1,2,3,4, YIN Jia-Wei1,2,3,4, LIU Bao-Xu1,2,3,4, GONG Xiao-Rui1,2,3,4, JIA Xiao-Qi1,2,3,4, ZOU Wei1,2,3,4 (1. Institute of Information Engineering, The Chinese Academy of Sciences, Beijing 100195, China; 2. Key Laboratory of Network Assessment Technology (Institute of Information Engineering, The Chinese Academy of Sciences), The Chinese Academy of Sciences, Beijing 100195, China; 3. Beijing Key Laboratory of Network Security and Protection Technology (Institute of Information Engineering, The Chinese Academy of Sciences), Beijing 100195, China; 4. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
Source
Journal of Software (软件学报)
Indexed in: EI; CSCD; Peking University Core Journal list
2018, Issue 5, pp. 1258-1274 (17 pages)
Funding
Supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences
Chinese Academy of Sciences Key Laboratory Fund (CXJJ-17S049)
Supported by the Beijing Key Laboratory of Network Security and Protection Technology
National Key Research and Development Program of China (2016QY071405)
Keywords
fuzzing
vulnerability discovery
programmable
directive program
abstract syntax tree