Integrated method of inference and taint analysis for nested branch breakthrough

doi:10.11772/j.issn.1001-9081.2023121738

Abstract

Abstract:

In view of the problem that the current fuzzing based on taint inference mainly focuses on the analysis of a single code branch in the target code block， but does not fully consider the correlation between context branches， which leads to the inaccurate inference of the relevant byte position of the code branch in the face of nested branches， an integrated method of inference and taint analysis for nested branch breakthrough was proposed. Firstly， the stage coverage information was used to evaluate the obstacle points that needed to be broken， and the priorities of the obstacle points were evaluated according to the coverage information of the obstacle points during the execution of the test cases， so as to focus on the test cases with more potential. Secondly， the taint inference algorithm was optimized， which meant that combined with the control flow information， the position of input bytes related to the nested branch were inferred more accurately， and the pre-order branch inference information was reused to speed up the inference. Finally， a lightweight taint analysis was performed to the inferred obstacle point related positions to guide the mutation process， so as to avoid the nested branch unreachable problem caused by random mutation. The prototyping tool DTFuzz was evaluated in 6 popular applications. Experimental results show that DTFuzz's node coverage rate is 9.85% higher than that of the existing fuzzing tools REDQUEEN averagely， and 5 unknown vulnerabilities are found by this tool. At the same time， compared with the benchmark tool， all of different modules have the coverage rate improved， and the highest improvement is 29.23%. It can be seen that the proposed method can breakthrough the complex nested branches effectively and improve the test coverage rate， as well as improves the efficiency of vulnerability mining.

Key words: fuzzing, taint inference, taint analysis, program instrumentation, vulnerability mining

摘要：

针对当前基于污点推断的模糊测试主要集中于目标代码块内单一代码分支的分析，而未充分考虑上下文分支间的关联关系，导致面对嵌套分支时对代码分支相关字节位置推断不够精确的问题，提出一种面向嵌套分支突破的推断与污点分析融合的方法。首先，利用阶段覆盖信息评估需要突破的障碍点，并根据测试用例执行时障碍点的覆盖信息评估障碍点的优先级，从而聚焦更有潜力的测试用例；其次，优化污点推断算法，即结合控制流信息更精确地推断嵌套分支相关输入字节的位置，并重用前序分支推断信息以提升推断速度；最后，对推断出的障碍点相关位置进行轻量级的污点分析以指导变异过程，从而避免随机变异导致的嵌套分支不可达问题。在6个流行的应用中评估原型工具DTFuzz。实验结果表明，DTFuzz的节点覆盖率比现有模糊测试工具REDQUEEN平均提高了9.85%，并且DTFuzz发现了5个未知漏洞；同时，DTFuzz不同模块的节点覆盖率相较于基准工具均有所提高，最高提高了29.23%。可见，所提方法能有效突破复杂嵌套分支并实现测试覆盖率的提升，提升漏洞挖掘的效率。

关键词: 模糊测试, 污点推断, 污点分析, 程序插桩, 漏洞挖掘

CLC Number:

TP311

Jinhui CAI, Zhongxu YIN, Guoxiao ZONG, Junru LI. Integrated method of inference and taint analysis for nested branch breakthrough[J]. Journal of Computer Applications, 2024, 44(12): 3823-3830.

蔡锦辉, 尹中旭, 宗国笑, 李俊儒. 面向嵌套分支突破的推断与污点分析融合的方法[J]. 《计算机应用》唯一官方网站, 2024, 44(12): 3823-3830.

