Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101031

Full metadata record (DC field: value, with the language tag in parentheses where one is set)
dc.contributor.advisor: 蕭旭君 (zh_TW)
dc.contributor.advisor: Hsu-Chun Hsiao (en)
dc.contributor.author: 黃俊嘉 (zh_TW)
dc.contributor.author: Chun-Chia Huang (en)
dc.date.accessioned: 2025-11-26T16:32:29Z
dc.date.available: 2025-11-27
dc.date.copyright: 2025-11-26
dc.date.issued: 2025
dc.date.submitted: 2025-09-01
dc.identifier.citation:
  • A. Arya, O. Chang, J. Metzman, K. Serebryany, and D. Liu. OSS-Fuzz: Continuous fuzzing for open source software, 2016.
  • P. Borrello, A. Fioraldi, D. C. D'Elia, D. Balzarotti, L. Querzoni, and C. Giuffrida. Predictive context-sensitive fuzzing. In 31st Annual Network and Distributed System Security Symposium, NDSS 2024, San Diego, California, USA, February 26 - March 1, 2024. The Internet Society, 2024.
  • Y. Chang. yfuzz: Data-driven fuzzing. Master's thesis, National Taiwan University, Jan 2021.
  • Y. Chang, C.-C. Huang, T. Mori, and H.-C. Hsiao. Poster: Yfuzz: Data-driven fuzzing. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS '24, pages 4958–4960, New York, NY, USA, 2024. Association for Computing Machinery.
  • A. Fioraldi, D. C. D'Elia, and D. Balzarotti. The use of likely invariants as feedback for fuzzers. In 30th USENIX Security Symposium (USENIX Security 21), pages 2829–2846. USENIX Association, Aug. 2021.
  • A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse. AFL++: Combining incremental steps of fuzzing research. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.
  • G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks. Evaluating fuzz testing. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS '18, pages 2123–2138, New York, NY, USA, 2018. Association for Computing Machinery.
  • LLVM Project. LLVM pass infrastructure. https://llvm.org/docs/WritingAnLLVMNewPMPass.html, 2025. Accessed: 2025-07-15.
  • A. Mantovani, A. Fioraldi, and D. Balzarotti. Fuzzing with data dependency information. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pages 286–302, 2022.
  • J. Metzman, L. Szekeres, L. Maurice Romain Simon, R. Trevelin Sprabery, and A. Arya. FuzzBench: An Open Fuzzer Benchmarking Platform and Service. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2021, pages 1393–1403, New York, NY, USA, 2021. Association for Computing Machinery.
  • M. Schloegel, N. Bars, N. Schiller, L. Bernhard, T. Scharnowski, A. Crump, A. Ale-Ebrahim, N. Bissantz, M. Muench, and T. Holz. SoK: Prudent evaluation practices for fuzzing. In 2024 IEEE Symposium on Security and Privacy (SP), pages 1974–1993, 2024.
  • M. Wang, J. Liang, C. Zhou, Z. Wu, J. Fu, Z. Su, Q. Liao, B. Gu, B. Wu, and Y. Jiang. Data coverage for guided fuzzing. In Proceedings of the 33rd USENIX Conference on Security Symposium, SEC '24, USA, 2024. USENIX Association.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101031
dc.description.abstract (zh_TW):
Code coverage is an important and effective metric in fuzzing, but it has a fundamental limitation when it comes to driving fuzzers toward vulnerabilities: it cannot effectively guide the fuzzer to explore variable values. As a result, even when vulnerable code has been executed many times, a vulnerability can still be missed because the specific variable values required to trigger it were never supplied.
YFuzz introduces value state coverage to address this problem: by monitoring the values of security-relevant variables, it guides the fuzzer toward satisfying the value conditions required to trigger vulnerabilities. However, although the concept is persuasive and the results of the earlier evaluation appeared significant, our comprehensive analysis reveals that YFuzz contains a major implementation error and several evaluation problems that undermine the validity of the effectiveness claimed in the original YFuzz work. The most critical finding is an implementation error under which up to 83.44% of the security variables are not the variables that should, in theory, be monitored, creating a gap between YFuzz's theoretical method and its actual implementation.
To clarify these issues and understand YFuzz's real effectiveness, we fixed the implementation error and conducted a comprehensive performance evaluation on 15 programs. The results show that YFuzz improves value state coverage by 31.62% over AFL++, at the cost of an 18.30% loss in execution speed and a 29.02% drop in code coverage.
Through ablation experiments, we found that parameter optimization can raise the coverage of security-relevant variables by up to 93% and helps strengthen bug-finding ability. However, comparison with AFL++ and DDFuzz shows that although YFuzz performs well on technical metrics, it did not find any unique vulnerabilities, indicating that improvements in value state coverage do not necessarily translate directly into better bug-finding results.
Our study provides a deeper understanding of YFuzz's capabilities and shows the limitations of value state coverage in its current design. We also discuss possible directions for improving YFuzz and value state coverage approaches, such as introducing adaptive guidance strategies, and analyze the challenges faced when evaluating new fuzzing techniques. These observations offer suggestions and reference directions for follow-up research on value-state-based fuzzing methods.
dc.description.abstract (en):
Despite being one of the most common and effective methods in fuzzing, code coverage-guided fuzzing has limitations in detecting vulnerabilities that require specific variable values to trigger, even when the vulnerable code paths are already covered. YFuzz addresses this issue by introducing value state coverage, which monitors the values of security-sensitive variables to guide fuzzers toward satisfying the data requirements necessary for triggering vulnerabilities.
However, despite its appealing concept and previously reported success, our analysis reveals a critical implementation flaw and several evaluation issues that threaten the validity of YFuzz's original claims. Most significantly, we discover that 83.44% of monitored security-sensitive variables are incorrectly identified, creating a fundamental disconnect between YFuzz's theoretical design and its actual implementation.
