
Research And Implementation Of Coverage-based Fuzzing Test Technology Based On Conditional Branch Backtracking

Posted on: 2022-03-21  Degree: Master  Type: Thesis
Country: China  Candidate: X P Deng  Full Text: PDF
GTID: 2518306332467204  Subject: Computer technology
Abstract/Summary:
Fuzzing has become the most widely used technique for discovering software security vulnerabilities. According to how much information about the program under test it can obtain, fuzzing is divided into white-box, grey-box and black-box fuzzing. Coverage-guided fuzzing is currently the most popular form: coverage information collected during execution guides the generation of test samples, improving seed quality and steering execution toward deeper code branches, where more hidden vulnerabilities can be found. AFL was the first fuzzer built on the concept of coverage-guided fuzzing; however, because its coverage information is recorded incompletely and computed inaccurately (its fixed-size bitmap lets different edges share a slot), later fuzzing work built on it inherits serious limitations.

Current coverage-guided fuzzers are guided by path coverage information, that is, by transitions between basic blocks (as in AFL). Researchers hold that most vulnerabilities are caused by uncertain jumps (conditional branches whose direction depends on the input). Experimental data shows that the code coverage of fuzzing guided only by path coverage is still very low. Researchers have therefore combined symbolic execution with coverage-guided fuzzing, using symbolic execution to solve constraints and explore new paths, but symbolic execution suffers from path explosion, constraints that are hard to solve and low efficiency. In software the number of paths grows exponentially with the number of basic blocks, so complete path coverage information cannot be recorded, and incomplete, inaccurately recorded path coverage (as in AFL) severely limits fuzzing.

Against this background, this thesis studies two problems of fuzzing: the incomplete and inaccurate coverage information of AFL, and how to improve the code coverage of fuzzing. Two technical solutions are proposed.

1. Fuzzing based on full basic-block coverage. Basic-block coverage information replaces path coverage information to guide test-sample generation, and a new bitmap mapping scheme is proposed to solve AFL's incomplete-coverage problem.

2. Conditional branch backtracking based on a simulated annealing algorithm. Pin is first used to obtain the conditional control flow of the target. When fuzzing hits a bottleneck, the conditional branch backtracking algorithm traces upstream branches to find the optimal path to switch to, responding to the bottleneck faster and improving the code coverage of fuzzing.

Finally, this thesis implements a coverage-based fuzzing prototype system based on conditional branch backtracking, named CobraFuzzer. It is compared with AFL on three aspects: code coverage, number of unique crashes found and average time to find a vulnerability. The experimental results show that, compared with AFL, the system finds more unique crashes in less time and achieves higher code coverage.
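The following is an added example, not CobraFuzzer's code or any part of the thesis: it models AFL's hashed edge bitmap (slot = cur_id ^ (prev_id >> 1) in a fixed-size map) next to a direct basic-block bitmap, on a constructed control-flow trace. The block IDs, the 16-slot map and the two traces are chosen by hand so that a newly reached block is hidden from the edge scheme by a slot collision while the block scheme still reports it; this is the incompleteness the first solution above addresses.

```python
"""AFL-style hashed edge bitmap versus a direct basic-block bitmap.

Added example, not the CobraFuzzer code. Block IDs, the 16-slot map and the
traces are constructed; the edge-slot formula is AFL's.
"""
from __future__ import annotations

MAP_SIZE = 16

# Constructed block IDs (AFL assigns random IDs at instrumentation time); these
# are hand-picked so that the edges 2->3 and 5->1 hash to the same slot.
BLOCK_IDS = {0: 5, 1: 12, 2: 6, 3: 9, 4: 3, 5: 13}


def afl_edge_slot(prev_id: int, cur_id: int, map_size: int = MAP_SIZE) -> int:
    """Slot AFL's instrumentation increments for the edge prev -> cur."""
    return (cur_id ^ (prev_id >> 1)) % map_size


def edge_bitmap(trace: list[int], map_size: int = MAP_SIZE) -> dict[int, int]:
    """Hit counters per edge slot for one execution, as AFL records them.
    prev starts at 0, like AFL's prev_location before the first block."""
    hits: dict[int, int] = {}
    prev = 0
    for block in trace:
        cur = BLOCK_IDS[block]
        slot = afl_edge_slot(prev, cur, map_size)
        hits[slot] = hits.get(slot, 0) + 1
        prev = cur
    return hits


def block_bitmap(trace: list[int]) -> dict[int, int]:
    """Hit counters per basic block, indexed by block number directly (no hash)."""
    hits: dict[int, int] = {}
    for block in trace:
        hits[block] = hits.get(block, 0) + 1
    return hits


def has_new_bits(global_map: dict[int, int], local_map: dict[int, int]) -> bool:
    """True if the execution touched a slot the fuzzer has never seen.
    (AFL also counts a hit counter moving into a new bucket as new; the
    plain slot check is enough for this illustration.)"""
    return any(slot not in global_map for slot in local_map)


def merge(global_map: dict[int, int], local_map: dict[int, int]) -> dict[int, int]:
    """Fold one execution's counters into the fuzzer's global map."""
    merged = dict(global_map)
    for slot, n in local_map.items():
        merged[slot] = max(merged.get(slot, 0), n)
    return merged


def compare_schemes(seed_a: list[int], seed_b: list[int]) -> tuple[bool, bool]:
    """Run seed_a, then ask each scheme whether seed_b is worth keeping.
    Returns (edge scheme says new, block scheme says new)."""
    edge_global = merge({}, edge_bitmap(seed_a))
    block_global = merge({}, block_bitmap(seed_a))
    return (has_new_bits(edge_global, edge_bitmap(seed_b)),
            has_new_bits(block_global, block_bitmap(seed_b)))


if __name__ == "__main__":
    first = [0, 2, 3, 5]        # constructed trace of an existing seed
    second = [0, 2, 3, 5, 1]    # same path, then block 1 via the edge 5->1
    print("edge slots:", sorted(edge_bitmap(first)), sorted(edge_bitmap(second)))
    print("(edge, block) scheme keeps second seed:", compare_schemes(first, second))
```

With these IDs the edge 5->1 lands on slot 10, already occupied by 2->3, so the second seed shows no new edge slot and an AFL-style fuzzer discards it even though it reaches a block no seed has reached before; the block map, indexed directly by block, keeps it. A real 64 KB map makes collisions rarer, not impossible, and the effect grows with program size.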
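As an added example for the second solution (again not CobraFuzzer's implementation), the toy model below shows the shape of conditional branch backtracking with simulated annealing. The thesis states only that upstream branches of a stalled path are traced and simulated annealing selects the best branch to switch; the objective used here (estimated new blocks behind the unexplored side, minus a penalty proportional to how far upstream the flip is, since everything downstream of the flipped branch must be re-derived) and the constructed branch trace are assumptions. In the real system the conditional-jump trace would come from a Pin tool; here it is built inline.

```python
"""Conditional branch backtracking with simulated annealing (toy model).

Added example, not CobraFuzzer's code. The cost model, the annealing
schedule and the branch trace are assumptions made for illustration.
"""
from __future__ import annotations
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class BranchRecord:
    """One conditional jump executed by the stalled seed, innermost last."""
    addr: int             # address of the conditional jump (constructed)
    taken: bool           # direction the seed took
    other_covered: bool   # has any seed ever taken the other direction?
    est_new_blocks: int   # blocks reachable only via the other side (assumed estimate)


def candidates(path: list[BranchRecord]) -> list[tuple[int, BranchRecord]]:
    """Walk upstream from the bottleneck (end of path) and keep every branch
    whose other direction is still uncovered. distance = number of executed
    branches downstream of it that flipping it would discard."""
    out = []
    for distance, rec in enumerate(reversed(path)):
        if not rec.other_covered:
            out.append((distance, rec))
    return out


def score(distance: int, rec: BranchRecord, penalty: float = 1.0) -> float:
    """Assumed objective: expected new coverage minus the cost of re-deriving
    the path suffix that flipping this branch throws away."""
    return rec.est_new_blocks - penalty * distance


def anneal(path: list[BranchRecord], penalty: float = 1.0, iters: int = 400,
           t0: float = 5.0, alpha: float = 0.97, seed: int = 1) -> BranchRecord | None:
    """Simulated annealing over the candidate flips. Returns the chosen
    BranchRecord, or None when no upstream branch has an unexplored side."""
    cands = candidates(path)
    if not cands:
        return None
    rng = random.Random(seed)
    cur = rng.choice(cands)
    cur_s = score(*cur, penalty=penalty)
    best, best_s = cur, cur_s
    t = t0
    for _ in range(iters):
        nxt = rng.choice(cands)            # neighbour: another candidate flip
        nxt_s = score(*nxt, penalty=penalty)
        delta = nxt_s - cur_s
        # accept improvements always, worse moves with probability exp(delta / t)
        if delta >= 0 or rng.random() < math.exp(delta / t):
            cur, cur_s = nxt, nxt_s
            if cur_s > best_s:
                best, best_s = cur, cur_s
        t *= alpha                          # cool down
    return best[1]


# Constructed trace of conditional jumps executed by a seed that has stalled.
STALLED_PATH = [
    BranchRecord(0x401020, True,  True,  0),   # both sides already covered
    BranchRecord(0x401088, False, False, 9),   # far upstream, large unexplored region
    BranchRecord(0x4010f4, True,  False, 2),
    BranchRecord(0x401150, True,  True,  0),
    BranchRecord(0x4011a0, False, False, 3),   # innermost, cheapest to flip
]


if __name__ == "__main__":
    for pen in (1.0, 4.0):
        chosen = anneal(STALLED_PATH, penalty=pen)
        print(f"penalty={pen}: flip branch at {chosen.addr:#x}")
```

With a small re-derivation penalty the search backtracks three branches upstream to the jump at 0x401088, because the region behind its unexplored side is worth the discarded suffix; raising the penalty makes the innermost uncovered branch at 0x4011a0 the better switch. The `None` return covers the case where every branch on the path already has both sides covered, in which case backtracking this seed cannot help and the fuzzer should pick another seed.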
Keywords/Search Tags: fuzzing test, coverage-based, conditional branch backtracking algorithm