
Optimization Method Of Vulnerability Mining Based On Combination Of Symbolic Analysis And Fuzzing

Posted on: 2019-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: L H Xu
Full Text: PDF
GTID: 2428330611993552
Subject: Computer Science and Technology

Abstract/Summary:
Computer technology continues to progress, and the software developed today keeps growing in scale while its functions and structure become more and more complex. As a result, programs contain more and more vulnerabilities. If vulnerabilities are not repaired in time, they will be exploited by hackers for malicious attacks. To address this problem, researchers have proposed using fuzzing to mine vulnerabilities in programs. Fuzzing is an important method for binary vulnerability mining: it can analyze binary programs without their source code, which is not easy for other techniques. But because input generation is blind, binary fuzzing often falls into a trap for a long time when the newly mutated inputs cannot reach unexplored paths. In this paper, we propose an efficient and flexible fuzzing framework. It defines the Growth Rate of Path Coverage to measure the current state of fuzzing. If the fuzzing falls into a low-speed or blocked state, a symbolic analysis procedure is invoked to generate a new input that helps the fuzzing escape the trap. In the symbolic analysis procedure, we employ dynamic execution to track the traversed nodes. The untraversed branches are then identified from the data recorded by American Fuzzy Lop (AFL). Finally, we use the CFG to construct complete paths to these branches, and a new input is generated by symbolic execution. Moreover, to speed up vulnerability detection and improve the guidance that symbolic analysis gives to fuzzing, symbolic analysis gives priority to paths whose constraints are simple to solve, paths that are more likely to trigger program crashes, and paths that can greatly improve path coverage, so that valid inputs are generated and the chance of finding vulnerabilities is increased. Our method has been implemented, and experiments on the DARPA CGC benchmark show that our tool is more efficient at vulnerability mining than state-of-the-art binary vulnerability mining tools.
Keywords/Search Tags:Binary fuzzing, vulnerability mining, symbolic analysis