有效覆盖引导的定向灰盒模糊测试  被引量：4

作　　者：杨克[1,2] 贺也平 马恒太[1,2] 蔡春芳 谢异[1,2] 董柯 YANG Ke;HE Ye-Ping;MA Heng-Tai;CAI Chun-Fang;XIE Yi;DONG Ke(National Engineering Research Center of Fundamental Software(Institute of Software,Chinese Academy of Sciences),Beijing 100190,China;University of Chinese Academy of Sciences,Beijing 100049,China;State Key Laboratory of Computer Science(Institute of Software,Chinese Academy of Sciences),Beijing 100190,China)

机构地区：[1]基础软件国家工程研究中心(中国科学院软件研究所),北京100190 [2]中国科学院大学,北京100049 [3]计算机科学国家重点实验室(中国科学院软件研究所),北京100190

出　　处：《软件学报》2022年第11期3967-3982,共16页Journal of Software

基　　金：中国科学院战略性先导科技专项(XDA-Y01-01,XDC02010600)。

摘　　要：定向灰盒模糊测试技术在度量种子对目标执行状态的搜索能力时,除了考虑种子逼近目标代码的程度之外,还需要分析种子对多样化执行状态的发现能力,从而避免陷入局部最优.现有的定向灰盒模糊测试主要根据全程序的覆盖统计来度量种子搜索多样化执行路径的能力.然而,目标执行状态仅依赖于部分程序代码.如果带来新覆盖的种子并未探索到目标状态计算所依赖的新执行状态,其不仅不能扩大种子队列对目标执行状态的搜索能力,而且会诱导测试目标无关的代码和功能,阻碍定向测试向目标代码的收敛.为了缓解该问题,从待发现目标执行状态依赖代码的覆盖统计着手,提出了一种有效覆盖引导的定向灰盒模糊测试方法.利用程序切片技术提取影响目标执行状态计算的代码.通过能量调度(即控制种子后代生成数量),提升引发该部分代码控制流新覆盖变化的种子能量,降低其他冗余种子的能量,使定向灰盒模糊测试专注于搜索目标相关的执行状态.在测试集上的实验结果显示,该方法显著提升了目标状态发现效率.Directed grey-box fuzzing measures the effectiveness of seeds for detecting the execution path towards the target.In addition to the closeness between the triggered execution and the target code lines,the ability to explore diversified execution paths is also important to avoid local optimum.Current directed grey-box fuzzing methods measure this capability by coverage counting of the whole program.But only a part of the program is responsible for the calculation of the target state.If the new seed brings target irrelevant state changes,it cannot enhance the queue for state exploration.What is worse,it may distract the concentration of the fuzzer and waste time on exploring target irrelevant code logic.To solve this problem,this study provides a valid coverage guided directed grey-box fuzzing method.The static program slicing technique is used to locate the code region that can affect the target state and detect interesting seeds that bring new differences in coverage of this code region.By enlarging the energy of these seeds and reducing others(adjusting power schedule),the fuzzer can be guided to focus on seeds that can help explore different control flow that target depends and mitigate the interference of redundant seeds.The experiment on the benchmark provided shows that this strategy brings significant performance improvement for AFLGO.

关 键 词：定向模糊测试 有效覆盖 冗余种子 能量调度 程序切片 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]