Research On Directed Fuzzing Technology Based On Keypoint Coverage And Concolic Testing

Posted on: 2021-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: S Sun
Full Text: PDF
GTID: 2428330611999421
Subject: Cyberspace security
Abstract/Summary:
In recent years, fuzzing has made great progress. Looking at the process as a whole, researchers have studied the techniques used at each stage to make them more automatic and more intelligent. At the same time, fuzzing has been combined with earlier techniques such as symbolic execution and software testing, exploiting the design strengths of each in hybrid testing, with good results: for example, with dynamic symbolic execution to explore branches guarded by complex logical constraints, with grammar-based generation to produce more well-formed test cases, or with traditional taint analysis to determine data-flow dependencies.

Directed fuzzing aims at a specific code region or function of the program under test, and is mainly used for vulnerability discovery, vulnerability reproduction, patch analysis and similar scenarios. For discovering high-risk vulnerabilities, directed fuzzing combined with the researcher's own judgment is often more effective than undirected fuzzing. Previous work either generates seed inputs that are closer to the target by measuring distance along the execution path, or applies selective symbolic execution to branch paths to solve for inputs that reach the target. The distance-guided approach is not robust: when the path-distance computation fails, the distance-guided algorithm fails with it. Selective symbolic execution alleviates path explosion but brings a high false-positive rate.

This thesis first proposes directed fuzzing based on keypoint coverage. A keypoint list is extracted from the program's control-flow graph and instrumented so that keypoint coverage is recorded at runtime; an energy-based seed scheduling algorithm prioritizes test inputs according to overall coverage and keypoint coverage, and a specified mutation strategy continuously generates inputs that are closer to the target. A hybrid testing framework is then implemented: the seed queue produced by keypoint-coverage fuzzing is handed to a concolic testing engine, which uses a descendant-generation strategy and concolic execution, guided by changes in overall and keypoint coverage, to explore the complex logical branch paths that random generation and mutation cannot get past, and so reach new program states.

The experimental results show that directed fuzzing based on keypoint coverage efficiently steers the seed queue to the target region, and outperforms fuzzing based on edge coverage and on path distance in the depth and validity of the paths explored. Directed fuzzing combined with concolic testing can explore branch paths using the seed queue produced by keypoint-coverage fuzzing, and achieves better coverage of the test set than generated tests alone.
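The following is an added example, not code from the thesis, showing the keypoint-coverage-directed scheduling idea of the abstract in miniature: keypoints are taken as the CFG nodes lying on some entry-to-target path (forward reachability from the entry intersected with backward reachability from the target), the toy program is "instrumented" by recording visited nodes, and the seed with the highest keypoint-coverage energy is mutated first. The CFG, the toy program, the single-byte mutator and the energy formula (number of keypoints covered) are all constructed assumptions; the concolic stage of the framework is not modelled.

```python
"""Added example: keypoint-coverage-directed seed scheduling, in the spirit of
the abstract above.  The CFG, the toy program and the energy formula are
constructed for illustration and are not the thesis's own code."""
import random
from collections import defaultdict

# Constructed control-flow graph of the toy program below: node -> successors.
CFG = {
    "n0": ["n1", "n2"],   # entry: branches on data[0]
    "n1": ["n3"],
    "n2": ["n3"],
    "n3": ["n4", "n5"],   # branches on data[1]
    "n4": ["n6", "n7"],   # branches on data[2]
    "n5": ["n7"],
    "n6": [],             # target region we want to reach
    "n7": [],             # ordinary exit
}
ENTRY, TARGET = "n0", "n6"


def reachable(graph, start):
    """Set of nodes reachable from start (start included), by DFS."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(graph.get(n, []))
    return seen


def keypoints(cfg, entry, target):
    """Keypoint list: nodes on some entry->target path, i.e. reachable from the
    entry AND able to reach the target (forward reachability ∩ backward reachability)."""
    rev = defaultdict(list)
    for n, succs in cfg.items():
        for s in succs:
            rev[s].append(n)
    return reachable(cfg, entry) & reachable(rev, target)


def program(data, trace):
    """Toy program under test; appending visited nodes to `trace` stands in for
    runtime instrumentation of the keypoint list."""
    trace.append("n0")
    trace.append("n1" if len(data) > 0 and data[0] == ord("A") else "n2")
    trace.append("n3")
    if len(data) > 1 and data[1] == ord("B"):
        trace.append("n4")
        trace.append("n6" if len(data) > 2 and data[2] == ord("C") else "n7")
    else:
        trace.append("n5")
        trace.append("n7")
    return trace


def run_instrumented(data):
    """Execute once; return (edge set, set of nodes hit)."""
    trace = program(data, [])
    return set(zip(trace, trace[1:])), set(trace)


def mutate(data, rng):
    """Single-byte mutation: overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed_input=b"\x00\x00\x00", budget=30000, rng_seed=1):
    """Keypoint-coverage-directed fuzzing loop (assumed energy model).

    Energy of a seed = number of keypoints its execution covers.  The scheduler
    picks the seed with the highest energy that has been fuzzed least, derives
    `energy` children from it, and keeps a child only if it adds a new edge
    (overall coverage) or a new keypoint (keypoint coverage)."""
    rng = random.Random(rng_seed)
    kps = keypoints(CFG, ENTRY, TARGET)
    global_edges, global_kps = set(), set()
    queue = []  # entries: [energy, times_fuzzed, data]

    def consider(data):
        edges, hit = run_instrumented(data)
        hit &= kps
        is_new = (edges - global_edges) or (hit - global_kps)
        global_edges.update(edges)
        global_kps.update(hit)
        if is_new:
            queue.append([len(hit), 0, data])
        return TARGET in hit

    consider(seed_input)
    execs = 1
    while execs < budget and TARGET not in global_kps:
        seed = max(queue, key=lambda s: (s[0], -s[1]))  # highest energy, least fuzzed
        seed[1] += 1
        for _ in range(seed[0]):
            execs += 1
            if consider(mutate(seed[2], rng)):
                break
    return {"target_reached": TARGET in global_kps, "execs": execs,
            "keypoints": sorted(kps), "queue_size": len(queue)}


if __name__ == "__main__":
    print(fuzz())
```

Note that n5 and n7 are excluded from the keypoint list, so an input that only discovers the n3->n5 edge earns no extra energy, whereas an input that reaches n4 is scheduled ahead of everything else; this is exactly the difference from plain edge-coverage scheduling that the abstract argues for.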
Keywords/Search Tags: Vulnerability Discovery, Directed Fuzzing, Keypoint Coverage, Concolic Testing