面向嵌套分支突破的推断与污点分析融合的方法

doi:10.11772/j.issn.1001-9081.2023121738

《计算机应用》唯一官方网站 ›› 2024, Vol. 44 ›› Issue (12): 3823-3830.DOI: 10.11772/j.issn.1001-9081.2023121738

面向嵌套分支突破的推断与污点分析融合的方法

蔡锦辉, 尹中旭(), 宗国笑, 李俊儒

信息工程大学网络空间安全学院，郑州 450001

收稿日期:2023-12-18 修回日期:2024-04-07 接受日期:2024-04-08 发布日期:2024-04-28 出版日期:2024-12-10
通讯作者: 尹中旭
作者简介:蔡锦辉（1998—），男，河南信阳人，硕士研究生，主要研究方向：网络空间安全
宗国笑（1995—），男，河南郑州人，硕士，主要研究方向：网络空间安全
李俊儒（1999—），男，河南新密人，硕士研究生，主要研究方向：网络空间安全。
基金资助:
河南省重点研发专项(221111210300)

Integrated method of inference and taint analysis for nested branch breakthrough

Jinhui CAI, Zhongxu YIN(), Guoxiao ZONG, Junru LI

School of Cyberspace Security，Information Engineering University，Zhengzhou Henan 450001，China

Received:2023-12-18 Revised:2024-04-07 Accepted:2024-04-08 Online:2024-04-28 Published:2024-12-10
Contact: Zhongxu YIN
About author:CAI Jinhui， born in 1998， M. S. candidate. His research interests include cyberspace security.
ZONG Guoxiao， born in 1995， M. S. His research interests include cyberspace security.
LI Junru， born in 1999， M. S. candidate. His research interests include cyberspace security.
Supported by:
Key Research and Development Project in Henan Province(221111210300)

摘要/Abstract

摘要：

针对当前基于污点推断的模糊测试主要集中于目标代码块内单一代码分支的分析，而未充分考虑上下文分支间的关联关系，导致面对嵌套分支时对代码分支相关字节位置推断不够精确的问题，提出一种面向嵌套分支突破的推断与污点分析融合的方法。首先，利用阶段覆盖信息评估需要突破的障碍点，并根据测试用例执行时障碍点的覆盖信息评估障碍点的优先级，从而聚焦更有潜力的测试用例；其次，优化污点推断算法，即结合控制流信息更精确地推断嵌套分支相关输入字节的位置，并重用前序分支推断信息以提升推断速度；最后，对推断出的障碍点相关位置进行轻量级的污点分析以指导变异过程，从而避免随机变异导致的嵌套分支不可达问题。在6个流行的应用中评估原型工具DTFuzz。实验结果表明，DTFuzz的节点覆盖率比现有模糊测试工具REDQUEEN平均提高了9.85%，并且DTFuzz发现了5个未知漏洞；同时，DTFuzz不同模块的节点覆盖率相较于基准工具均有所提高，最高提高了29.23%。可见，所提方法能有效突破复杂嵌套分支并实现测试覆盖率的提升，提升漏洞挖掘的效率。

关键词: 模糊测试, 污点推断, 污点分析, 程序插桩, 漏洞挖掘

Abstract:

In view of the problem that the current fuzzing based on taint inference mainly focuses on the analysis of a single code branch in the target code block， but does not fully consider the correlation between context branches， which leads to the inaccurate inference of the relevant byte position of the code branch in the face of nested branches， an integrated method of inference and taint analysis for nested branch breakthrough was proposed. Firstly， the stage coverage information was used to evaluate the obstacle points that needed to be broken， and the priorities of the obstacle points were evaluated according to the coverage information of the obstacle points during the execution of the test cases， so as to focus on the test cases with more potential. Secondly， the taint inference algorithm was optimized， which meant that combined with the control flow information， the position of input bytes related to the nested branch were inferred more accurately， and the pre-order branch inference information was reused to speed up the inference. Finally， a lightweight taint analysis was performed to the inferred obstacle point related positions to guide the mutation process， so as to avoid the nested branch unreachable problem caused by random mutation. The prototyping tool DTFuzz was evaluated in 6 popular applications. Experimental results show that DTFuzz's node coverage rate is 9.85% higher than that of the existing fuzzing tools REDQUEEN averagely， and 5 unknown vulnerabilities are found by this tool. At the same time， compared with the benchmark tool， all of different modules have the coverage rate improved， and the highest improvement is 29.23%. It can be seen that the proposed method can breakthrough the complex nested branches effectively and improve the test coverage rate， as well as improves the efficiency of vulnerability mining.

