Fuzzing is currently one of the most effective and practical techniques for automatically discovering bugs and vulnerabilities in programs. By continuously generating and executing large numbers of unexpected inputs derived from initial seeds, a fuzzer watches for abnormal program behavior that signals a bug or vulnerability. Greybox fuzzing guided by code coverage has shown good performance in both academia and industry. However, because these techniques aim at maximum code coverage, they can spend a large share of their resources on code that is unrelated to any bug. Directed greybox fuzzing instead concentrates on reaching chosen target locations in a program: by generating inputs that reach those locations, bugs or vulnerabilities there can be discovered or reproduced quickly. Since real-world programs usually contain multiple potential vulnerabilities, directed greybox fuzzing usually needs to reach multiple targets. Existing directed greybox fuzzers, however, divide fuzzing into fixed stages and schedule energy at a coarse granularity, and therefore perform poorly when faced with multiple target locations. This thesis proposes a sequence-guided multi-target hybrid fuzzing technique that aims to reach multiple target locations in a program quickly and thereby discover multiple bugs or vulnerabilities quickly. Specifically, it proposes a novel strategy that adaptively coordinates the exploration stage and the exploitation stage of fuzzing, and a novel energy scheduling strategy that takes more of the relationships between seeds and target locations into account. We implement this method in a tool called LeoFuzz and evaluate it on real-world programs in terms of crash reproduction and verification of static analysis reports. The experimental results show that LeoFuzz outperforms four existing advanced fuzzing tools in both performance and efficiency: the directed fuzzers AFLGo, Lolly and Berry, and the hybrid fuzzer QSYM. In addition, we used LeoFuzz to test three real-world programs, cxxfilt, Libming and SWFTools, and found 14 previously unreported vulnerabilities in them.
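The abstract contrasts coarse-grained energy scheduling with a schedule that looks at the relationship between each seed and each target. The following toy scheduler is an added illustration of that distinction; it is not LeoFuzz's code or its actual algorithm. It computes seed-to-target distances over a constructed control-flow graph, then compares a coarse schedule that collapses all targets into one distance per seed (a simplification of the AFLGo-style distance) with a hypothetical per-target schedule that stops rewarding targets some seed has already reached. The graph, the two targets and the three seed traces are constructed sample data.

```python
"""Toy multi-target energy scheduling for directed greybox fuzzing.

Added illustration only; this is NOT LeoFuzz's code or its scheduling
algorithm.  `coarse_energy` gives each seed one distance over all targets
(a simplification of the AFLGo-style schedule); `fine_energy` is a
hypothetical per-target variant that ignores targets already reached.
The CFG, targets and seed traces below are constructed sample data.
"""
from collections import deque
import math

# Constructed control-flow graph: basic block -> successor blocks.
CFG = {
    "entry": ["parse", "usage"],
    "usage": ["exit"],
    "parse": ["hdr", "fail"],
    "hdr": ["body", "fail"],
    "body": ["decode", "skip"],
    "decode": ["t1", "exit"],
    "skip": ["t2", "exit"],
    "t1": ["exit"],
    "t2": ["exit"],
    "fail": ["exit"],
    "exit": [],
}
TARGETS = ["t1", "t2"]  # e.g. two locations taken from a static-analysis report

# Constructed execution traces (blocks executed) for three seeds.
SEEDS = {
    "A": ["entry", "usage", "exit"],
    "B": ["entry", "parse", "hdr", "body", "decode", "t1", "exit"],
    "C": ["entry", "parse", "hdr", "body", "skip", "exit"],
}


def block_distances(cfg, target):
    """Shortest path length in edges from each block to `target` (BFS on the
    reversed CFG).  Blocks that cannot reach the target are left out."""
    rev = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            rev[s].append(b)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for pred in rev[cur]:
            if pred not in dist:
                dist[pred] = dist[cur] + 1
                queue.append(pred)
    return dist


def seed_distance(trace, bdist):
    """Seed-level distance: mean block distance over the executed blocks that
    can reach the target; infinity if none of them can."""
    ds = [bdist[b] for b in trace if b in bdist]
    return sum(ds) / len(ds) if ds else math.inf


def coarse_energy(trace, target_dists):
    """One distance per seed: each block takes its minimum distance over all
    targets, then energy = 1 / (1 + mean distance).  Targets are not told apart,
    so a seed that already reached one target keeps being rewarded for it."""
    merged = {}
    for bdist in target_dists.values():
        for b, d in bdist.items():
            merged[b] = min(d, merged.get(b, math.inf))
    return 1.0 / (1.0 + seed_distance(trace, merged))


def fine_energy(trace, target_dists, reached):
    """Per-target energy: sum of 1 / (1 + d_t) over targets no seed has reached
    yet, so energy concentrates on the targets that still need to be reached."""
    return sum(1.0 / (1.0 + seed_distance(trace, bdist))
               for t, bdist in target_dists.items() if t not in reached)


def schedule(seeds, cfg, targets, mode):
    """Assign energy to every seed under the chosen mode ('coarse' or 'fine')."""
    target_dists = {t: block_distances(cfg, t) for t in targets}
    reached = {t for t in targets if any(t in tr for tr in seeds.values())}
    if mode == "coarse":
        return {s: coarse_energy(tr, target_dists) for s, tr in seeds.items()}
    return {s: fine_energy(tr, target_dists, reached) for s, tr in seeds.items()}


if __name__ == "__main__":
    for mode in ("coarse", "fine"):
        e = schedule(SEEDS, CFG, TARGETS, mode)
        print(mode, {s: round(v, 3) for s, v in e.items()},
              "-> most energy:", max(e, key=e.get))
```

With these inputs seed B has already executed target t1. The coarse schedule still gives B the most energy because its merged distance is smallest, while the per-target schedule drops t1 from the sum and favors seed C, the one closest to the still-unreached target t2. That shift in where energy goes is the effect a finer-grained, target-aware schedule is meant to produce; the real criteria in LeoFuzz are not shown here.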