
Research On Heap Overflow Discovery By Fuzzing

Posted on: 2021-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: P Xu
Full Text: PDF
GTID: 2428330623482209
Subject: Computer technology

Abstract/Summary:
Fuzzing tests a program by feeding mutated samples as its input and observing whether it crashes. Because it needs no in-depth analysis of the program and is highly versatile, it is widely used in industry. To keep generating better samples, current fuzzers mainly take coverage information as feedback, which a genetic algorithm uses to assist sample generation; this raises code coverage, which in turn triggers potential vulnerabilities in the program. However, coverage-based control-flow information can only serve the genetic algorithm for sample screening; it is difficult to use it to guide the modification of samples. Fields such as magic numbers and metadata can only be generated by continuous trial and error, so fuzzers waste a lot of time guessing them. At the same time, most fuzzers do not aim at discovering vulnerabilities but at improving coverage. High coverage is a necessary but not sufficient condition for vulnerability discovery: covering the path on which a vulnerability lies does not guarantee that it is triggered. Therefore, the purpose of this paper is to obtain data-flow information so that sample modification becomes more efficient and targeted. Following the above research ideas, the main work of this paper is as follows:

(1) A sample generation method based on fine-grained taint analysis is proposed. A fine-grained taint analysis engine is designed to analyze magic numbers, metadata and other fields. The engine obtains run-time data-flow information to assist fuzzers in sample generation, so that they generate high-coverage samples more effectively, realizing a program-sensitive sample generation method.

(2) A method of key input field identification and vulnerable point acquisition based on taint inference is proposed. By inserting code before memory access instructions at compile time, these instructions are monitored during execution and memory access information is obtained dynamically. We then modify the input data and observe whether the memory access offset changes, which effectively identifies the key input fields that affect the program's memory access behaviour and the vulnerable points that are influenced by the input.

(3) A heuristic sample generation algorithm based on memory access offset is proposed. When discovering heap overflow vulnerabilities, the obtained memory access information drives sample mutation with a gradient descent based algorithm. Through continuous feedback and modification, the memory access offset at the vulnerable points moves in the out-of-bounds direction until the overflow is triggered.

Corresponding tools are implemented for the two methods mentioned above. The former focuses on improving the coverage of traditional fuzzers and the latter on sample mutation for heap overflow. Hybrid fuzzing is carried out by sharing the sample pool between them to improve fuzzing efficiency. We use them to test a number of open source tools and compare them with traditional fuzzers. The experimental results show that both coverage and the number of vulnerabilities discovered are effectively improved.
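As an added illustration of the workflow in points (2) and (3), the following Python model is example code written for this page, not code from the thesis or its tools. It uses a constructed toy parser with a probe placed before its memory access, infers key input fields by perturbing single bytes and watching whether the recorded offset moves while the access site is still reached, and then applies a finite-difference gradient step that pushes the offset toward the buffer bound (ascent on the offset is the same as descent on the remaining distance to the boundary). When a mutation overshoots the parser's own sanity check and the site becomes unreachable, the step is halved, which is the failure mode an offset-guided mutator has to handle. The record format, the limits, the site id `site_A` and the flawed check that bounds the element count but ignores the element size are all assumptions.

```python
# Added example (not the thesis's code): a toy model of probe-instrumented
# memory accesses, taint inference by perturbation, and offset-guided mutation.

BUF_SIZE = 32      # assumed allocation size of the toy heap buffer
COUNT_LIMIT = 48   # constructed flawed check: bounds 'count' but ignores 'size'
MAX_SIZE = 8       # constructed limit on the element size field

# Constructed seed: magic 'RCRD', count = 3 (bytes 4..5, big-endian), size = 2 (byte 6)
SEED = b"RCRD" + (3).to_bytes(2, "big") + bytes([2])


def toy_target(data, trace):
    """Constructed target program. Returns 'rejected', 'ok' or 'oob'."""
    if len(data) < 7 or data[:4] != b"RCRD":
        return "rejected"
    count = int.from_bytes(data[4:6], "big")
    size = data[6]
    if count >= COUNT_LIMIT or not 1 <= size <= MAX_SIZE:
        return "rejected"
    offset = count * size
    # Probe placed before the access (stands in for the compile-time
    # instrumentation): record the site id and the access offset.
    trace.append(("site_A", offset))
    # The access itself; the harness flags out-of-bounds like a sanitizer would.
    return "oob" if offset >= BUF_SIZE else "ok"


def run(data):
    """Execute the target once; return (status, {site: offset})."""
    trace = []
    status = toy_target(bytes(data), trace)
    return status, dict(trace)


def perturb(data, i, delta):
    """Return a copy of data with byte i shifted by delta (wrapping mod 256)."""
    out = bytearray(data)
    out[i] = (out[i] + delta) % 256
    return out


def infer_key_fields(seed, site="site_A"):
    """Taint inference: byte i is a key field for `site` if changing it moves
    the offset recorded there while the site is still reached. Bytes whose
    change only makes the site unreachable (e.g. the magic) are not key fields."""
    _, base = run(seed)
    if site not in base:
        return set()
    keys = set()
    for i in range(len(seed)):
        for delta in (1, -1):
            _, t = run(perturb(seed, i, delta))
            if site in t and t[site] != base[site]:
                keys.add(i)
                break
    return keys


def drive_to_overflow(seed, site="site_A", step=64, max_iters=50):
    """Finite-difference gradient ascent on the access offset at `site`.
    Returns (input, offset) once the probe reports an out-of-bounds offset,
    or (input, None) if the budget runs out. A step that makes the site
    unreachable (input rejected) is treated as an overshoot: halve and retry."""
    cur = bytearray(seed)
    keys = sorted(infer_key_fields(cur, site))
    for _ in range(max_iters):
        status, t = run(cur)
        if site not in t:
            return bytes(cur), None
        if status == "oob":
            return bytes(cur), t[site]
        # Estimate d(offset)/d(byte) for each key byte by a +1 perturbation;
        # a perturbation that loses the site gives no usable gradient (0).
        grads = {}
        for i in keys:
            _, t2 = run(perturb(cur, i, 1))
            grads[i] = t2[site] - t[site] if site in t2 else 0
        cand = bytearray(cur)
        for i, g in grads.items():
            if g:
                cand[i] = max(0, min(255, cand[i] + (step if g > 0 else -step)))
        if site not in run(cand)[1]:
            step = max(1, step // 2)   # overshot the sanity check: shrink the step
            continue
        cur = cand
    return bytes(cur), None


if __name__ == "__main__":
    print("seed run:", run(SEED))
    print("key fields:", sorted(infer_key_fields(SEED)))
    data, off = drive_to_overflow(SEED)
    print("overflow input:", data.hex(), "offset:", off)
```

On the constructed seed, only bytes 5 and 6 are classified as key fields: byte 4 and the magic bytes only make the probe unreachable when changed, so they yield no offset information and would have to be handled by the structure-aware taint analysis of point (1). The ascent starts with a large step, is rejected four times by the count and size checks, and on the fifth attempt (count 7, element size 6) the probe reports offset 42 against a 32-byte allocation.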
Keywords/Search Tags:Heap Overflow, Fuzzing, Gradient Descent, Taint Infer, Taint Analysis