Key words: fuzzing, taint inference, taint analysis, program instrumentation, vulnerability mining

中图分类号:

TP311

蔡锦辉, 尹中旭, 宗国笑, 李俊儒. 面向嵌套分支突破的推断与污点分析融合的方法[J]. 计算机应用, 2024, 44(12): 3823-3830.

Jinhui CAI, Zhongxu YIN, Guoxiao ZONG, Junru LI. Integrated method of inference and taint analysis for nested branch breakthrough[J]. Journal of Computer Applications, 2024, 44(12): 3823-3830.

图/表 9

参考文献 25

1	SHI J， WANG Z， FENG Z， et al. AIFORE： smart fuzzing based on automatic input format reverse engineering ［C］// Proceedings of the 32nd USENIX Security Symposium. Berkeley： USENIX Association， 2023： 4967-4984.
2	ZHANG G， WANG P， YUE T， et al. MobFuzz： adaptive multi-objective optimization in gray-box fuzzing ［C］// Proceedings of the 2022 Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2022： 1-18.
3	SHE D， SHAH A， JANA S. Effective seed scheduling for fuzzing with graph centrality analysis ［C］// Proceedings of the 2022 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2022： 2194-2211.
4	BUNDT J， FASANO A， DOLAN-GAVITT B， et al. Homo in Machina： improving fuzz testing coverage via compartment analysis［C］// Proceedings of the 2023 IEEE Conference on Software Testing， Verification and Validation. Piscataway： IEEE， 2023： 117-128.
5	ZALEWSKI M. American fuzzy lop （2.52b）［EB/OL］. ［2022-01- 13］..
6	GAN S， ZHANG C， QIN X， et al. CollAFL： path sensitive fuzzing［C］// Proceedings of the 2018 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2018： 679-696.
7	GAN S， ZHANG C， CHEN P， et al. GREYONE： data flow sensitive fuzzing ［C］// Proceedings of the 29th USENIX Security Symposium. Berkeley： USENIX Association， 2020： 2577-2594.
8	NIKOLIĆ I， MANTU R， SHEN S， et al. Refined grey-box fuzzing with SIVO ［C］// Proceedings of the 2021 International Conference on Detection of Intrusions and Malware， and Vulnerability Assessment International Conference， LNCS 12756. Cham： Springer， 2021： 106-129.
9	ASCHERMANN C， SCHUMILO S， BLAZYTKO T， et al. REDQUEEN： fuzzing with input-to-state correspondence［C］// Proceedings of the 2019 Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2019： 1-15.
10	LIANG J， WANG M， ZHOU C， et al. PATA： fuzzing with path aware taint analysis［C］// Proceedings of the 2022 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2022： 1-17.
11	LUK C K， COHN R， MUTH R， et al. Pin： building customized program analysis tools with dynamic instrumentation［J］. ACM SIGPLAN Notices， 2005， 40（6）： 190-200.
12	KEMERLIS V P， PORTOKALIDIS G， JEE K， et al. libdft： practical dynamic data flow tracking for commodity systems ［J］. ACM SIGPLAN Notices， 2012， 47（7）： 121-132.
13	RAWAT S， JAIN V， KUMAR A， et al. VUzzer： application-aware evolutionary fuzzing ［C］// Proceedings of the 24th Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2017： 1-14.
14	DENG P， YANG Z， ZHANG L， et al. NestFuzz： enhancing fuzzing with comprehensive understanding of input processing logic［C］// Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2023： 1272-1286.
15	CHEN P， CHEN H. Angora： efficient fuzzing by principled search［C］// Proceedings of the 2018 IEEE Symposium on Security and Privacy.Piscataway： IEEE， 2018： 711-725.
16	SHI J， ZOU W， ZHANG C， et al. CAMFuzz： explainable fuzzing with local interpretation ［J］. Cybersecurity， 2022， 5： No.17.
17	倪萍，陈伟. 基于模糊测试的反射型跨站脚本漏洞检测［J］. 计算机应用， 2021， 41（9）： 2594-2601.
	NI P， CHEN W. Reflective cross-site scripting vulnerability detection based on fuzzing test ［J］. Journal of Computer Applications， 2021， 41（9）： 2594-2601.
18	庄园，曹文芳，孙国凯，等. 基于生成对抗网络与变异策略结合的网络协议漏洞挖掘方法［J］. 计算机科学， 2023， 50（9）： 44-51.
	ZHUANG Y， CAO W F， SUN G K， et al. Network protocol vulnerability mining method based on the combination of generative adversarial network and mutation strategy［J］. Computer Science， 2023， 50（9）： 44-51.
19	QIN S， HU F， MA Z， et al. NSFuzz： towards efficient and state-aware network service fuzzing［J］. ACM Transactions on Software Engineering and Methodology， 2023， 32（6）： No.160.
20	ZHAO B， LI Z， QIN S， et al. StateFuzz： system call-based state-aware Linux driver fuzzing ［C］// Proceedings of the 31st USENIX Security Symposium. Berkeley： USENIX Association， 2022： 3273-3289.
21	LEMIEUX C， SEN K. FairFuzz： a targeted mutation strategy for increasing greybox fuzz testing coverage ［C］// Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. New York： ACM， 2018： 475-485.
22	WANG Y， JIA X， LIU Y， et al. Not all coverage measurements are equal： fuzzing by coverage accounting for input prioritization［C］// Proceedings of the 2020 Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2020： 1-17.
23	FIORALDI A， MAIER D， EIßFELDT H， et al. AFL++： combining incremental steps of fuzzing research ［C］// Proceedings of the 14th USENIX Workshop on Offensive Technologies. Berkeley： USENIX Association， 2020： 3273-3289.
24	DOLAN-GAVITT B， HULIN P， KIRDA E， et al. LAVA： large-scale automated vulnerability addition ［C］// Proceedings of the 2016 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2016： 110-121.
25	LATTNER C， ADVE V. LLVM： a compilation framework for lifelong program analysis & transformation ［C］// Proceedings of the 2004 International Symposium on Code Generation and Optimization. Piscataway： IEEE， 2004： 75-86.

