Malicious individuals can use software vulnerabilities to harm people's privacy, financial security and physical safety, and even threaten national security and social stability. Directed Fuzzing (DF) is mainly used for vulnerability detection and reproduction. Compared with classic fuzzers, DF performs better when there are known vulnerability suspects. However, existing directed fuzzers still have some problems. One is that, after an incorrect change or patch is applied, they cannot quickly direct testing at the target to identify the problem. The other is that they have difficulty breaking through magic-byte path checks, so deep vulnerabilities are difficult to mine. To address DF's inability to break through magic bytes and reach deeper paths, and its inability to direct testing quickly, this thesis adopts symbolic execution (SE) and heuristic energy scheduling, respectively, to direct testing quickly and to mine vulnerabilities in deeper paths. Firstly, this thesis uses alias analysis to improve the inter-procedural control flow graph and redefines the distance calculation formula to obtain more accurate distances. Secondly, it uses the Newton interpolation method to initialize the energy of each seed, to prevent test cases from being passed over due to low energy. Moreover, a heuristic energy scheduling algorithm is proposed to allocate energy to seeds reasonably: during the path exploration stage, seed energy is adjusted so that short seeds quickly reach the target, and as time passes, seeds are biased towards deep paths. Then, this thesis uses the number of instructions required to reach the target as the symbolic distance, and studies a shortest-path search strategy that prunes paths to alleviate path explosion. Finally, based on the above methods, this thesis implemented AFLcc, a vulnerability detection prototype system based on DF and SE. Under the same experimental conditions, this thesis conducted vulnerability detection experiments on the LAVA-M dataset and several real software products, and compared AFLcc with AFLGo and AFL. This thesis also conducted vulnerability reproduction experiments on some known vulnerabilities, again comparing with AFL and AFLGo. Experimental results show that, in terms of path coverage, AFLcc exceeds AFL and AFLGo by more than 20%; in terms of vulnerability reproduction, AFLcc takes less time; and in terms of vulnerability detection, AFLcc finds more vulnerabilities and has so far obtained eight CVEs, which further demonstrates its ability to mine vulnerabilities. All of the results indicate that this framework outperforms the baselines.
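The distance-and-energy mechanism described above, as a simplified added illustration that is not AFLcc's code: block distances are shortest hop counts to a target on a constructed inter-procedural CFG, a seed's distance is the mean over the blocks it executed, and the energy weight shifts from closeness to the target early in the campaign to trace depth later. The thesis's own distance formula, Newton-interpolation initialization and alias-analysis CFG construction are not given in the abstract and are not reproduced here; the CFG, traces and weighting are assumptions.

```python
"""Simplified directed-fuzzing seed distance and energy schedule (illustration only)."""
from collections import deque

# Constructed inter-procedural CFG: basic block -> successor blocks.
# "skip_*" blocks model a long path that never reaches the target.
CFG = {
    "main": ["parse"],
    "parse": ["check_magic", "skip1"],
    "check_magic": ["decode", "error"],
    "decode": ["write_out"],
    "write_out": [],
    "skip1": ["skip2"], "skip2": ["skip3"], "skip3": ["error"],
    "error": [],
}
TARGETS = {"write_out"}  # the suspected vulnerable block


def block_distances(cfg, targets):
    """Hop count from every block to the nearest target (BFS over the reversed graph).
    Blocks that cannot reach any target are absent from the result."""
    rev = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            rev[s].append(b)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        n = queue.popleft()
        for p in rev[n]:
            if p not in dist:
                dist[p] = dist[n] + 1
                queue.append(p)
    return dist


def seed_distance(trace, dist):
    """Mean block distance over the executed blocks that can reach a target; None if none can."""
    ds = [dist[b] for b in trace if b in dist]
    return sum(ds) / len(ds) if ds else None


def energy(trace, cfg, dist, t, t_max, base=8.0):
    """Energy for one seed. alpha = elapsed fraction of the campaign: at alpha=0 only
    closeness to the target counts, at alpha=1 only trace depth (normalised length) counts."""
    alpha = min(max(t / t_max, 0.0), 1.0)
    d = seed_distance(trace, dist)
    closeness = 0.0 if d is None else 1.0 / (1.0 + d)
    depth = len(trace) / len(cfg)
    return base * ((1.0 - alpha) * closeness + alpha * depth)
```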