Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80039

Full metadata record

| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蕭旭君(Hsu-Chun Hsiao) | |
| dc.contributor.author | Yu-Chuan Liang | en |
| dc.contributor.author | 梁友銓 | zh_TW |
| dc.date.accessioned | 2022-11-23T09:22:35Z | - |
| dc.date.available | 2021-08-04 | |
| dc.date.available | 2022-11-23T09:22:35Z | - |
| dc.date.copyright | 2021-08-04 | |
| dc.date.issued | 2021 | |
| dc.date.submitted | 2021-07-19 | |
| dc.identifier.citation | [1] FuzzBench - Fuzzer benchmarking as a service., 2020. [2] C. Aschermann, S. Schumilo, T. Blazytko, R. Gawlik, and T. Holz. Redqueen: Fuzzing with input-to-state correspondence. In Symposium on Network and Distributed System Security (NDSS), 2019. [3] M. Böhme, V. J. Manès, and S. K. Cha. Boosting fuzzer efficiency: An information theoretic perspective. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 678–689, 2020. [4] P. Chen and H. Chen. Angora: Efficient fuzzing by principled search. In 2018 IEEE Symposium on Security and Privacy (SP), pages 711–725, 2018. [5] Y. Chen, Y. Jiang, F. Ma, J. Liang, M. Wang, C. Zhou, X. Jiao, and Z. Su. EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers. In 28th USENIX Security Symposium (USENIX Security 19), pages 1967–1983, Santa Clara, CA, Aug. 2019. USENIX Association. [6] W. Drozd and M. Wagner. FuzzerGym: A competitive framework for fuzzing and learning, July 2018. [7] A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse. AFL++: Combining incremental steps of fuzzing research. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020. [8] V. Herdt, D. Große, J. Wloka, T. Güneysu, and R. Drechsler. Verification of embedded binaries using coverage-guided fuzzing with SystemC-based virtual prototypes. In GLSVLSI, 2020. [9] G. Inc. A set of tests (benchmarks) for fuzzing engines (fuzzers)., 2016. [10] K. Ispoglou, D. Austin, V. Mohan, and M. Payer. FuzzGen: Automatic fuzzer generation. In 29th USENIX Security Symposium (USENIX Security 20), pages 2271–2287. USENIX Association, Aug. 2020. [11] G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks. Evaluating fuzz testing. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS '18, pages 2123–2138, New York, NY, USA, 2018. Association for Computing Machinery. [12] H. Le. LLVM-based Hybrid Fuzzing with LibKluzzer (Competition Contribution), pages 535–539. Apr. 2020. [13] J. Liang, Y. Jiang, Y. Chen, M. Wang, C. Zhou, and J. Sun. PAFL: Extend fuzzing optimizations of single mode to industrial parallel mode. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2018, pages 809–814, New York, NY, USA, 2018. Association for Computing Machinery. [14] libfuzzer@googlegroups.com. libFuzzer – a library for coverage-guided fuzz testing., 2019. [15] K. Serebryany. Continuous fuzzing with libFuzzer and AddressSanitizer. In 2016 IEEE Cybersecurity Development (SecDev), pages 157–157, 2016. [16] K. Serebryany. OSS-Fuzz - Google's continuous fuzzing service for open source software. Vancouver, BC, Aug. 2017. USENIX Association. [17] R. Swiecki. Honggfuzz: A general-purpose, easy-to-use fuzzer with interesting analysis options. 2017. [18] W. Xu, S. Kashyap, C. Min, and T. Kim. Designing new operating primitives to improve fuzzing performance. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pages 2313–2328, New York, NY, USA, 2017. Association for Computing Machinery. [19] I. Yun, S. Lee, M. Xu, Y. Jang, and T. Kim. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In 27th USENIX Security Symposium (USENIX Security 18), pages 745–761, Baltimore, MD, Aug. 2018. USENIX Association. [20] M. Zalewski. American Fuzzy Lop (AFL). [21] S. Österlund, K. Razavi, H. Bos, and C. Giuffrida. ParmeSan: Sanitizer-guided Greybox Fuzzing. In USENIX Security, Aug. 2020. | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80039 | - |
