Coverage-guided fuzzing based on adaptive sensitive region mutation (基于自适应敏感区域变异的覆盖引导模糊测试)


Authors: XU Hang (徐航); YANG Zhi (杨智) [1]; CHEN Xingyuan (陈性元) [1]; HAN Bing (韩冰); DU Xuehui (杜学绘) [1] (School of Cryptographic Engineering, Strategic Support Force Information Engineering University, Zhengzhou, Henan 450004, China)

Affiliation: [1] School of Cryptographic Engineering, Strategic Support Force Information Engineering University, Zhengzhou 450004, China

Published in: Journal of Computer Applications (计算机应用), 2024, No. 8, pp. 2528-2535 (8 pages)

Funding: National Natural Science Foundation of China (Grant No. 62176265).

Abstract: Coverage-Guided Fuzzing (CGF) spends much of its execution budget on mutations that never reach a new path. To address this, an adaptive sensitive region mutation algorithm is proposed. First, each mutation position is assigned to an effective or an ineffective mutation position set according to whether the test case mutated at that position executed a new path. Then, a sensitive region is derived from the effective positions and subsequent mutations are concentrated inside it. As fuzzing continues, the sensitive region of each seed is adjusted adaptively according to the execution results of its test cases, which reduces the number of ineffective mutations. In addition, a new seed selection strategy is designed to work together with sensitive region mutation. The algorithm was integrated into American Fuzzy Lop (AFL) to form SMAFL (Sensitive-region-based Mutation American Fuzzy Lop). SMAFL was evaluated on 12 popular applications. Compared with AFL, with a single initial seed SMAFL found 31.4% more paths on average, increased the number of fuzzing executions by 3.4 times, and achieved higher code coverage on all 12 programs. On the LAVA-M dataset, SMAFL found 2 more bugs than AFL and found the bugs common to both in less time. Overall, the adaptive sensitive region mutation algorithm improves the exploration efficiency of fuzzers.
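The mechanism the abstract describes (classify each mutation position as effective or ineffective by whether the mutated input reached a new path, build a sensitive region from the effective positions, keep mutating inside it, and adjust the region as results come in) reduced to a runnable toy loop. This is an added example, not SMAFL's or AFL's code: the constructed target `toy_target`, its edge-set coverage model, the single-byte mutation operator, the `MARGIN` window, the `STALE_LIMIT` demotion rule, the `EXPLORE` rate and round-robin seed selection are all assumptions chosen for illustration (the paper's own seed selection strategy is not described in the abstract). "New path" is simplified to "covers an edge not seen before".

```python
"""Toy model of adaptive sensitive-region mutation in a coverage-guided fuzzer.

Added illustration, not SMAFL/AFL code. The target, its coverage model (a set of
edge names), the single-byte mutation, the region rule (MARGIN bytes around the
effective positions), the demotion rule, the exploration rate and round-robin
seed selection are all assumptions made for this example.
"""
import random

MARGIN = 2         # bytes kept on each side of the effective positions (assumption)
STALE_LIMIT = 64   # fruitless tries before an effective position is demoted (assumption)
EXPLORE = 0.1      # share of mutations placed anywhere in the input (assumption)
INFLUENTIAL = 5    # in the constructed target only bytes 0..4 steer control flow


def toy_target(data: bytes) -> frozenset:
    """Constructed target program; returns the set of edges one execution covers."""
    edges = {"entry"}
    if len(data) < 8:
        edges.add("short")
        return frozenset(edges)
    if data[0:2] == b"FZ":
        edges.add("magic")
        if data[2] & 0x80:
            edges.add("flag_hi")
        if data[3] & 0x0F == 0x0A:
            edges.add("ver")
            if data[4] > 200:
                edges.add("big_len")
    else:
        edges.add("bad_magic")
    return frozenset(edges)   # bytes 5.. are treated as payload and never branch


class Seed:
    def __init__(self, data: bytes, effective=()):
        self.data = bytes(data)
        self.effective = {p: 0 for p in effective}  # pos -> fruitless tries since success
        self.ineffective = {}                        # pos -> fruitless tries, never effective

    def region(self):
        """Sensitive region: a window around the effective positions."""
        n = len(self.data)
        if not self.effective:
            return 0, n - 1            # no evidence yet: the whole input
        return (max(0, min(self.effective) - MARGIN),
                min(n - 1, max(self.effective) + MARGIN))

    def pick_position(self, rng):
        if rng.random() < EXPLORE:    # keep a small budget for positions outside the region
            return rng.randrange(len(self.data))
        lo, hi = self.region()
        return rng.randint(lo, hi)

    def record(self, pos, new_path):
        """Adjust the effective/ineffective sets from the execution result."""
        if new_path:
            self.effective[pos] = 0              # region grows to cover pos
            self.ineffective.pop(pos, None)
        elif pos in self.effective:
            self.effective[pos] += 1
            if self.effective[pos] > STALE_LIMIT and len(self.effective) > 1:
                del self.effective[pos]          # exhausted: region shrinks around the rest
                self.ineffective[pos] = 0
        else:
            self.ineffective[pos] = self.ineffective.get(pos, 0) + 1


def fuzz(seed_data, iterations, rng_seed=1, adaptive=True):
    """Run the loop; returns (covered edges, seed queue, wasted-mutation fraction)."""
    rng = random.Random(rng_seed)
    covered = set(toy_target(seed_data))
    queue = [Seed(seed_data)]
    wasted = 0
    for it in range(iterations):
        seed = queue[it % len(queue)]             # round-robin seed selection (assumption)
        if adaptive:
            pos = seed.pick_position(rng)
        else:
            pos = rng.randrange(len(seed.data))   # plain random position as the baseline
        if pos >= INFLUENTIAL:
            wasted += 1                           # this position cannot reach a new path
        mutated = bytearray(seed.data)
        mutated[pos] = rng.randrange(256)
        edges = toy_target(bytes(mutated))
        new_path = not edges <= covered           # some edge not seen before
        if new_path:
            covered |= edges
            # the child inherits its parent's effective positions plus the one that worked
            queue.append(Seed(bytes(mutated), list(seed.effective) + [pos]))
        seed.record(pos, new_path)
    return covered, queue, wasted / iterations


if __name__ == "__main__":
    start = b"FZ" + bytes(14)                     # constructed initial seed
    for adaptive in (False, True):
        cov, queue, waste = fuzz(start, 20000, rng_seed=1, adaptive=adaptive)
        print(f"adaptive={adaptive}: {len(cov)} edges, {len(queue)} seeds, "
              f"{waste:.0%} of mutations outside the influential bytes")
```

Running the module prints one line per mode. The baseline spreads roughly 11/16 of its mutations over bytes that cannot change control flow, while the adaptive loop, once a single effective position is known, keeps most mutations inside the window around it and only the `EXPLORE` share outside. The `len(self.effective) > 1` guard in `record` keeps the window from collapsing back to the whole input once every known position is exhausted; in a real fuzzer the equivalent decision (when to trust the region and when to leave it) is what the adaptation has to get right.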

Keywords: fuzzing; adaptive algorithm; software vulnerability; code coverage; mutation

Classification code: TP393.08 (Automation and Computer Technology: Computer Application Technology)
