Fuzzing is the most effective automated vulnerability discovery technique, and its performance depends heavily on the mutation strategy and the seed selection schedule. However, these strategies still have some defects. On the one hand, greybox fuzzing uses randomly selected mutation operators to mutate seeds at random offsets. This random mutation strategy may overlook efficient mutation operators and mutation positions. On the other hand, directed greybox fuzzing lacks a reasonable seed evaluation scheme for seed selection scheduling. Some related research judges a seed only by its execution efficiency, or computes the seed's distance from the Control Flow Graph (CFG) and selects seeds by that distance, without considering the actual content of the CFG's basic blocks. In addition, directed fuzzing generally suffers from low coverage of the target program. How to reduce the impact of these problems on fuzzing has always been a central research question. To solve these two problems, this paper proposes two solutions; the main work is as follows:

(1) GSA-Fuzz: a greybox fuzzing method based on the Gravitational Search Algorithm (GSA). GSA-Fuzz uses the GSA to improve the efficiency of the seed mutation strategy. First, it uses GSA to learn the optimal probability distributions of mutation operators and mutation positions, and designs a position-sensitive strategy that guides seed mutation with the learned distributions. Second, GSA-Fuzz provides a flip mode that measures the efficiency of AFL's deterministic stage and indeterminate stage and switches between the two stages to further improve the efficiency of seed mutation. GSA-Fuzz outperforms AFL, MOPT-AFL and EcoFuzz on 10 selected real-world open-source programs, achieving higher code coverage and finding more vulnerabilities.

(2) RegFuzz: a linear-regression-based approach to predicting seed validity in directed greybox fuzzing. RegFuzz uses linear regression to predict the effectiveness of a seed, and gives more energy and more fuzzing chances to seeds with high predicted effectiveness. First, RegFuzz defines four trainable labels and label weights for a seed. The four labels are the coverage achieved by the seed in each fuzzing cycle, the fuzzing speed of the seed, the vulnerabilities discovered by the seed, and the distance from the seed to the target basic block. For seed distance, RegFuzz considers not only the basic-block distance in the CFG but also the variable distance within the basic block. Second, the linear regression model optimizes the label weights at the end of each fuzzing cycle, and the optimized weights become the basis for predicting seed effectiveness in the next cycle; eventually the model arrives at the optimal weight distribution. On 7 real-world open-source programs, RegFuzz achieves higher code coverage and finds more effective bugs, which shows that the performance of directed fuzzing has been improved.
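The per-cycle RegFuzz loop sketched above, as an added worked example that is not the thesis's own code: the four labels are scaled into features, label weights are fitted by least squares at the end of a cycle against the gain each seed actually produced, and the next cycle's energy is split in proportion to the predicted scores. The regression target (observed coverage gain), the closeness encoding of distance, and all names and sample figures are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class SeedStats:  # the four RegFuzz labels recorded for one seed during a cycle
    name: str
    coverage: float   # edges newly covered by the seed in the last cycle
    speed: float      # executions per second while fuzzing the seed
    bugs: float       # crashes attributed to the seed
    distance: float   # CFG basic-block distance + variable distance to the target
def feature_matrix(seeds):
    """Scale labels to [0, 1] by column max (execs/s must not swamp the rest); distance -> closeness 1/(1+d)."""
    cols = [[s.coverage for s in seeds], [s.speed for s in seeds],
            [s.bugs for s in seeds], [1.0 / (1.0 + s.distance) for s in seeds]]
    return [[c[i] / (max(c) or 1.0) for c in cols] for i in range(len(seeds))]
def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small linear system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]
def fit_weights(seeds, observed, ridge=1e-6):
    """End-of-cycle step: least-squares label weights (ridge-regularised normal equations)."""
    x = feature_matrix(seeds)
    k = len(x[0])
    xtx = [[sum(r[i] * r[j] for r in x) + (ridge if i == j else 0.0)
            for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(x, observed)) for i in range(k)]
    return solve(xtx, xty)
def predict(weights, seeds):
    """Next-cycle step: score each seed with the weights learned last cycle."""
    return [sum(w * f for w, f in zip(weights, row)) for row in feature_matrix(seeds)]
def allocate_energy(weights, seeds, budget):
    """Split the cycle's execution budget in proportion to predicted effectiveness."""
    scores = [max(p, 0.0) for p in predict(weights, seeds)]
    total = sum(scores) or 1.0
    return {s.name: budget * sc / total for s, sc in zip(seeds, scores)}

# Constructed sample: labels from one cycle and the coverage gain each seed then produced.
SEEDS = [SeedStats("s1", 40, 800, 0, 12), SeedStats("s2", 10, 2000, 1, 3),
         SeedStats("s3", 25, 1200, 0, 30), SeedStats("s4", 5, 500, 2, 6),
         SeedStats("s5", 20, 1000, 1, 1)]
OBSERVED = [3.82, 4.25, 2.43, 3.64, 6.75]
```

At the end of a cycle, `fit_weights(SEEDS, OBSERVED)` yields the weights for the next cycle, and `allocate_energy(weights, SEEDS, budget)` hands out that cycle's budget; the scaling is recomputed per cycle, so scores are only comparable within a cycle.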