输入格式	目标库	版本	程序&参数
pcap	tcpdump	4.99.3	tcpdump -nr @@
JPG	jhead	3.08	jhead @@
GIF	giflib	0.5	gif2tga @@
MP4	libde265	1.0.14	dec265 @@
JPEG	libjpeg	3.0.1	djpeg @@
ELF	objdump	2.40	objdump -x @@

输入格式	目标库	版本	程序&参数
pcap	tcpdump	4.99.3	tcpdump -nr @@
JPG	jhead	3.08	jhead @@
GIF	giflib	0.5	gif2tga @@
MP4	libde265	1.0.14	dec265 @@
JPEG	libjpeg	3.0.1	djpeg @@
ELF	objdump	2.40	objdump -x @@

程序	AFL	TortoiseFuzz	FairFuzz	Angora	REDQUEEN	DTFuzz	相较于REDQUEEN 增加百分比/%
tcpdump	25 304	26 533	26 253	30 501	31 432	33 729	7.31
jhead	1 161	1 160	1 172	1 207	1 198	1 216	0.75
giflib	1 633	1 753	1 805	1 821	1 935	2 050	5.94
libde265	3 633	4 002	3 742	3 802	3 824	4 096	7.11
libjpeg	3 361	3 543	3 526	3 745	4 556	5 910	29.72
objdump	7 232	7 801	7 938	8 182	8 327	9 016	8.27

程序	AFL	TortoiseFuzz	FairFuzz	Angora	REDQUEEN	DTFuzz	相较于REDQUEEN 增加百分比/%
tcpdump	25 304	26 533	26 253	30 501	31 432	33 729	7.31
jhead	1 161	1 160	1 172	1 207	1 198	1 216	0.75
giflib	1 633	1 753	1 805	1 821	1 935	2 050	5.94
libde265	3 633	4 002	3 742	3 802	3 824	4 096	7.11
libjpeg	3 361	3 543	3 526	3 745	4 556	5 910	29.72
objdump	7 232	7 801	7 938	8 182	8 327	9 016	8.27

程序	AFL	NS		TI		NS+TI		NS+TI+TA
程序	AFL	基本块数	增加百分比/%	基本块数	增加百分比/%	基本块数	增加百分比/%	基本块数	增加百分比/%
平均值			9.06		19.15		23.51		29.23
tcpdump	25 268	27 173	7.50	30 432	20.44	31 275	23.77	33 729	33.49
jhead	1 160	1 161	0.09	1 160	0.00	1 161	0.09	1 164	0.34
giflib	1 609	1 753	8.94	1 782	10.75	1 935	20.26	2 051	27.47
libde265	3 621	3 821	5.52	3 924	8.37	4 007	10.66	4 095	13.09
libjpeg	3 356	4 159	23.93	5 364	59.83	5 636	67.94	5 906	75.98
objdump	7 211	7 815	8.37	8 327	15.48	8 532	18.32	9 013	24.99