Figures/Tables 9

References 25

1	SHI J， WANG Z， FENG Z， et al. AIFORE： smart fuzzing based on automatic input format reverse engineering ［C］// Proceedings of the 32nd USENIX Security Symposium. Berkeley： USENIX Association， 2023： 4967-4984.
2	ZHANG G， WANG P， YUE T， et al. MobFuzz： adaptive multi-objective optimization in gray-box fuzzing ［C］// Proceedings of the 2022 Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2022： 1-18.
3	SHE D， SHAH A， JANA S. Effective seed scheduling for fuzzing with graph centrality analysis ［C］// Proceedings of the 2022 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2022： 2194-2211.
4	BUNDT J， FASANO A， DOLAN-GAVITT B， et al. Homo in Machina： improving fuzz testing coverage via compartment analysis［C］// Proceedings of the 2023 IEEE Conference on Software Testing， Verification and Validation. Piscataway： IEEE， 2023： 117-128.
5	ZALEWSKI M. American fuzzy lop （2.52b）［EB/OL］. ［2022-01- 13］..
6	GAN S， ZHANG C， QIN X， et al. CollAFL： path sensitive fuzzing［C］// Proceedings of the 2018 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2018： 679-696.
7	GAN S， ZHANG C， CHEN P， et al. GREYONE： data flow sensitive fuzzing ［C］// Proceedings of the 29th USENIX Security Symposium. Berkeley： USENIX Association， 2020： 2577-2594.
8	NIKOLIĆ I， MANTU R， SHEN S， et al. Refined grey-box fuzzing with SIVO ［C］// Proceedings of the 2021 International Conference on Detection of Intrusions and Malware， and Vulnerability Assessment International Conference， LNCS 12756. Cham： Springer， 2021： 106-129.
9	ASCHERMANN C， SCHUMILO S， BLAZYTKO T， et al. REDQUEEN： fuzzing with input-to-state correspondence［C］// Proceedings of the 2019 Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2019： 1-15.
10	LIANG J， WANG M， ZHOU C， et al. PATA： fuzzing with path aware taint analysis［C］// Proceedings of the 2022 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2022： 1-17.
11	LUK C K， COHN R， MUTH R， et al. Pin： building customized program analysis tools with dynamic instrumentation［J］. ACM SIGPLAN Notices， 2005， 40（6）： 190-200.
12	KEMERLIS V P， PORTOKALIDIS G， JEE K， et al. libdft： practical dynamic data flow tracking for commodity systems ［J］. ACM SIGPLAN Notices， 2012， 47（7）： 121-132.
13	RAWAT S， JAIN V， KUMAR A， et al. VUzzer： application-aware evolutionary fuzzing ［C］// Proceedings of the 24th Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2017： 1-14.
14	DENG P， YANG Z， ZHANG L， et al. NestFuzz： enhancing fuzzing with comprehensive understanding of input processing logic［C］// Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2023： 1272-1286.
15	CHEN P， CHEN H. Angora： efficient fuzzing by principled search［C］// Proceedings of the 2018 IEEE Symposium on Security and Privacy.Piscataway： IEEE， 2018： 711-725.
16	SHI J， ZOU W， ZHANG C， et al. CAMFuzz： explainable fuzzing with local interpretation ［J］. Cybersecurity， 2022， 5： No.17.
17	倪萍，陈伟. 基于模糊测试的反射型跨站脚本漏洞检测［J］. 计算机应用， 2021， 41（9）： 2594-2601.
	NI P， CHEN W. Reflective cross-site scripting vulnerability detection based on fuzzing test ［J］. Journal of Computer Applications， 2021， 41（9）： 2594-2601.
18	庄园，曹文芳，孙国凯，等. 基于生成对抗网络与变异策略结合的网络协议漏洞挖掘方法［J］. 计算机科学， 2023， 50（9）： 44-51.
	ZHUANG Y， CAO W F， SUN G K， et al. Network protocol vulnerability mining method based on the combination of generative adversarial network and mutation strategy［J］. Computer Science， 2023， 50（9）： 44-51.
19	QIN S， HU F， MA Z， et al. NSFuzz： towards efficient and state-aware network service fuzzing［J］. ACM Transactions on Software Engineering and Methodology， 2023， 32（6）： No.160.
20	ZHAO B， LI Z， QIN S， et al. StateFuzz： system call-based state-aware Linux driver fuzzing ［C］// Proceedings of the 31st USENIX Security Symposium. Berkeley： USENIX Association， 2022： 3273-3289.
21	LEMIEUX C， SEN K. FairFuzz： a targeted mutation strategy for increasing greybox fuzz testing coverage ［C］// Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. New York： ACM， 2018： 475-485.
22	WANG Y， JIA X， LIU Y， et al. Not all coverage measurements are equal： fuzzing by coverage accounting for input prioritization［C］// Proceedings of the 2020 Annual Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2020： 1-17.
23	FIORALDI A， MAIER D， EIßFELDT H， et al. AFL++： combining incremental steps of fuzzing research ［C］// Proceedings of the 14th USENIX Workshop on Offensive Technologies. Berkeley： USENIX Association， 2020： 3273-3289.
24	DOLAN-GAVITT B， HULIN P， KIRDA E， et al. LAVA： large-scale automated vulnerability addition ［C］// Proceedings of the 2016 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2016： 110-121.
25	LATTNER C， ADVE V. LLVM： a compilation framework for lifelong program analysis & transformation ［C］// Proceedings of the 2004 International Symposium on Code Generation and Optimization. Piscataway： IEEE， 2004： 75-86.

