
Research On The Enhancement Of Mutation Strategy Of Greybox Fuzzing

Posted on: 2024-01-23
Degree: Master
Type: Thesis
Country: China
Candidate: C C Kong
Full Text: PDF
GTID: 2568307163963119
Subject: Software engineering

Abstract/Summary:
Coverage-guided fuzzing is the current mainstream greybox fuzzing approach. It uses code coverage as feedback to steer fuzzing toward uncovered code regions, enabling rapid coverage growth, and higher code coverage has a higher chance of triggering potential vulnerabilities. Researchers have studied the coverage improvement problem extensively from different perspectives, but open issues remain. The authors observe that, for fuzzing, a purely deterministic mutation strategy is too time-consuming because the number of mutations is too large (2 to the power of the number of bits), a purely non-deterministic mutation strategy is too blind because it does not take path information into account, and the seed scheduling strategy takes neither path information nor vulnerability-related sensitive-function information into account, which makes scheduling unreasonable. To this end, this thesis proposes a method for improving the mutation strategy of greybox fuzzing and implements a prototype tool, EMASFUZZ (enhanced mutation and schedule for fuzzing), whose ideas are as follows.

(1) To address the time cost of the deterministic mutation strategy, this thesis proposes a fine-grained mutation strategy based on keyword bytes, which mutates only the keyword bytes related to branch constraints, reducing the number of seed bytes to mutate and improving the time efficiency of fuzzing.

(2) To address the blindness of the non-deterministic mutation strategy, this thesis proposes an adaptive mutation strategy based on a multi-armed bandit (rendered as "multi-armed slot machine" in the keywords): random mutation is modelled as a multi-armed bandit problem and the random mutation strategy is adjusted dynamically with the UCB1 (upper confidence bound, version 1) algorithm, which reduces the blindness of mutation and raises the probability of exploring new paths.

(3) To address the unreasonable scheduling that results when the seed scheduling strategy ignores path feedback and sensitive functions, this thesis proposes a seed scheduling strategy that combines information about unvisited neighbor branches and sensitive functions: the number of unvisited neighbor branches and of vulnerability-related sensitive functions is collected at runtime and fed back to the fuzzer to achieve optimal seed scheduling, further improving the probability of exploring new paths and discovering vulnerabilities.

Experimental comparisons with several classic and state-of-the-art fuzzers, such as AFL++ and MOpt, on the LAVA-M dataset and on open-source programs such as objdump and size show that EMASFUZZ achieves higher path coverage and uncovers more vulnerabilities than AFL++ and MOpt in the same time.
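The adaptive mutation strategy in idea (2) can be illustrated with a small UCB1 scheduler over mutation operators. This is an added example, not EMASFUZZ code: the operator names, the reward signal (1 when a mutated input reaches a new branch, 0 otherwise) and the hidden per-operator success rates in the simulated fuzz loop are all constructed assumptions.

```python
import math
import random

# Constructed operator set: the thesis does not list EMASFUZZ's actual operators.
OPERATORS = ("bitflip", "arith", "interesting_values", "havoc_bytes", "splice")

class UCB1MutationScheduler:
    """Each mutation operator is a bandit arm; reward = 1 when a new branch is reached."""

    def __init__(self, arms):
        self.arms = list(arms)
        self.pulls = {a: 0 for a in self.arms}      # n_i: times operator i was used
        self.rewards = {a: 0.0 for a in self.arms}  # summed reward of operator i
        self.total = 0                              # N: mutations performed so far

    def ucb(self, arm):
        # UCB1 index: empirical mean reward + exploration bonus sqrt(2 ln N / n_i)
        mean = self.rewards[arm] / self.pulls[arm]
        return mean + math.sqrt(2.0 * math.log(self.total) / self.pulls[arm])

    def select(self):
        # Try every operator once so each has an estimate, then pick the largest index
        for arm in self.arms:
            if self.pulls[arm] == 0:
                return arm
        return max(self.arms, key=self.ucb)

    def update(self, arm, reward):
        self.pulls[arm] += 1
        self.total += 1
        self.rewards[arm] += reward

def simulate(rounds=5000, seed=7):
    """Constructed fuzz loop: each operator has a hidden chance of hitting a new branch."""
    hidden = {"bitflip": 0.02, "arith": 0.05, "interesting_values": 0.20,
              "havoc_bytes": 0.08, "splice": 0.01}
    rng = random.Random(seed)
    sched = UCB1MutationScheduler(OPERATORS)
    for _ in range(rounds):
        op = sched.select()
        # Simulated coverage feedback: reward 1.0 for a new branch, else 0.0
        sched.update(op, 1.0 if rng.random() < hidden[op] else 0.0)
    return sched

if __name__ == "__main__":
    s = simulate()
    for op in sorted(s.arms, key=s.pulls.get, reverse=True):
        print(f"{op:18s} used {s.pulls[op]:5d}x, mean reward {s.rewards[op] / s.pulls[op]:.3f}")
```

Running it shows the scheduler shifting most of its mutation budget to the operator that keeps finding new branches while still occasionally revisiting the others, which is the blindness reduction the abstract describes.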
Keywords/Search Tags:fuzzing, taint inference, random mutation, multi-armed slot machine