面向嵌套分支突破的推断与污点分析融合的方法

Integrated method of inference and taint analysis for nested branch breakthrough

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 25

相关文章 15

编辑推荐

Metrics

程序	AFL	TortoiseFuzz	REDQUEEN	Fairfuzz	VUzzer	Angora	DTFuzz
base64	3	4	48	47	17	48	48
md5sum	0	0	59	59	19	56	59
uniq	0	2	29	28	15	29	29
who	4	3	1 459	1 012	45	1 438	1 530

程序	AFL	DTFuzz
tcpdump	1 033.57	975.84
jhead	2 668.32	2 637.59
giflib	2 459.68	2 398.26
libde265	1 268.94	1 056.18
libjpeg	1 425.67	1 267.43
objdump	1 876.03	1 568.58

[1]	徐航, 杨智, 陈性元, 韩冰, 杜学绘. 基于自适应敏感区域变异的覆盖引导模糊测试[J]. 《计算机应用》唯一官方网站, 2024, 44(8): 2528-2535.
[2]	刘羿希, 何俊, 吴波, 刘丙童, 李子玉. DevSecOps中软件安全性测试技术综述[J]. 《计算机应用》唯一官方网站, 2024, 44(11): 3470-3478.
[3]	刘吉会, 何成万. 基于ECA规则和动态污点分析的SQL注入攻击在线检测[J]. 《计算机应用》唯一官方网站, 2023, 43(5): 1534-1542.
[4]	倪萍, 陈伟. 基于模糊测试的反射型跨站脚本漏洞检测[J]. 计算机应用, 2021, 41(9): 2594-2601.
[5]	任玉柱, 张有为, 艾成炜. 污点分析技术研究综述[J]. 计算机应用, 2019, 39(8): 2302-2309.
[6]	付梦琳, 吴礼发, 洪征, 冯文博. 智能合约安全漏洞挖掘技术研究[J]. 计算机应用, 2019, 39(7): 1959-1966.
[7]	张瀚方, 周安民, 贾鹏, 刘露平, 刘亮. 面向二进制程序的导向性模糊测试方法[J]. 计算机应用, 2019, 39(5): 1389-1393.
[8]	秦彪, 郭帆, 涂风涛. 面向Android应用的静态污点分析结果的正确性验证[J]. 计算机应用, 2019, 39(10): 3018-3027.
[9]	周颖, 方勇, 黄诚, 刘亮. 面向PHP应用程序的SQL注入行为检测[J]. 计算机应用, 2018, 38(1): 201-206.
[10]	周敏, 周安民, 刘亮, 贾鹏, 谭翠江. 组件拒绝服务漏洞自动挖掘技术[J]. 计算机应用, 2017, 37(11): 3288-3293.
[11]	李洁, 俞研, 吴家顺. 基于动态污点分析的DOM XSS漏洞检测算法[J]. 计算机应用, 2016, 36(5): 1246-1249.
[12]	曾祥飞, 郭帆, 涂风涛. 基于对象跟踪的J2EE程序动态污点分析方法[J]. 计算机应用, 2015, 35(8): 2386-2391.
[13]	吴逸伦张博锋赖志权苏金树. 基于消息语义解析的软件网络行为分析[J]. 计算机应用, 2012, 32(01): 25-29.
[14]	陈衍铃赵静. 基于虚拟化技术的动态污点分析[J]. 计算机应用, 2011, 31(09): 2367-2372.
[15]	孙红利王忠民王文浪. 嵌入式软件语句覆盖率测试插桩技术[J]. 计算机应用, 2010, 30(10): 2738-2740.

程序	AFL	TortoiseFuzz	REDQUEEN	FairFuzz	Angora	DTFuzz
jhead	3/0	2/0	2/0	2/1	2/1	1/2
giflib	0/0	0/0	0/0	0/0	0/0	0/1
libde265	2/0	4/0	2/0	3/0	3/1	5/1
libjpeg	0/0	0/0	0/0	0/0	1/0	0/1

程序	AFL	TortoiseFuzz	REDQUEEN	FairFuzz	Angora	DTFuzz
jhead	3/0	2/0	2/0	2/1	2/1	1/2
giflib	0/0	0/0	0/0	0/0	0/0	0/1
libde265	2/0	4/0	2/0	3/0	3/1	5/1
libjpeg	0/0	0/0	0/0	0/0	1/0	0/1