
Research On Feedback Guided Fuzzing Technology

Posted on: 2018-05-01 | Degree: Master | Type: Thesis
Country: China | Candidate: W W Gong | Full Text: PDF
GTID: 2428330623450662 | Subject: Computer Science and Technology
Abstract/Summary:
With the deepening of the information technology revolution, software security has become an aspect that cannot be ignored, and software vulnerabilities are the most important part of software security, so vulnerability mining has become a widely studied technology. Current vulnerability mining technology is mainly based on two ideas: black-box testing based on random test cases, and white-box testing based on program analysis. The former is fast and scalable, but in-depth analysis of program bugs is difficult; the latter can discover vulnerabilities through accurate analysis, but its computation cost is large and its scalability is poor. To combine these two ideas, we propose a method that pairs lightweight program analysis with randomized testing: we analyze the logic structure of the program without symbolic execution or constraint solving, and use the result as feedback information to guide the random tester against the target program. The main content of this thesis covers three aspects:

1. In random testing, many test cases pass through the same few program paths, while the paths most prone to vulnerabilities are rarely covered. Paths passed through by many test cases are called high-frequency paths; the others are low-frequency paths. Each seed in the seed set is given an energy value. Generating test cases from a seed consumes energy, and no further test cases are generated once the seed's energy value has been reduced to a negative number. This prevents most of the generated test cases from passing through a few particular paths while the low-frequency paths are passed through by only a handful.

2. It is common for a jump statement to compare a variable with a constant to determine the next program path, and general random testing handles such conditions poorly. We combine static analysis with lightweight dynamic taint tracking to extract constant values from the program. To cope with nested structures in program logic, we propose a fitness-based test case generation method applied after the constants are extracted: test cases that reach deeper nesting levels have greater fitness. By adding such test cases to the seed set during generation, the resulting test cases continuously improve their fitness, so the fuzzer copes better with nested structures.

3. Many real-world applications have a structure in which certain test-case bits act as control bits: these bits have a large impact on the program path, while the remaining bits have less effect. Without resorting to heavyweight methods such as symbolic execution, we propose a method for extracting test-case control bits based on BP (back-propagation) neural network sensitivity analysis. The BP neural network is trained on the accumulated program path frequency information and test case data: the test case bits are the network's input and the path frequency information is its output. Applying sensitivity analysis to the trained network extracts the control bits. Concentrating computing resources on the control bits increases the code coverage achieved by the test cases in a limited time.
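The energy-based seed scheduling of aspect 1, as an added illustration that is not the thesis's own code: a constructed toy target whose branches compare bytes with constants, a single-byte random mutator, and a feedback loop in which observed path frequencies set each seed's energy. The abstract does not state how energy is assigned, so the rule used here (full budget for a seed on the least-frequent path, budget divided by the frequency ratio otherwise) is an assumption.

```python
import random
from collections import Counter

# Constructed toy target: returns the program path an input takes. Its branches
# compare bytes with constants, so blind mutation rarely reaches the deep path.
def target_path(data: bytes) -> str:
    path = ["entry"]
    if len(data) > 0 and data[0] == 0x41:        # 'A' guards a rarely taken branch
        path.append("magic")
        if len(data) > 1 and data[1] == 0x42:    # nested constant check on 'B'
            path.append("deep")
    else:
        path.append("common")
    return "/".join(path)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    # Single-byte random mutation of a seed (the "random tester").
    buf = bytearray(seed)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def energy_for(path: str, freq, budget: int) -> int:
    # Assumed energy rule (the abstract gives none): a seed on the least-frequent
    # path gets the full budget; a seed on a path hit k times more often gets
    # budget / k. A seed on a path not yet recorded gets the full budget.
    if path not in freq:
        return budget
    return max(1, budget * min(freq.values()) // freq[path])

def fuzz(rounds: int, budget: int, use_energy: bool, rng: random.Random) -> Counter:
    # Feedback loop: path frequencies observed so far decide how many test cases
    # each seed may generate; an input that reaches a new path becomes a seed.
    seeds = [b"\x00\x00"]
    freq: Counter = Counter()
    for _ in range(rounds):
        for seed in list(seeds):
            energy = energy_for(target_path(seed), freq, budget) if use_energy else budget
            while energy >= 0:                   # stop once energy goes negative
                case = mutate(seed, rng)
                path = target_path(case)
                freq[path] += 1
                if freq[path] == 1:              # new path found: keep the input
                    seeds.append(case)
                energy -= 1
    return freq

def compare(rounds: int = 30, budget: int = 200, seed_value: int = 7) -> dict:
    # Run uniform and energy-guided scheduling from the same RNG seed for comparison.
    return {mode: fuzz(rounds, budget, mode == "energy", random.Random(seed_value))
            for mode in ("uniform", "energy")}
```

Calling `compare()` returns the per-path test-case counts for both schedules, so the share of cases spent on the low-frequency paths can be read off directly.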
Keywords/Search Tags: Vulnerability Mining, Program Path Frequency, BP Neural Network, Fuzzy Test, Test Case Generation