
Research And Implementation Of Fuzzing Test Based On Control-flow Analysis

Posted on: 2017-03-04    Degree: Master    Type: Thesis
Country: China    Candidate: J X Li    Full Text: PDF
GTID: 2308330503958919    Subject: Computer Science and Technology
Abstract/Summary:
Network attacks caused by software vulnerabilities have kept rising in recent years and lead to large financial losses. Many vulnerability discovery methods have been proposed and applied in order to find potential security flaws and make programs and software safer and more reliable.

Fuzzing is a highly automated testing technique that covers numerous boundary cases by feeding invalid data (from files, network protocols, API calls and other sources) to an application as input, so as to raise confidence in the absence of exploitable vulnerabilities. It is effective for testing programs with intricate input formats and has been widely used at the binary level, since the source code of commercial software is rarely available. Nevertheless, fuzzing is limited in two respects. First, malformed inputs are easily rejected by programs that use validation mechanisms or a high-level syntactic structure to protect the integrity of their inputs. Second, randomly generated inputs, even when accepted and executed by the program, achieve poor code coverage.

This thesis proposes a control-flow-targeted black-box fuzzing technique to address both problems. The technique concentrates on mutating the input bytes that can alter the program's execution path, generating well-formed test inputs and thereby improving test coverage. Control-flow-relevant inputs are located by analysing the instructions that can influence the processor's flag registers (the comparison and test instructions whose results conditional branches consume); the located input bytes are marked as symbols in concolic execution and mutated according to the solutions of the path constraints.

A prototype, ConcolicFuzz, is implemented on this basis. Experimental results suggest that the proposed approach is feasible, correct and effective. Compared with traditional fuzzing techniques, it narrows the set of symbols in concolic execution and avoids random enumeration of inputs. The generated inputs directly affect the execution path of the target program, so code coverage increases and the efficiency of concolic execution improves.
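As an added illustration of the mechanism the abstract describes (this is example code written for this page, not the thesis's ConcolicFuzz prototype, and it makes no claim about how that prototype is built): a small Python script whose taint-tracking byte type records every comparison an input byte takes part in, the source-level counterpart of watching which instructions set the processor flags at the binary level. Only bytes that reached a comparison are treated as symbolic, and each recorded constraint is solved for the branch that was not taken. A brute-force search over the 256 byte values stands in for the path-constraint solver; the record format (magic, version, length, payload), the `parse_record` parser, the block labels and the seed input are all constructed for the example.

```python
"""Toy control-flow-targeted fuzzer, illustration only (not the thesis's ConcolicFuzz):
a taint-tracking byte type logs every comparison an input byte takes part in, standing in
for tracking the instructions that set the processor flags; only those bytes are made
symbolic, and each single-byte constraint is solved for the branch that was not taken."""
import operator

COMPARISONS = []   # (byte_offset, op, constant, observed_result) for the current run
COVERAGE = set()   # block labels reached in the current run
REL = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "le": operator.le, "gt": operator.gt, "ge": operator.ge}
FLIP = {"eq": "ne", "ne": "eq", "lt": "ge", "ge": "lt", "gt": "le", "le": "gt"}

class TaintedByte:
    """An input byte that remembers its offset and logs comparisons against constants."""
    def __init__(self, value, offset):
        self.value, self.offset = value & 0xFF, offset
    def _cmp(self, name, other):
        result = REL[name](self.value, other)
        COMPARISONS.append((self.offset, name, other, result))
        return result
    def __eq__(self, o): return self._cmp("eq", o)
    def __ne__(self, o): return self._cmp("ne", o)
    def __lt__(self, o): return self._cmp("lt", o)
    def __le__(self, o): return self._cmp("le", o)
    def __gt__(self, o): return self._cmp("gt", o)
    def __ge__(self, o): return self._cmp("ge", o)

def reach(label):
    """Record that a (pretend) basic block ran; returns None, so `return reach(..)` rejects."""
    COVERAGE.add(label)

def parse_record(data):
    """Made-up format: magic 'R','C', a version byte below 3, a payload length byte, then
    the payload.  Payload bytes are copied but never compared, so they cannot steer flow."""
    reach("entry")
    if len(data) < 4:
        return reach("too_short")
    if data[0] != ord("R") or data[1] != ord("C"):
        return reach("bad_magic")
    reach("magic_ok")
    if data[2] >= 3:
        return reach("bad_version")
    reach("version_ok")
    length = data[3]
    if length > len(data) - 4:
        return reach("truncated_payload")
    reach("payload_ok")
    return bytes(b.value for b in data[4:4 + length.value])

def run(parser, raw):
    """Execute the parser on raw bytes under taint tracking: (result, coverage, comparisons)."""
    COMPARISONS.clear()
    COVERAGE.clear()
    result = parser([TaintedByte(b, i) for i, b in enumerate(raw)])
    return result, frozenset(COVERAGE), list(COMPARISONS)

def control_flow_bytes(parser, raw):
    """Offsets of the bytes that reached a comparison: the only ones worth making symbolic."""
    return sorted({off for off, _, _, _ in run(parser, raw)[2]})

def solve(relation, const):
    """Smallest byte v with `v <relation> const`, or None; brute force stands in for a solver."""
    return next((v for v in range(256) if REL[relation](v, const)), None)

def mutants(raw, comps):
    """One mutant per observed comparison, changing only that byte so the other branch is taken."""
    out = []
    for off, op, const, result in comps:
        value = solve(FLIP[op] if result else op, const)
        if value is not None:
            m = bytearray(raw)
            m[off] = value
            out.append(bytes(m))
    return out

def fuzz(parser, seed, rounds=4):
    """Breadth-first exploration: a mutant is mutated further only if it reached new
    coverage or a new comparison outcome.  Returns (coverage, set of inputs executed)."""
    _, total_cov, comps = run(parser, seed)
    seen_cmp, executed, frontier = set(comps), {seed}, [(seed, comps)]
    for _ in range(rounds):
        nxt = []
        for inp, comps in frontier:
            for m in mutants(inp, comps):
                if m in executed:
                    continue
                executed.add(m)
                _, cov, mcomps = run(parser, m)
                if cov - total_cov or set(mcomps) - seen_cmp:
                    total_cov, seen_cmp = total_cov | cov, seen_cmp | set(mcomps)
                    nxt.append((m, mcomps))
        frontier = nxt
    return total_cov, executed

if __name__ == "__main__":
    seed = b"XX\x09\x02ab"   # constructed seed: wrong magic, version 9
    print("control-flow bytes of seed:", control_flow_bytes(parse_record, seed))
    cov, executed = fuzz(parse_record, seed)
    print(len(executed), "inputs executed; coverage:", sorted(cov))
```

Two things are worth noticing when running it. The payload bytes at offsets 4 and 5 never enter the symbol set, because no comparison ever consumes them; that is the narrowing of the symbolic input the abstract refers to, and it is why the search reaches every reachable block of the parser in eleven executions instead of enumerating byte values at random. The caveat is that this toy solves one byte against one constant; real binaries compare multi-byte fields, lengths derived from other fields and checksums, which is exactly where a proper constraint solver over the tainted bytes, rather than a per-byte search, becomes necessary.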
Keywords/Search Tags: dynamic taint analysis, concolic execution, control flow, fuzzing test, code coverage