Fuzzing, as a general software vulnerability mining technique, has the advantages of high generality, low energy consumption, and high utilization of computing resources. Directed fuzzing adds target-oriented capabilities to the traditional fuzzing strategy, driving seeds to discover vulnerabilities faster on the basis of coverage guidance. However, existing fuzzing works have limitations in the calculation of guiding information and in strategy design, which makes it difficult to effectively improve testing efficiency. Therefore, this thesis addresses three problems in existing fuzzing works and proposes effective solutions for strategy optimization. The main contributions of this thesis are as follows:

(1) Aiming at the problem that existing directed fuzzers suffer accuracy loss when calculating guiding information, and that the static seed scheduling strategy they use cannot perform adaptive weight adjustment, dynamic branch selection-based directed fuzzing is proposed. This method takes the missing branch as the overall scheduling object of fuzzing in order to maintain accurate guiding information at the basic block level, and designs multiple test-related branch attributes so that branches are dispatched dynamically, according to the real-time validity of the different branch attributes, before each round of fuzzing iteration starts. The experimental results show that, compared to existing fuzzers, DyFuzz, which is based on this method, increased the number of path discoveries by 7.22% and the number of vulnerability discoveries by 15.40%.

(2) Aiming at the problem that existing directed fuzzers measure the ability of seeds to find vulnerabilities in the wrong way, and do not balance the time overhead between exploration and exploitation, gate node optimization-based directed fuzzing is proposed. In this method, the key basic blocks leading to the set of targets in the program under test (PUT) are defined as gate nodes, and the gate nodes are used to quantify the ability of a seed to explore the targets. Based on the benefit information provided by the gate nodes, a mode conversion strategy based on gain benefit and an energy scheduling strategy based on the nearest average cost are designed to balance exploration and exploitation. The experimental results show that, compared with existing fuzzers, GnoFuzz, which is based on this method, increased the number of path discoveries by 22.73% and the number of vulnerability discoveries by 38.94%.

(3) Aiming at the problem that existing hybrid fuzzers do not consider task collaboration when selecting the solving target, and do not maximize the benefit of symbolic execution under the condition of limited computing resources, pluralistic seed selection-based hybrid fuzzing is proposed. This method quantifies the ability of seeds to discover new paths by diversifying the evaluation of seeds in the control flow graph, and performs symbolic execution on seeds that have difficulty discovering paths, forming a task collaboration between fuzzing and symbolic execution. At the same time, it uses target-oriented thinking to evaluate the ability of seeds to explore vulnerabilities, so that symbolic execution solves the seeds that are more likely to find vulnerabilities. Experimental results show that, compared with existing hybrid fuzzers, PSSHF, which is based on this method, increased the number of path discoveries by 8.35% and the number of vulnerability discoveries by 28.69%.
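The following Python script is an added illustration of the gate-node idea from contribution (2): identifying the branch points in a control-flow graph from which execution can still reach a target, scoring seeds by the gate nodes their traces cover, sharing a mutation budget in proportion to that score, and switching from exploitation back to exploration when gate-node gain stalls. It is not the thesis's or GnoFuzz's code: the CFG, the seed traces, the exact gate-node criterion (a block that can reach a target but has a successor that cannot), the distance-based weighting and the mode-conversion rule are all assumptions constructed for the example.

```python
from collections import deque

# Constructed control-flow graph for a hypothetical program under test (PUT):
# basic block -> list of successor blocks. Illustrative data, not a CFG from
# the thesis.
CFG = {
    "entry": ["A", "B"],
    "A": ["C"],
    "B": ["D", "E"],
    "C": ["F"],
    "D": ["F"],
    "E": ["exit"],
    "F": ["target", "exit"],
    "target": [],
    "exit": [],
}
TARGETS = {"target"}  # blocks the directed fuzzer wants to reach


def distance_to_targets(cfg, targets):
    """Reverse BFS: minimum number of edges from each block to any target.
    Blocks that cannot reach a target are absent from the result."""
    preds = {n: [] for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        n = queue.popleft()
        for p in preds[n]:
            if p not in dist:
                dist[p] = dist[n] + 1
                queue.append(p)
    return dist


def gate_nodes(cfg, targets):
    """Assumed definition (not the thesis's exact criterion): a gate node is a
    block that can reach a target but has at least one successor that cannot,
    i.e. a branch point where execution may leave every path to the targets."""
    dist = distance_to_targets(cfg, targets)
    return {
        n for n in cfg
        if n in dist and n not in targets
        and any(s not in dist for s in cfg[n])
    }


def seed_score(trace, cfg, targets):
    """Quantify a seed's ability to explore the targets by the gate nodes its
    execution trace covers, weighting gates closer to a target more heavily."""
    dist = distance_to_targets(cfg, targets)
    gates = gate_nodes(cfg, targets)
    return sum(1.0 / (1 + dist[b]) for b in set(trace) if b in gates)


def assign_energy(seeds, cfg, targets, budget=100):
    """Share a mutation budget across seeds in proportion to their gate score;
    if no seed touches a gate node, fall back to an even split."""
    scores = {name: seed_score(trace, cfg, targets) for name, trace in seeds.items()}
    total = sum(scores.values())
    if total == 0:
        return {name: budget // len(seeds) for name in seeds}
    return {name: round(budget * s / total) for name, s in scores.items()}


def choose_mode(gate_gain_history, window=3):
    """Mode conversion heuristic (assumed, not the thesis's exact rule): stay in
    exploitation while recent rounds still uncover new gate nodes; fall back to
    coverage-guided exploration once the gain has been zero for `window`
    consecutive rounds."""
    recent = gate_gain_history[-window:]
    if len(recent) == window and all(g == 0 for g in recent):
        return "exploration"
    return "exploitation"


# Constructed execution traces (block sequences) for three seeds.
SEEDS = {
    "s1": ["entry", "A", "C", "F", "exit"],
    "s2": ["entry", "B", "E", "exit"],
    "s3": ["entry", "B", "D", "F", "target"],
}

if __name__ == "__main__":
    print("gate nodes:", sorted(gate_nodes(CFG, TARGETS)))
    for name, trace in SEEDS.items():
        print(name, "score", seed_score(trace, CFG, TARGETS))
    print("energy:", assign_energy(SEEDS, CFG, TARGETS))
    print("mode:", choose_mode([2, 1, 0, 0, 0]))
```

With the constructed graph, B and F are the gate nodes: every other block either has a single successor on the way to the target or cannot reach it at all. Seed s3 covers both gates and therefore receives half the budget, while s2, which leaves the target path at E, still earns some energy for having reached gate B. The distance weighting is one simple stand-in for the "benefit information" the abstract attributes to gate nodes; the thesis's actual gain-benefit and nearest-average-cost formulas are not reproduced here.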