
Research On Optimization Method Of Coverage-guided Greybox Fuzzing

Posted on: 2022-05-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Ge
Full Text: PDF
GTID: 2518306563464984
Subject: Computer technology

Abstract/Summary:
Fuzzing has proved to be one of the most effective vulnerability detection technologies due to its high level of automation and fast testing speed. However, the way fuzzing generates test cases is too blind and random, which causes it to waste a lot of time on useless tests. Coverage-guided graybox fuzzing is a vulnerability detection technology that combines white-box fuzzing and black-box fuzzing. It obtains key information about the execution of the program through lightweight instrumentation, and uses this information to guide the generation of test cases that explore new paths in the program. AFL (American Fuzzy Lop) is currently one of the best coverage-guided graybox fuzzing tools, and it is also the research focus in the field of fuzzing.

AFL has obvious advantages but still has some shortcomings. First, AFL's mutation strategy treats all byte regions of the seed file as equivalent, which makes AFL waste too much time mutating invalid regions; second, for some larger seed files, AFL falls into a suspended state, which leads to a sharp increase in time consumption. In response to the above problems, the work of this thesis is as follows:

(1) A mutation strategy optimization method is proposed. This method uses the principle of program locality to optimize the AFL mutation strategy. By setting a dynamic offset for each seed, the bytes near the test offset and the first 0x100 bytes are selectively mutated, thereby improving the path coverage and efficiency of fuzzing.

(2) A scheduling strategy optimization method is proposed. For some large seed files, this thesis proposes a method that sets new-path thresholds and time thresholds. When a mutation stage does not generate enough new paths or takes too much time, the current mutation stage is immediately skipped to prevent the test from entering a suspended state.

(3) The coverage-guided graybox fuzzing tool AFLEdge is implemented on top of AFL using the above methods. With AFL and AFLFast as baselines, four real programs and a public dataset are selected, and comparative experiments are conducted to analyze and compare the path coverage and vulnerability detection capabilities of the three. Experiments show that the total path coverage of AFLEdge in 24 hours is 92.4% and 49.3% higher than that of AFL and AFLFast, respectively. In terms of vulnerability detection, the number of vulnerabilities discovered by AFLEdge within 24 hours is 75.0% higher than that of AFL and basically the same as that of AFLFast, proving the effectiveness of the optimization method proposed in this thesis.
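As an added illustration (not code from the thesis or from AFL), the following Python model shows the two ideas the abstract describes: restricting mutation to the first 0x100 bytes plus a band around a per-seed dynamic offset, and skipping a mutation stage when a new-path threshold or a time threshold is violated. The thesis gives neither the width of the band, the rule for updating the dynamic offset, nor the threshold values; WINDOW, the "move the offset to the byte that last produced a new path" rule, the checkpoint-based thresholds, the toy instrumented target and the seed are all assumptions of this example.

```python
"""Toy model of the two AFLEdge ideas in the abstract: locality-restricted
mutation and threshold-based stage skipping.  Added illustration only; it is
not code from the thesis or from AFL.  WINDOW, the offset-update rule, the
default thresholds and the toy target are assumptions made for this example."""
import random
import time

FIRST_REGION = 0x100   # the abstract: the first 0x100 bytes are always candidates
WINDOW = 64            # assumed half-width of the band around the dynamic offset


def candidate_positions(seed_len, dyn_offset, window=WINDOW):
    """Byte indices eligible for mutation: the first 0x100 bytes plus
    [dyn_offset - window, dyn_offset + window], both clipped to the seed."""
    eligible = set(range(min(seed_len, FIRST_REGION)))
    eligible.update(range(max(0, dyn_offset - window),
                          min(seed_len, dyn_offset + window + 1)))
    return sorted(eligible)


def mutate_once(seed, dyn_offset, rng, window=WINDOW):
    """Toy havoc step: XOR one eligible byte with a nonzero value."""
    idx = rng.choice(candidate_positions(len(seed), dyn_offset, window))
    out = bytearray(seed)
    out[idx] ^= rng.randrange(1, 256)
    return bytes(out), idx


def toy_target_path(data):
    """Constructed stand-in for an instrumented target.  Returns the tuple of
    taken branches, playing the role of AFL's path hash.  Only the 4-byte
    header and the field at 0x200 influence control flow; every other byte is
    an 'invalid region' in the abstract's terms."""
    if len(data) < 0x202:
        return ("short",)
    branches = ["magic_ok" if data[:4] == b"FUZZ" else "magic_bad"]
    if data[0x200] & 0x80:
        branches.append("flag_set")
        branches.append("len_%d" % (data[0x201] % 4))
    else:
        branches.append("flag_clear")
    return tuple(branches)


def run_stage(seed, dyn_offset, seen_paths, rng, *, target=toy_target_path,
              max_iters=2000, check_every=200, min_new_paths=1,
              time_budget_s=1.0, clock=time.monotonic):
    """One mutation stage with AFLEdge-style skip thresholds.

    Every `check_every` iterations the stage is abandoned if it produced fewer
    than `min_new_paths` new paths since the previous checkpoint (new-path
    threshold) or has run longer than `time_budget_s` (time threshold).
    Returns (new_paths, skipped, dyn_offset, iterations_run)."""
    start = clock()
    new_paths = since_check = 0
    for i in range(1, max_iters + 1):
        data, idx = mutate_once(seed, dyn_offset, rng)
        path = target(data)
        if path not in seen_paths:
            seen_paths.add(path)
            new_paths += 1
            since_check += 1
            dyn_offset = idx   # assumed update rule: follow the productive byte
        if i % check_every == 0:
            if since_check < min_new_paths or clock() - start > time_budget_s:
                return new_paths, True, dyn_offset, i
            since_check = 0
    return new_paths, False, dyn_offset, max_iters


def demo_time_skip():
    """Deterministic check of the time threshold: a fake clock that jumps past
    the budget makes the stage stop at the first checkpoint."""
    ticks = [0.0, 5.0]

    def fake_clock():
        return ticks.pop(0) if len(ticks) > 1 else ticks[0]

    seed = b"FUZZ" + bytes(0x3FC)                      # constructed 1 KiB seed
    return run_stage(seed, 0x200, {toy_target_path(seed)}, random.Random(7),
                     time_budget_s=1.0, min_new_paths=0, clock=fake_clock)


if __name__ == "__main__":
    seed = b"FUZZ" + bytes(0x3FC)
    seen = {toy_target_path(seed)}
    print(run_stage(seed, 0x200, seen, random.Random(1)))
    print(sorted(seen))
```

The caveat a practitioner should keep in mind is visible in `candidate_positions`: a byte outside both the first 0x100 bytes and the band around the dynamic offset can never be mutated in this model, so a control-flow-relevant field that sits there stays unexplored until the offset happens to move near it. Locality is a heuristic that trades breadth for speed, which is why a tool built on it still needs some unrestricted mutation to fall back on.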
Keywords/Search Tags:graybox fuzzing, AFL, path coverage, vulnerability detection, mutation strategy, scheduling strategy