To address these issues and rigorously evaluate YFuzz, we correct the implementation problem and conduct a comprehensive re-evaluation on 15 programs, more than the original study and typical fuzzing research. Our results show that YFuzz achieves a 31.62% improvement in value state coverage over AFL++ but incurs 18.30% runtime overhead and a 29.02% reduction in code coverage. Through ablation studies, we demonstrate a 93% improvement in security-sensitive variable coverage through parameter optimization, which also enhances its bug discovery capability. However, comparison against AFL++ and DDFuzz shows that YFuzz does not discover any unique vulnerabilities despite these technical improvements. This suggests that gains in value state coverage do not necessarily translate into better bug discovery capability.
Our findings offer a clearer understanding of YFuzz's strengths and limitations, and highlight the current constraints of value state coverage in its existing design. We also discuss directions for improving both YFuzz and value-state-based approaches, such as incorporating adaptive guidance strategies, and examine the challenges of evaluating novel fuzzing techniques like YFuzz. These insights provide guidance for the future development of fuzzing methods grounded in value state coverage.
dc.description.provenance (en): Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-11-26T16:32:29Z. No. of bitstreams: 0
dc.description.provenance (en): Made available in DSpace on 2025-11-26T16:32:29Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Verification Letter from the Oral Examination Committee i
Acknowledgements iii
摘要 v
Abstract vii
Contents ix
List of Figures xiii
List of Tables xv
Denotation xvii
Chapter 1 Introduction 1
Chapter 2 Background and Related Work 7
2.1 Fuzzing 7
2.2 Code Coverage and Its Limitations 8
2.3 YFuzz: Data-Driven Fuzzing 10
2.3.1 YFuzz Methodology 11
2.3.2 Implementation Details 12
2.3.2.1 Identification of Security-Sensitive Variables 12
2.3.2.2 Value State Coverage 13
2.3.2.3 Seed Scheduling and Energy Allocation Strategy 14
2.3.3 Original evaluation and claims 14
2.4 Fuzzing with Data Dependency Information 15
2.5 The Use of Likely Invariants as Feedback for Fuzzers 16
Chapter 3 Issues of YFuzz and Our Solutions 17
3.1 Implementation Issue 17
3.1.1 Incorrect Identification of Security-Sensitive Variables 17
3.2 Design Issues 19
3.2.1 Seed Scheduling and Energy Allocation Strategy 19
3.3 Evaluation Issues 21
3.3.1 Missing State Explosion Analysis 21
3.3.2 Limited Programs for Evaluation 22
3.3.3 Lack Comparison to Related Approaches 22
Chapter 4 Evaluation 25
4.1 Experimental Setup 26
4.1.1 Environment 26
4.1.2 Baseline 26
4.1.3 Dataset 27
4.1.4 Initial Seeds 28
4.2 RQ1: Impact of Security-Sensitive Variable Misidentification 29
4.2.1 RQ1.1: Extent of Misidentification 29
4.2.2 RQ1.2: Performance Impact of Correction 30
4.3 RQ2: Seed Scheduling and Energy Allocation Strategy 31
4.4 RQ3: State Explosion Analysis of Value State 35
4.5 RQ4.1: Value State Coverage 38
4.6 RQ4.2: Code Coverage 39
4.7 RQ4.3: Runtime Overhead 41
4.8 RQ5: Comparison to State-of-the-Art Techniques 42
Chapter 5 Discussion & Future Work 45
5.1 Evaluation Challenges 45
5.2 Improvement Directions for YFuzz and Value State Coverage Related Approaches 47
Chapter 6 Conclusion 51
References 53
Appendix A — Introduction 55
A.1 Type-I Security-Sensitive Variables 55
dc.language.iso: en
dc.subject: Fuzzing (originally 模糊測試)
dc.subject: Value State Coverage (originally 數值狀態覆蓋率)
dc.subject: Code Coverage (originally 程式碼覆蓋率)
dc.subject: YFuzz
dc.subject: Software Security (originally 軟體安全)
dc.subject: Fuzzing
dc.subject: Value State Coverage
dc.subject: Code Coverage
dc.subject: YFuzz
dc.subject: Software Security
dc.title (zh_TW): Evaluation of Value State Coverage Guided Fuzzing (originally 數值狀態覆蓋率驅動式模糊測試之評估)
dc.title (en): On the Feasibility of Value State Coverage Guided Fuzzing
dc.type: Thesis
dc.date.schoolyear: 114-1
dc.description.degree: Master
dc.contributor.oralexamcommittee (zh_TW): 黃俊穎; 黃世昆; 黎士瑋
dc.contributor.oralexamcommittee (en): Chun-Ying Huang; Shih-Kun Huang; Shih-Wei Li
dc.subject.keyword (zh_TW): Fuzzing, Value State Coverage, Code Coverage, YFuzz, Software Security (originally 模糊測試, 數值狀態覆蓋率, 程式碼覆蓋率, YFuzz, 軟體安全)
dc.subject.keyword (en): Fuzzing, Value State Coverage, Code Coverage, YFuzz, Software Security
dc.relation.page: 55
dc.identifier.doi: 10.6342/NTU202504431
dc.rights.note: Authorized for release (open access worldwide)
dc.date.accepted: 2025-09-02
dc.contributor.author-college: College of Electrical Engineering and Computer Science
dc.contributor.author-dept: Department of Computer Science and Information Engineering
dc.date.embargo-lift: 2025-11-27
Appears in collections: Department of Computer Science and Information Engineering

Files in this item:
File | Size | Format
ntu-114-1.pdf | 6.94 MB | Adobe PDF