Journal of Computer Applications (《计算机应用》), 2024, Vol. 44, Issue 8: 2528-2535. DOI: 10.11772/j.issn.1001-9081.2023081177

• Computer Software Technology •

Coverage-guided fuzzing based on adaptive sensitive region mutation

Hang XU, Zhi YANG, Xingyuan CHEN, Bing HAN, Xuehui DU

  1. School of Cryptographic Engineering, Strategic Support Force Information Engineering University, Zhengzhou 450004, China
  • Received: 2023-08-31 Revised: 2023-10-23 Accepted: 2023-11-14 Online: 2024-08-22 Published: 2024-08-10
  • Contact: Zhi YANG
  • About the authors: XU Hang, born in 1999, male, from Xinyang, Henan, M. S. candidate. His research interests include software security analysis.
    YANG Zhi, born in 1975, male, from Kaifeng, Henan, Ph. D., associate professor. His research interests include operating system security, cloud computing security and privacy protection. E-mail: zynoah@163.com
    CHEN Xingyuan, born in 1963, male, from Wuwei, Anhui, Ph. D., professor. His research interests include network and information security.
    HAN Bing, born in 1978, female, from Minquan, Henan, Ph. D., lecturer. Her research interests include cyberspace information management and evaluation.
    DU Xuehui, born in 1968, female, from Xinxiang, Henan, Ph. D., professor. Her research interests include spatial information networks and cloud computing security.
  • Supported by:
    National Natural Science Foundation of China (62176265)

Coverage-guided fuzzing based on adaptive sensitive region mutation

Hang XU, Zhi YANG, Xingyuan CHEN, Bing HAN, Xuehui DU

  1. School of Cryptographic Engineering, Strategic Support Force Information Engineering University, Zhengzhou, Henan 450004, China
  • Received: 2023-08-31 Revised: 2023-10-23 Accepted: 2023-11-14 Online: 2024-08-22 Published: 2024-08-10
  • Contact: Zhi YANG
  • About the authors: XU Hang, born in 1999, M. S. candidate. His research interests include software security analysis.
    CHEN Xingyuan, born in 1963, Ph. D., professor. His research interests include network and information security.
    HAN Bing, born in 1978, Ph. D., lecturer. Her research interests include cyberspace information management and evaluation.
    DU Xuehui, born in 1968, Ph. D., professor. Her research interests include spatial information networks and cloud computing security.
  • Supported by:
    National Natural Science Foundation of China (62176265)

Abstract (translated from the Chinese):

To address the large number of invalid mutations in coverage-guided fuzzing (CGF) and the performance they waste, an adaptive sensitive region mutation algorithm is proposed. First, mutation positions are divided into an effective set and an invalid set according to whether the mutated test case executes a new path; then a sensitive region is determined from the effective mutation positions, and subsequent mutations are concentrated within it. During later fuzzing, the sensitive region of the corresponding seed is adjusted adaptively according to the execution results of its test cases, reducing invalid mutations. In addition, a new seed selection strategy is designed to work together with sensitive region mutation. The adaptive sensitive region algorithm was integrated into American Fuzzy Lop (AFL) and named SMAFL (Sensitive-region-based Mutation American Fuzzy Lop). SMAFL was evaluated on 12 popular applications; the results show that, compared with AFL and starting from one initial seed, SMAFL found 31.4% more paths on average and increased the number of fuzzing iterations by 3.4 times, and it achieved higher code coverage on all 12 programs. On the LAVA-M dataset, SMAFL found 2 more bugs than AFL and found the same bugs in less time. Overall, the adaptive sensitive region mutation algorithm improves the exploration efficiency of fuzzers.

Key words: fuzzing, adaptive algorithm, software vulnerability, code coverage, mutation

Abstract:

To address the large number of invalid mutations in Coverage-Guided Fuzzing (CGF) and the performance they waste, an adaptive sensitive region mutation algorithm was proposed. Firstly, the mutation locations were divided into an effective mutation location set and an invalid mutation location set according to whether the mutated test case executed a new path. Then, the sensitive region was determined based on the effective mutation locations, and subsequent mutations were concentrated in the sensitive region. In the subsequent fuzzing process, the sensitive region of the corresponding seed was adjusted adaptively according to the execution results of the test cases, so as to reduce invalid mutations. In addition, a new seed selection strategy was designed to assist the sensitive region mutation algorithm. The adaptive sensitive region mutation algorithm was integrated into American Fuzzy Lop (AFL) to form Sensitive-region-based Mutation American Fuzzy Lop (SMAFL). SMAFL was evaluated on 12 popular applications, and the experimental results showed that, compared with AFL with one initial seed, SMAFL found 31.4% more paths on average, increased the number of fuzzing iterations by 3.4 times, and achieved higher code coverage across all 12 programs. In testing on the LAVA-M dataset, SMAFL found 2 more bugs than AFL, and found the same bugs in a shorter time. Overall, the adaptive sensitive region mutation algorithm can improve the exploration efficiency of fuzzers.

Key words: fuzzing, adaptive algorithm, software vulnerability, code coverage, mutation
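The effective/invalid bookkeeping and sensitive-region adjustment described in both abstracts, as an added toy simulation that is not the paper's SMAFL code: the target program, the region rule (smallest span over effective positions plus a margin), and a child seed inheriting a region derived from its parent are all constructed assumptions, since the page does not give the paper's exact rules. The baseline that always mutates the whole input stands in for plain AFL.

```python
from dataclasses import dataclass, field

def toy_target(data: bytes) -> frozenset:
    """Constructed stand-in for an instrumented program: the returned edge ids play the role of
    AFL's coverage bitmap. Only bytes 5, 6, 7 steer control flow (nested magic-byte checks)."""
    edges = {0}
    if data[5] == 0x7F:
        edges.add(1)
        if data[6] == ord("Z"):
            edges.add(2)
            if data[7] > 0xF0:
                edges.add(3)
    return frozenset(edges)

@dataclass
class Seed:
    data: bytes
    region: range                                 # where this seed's mutations are concentrated
    effective: set = field(default_factory=set)   # positions whose mutation executed a new path
    invalid: set = field(default_factory=set)     # positions whose mutations never did

def sensitive_region(effective: set, length: int, margin: int) -> range:
    """Span covering all effective positions plus `margin` bytes on each side (our assumption;
    the page does not give the paper's exact rule). No effective positions: keep the whole input."""
    if not effective:
        return range(length)
    return range(max(0, min(effective) - margin), min(length, max(effective) + margin + 1))

def fuzz(initial: bytes, adaptive: bool, margin: int = 1) -> tuple[int, int]:
    """One byte-replacement stage per queued seed (queue grows as paths are found); returns (execs, edges)."""
    coverage = set(toy_target(initial))
    queue, execs = [Seed(initial, range(len(initial)))], 0
    for seed in queue:
        for pos in seed.region:
            for value in range(256):
                if value == seed.data[pos]:
                    continue                       # identity mutation, nothing to execute
                mutated = seed.data[:pos] + bytes([value]) + seed.data[pos + 1:]
                edges, execs = toy_target(mutated), execs + 1
                if edges <= coverage:              # no new path: position counts as invalid
                    if pos not in seed.effective:
                        seed.invalid.add(pos)
                    continue
                coverage |= edges
                seed.effective.add(pos)
                seed.invalid.discard(pos)
                # Child region derived from the parent's effective positions (assumption); baseline: whole input
                child_region = sensitive_region(seed.effective, len(initial), margin) if adaptive else range(len(initial))
                queue.append(Seed(mutated, child_region))
        if adaptive:                                # adjust this seed's own region for later rounds
            seed.region = sensitive_region(seed.effective, len(initial), margin)
    return execs, len(coverage)
```

On this toy, the adaptive run reaches all four edges in 6375 executions against 16320 for the whole-input baseline, but with margin 0 it stalls at two edges because the next sensitive byte lies just outside the region; the margin is where the adaptive adjustment has to earn its keep.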

CLC number: