
Research And Implementation Of Sequence Directed Hybrid Fuzzing Technology

Posted on: 2021-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: L Jiang
Full Text: PDF
GTID: 2518306308469244
Subject: Computer Science and Technology
Abstract/Summary:
Fuzzing is an effective automated technique that continuously generates test inputs and detects program vulnerabilities. Traditional coverage-based fuzzing seeks high code coverage in order to find as many vulnerabilities in the program as possible. Unlike coverage-based fuzzing, directed fuzzing focuses on target statements of the program under test, such as those taken from crash call stacks or static analysis reports. It aims to generate test inputs that reach the target statements as soon as possible and then trigger bugs in the program. Directed white-box fuzzing, such as concolic execution, generates test cases through constraint solving, which is efficient but not scalable. Existing directed grey-box fuzzers are effective compared with coverage-based fuzzers; however, they fail to achieve a balance between effectiveness and efficiency, and random mutation makes it difficult for them to cover complex paths.

To mitigate this issue, we propose a novel approach, sequence directed hybrid fuzzing (SDHF), which leverages a sequence-directed strategy and concolic execution to enhance the effectiveness of fuzzing. Given a set of target statement sequences of a program, SDHF aims to generate inputs that reach the statements in each sequence in order and trigger potential bugs in the program.

We implement the proposed approach in a tool called Berry and evaluate its capability on crash reproduction, true positive verification, and vulnerability detection. Experimental results demonstrate that Berry outperforms four state-of-the-art fuzzers: the directed fuzzers BugRedux, AFLGo and Lolly, and the undirected hybrid fuzzer QSYM. Moreover, Berry found 7 new vulnerabilities in real-world programs such as UPX and GNU Libextractor, and 3 new CVEs were assigned.
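The sequence-directed strategy described above, as an added illustration that is not code from the thesis or from the Berry tool: a toy parser with a hypothetical bug site, a progress metric that counts how many statements of a target sequence an execution trace reached in the required order, and a seed ranking built on that metric. The parser, its block identifiers, the target sequence and the scoring rule are all assumptions chosen for the example; Berry's real instrumentation, its metric and its concolic hand-off are not reproduced here.

```python
# Added example: sequence-directed seed ranking in Python. This is not code from
# the thesis or the Berry tool. The toy parser, the block identifiers, the target
# sequence and the scoring rule are assumptions made for illustration.
from typing import List, Sequence, Tuple

Trace = List[str]


def toy_parser(data: bytes, trace: Trace) -> str:
    """Hypothetical program under test. It appends the id of each basic block it
    executes to `trace`, standing in for the instrumentation a fuzzer would add.
    The assumed bug: a fixed 8-byte buffer is filled with `length` bytes."""
    trace.append("entry")
    if len(data) < 4 or data[:2] != b"FZ":
        trace.append("bad_magic")
        return "reject"
    trace.append("magic_ok")
    if data[2] != 2:
        trace.append("bad_version")
        return "reject"
    trace.append("version_ok")
    length, payload = data[3], data[4:]
    if length > len(payload):
        trace.append("truncated")
        return "reject"
    trace.append("length_ok")
    if length > 8:                      # would overflow the 8-byte buffer
        trace.append("overflow_site")
        return "crash"
    trace.append("copy_ok")
    return "accept"


# Assumed target sequence, as it might be extracted from a crash call stack or a
# static analysis report: the blocks that must execute, in order, to hit the bug.
TARGET_SEQUENCE = ["magic_ok", "version_ok", "length_ok", "overflow_site"]

# Constructed seed corpus for the example.
SEEDS = [
    b"AAAA",                      # wrong magic
    b"FZ\x01\x00",                # right magic, wrong version
    b"FZ\x02\x00",                # valid, zero-length payload
    b"FZ\x02\x09",                # length field larger than payload
    b"FZ\x02\x09" + b"A" * 9,     # reaches the overflow site
]


def sequence_progress(trace: Sequence[str], target: Sequence[str]) -> int:
    """Number of leading statements of `target` that `trace` reached in order.
    The match is a subsequence match: unrelated blocks may run in between, but
    target[i] only counts once target[0..i-1] have already been seen."""
    k = 0
    for block in trace:
        if k < len(target) and block == target[k]:
            k += 1
    return k


def seed_score(trace: Sequence[str], targets: Sequence[Sequence[str]]) -> float:
    """Mean fraction of each target sequence covered, in [0, 1]. A trace that
    reproduces a whole sequence scores 1.0 on it."""
    return sum(sequence_progress(trace, t) / len(t) for t in targets) / len(targets)


def rank_seeds(seeds: Sequence[bytes],
               targets: Sequence[Sequence[str]]) -> List[Tuple[float, bytes]]:
    """Run each seed, score its trace, and return (score, seed) pairs best-first.
    Ties go to the shorter seed, which is cheaper to mutate and execute."""
    scored = []
    for seed in seeds:
        trace: Trace = []
        toy_parser(seed, trace)
        scored.append((seed_score(trace, targets), seed))
    scored.sort(key=lambda s: (-s[0], len(s[1])))
    return scored


if __name__ == "__main__":
    for score, seed in rank_seeds(SEEDS, [TARGET_SEQUENCE]):
        print(f"{score:.2f}  {seed!r}")
```

In a hybrid design of the kind the abstract describes, the ranking decides what the grey-box mutator spends its time on: seeds with the highest sequence progress are mutated first, and a seed whose score has stalled below 1.0 is the natural candidate to hand to the concolic engine, since the branch that blocks the next statement in its sequence is exactly the constraint worth solving. Ordering matters in the metric: a trace that executes `version_ok` before `magic_ok` scores only 1 against the sequence above, not 2.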
Keywords/Search Tags:directed fuzzing, concolic execution, vulnerability detection, sequence guidance