Authors: 钟远鑫 刘嘉勇 贾鹏 (ZHONG Yuanxin; LIU Jiayong; JIA Peng, School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China)
Source: 《信息网络安全》 (Netinfo Security), 2023, No. 8, pp. 99-108 (10 pages)
Funding: National Natural Science Foundation of China [61902265].
Abstract: Directed grey-box fuzzing (DGF) is a recent technique in vulnerability discovery whose main advantage is efficiency. DGF has been widely applied to patch testing, information-flow detection and crash reproduction. Existing DGF techniques, however, have two problems. First, traditional DGF does not take into account that long-path seeds can also trigger vulnerabilities, and it does not prioritize seeds. Second, highly random mutation wastes a large amount of resources and thereby lowers the efficiency of directed fuzzing. This paper proposes a directed grey-box fuzzing method based on dynamic time slicing and efficient mutation. First, it proposes a dynamic time-slicing strategy that divides the fuzzing run into three stages: an indiscriminate exploration stage, a short-path priority stage and a long-path priority stage; for energy allocation it applies a simulated annealing algorithm driven by the execution frequency of seed paths. Second, it uses the ε-greedy algorithm to guide the havoc stage of the mutation process and so improve mutation efficiency. Based on these three strategies, the paper implements a system named DyFuzz and compares it with AFLGo on 8 real-world datasets. The experiments show that the method effectively raises the probability and speed of triggering vulnerabilities, covers more edges and triggers more crashes.
Keywords: vulnerability discovery; directed fuzzing; dynamic time slicing; havoc mutation; energy allocation
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]