
Optimization Of Directed Grey Box Fuzzing

Posted on: 2021-01-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2428330614471792
Subject: Computer Science and Technology

Abstract/Summary:
Fuzzing is widely used in vulnerability testing. However, fuzzing involves a great deal of randomness and blindness when generating test inputs. Directed grey box fuzzing is a vulnerability detection technique that focuses on reaching a specified target location in a program. It faces major challenges in terms of detection ability (it may miss some important bugs) and test efficiency. At present, directed grey box fuzzing has two problems: (1) unfair power scheduling and (2) incomplete path exploration. The directed grey box fuzzer AFLGo achieves directionality by computing the distance from each seed to the target location. However, it only allocates more energy to seeds that are close to the target location and neglects seeds that are far from it, so bugs away from the target location are difficult to expose and paths away from the target location are difficult to cover.

This paper proposes a fuzzing strategy based on path coverage. By extracting key information from the instrumentation feedback, the fitness of each seed is calculated and used to guide the direction of seed mutation, with the aim of covering the project under test more comprehensively and uncovering potential bugs. Specifically, for the problem of incomplete path exploration, an algorithm based on frequency fitness, new-branch fitness and infrequent-branch fitness is used to filter high-quality seeds; for the one-sided power scheduling problem, a power scheduling algorithm based on path coverage is proposed. In the exploration phase, it increases the code coverage of the project under test; in the exploitation phase, it uses the effective information in each seed to comprehensively adjust the seed's energy and improve the directional ability of the seeds. This paper combines the path-coverage-based fuzzing strategy with the directed grey box fuzzer AFLGo to construct the directed grey box fuzzer PacoAFL.

Fuzzing tests are performed on some typical application software (such as MJS, libxml2, lrzip and GNU Binutils) and compared with AFLGo and AFL under the same experimental conditions. The experimental results show that the path-coverage-based fuzzing strategy can effectively improve the seed exploration ability, that is, improve code coverage: branch coverage, line coverage and function coverage all improve to some degree compared with AFLGo and AFL. At the same time, in terms of bug mining, PacoAFL finds more vulnerabilities than AFLGo and AFL. PacoAFL was also able to complete crash reproduction: on lrzip, the stack information of the two vulnerabilities CVE-2017-8846 and CVE-2018-11496 was reproduced, which further demonstrates the directional ability of PacoAFL.
Keywords/Search Tags: directed grey box fuzzing, frequency fitness, infrequent branch, new branch, path coverage, crash reproduction
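The seed-fitness filter and the two-phase power schedule outlined in the abstract, as an added illustrative model that is not PacoAFL's or AFLGo's code: the three fitness terms (frequency, new branch, infrequent branch) are computed from a constructed per-branch hit table, a candidate seed is kept only if it reaches a new or an infrequent branch, and each seed's energy is blended between a coverage term and an AFLGo-style distance term as the campaign progresses. The scoring formulas, weights, the infrequent-branch threshold, the minimum-energy floor and all branch ids and distances are assumptions made for the example.

```python
# Added illustrative model of the seed-fitness filter and coverage-aware power
# schedule described in the abstract. The scoring formulas, weights and the
# phase blend are assumptions for illustration, not PacoAFL's or AFLGo's code.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Seed:
    name: str
    branches: frozenset      # branch ids reported by instrumentation for this input
    distance: float          # AFLGo-style distance to the target, normalised to 0..1


class Corpus:
    """Seed queue plus a global count of how many seeds exercise each branch."""

    def __init__(self):
        self.seeds = []
        self.hits = Counter()

    def add(self, seed):
        self.seeds.append(seed)
        self.hits.update(seed.branches)


def new_branch_fitness(corpus, seed):
    """Number of branches no seed in the corpus has covered yet."""
    return sum(1 for b in seed.branches if corpus.hits[b] == 0)


def infrequent_branch_fitness(corpus, seed, threshold=2):
    """Number of branches covered by at most `threshold` seeds (assumed cut-off)."""
    return sum(1 for b in seed.branches if 0 < corpus.hits[b] <= threshold)


def frequency_fitness(corpus, seed):
    """Mean rarity of the seed's branches, 1/(hits+1) each: rarer branches score higher."""
    if not seed.branches:
        return 0.0
    return sum(1.0 / (corpus.hits[b] + 1) for b in seed.branches) / len(seed.branches)


def seed_fitness(corpus, seed, w_new=3.0, w_rare=1.0, w_freq=1.0):
    """Weighted sum of the three fitness terms (weights are assumptions)."""
    return (w_new * new_branch_fitness(corpus, seed)
            + w_rare * infrequent_branch_fitness(corpus, seed)
            + w_freq * frequency_fitness(corpus, seed))


def is_high_quality(corpus, seed):
    """Filter rule (assumed): keep a seed if it reaches a new or an infrequent branch."""
    return new_branch_fitness(corpus, seed) > 0 or infrequent_branch_fitness(corpus, seed) > 0


def power_schedule(corpus, seed, progress, base_energy=100, min_energy=5):
    """Energy for one seed. `progress` is the elapsed fraction of the campaign (0..1).
    Early (exploration) the coverage term dominates; late (exploitation) the
    distance term dominates, but far seeds keep a floor instead of starving."""
    exploration = 1.0 - progress
    coverage = frequency_fitness(corpus, seed)      # already in 0..1
    direction = 1.0 - seed.distance                 # 1 = at the target
    energy = base_energy * (exploration * coverage + progress * direction)
    return max(min_energy, round(energy))


def build_demo_corpus():
    """Constructed sample corpus: branch ids and distances are made up."""
    corpus = Corpus()
    corpus.add(Seed("near", frozenset({1, 2, 3}), distance=0.2))
    corpus.add(Seed("far", frozenset({1, 2, 4}), distance=0.8))
    corpus.add(Seed("mid", frozenset({1, 5}), distance=0.5))
    return corpus


if __name__ == "__main__":
    corpus = build_demo_corpus()
    candidate = Seed("cand", frozenset({1, 3, 6, 7}), distance=0.9)
    print("candidate fitness:", seed_fitness(corpus, candidate),
          "keep:", is_high_quality(corpus, candidate))
    for progress in (0.0, 0.5, 1.0):
        print(f"progress={progress}:",
              {s.name: power_schedule(corpus, s, progress) for s in corpus.seeds})
```

Run as a script, it shows the near and far seeds receiving equal energy at the start of the campaign (coverage-driven) and diverging to 80 versus 20 at the end (distance-driven), with the floor keeping far seeds alive rather than starved; this is the exploration/exploitation behaviour the abstract attributes to the path-coverage-based power schedule, contrasted with AFLGo's distance-only allocation.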