In recent years, grey-box fuzzing has proven to be one of the most effective methods for discovering vulnerabilities in software. However, current grey-box fuzzing still has shortcomings. Most existing grey-box fuzzers are coverage guided: they treat all program code equally and spend a great deal of time improving code coverage. Yet most of the code in a program contains no bugs, and only a small fraction of it may. Blindly improving code coverage therefore wastes limited resources on a large number of bug-independent locations and reduces the efficiency of fuzzing. Compared with coverage-guided fuzzing, directed fuzzing spends more time on the target locations in the code and does not waste resources on bug-independent code. In practice, most vulnerabilities are not triggered immediately on execution; they require continued exploration, and existing directed grey-box fuzzers fail to explore the target location continuously because their mutation is random. To address these problems, we propose a targeted mutation strategy for continuous target exploration. By identifying the key bytes in the input seeds, we propose a mutation algorithm for the different mutation stages that ensures subsequently generated seeds still hit the target location as far as possible, thereby realizing continuous exploration of the target. In addition, building on this mutation strategy, we propose a fuzzing optimization method based on multi-factor seed selection: the LLVM framework is used to insert target location information into the program under test as a preprocessing step, and a multi-factor seed selection strategy then chooses better seeds for exploring the target locations. To avoid over-exploring target locations that are easy to hit under directed mutation, we introduce the concept of a rare target in the seed selection strategy, which increases the probability of mutating toward less frequently hit or hard-to-hit target locations and makes potential vulnerabilities in the program easier to detect. Finally, based on the classic grey-box fuzzer AFL (American Fuzzy Lop), we design and implement DTFuzz. DTFuzz was compared with AFL and with the directed grey-box fuzzer AFLGo on seven real open-source programs. Experimental results show that DTFuzz can reach the target location and re-trigger the crash, and that it hits more target locations in the same time. DTFuzz performs better for target locations in software with more complex conditions.
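The following Python model is an added illustration of the three ideas the abstract describes (key-byte identification, stage-wise mutation that preserves the key bytes so children keep reaching the target, and rare-target weighting in seed selection). It is editor-written example code, not the paper's DTFuzz implementation, and makes no claim about DTFuzz's internals: the instrumented program `run_program`, its target names `T_easy` and `T_hard`, the crash condition and the scoring formula are all constructed here for the illustration.

```python
"""Toy model of key-byte-aware mutation and rare-target seed selection.

Editor-added example illustrating the abstract's ideas; not the paper's
DTFuzz code.  The instrumented program, its target locations (T_easy,
T_hard) and the crash condition are constructed for this illustration.
"""
import random
from typing import Callable, Dict, List, Set

Runner = Callable[[bytes], Set[str]]


def run_program(data: bytes) -> Set[str]:
    """Stand-in for a target-instrumented binary: returns the set of target
    locations reached, plus "CRASH" when the constructed bug fires."""
    hit: Set[str] = set()
    if len(data) >= 8 and data[0] == ord("A"):
        hit.add("T_easy")                          # shallow target, hit often
        if data[1:5] == b"FUZZ" and data[5] >= 0x80:
            hit.add("T_hard")                      # deep target, hit rarely
            if data[6] == 0xFF:                    # bug reachable only via T_hard
                hit.add("CRASH")
    return hit


def identify_key_bytes(seed: bytes, target: str, run: Runner = run_program) -> Set[int]:
    """Positions that steer execution to `target`: flipping such a byte makes
    the seed stop reaching it.  One flip per position is a cheap approximation."""
    assert target in run(seed), "seed must already reach the target"
    key: Set[int] = set()
    for i in range(len(seed)):
        flipped = seed[:i] + bytes([seed[i] ^ 0xFF]) + seed[i + 1:]
        if target not in run(flipped):
            key.add(i)
    return key


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def deterministic_stage(seed: bytes, key: Set[int]) -> List[bytes]:
    """Stage 1: walk interesting values over the non-key bytes only, so every
    child keeps the bytes that lead to the target."""
    children: List[bytes] = []
    for i in range(len(seed)):
        if i in key:
            continue
        for v in INTERESTING:
            if v != seed[i]:
                children.append(seed[:i] + bytes([v]) + seed[i + 1:])
    return children


def havoc_stage(seed: bytes, key: Set[int], rng: random.Random, n: int) -> List[bytes]:
    """Stage 2: random byte replacement, again restricted to non-key bytes."""
    free = [i for i in range(len(seed)) if i not in key]
    children: List[bytes] = []
    for _ in range(n):
        child = bytearray(seed)
        for i in rng.sample(free, k=min(len(free), rng.randint(1, 2))):
            child[i] = rng.randrange(256)
        children.append(bytes(child))
    return children


def seed_score(targets_hit: Set[str], hit_counts: Dict[str, int]) -> float:
    """Multi-factor score: reaching more targets is better, and a rarely hit
    target ("rare target") weighs far more than one hit thousands of times."""
    return sum(1.0 / (1 + hit_counts.get(t, 0)) for t in targets_hit if t != "CRASH")


def select_seed(corpus: List[bytes], hit_counts: Dict[str, int], run: Runner = run_program) -> bytes:
    return max(corpus, key=lambda s: seed_score(run(s), hit_counts))


def fuzz(initial: List[bytes], rounds: int, rng_seed: int = 1, run: Runner = run_program) -> Dict[str, object]:
    """Directed loop: pick the best-scoring seed, keep the key bytes of its
    rarest target fixed, and mutate the rest in two stages."""
    rng = random.Random(rng_seed)
    corpus = list(initial)
    hit_counts: Dict[str, int] = {}
    crashes: List[bytes] = []

    def record(hits: Set[str]) -> None:
        for t in hits:
            hit_counts[t] = hit_counts.get(t, 0) + 1

    for s in corpus:
        record(run(s))
    for _ in range(rounds):
        parent = select_seed(corpus, hit_counts, run)
        reached = sorted(t for t in run(parent) if t != "CRASH")
        # preserve the rarest target the parent reaches (ties broken by name)
        target = min(reached, key=lambda t: (hit_counts.get(t, 0), t), default=None)
        key = identify_key_bytes(parent, target, run) if target else set()
        for child in deterministic_stage(parent, key) + havoc_stage(parent, key, rng, 16):
            hits = run(child)
            record(hits)
            if "CRASH" in hits and child not in crashes:
                crashes.append(child)
            if any(hit_counts[t] == 1 for t in hits):   # first time a target is reached
                corpus.append(child)
    return {"crashes": crashes, "hit_counts": hit_counts, "corpus": corpus}
```

Starting from a seed that already reaches `T_hard`, the key-byte analysis marks bytes 0..5 as fixed, so the deterministic stage only touches bytes 6 and 7 and every child still reaches the target; the constructed bug behind `T_hard` is then found in the first round. The scoring function is where the rare-target idea lives: a seed reaching `T_easy` (hit hundreds of times) and `T_hard` (hit twice) outscores one reaching `T_easy` alone, so scheduling drifts toward the hard-to-hit location. In a real fuzzer the single-flip key-byte test would be replaced by the instrumented program's actual target-hit feedback, and the havoc stage would carry AFL's full set of mutators.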