Journal of Computer Applications ›› 2019, Vol. 39 ›› Issue (5): 1389-1393. DOI: 10.11772/j.issn.1001-9081.2018102194

• Cyberspace security •

Directed fuzzing method for binary programs

ZHANG Hanfang1, ZHOU Anmin1, JIA Peng2, LIU Luping2, LIU Liang1

  1. College of Cybersecurity, Sichuan University, Chengdu Sichuan 610065, China;
  2. College of Electronics and Information Engineering, Sichuan University, Chengdu Sichuan 610065, China
  • Received: 2018-10-31 Revised: 2018-12-12 Online: 2019-05-10 Published: 2019-05-14
  • Corresponding author: LIU Liang
  • About the authors: ZHANG Hanfang (born 1996), female, from Bijie, Guizhou, master's student, research interests: mobile security, vulnerability discovery; ZHOU Anmin (born 1963), male, from Chengdu, Sichuan, research fellow, research interests: security defense management, mobile Internet security; JIA Peng (born 1988), male, from Zhengzhou, Henan, Ph.D. candidate, research interests: complex networks, binary security; LIU Luping (born 1988), male, from Hongya, Sichuan, Ph.D. candidate, research interests: binary security, vulnerability discovery; LIU Liang (born 1982), male, from Chengdu, Sichuan, lecturer, master's degree, research interests: vulnerability discovery, malicious code analysis.
  • Supported by:
    This work is partially supported by the National Key Research and Development Program of China (2017YFB0802900), the CCF-Venustech Hongyan Scientific Research Program (CCF-VenustechRP2017002).

Abstract: To address the problems that mutation in current fuzzing is somewhat blind and that most samples generated by mutation pass through the same high-frequency paths, a binary fuzzing method based on lightweight program analysis was proposed and implemented. Firstly, the target binary program was statically analyzed to filter out the comparison instructions that hinder sample files from penetrating deep into the program during fuzzing. Secondly, the target binary program was instrumented to obtain the concrete values of the operands of those comparison instructions; from these values, real-time comparison progress information was established for each comparison instruction, and the importance of each sample was measured by its comparison progress. Thirdly, the real-time path coverage information gathered during fuzzing was used to increase the probability that samples passing through rare paths were selected for mutation. Finally, the input files were mutated in a directed manner using the comparison progress information combined with a heuristic strategy, improving the efficiency of generating valid inputs that can bypass the comparison checks in the program. The experimental results show that the proposed method outperforms the current binary fuzzing tool AFL-Dyninst both in finding crashes and in discovering new paths.

Key words: directed fuzzing, feedback fuzzing, binary fuzzing, program instrumentation, vulnerability mining
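
A minimal sketch of the comparison-progress feedback described in the abstract, as an added example that is not code from the paper. The target function, the 4-byte magic value, and the progress metric (count of operand bytes already equal) are constructed assumptions; the paper's actual metric and mutation heuristics are not given on this page.

```python
import random

MAGIC = b"FUZZ"  # constructed 4-byte check standing in for a blocking comparison

def target(data: bytes):
    """Constructed target. Returns (reached_deep_code, cmp_operands), the
    operand values that instrumentation of the comparison would report."""
    observed = data[:4].ljust(4, b"\x00")
    return observed == MAGIC, (observed, MAGIC)

def progress(operands) -> int:
    """Assumed progress metric: number of operand bytes that already match."""
    a, b = operands
    return sum(x == y for x, y in zip(a, b))

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Blind single-byte mutation, the same operator in both modes."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(seed: bytes, guided: bool, budget: int, rng_seed: int = 1):
    """Return the number of executions needed to pass the check, or None.

    guided=False models coverage-only feedback: the whole comparison is one
    branch, so partial matches add no coverage and the seed is never replaced.
    guided=True keeps any input whose comparison progress improved.
    """
    rng = random.Random(rng_seed)
    best, best_score = seed, progress(target(seed)[1])
    for execs in range(1, budget + 1):
        cand = mutate(best, rng)
        hit, operands = target(cand)
        if hit:
            return execs
        score = progress(operands)
        if guided and score > best_score:
            best, best_score = cand, score  # sample became more important
    return None

if __name__ == "__main__":
    seed = b"\x00" * 8  # constructed seed input
    print("coverage-only:", fuzz(seed, guided=False, budget=20000))
    print("progress-guided:", fuzz(seed, guided=True, budget=200000))
```
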

CLC Number: