【打印本页】      【下载PDF全文】   查看/发表评论  下载PDF阅读器  关闭
←前一篇|后一篇→ 过刊浏览    高级检索
本文已被:浏览 2922次   下载 2982 本文二维码信息
码上扫一扫!
SiCsFuzzer: 基于稀疏插桩的闭源软件模糊测试方法
刘丽艳,李丰,邹燕燕,周建华,朴爱花,刘峰,霍玮
分享到: 微信 更多
(中国科学院信息工程研究所信息安全国家重点实验室, 北京 中国 100093;中国科学院大学网络空间安全学院, 北京 中国 100049;中国科学院信息工程研究所, 北京 中国 100093;中国科学院网络测评技术重点实验室, 北京 中国 100195;网络安全防护技术北京市重点实验室, 北京 中国 100195;中国科学院信息工程研究所, 北京 中国 100093;中国科学院网络测评技术重点实验室, 北京 中国 100195;网络安全防护技术北京市重点实验室, 北京 中国 100195;中国科学院大学网络空间安全学院, 北京 中国 100049)
摘要:
传统的基于覆盖率反馈的模糊测试工具通过跟踪代码覆盖率来指导测试用例的变异,从而发现目标程序中潜在的漏洞。但在闭源软件的模糊测试过程中,跟踪覆盖率不仅带来额外的开销,而且在模糊测试开销中占据主导。本文通过对Windows平台闭源软件模糊测试开销的剖析,锁定其中两个主要来源,插桩开销和“预热”开销。基于上述分析,提出了一种基于稀疏插桩跟踪的模糊测试方法,在不影响覆盖率计算精度的前提下,采用基于稀疏插桩的跟踪策略,仅对目标程序中覆盖率不可推导的基本块或分支进行插桩跟踪,并根据跟踪结果推导其余基本块或分支的被覆盖情况;同时结合“预热”优化,避免因动态插桩平台反复启动以及对目标程序代码的重复翻译所引入的时间开销。基于上述方法实现的原型工具SiCsFuzzer,在Windows平台9个规模在286KB~19.3MB,类型涉及图片处理、视频处理、文件压缩、加密和文档处理等类型应用所组成的测试集上,跟踪覆盖率引入的额外开销为程序正常执行时间的1.1倍,比传统的基于覆盖率反馈的模糊测试工具快3倍,并发现PDFtk和XnView程序最新版本中的未知漏洞各1个。
关键词:  基于覆盖率反馈的模糊测试  基于稀疏插桩的跟踪方法  “预热”优化
DOI:10.19363/J.cnki.cn10-1380/tn.2022.07.05
投稿时间:2019-12-24修订日期:2020-03-10
基金项目:本课题得到国家自然基金(No.U1836209,No.61602470)和重点研发计划(No.2016QY071405)资助。
SiCsFuzzer: A Sparse-instrumentation-based Fuzzing Platform for Closed Source Software
LIU Liyan,LI Feng,ZOU Yanyan,ZHOU Jianhua,PIAO Aihua,LIU Feng,HUO Wei
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Science, Beijing 100093, China.;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences Beijing 100195, China;Beijing Key Laboratory of Network security and Protection Technology, Beijing 100195, China;Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences Beijing 100195, China;Beijing Key Laboratory of Network security and Protection Technology, Beijing 100195, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Abstract:
Traditional coverage-guided fuzzing tools use code coverage tracing to guide test case mutation so that they could explore previously unseen code regions and trigger potential vulnerabilities in them more efficiently. However, during the fuzzing process of a close source software, code coverage tracing is time consuming and it is a dominant source of overhead. In this paper, we made a detailed analysis of the overhead of the coverage-guided fuzzing and our analysis shows that the overhead mainly comes from two parts: (1) the time spent on program instrumentation and (2) the expense incurred by “warm-up”. Based on the observation, we propose a sparse-instrumentation-based fuzzing approach which leverages a sparse-instrumentation-based tracing strategy without sacrificing the accuracy of coverage computing during fuzzing. The key idea of our approach is instrumenting only blocks or edges whose coverage cannot be implied by others and using their coverage to imply whether those un-instrumented blocks are executed or not. We also implement a warm-up optimal to discard the time cost of re-initializing the dynamic binary instrumentation framework and that of re-generating the same code snippet of the target program during fuzzing. We implement a prototype tool SiCsFuzzer based on the above approach. Evaluation shows that for nine real-world closed source binaries on Windows varying in size from 286KB to 19.3MB and types involving image processing, audio processing, data archiving, cryptography and document processing, SiCsFuzzer incurs an average overhead of 1.1 times compared to native execution, which is 3 times faster than traditional coverage-guided fuzzing tools and found a vulnerability in the latest versions of Windows platform close source software PDFtk and XnView, respectively.
Key words:  coverage-guided fuzzing  sparse-instrumentation-based tracing  warm-up optimization