| Fuzzing is an important binary vulnerability mining method.In recent years,a-cademia has tried to improve fuzzing by combining it with other techniques like taint propagation,protocol reverse,genetic algorithm and so on.Taint-directed fuzzing is one of these composite technologies which is well-known and widely accepted.How-ever,due to the complexity of the mechanism of software vulnerability and the lack of the thorough theory of fuzzing,the researchers only verified the taint-directed fuzzing's feasibility commonly,that is,whether it can find software bugs or not.Hence,this tech-nique needs further research on its basic issues such as the limitations and performance.What's more,taint-directed fuzzing can not restrict the semantic level of its associ-ated input,thus,finding a way to enhance its goal-oriented capacity while keeping its lightweight fuzzing speed is a promising research direction.This paper focuses on the basic problems of the taint-directed fuzzing and its im-provement under the condition of guaranteeing its lightweight feature.The main con-tents and achievements are as follows:(1)First,we design and implement a binary dynamic analysis engine and a parallel fuzzing platform.In the design of dynamic analysis engine,the versatility and high scal-ability of the engine are guaranteed by various strategies,including off-line execution trace playback based on Pin and BAP,normalized description of trace file format based on Piqi,BIL intermediate language,and so on.In the design of the parallel fuzzing plat-form,we propose using RAMDisk(a technique using memory to virtualize hard disk)to relief hard disk performance bottleneck,thus the overall throughput of the platform is greatly improved.And we improve the platform's stability and management conve-nience by several intra-machine and inter-machine optimization strategies.These two tools provide an efficient,highly controllable basic platform for subsequent researches.(2)Second,we answer two questions that they are the limitations and the perfor-mance improvement of taint-directed fuzzing.In the limitation analysis,we present a metadata propagation model which is concluded from the manual analysis results of 14 CVEs and the fine grained debugging results outputed by the above mentioned basic tools to explain the main limitations.In the study of the performance improvement,we first abstract the fuzzing into Bernoulli Trail model by assuming the bit length of the input is unchanged in fuzzing.And then we deduce an efficiency improvement for-mula of taint-directed fuzzing compared to the dumb fuzzing using the knowledge of probability theory.And we conclude the change trend according to the lower bound of the formula.The experimental results show that the calculated value of the formula is close to the actual value,thus,the formula has a good reference value.These analyses complement taint-directed fuzzing's basic research in a systematical and mathematical way.(3)Third,an improved method based on constraint verification is proposed and an-alyzed.The improved method is inspired by the dynamic symbolic execution,but uses constraint verification to replace the constraint solving to keep the lightweight feature of the original technique.The improved method collects the constraints,then generates a constraint verifier.When the verifier returns false,it means the mutated input is changed too much to let program executes to the target code area.Thus,that kind of mutated input's real testing will be skiped over to improve the efficiency.Aiming at different vulnerabilities,the improved method presents the different efficiency and the different optimal configurations.A best configuration of the improved method for the integer overflow is provided definitely.In addition,the improved method can achieve greater efficiency enhancements in a multi-threaded environment than a single-threaded envi-ronment.The experimental results show that the improved method is 2-4 times faster than the original technique for the integer overflow. |
PDF Full Text Request