输入格式	目标库	版本	程序&参数
pcap	tcpdump	4.99.3	tcpdump -nr @@
JPG	jhead	3.08	jhead @@
GIF	giflib	0.5	gif2tga @@
MP4	libde265	1.0.14	dec265 @@
JPEG	libjpeg	3.0.1	djpeg @@
ELF	objdump	2.40	objdump -x @@

输入格式	目标库	版本	程序&参数
pcap	tcpdump	4.99.3	tcpdump -nr @@
JPG	jhead	3.08	jhead @@
GIF	giflib	0.5	gif2tga @@
MP4	libde265	1.0.14	dec265 @@
JPEG	libjpeg	3.0.1	djpeg @@
ELF	objdump	2.40	objdump -x @@

程序	AFL	TortoiseFuzz	FairFuzz	Angora	REDQUEEN	DTFuzz	相较于REDQUEEN 增加百分比/%
tcpdump	25 304	26 533	26 253	30 501	31 432	33 729	7.31
jhead	1 161	1 160	1 172	1 207	1 198	1 216	0.75
giflib	1 633	1 753	1 805	1 821	1 935	2 050	5.94
libde265	3 633	4 002	3 742	3 802	3 824	4 096	7.11
libjpeg	3 361	3 543	3 526	3 745	4 556	5 910	29.72
objdump	7 232	7 801	7 938	8 182	8 327	9 016	8.27

程序	AFL	TortoiseFuzz	FairFuzz	Angora	REDQUEEN	DTFuzz	相较于REDQUEEN 增加百分比/%
tcpdump	25 304	26 533	26 253	30 501	31 432	33 729	7.31
jhead	1 161	1 160	1 172	1 207	1 198	1 216	0.75
giflib	1 633	1 753	1 805	1 821	1 935	2 050	5.94
libde265	3 633	4 002	3 742	3 802	3 824	4 096	7.11
libjpeg	3 361	3 543	3 526	3 745	4 556	5 910	29.72
objdump	7 232	7 801	7 938	8 182	8 327	9 016	8.27

程序	AFL	NS		TI		NS+TI		NS+TI+TA
程序	AFL	基本块数	增加百分比/%	基本块数	增加百分比/%	基本块数	增加百分比/%	基本块数	增加百分比/%
平均值			9.06		19.15		23.51		29.23
tcpdump	25 268	27 173	7.50	30 432	20.44	31 275	23.77	33 729	33.49
jhead	1 160	1 161	0.09	1 160	0.00	1 161	0.09	1 164	0.34
giflib	1 609	1 753	8.94	1 782	10.75	1 935	20.26	2 051	27.47
libde265	3 621	3 821	5.52	3 924	8.37	4 007	10.66	4 095	13.09
libjpeg	3 356	4 159	23.93	5 364	59.83	5 636	67.94	5 906	75.98
objdump	7 211	7 815	8.37	8 327	15.48	8 532	18.32	9 013	24.99