Abstract:
Fuzzing is one of the effective methods for discovering software vulnerabilities, thanks to its high degree of automation, good reproducibility and easy extensibility. To address its inherent blindness and inefficiency, a number of advanced grey-box fuzzing methods have been proposed and applied in tools such as AFL, AFLFast and Vuzzer. With the development of high-performance chips and cloud computing, fuzzing can make full use of the abundant parallel computing capacity they offer and further raise the overall test efficiency per unit time through multi-instance parallelism; typical representatives are the multi-core parallel method proposed by Xu et al. and Google's ClusterFuzz. However, existing parallel fuzzing methods lack effective control over the test-case generation of the different test instances, so the malformed samples they generate are highly redundant and the overall test coverage is low. To address this problem, this paper proposes a scheme that effectively controls the fuzzing process across multiple test instances: it parallelizes with the mutation strategy as the basic granularity, periodically synchronizes the effective malformed samples between test instances and optimizes the application ratio of the mutation strategies, thereby reducing test redundancy between instances and raising overall coverage. We implemented a mutation-strategy-aware parallel fuzzing framework using AFL as the base fuzzer; experiments on 5 open-source programs and the LAVA-M benchmark show that, in the same test time, our method improves target coverage by up to 132% over AFL's default scheduling and increases the number of anomalies found by up to more than 50 times.
Keywords: fuzzing; vulnerability discovery; mutation strategy; parallelization; coverage
DOI: 10.19363/J.cnki.cn10-1380/tn.2020.09.01
Received: August 27, 2018; Revised: January 25, 2019
Funding: This work was supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences and the Beijing Key Laboratory of Network Security and Protection Technology; by the Key Laboratory Fund of the Chinese Academy of Sciences (No. CXJJ-17S049); and by the National Key Research and Development Program of China (No. 2016QY071405).
|
Research on Mutator Strategy-aware Parallel Fuzzing |
ZOU Yanyan, ZOU Wei, YIN Jiawei, HUO Wei, YANG Meifang, SUN Dandan, SHI Ji
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Abstract:
Fuzzing has become one of the most effective methods for mining software vulnerabilities due to its high degree of automation, high reproducibility, and good scalability. To address its inherent test blindness and inefficiency, a number of advanced grey-box fuzzing approaches have been proposed and applied in AFL, AFLFast, Vuzzer and other tools. With the development of high-performance chips and cloud computing technologies, fuzz testing can make full use of the rich parallel computing capabilities contained therein and further improve test efficiency through multi-instance parallelism. Typical representatives are Xu's multi-core parallel fuzzing method and Google's ClusterFuzz. However, existing parallel fuzzing methods suffer from a high repetition rate among the generated malformed samples and low overall test coverage, because there is no effective control among the different instances. Aiming at this problem, we first propose a scheme for effectively controlling the fuzz testing process among multiple instances. It parallelizes with the mutation strategy as the basic granularity, regularly synchronizes the effective samples between different instances and optimizes the application ratio of the mutation strategies, which reduces test repetition between instances and improves the coverage rate. We design and implement a parallel fuzzing framework that leverages AFL as the basic fuzzer; evaluations using 5 popular applications and the LAVA-M dataset show that, compared to default parallel fuzzing, our framework improves the test coverage rate by up to 132%, and the number of crashes triggered increases by as much as 50 times.
Key words: fuzz testing; vulnerability mining; mutator strategy; parallelization; coverage
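The abstract describes a controller that periodically merges the effective samples of all instances and re-weights how often each mutation strategy is applied. The following added example (not the paper's code) simulates one such sync round; the strategy names follow AFL's mutation stages, while the scoring rule (new edges per mutation), the starvation floor and the apportionment are assumptions of this example, not details given by the paper.

```python
import hashlib
from collections import defaultdict

# Constructed example: strategies named after AFL's mutation stages; the
# scoring rule and floor are assumptions, not taken from the paper.
STRATEGIES = ["bitflip", "arith", "interest", "havoc"]
MIN_RATIO = 0.05  # floor so a currently unproductive strategy is never starved


def cov_key(edges):
    """Hash the covered-edge set so samples with identical coverage are deduplicated."""
    return hashlib.sha1(",".join(map(str, sorted(edges))).encode()).hexdigest()


class SyncController:
    """Merges effective samples once per sync period and re-weights the mutation strategies."""

    def __init__(self):
        self.global_edges = set()   # union of coverage seen by any instance
        self.shared_queue = {}      # cov_key -> sample bytes
        self.ratio = {s: 1.0 / len(STRATEGIES) for s in STRATEGIES}

    def sync(self, reports):
        """reports: [(strategy, mutations_run, [(sample, edges), ...]), ...]; returns new ratio."""
        gain, runs = defaultdict(int), defaultdict(int)
        for strategy, mutations_run, samples in reports:
            runs[strategy] += mutations_run
            for sample, edges in samples:
                new = set(edges) - self.global_edges
                if new:  # drop redundant samples whose coverage was already reached elsewhere
                    self.global_edges |= new
                    self.shared_queue[cov_key(edges)] = sample
                    gain[strategy] += len(new)
        # effectiveness = new edges per mutation; each strategy's share is proportional to it
        eff = {s: gain[s] / runs[s] if runs[s] else 0.0 for s in STRATEGIES}
        total = sum(eff.values())
        raw = {s: (eff[s] / total if total else 1.0 / len(STRATEGIES)) for s in STRATEGIES}
        floored = {s: max(MIN_RATIO, r) for s, r in raw.items()}
        norm = sum(floored.values())
        self.ratio = {s: r / norm for s, r in floored.items()}
        return dict(self.ratio)

    def assign(self, n_instances):
        """Give each of n_instances a strategy in proportion to the ratio (largest remainder)."""
        quota = {s: self.ratio[s] * n_instances for s in STRATEGIES}
        counts = {s: int(q) for s, q in quota.items()}
        for s in sorted(STRATEGIES, key=lambda s: quota[s] - counts[s], reverse=True):
            if sum(counts.values()) >= n_instances:
                break
            counts[s] += 1
        return [s for s in STRATEGIES for _ in range(counts[s])]
```

A sample reported by a second instance with coverage already in `global_edges` is dropped as redundant, which is exactly the duplication the abstract attributes to uncontrolled parallel instances.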