Affiliation: [1] School of Cyberspace Security, Information Engineering University, Zhengzhou 450001
Source: Computer Science, 2024, No. 12, pp. 71-78 (8 pages)
Funding: Henan Province Major Science and Technology Project (221100240100).
Abstract: Network protocol services, as the interface through which personal devices interact with the Internet, have vulnerabilities that seriously threaten users' privacy and information security. State-of-the-art grey-box fuzzers for network protocols add state feedback on top of code coverage: by analysing the state information of the protocol service, they further select effective mutated seeds. However, different fuzzers define the state of a network protocol service differently; for example, AFLNET extracts state by analysing the contents of server response packets, while StateAFL defines long-lived memory as program state. For state collection, SGFuzz analyses Enum type definitions to identify assignment statements to state variables and instruments them. However, SGFuzz cannot identify indirect assignment statements to state variables, so its identification of state variables is incomplete. Moreover, when building state machines, different fuzzing techniques define state-machine nodes differently, which makes it hard to use several state-collection strategies together in one fuzzer. In addition, in experimental design, existing work tends to compare the code coverage reached within the same amount of time. But code-coverage growth is affected by many factors, such as throughput and seed-selection strategy. Same-time code-coverage experiments are suited to comparing different fuzzers with each other, not to evaluating an improvement to a single module within one. To address these problems, this paper proposes SSFuzz. Specifically, SSFuzz studies a state-variable-based instrumentation approach that uses abstract syntax tree information produced during compilation to identify indirect assignments to state variables, so that state-variable assignment statements can be instrumented more precisely. Second, SSFuzz defines the state machine used to guide state-based seed selection, which helps different state-feedback strategies build a state machine jointly. Experimental results show that SSFuzz can instrument most network protocol services and, compared with SGFuzz, can also instrument indirect assignment statements. Furthermore, the paper discusses an experimental method suitable for evaluating the effectiveness of the state machine and shows that SSFuzz reaches higher path coverage with fewer test cases.
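The following is an added illustration, not code from the paper or from SSFuzz/SGFuzz, of why the distinction between direct and indirect assignments to an Enum-typed state variable matters for the state machine a state-feedback fuzzer builds. The protocol states, the `struct conn` service and the session replay are constructed, and the hook calls stand in by hand for what a compile-time instrumentation pass would insert.

```c
#include <string.h>

/* Constructed toy protocol states (hypothetical, not from any real service). */
enum conn_state { S_INIT = 0, S_AUTH, S_READY, S_CLOSED, S_COUNT };
struct conn { enum conn_state state; };

/* Observed state machine: edges[from][to] counts transitions recorded by the
 * hook; a state-feedback fuzzer would use these edges to rank seeds. */
static int edges[S_COUNT][S_COUNT];
static enum conn_state last_seen;

/* Hook that a compile-time pass inserts after each identified assignment. */
static void hook_state(enum conn_state now) {
    edges[last_seen][now]++;
    last_seen = now;
}

/* Direct assignment to an Enum-typed member: a scan of assignment statements
 * whose target has Enum type finds it, so it is instrumented in both modes. */
static void on_login(struct conn *c) {
    c->state = S_AUTH;
    hook_state(c->state);
}

/* Indirect assignment: the state variable is written through a pointer. The
 * store is only instrumented when the pass resolves the pointee's Enum type. */
static void set_state(enum conn_state *p, enum conn_state v, int track_indirect) {
    *p = v;
    if (track_indirect) hook_state(*p);
}

/* Replay a constructed session and return how many distinct transitions the
 * chosen instrumentation strategy observed. */
int observed_edges(int track_indirect) {
    struct conn c = { S_INIT };
    memset(edges, 0, sizeof edges);
    last_seen = S_INIT;
    on_login(&c);                                  /* INIT  -> AUTH   */
    set_state(&c.state, S_READY, track_indirect);  /* AUTH  -> READY  */
    set_state(&c.state, S_READY, track_indirect);  /* READY -> READY  */
    set_state(&c.state, S_CLOSED, track_indirect); /* READY -> CLOSED */
    int n = 0;
    for (int i = 0; i < S_COUNT; i++)
        for (int j = 0; j < S_COUNT; j++)
            n += edges[i][j] > 0;
    return n;   /* 1 with direct-only hooks, 4 when indirect stores are hooked */
}
```

With only direct assignments hooked, three of the four transitions never reach the state machine, so seeds that exercise them cannot be preferred.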
CLC number: TP309.1 [Automation and Computer Technology: Computer System Architecture]