| dc.description.abstract | libFuzzer is a very powerful fuzzer that has been used to find thousands of bugs in real-world programs. However, other fuzzers run into two major limitations when they try to compare themselves against libFuzzer or its variants. First, the comparison metric is restricted to the time to the first crash rather than the more common code-coverage metric, because libFuzzer terminates immediately when the fuzz target crashes. Second, although libFuzzer can keep fuzzing after finding a crash when its ignore-crashes mode is enabled, it may still produce incorrect results because the program itself expects a clean global context. As a result, fuzzers that want to compare against libFuzzer are limited to carefully modified programs, or to programs with no global-context dependencies. To solve this context-pollution problem and improve the comparability between libFuzzer and other fuzzers, we present a new libFuzzer mode, called isolated-context icLibFuzzer, which isolates the fuzzer instance's context from the fuzz target's context so that the fuzz target's context can be efficiently re-initialized after every execution. To implement icLibFuzzer, we drew on the design ideas and goals of AFL, replaced libFuzzer's in-process infrastructure with a lightweight fork server, and proposed structure packing, which further improves fuzzing speed by roughly a factor of two. We compared icLibFuzzer against four other state-of-the-art fuzzers (AFL, Angora, QSYM, and Honggfuzz) on several real-world programs. Our results show that icLibFuzzer outperforms the other fuzzers on most of the programs we tested after 24 hours, and keeps its lead from 24 hours until the end of the 72-hour experiment. To show that we can easily keep up with the latest libFuzzer updates, we upgraded icLibFuzzer to the newest version of libFuzzer (from LLVM9 to LLVM11). Our preliminary results show that the LLVM11 version of icLibFuzzer performs well against both the LLVM9 version of icLibFuzzer and AFL++ (one of the most advanced fuzzers in the AFL family). We hope icLibFuzzer can serve as another baseline for fuzzing research. Our code is published on GitHub. | zh_TW |
| dc.description.provenance | Made available in DSpace on 2022-11-23T09:22:35Z (GMT). No. of bitstreams: 1 U0001-1607202112171300.pdf: 1230036 bytes, checksum: 49b48b61a4c3e1494ac6588f44176359 (MD5) Previous issue date: 2021 | en |
| dc.description.tableofcontents | Abstract (Chinese); Abstract; 0.1 Introduction (p. 1); 0.2 Background (p. 3); 0.2.1 libFuzzer Overview (p. 4); 0.2.2 libFuzzer's Advanced Instrumentation Features (p. 5); 0.2.2.1 CMP tracing (p. 5); 0.2.2.2 Value profiling (p. 6); 0.2.2.3 Compare function (p. 7); 0.2.2.4 Dataflow trace (p. 7); 0.2.3 libFuzzer's in-process infrastructure (p. 7); 0.3 Comparability Issues (p. 9); 0.3.1 Lack of support for common evaluation metrics (p. 9); 0.3.2 Incorrect results due to context pollution (p. 10); 0.4 icLibFuzzer (p. 12); 0.4.1 Efficient context isolation (p. 12); 0.4.2 Structure Packing (p. 14); 0.4.3 Set CPU Affinity (p. 16); 0.4.4 Compiler wrapper (p. 17); 0.5 Evaluation (p. 18); 0.5.1 Settings (p. 19); 0.5.2 RQ1 (p. 21); 0.5.3 RQ2 (p. 24); 0.5.4 RQ3 (p. 26); 0.6 Discussion (p. 26); 0.6.1 Effectiveness of each feature (p. 26); 0.6.2 Following the latest version of libFuzzer (p. 28); 0.6.3 Initial seed selection (p. 28); 0.6.4 The number of fuzzing threads (p. 29); 0.6.5 Case Study (p. 31); 0.7 Guideline for upgrading to newer libFuzzer (p. 32); 0.8 Related Work (p. 33); 0.8.1 Enhancing libFuzzer (p. 33); 0.8.2 Integrating or Comparing with libFuzzer (p. 34); 0.9 Conclusion (p. 35); References (p. 37) | |
| dc.language.iso | en | |
| dc.subject | icLibFuzzer | zh_TW |
| dc.title | Improving the Comparability of the libFuzzer Fuzzer through Context Isolation | zh_TW |
| dc.title | icLibFuzzer: Isolated-context libFuzzer for Improving Fuzzer Comparability | en |
| dc.date.schoolyear | 109-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 黃世昆(Hsin-Tsai Liu),黃俊穎(Chih-Yang Tseng) | |
| dc.subject.keyword | icLibFuzzer, | zh_TW |
| dc.relation.page | 39 | |
| dc.identifier.doi | 10.6342/NTU202101508 | |
| dc.rights.note | Authorized (open access worldwide) | |
| dc.date.accepted | 2021-07-19 | |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Computer Science and Information Engineering | zh_TW |
| Appears in Collections: | Department of Computer Science and Information Engineering | |
Files in This Item:

| File | Size | Format | |
|---|---|---|---|
| U0001-1607202112171300.pdf | 1.2 MB | Adobe PDF | View/Open |

Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are otherwise indicated.
