Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80773
Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蕭旭君(Hsu-Chun Hsiao) | |
| dc.contributor.author | Yuan Chang | en |
| dc.contributor.author | 張元 | zh_TW |
| dc.date.accessioned | 2022-11-24T03:16:04Z | - |
| dc.date.available | 2021-11-05 | |
| dc.date.available | 2022-11-24T03:16:04Z | - |
| dc.date.copyright | 2021-11-05 | |
| dc.date.issued | 2021 | |
| dc.date.submitted | 2021-10-17 | |
| dc.identifier.citation | [1] C. Aschermann, S. Schumilo, T. Blazytko, R. Gawlik, and T. Holz. Redqueen: Fuzzing with input-to-state correspondence. In Symposium on Network and Distributed System Security (NDSS), 2019. [2] M. Böhme, V.T. Pham, M.D. Nguyen, and A. Roychoudhury. Directed greybox fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pages 2329–2344, New York, NY, USA, 2017. Association for Computing Machinery. [3] M. Böhme, V.T. Pham, and A. Roychoudhury. Coverage-based greybox fuzzing as Markov chain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, pages 1032–1043, New York, NY, USA, 2016. Association for Computing Machinery. [4] H. Chen, Y. Xue, Y. Li, B. Chen, X. Xie, X. Wu, and Y. Liu. Hawkeye: Towards a desired directed grey-box fuzzer. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS '18, pages 2095–2108, New York, NY, USA, 2018. Association for Computing Machinery. [5] Y. Chen, P. Li, J. Xu, S. Guo, R. Zhou, Y. Zhang, T. Wei, and L. Lu. Savior: Towards bug-driven hybrid testing. In 2020 IEEE Symposium on Security and Privacy (SP), pages 2–2, Los Alamitos, CA, USA, May 2020. IEEE Computer Society. [6] A. Fioraldi, D. C. D'Elia, and D. Balzarotti. The use of likely invariants as feedback for fuzzers. In 30th USENIX Security Symposium (USENIX Security 21), pages 2829–2846. USENIX Association, Aug. 2021. [7] A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse. AFL++: Combining incremental steps of fuzzing research. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020. [8] S. Gan, C. Zhang, P. Chen, B. Zhao, X. Qin, D. Wu, and Z. Chen. GREYONE: Data flow sensitive fuzzing. In 29th USENIX Security Symposium (USENIX Security 20), pages 2577–2594. USENIX Association, Aug. 2020. [9] V. Ganesh, T. Leek, and M. Rinard. Taint-based directed whitebox fuzzing. In 2009 IEEE 31st International Conference on Software Engineering, pages 474–484, 2009. [10] C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-Directed and Runtime Optimization, CGO '04, page 75, USA, 2004. IEEE Computer Society. [11] G. Lee, W. Shim, and B. Lee. Constraint-guided directed greybox fuzzing. In 30th USENIX Security Symposium (USENIX Security 21), pages 3559–3576. USENIX Association, Aug. 2021. [12] C. Lemieux and K. Sen. FairFuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ASE 2018, pages 475–485, New York, NY, USA, 2018. Association for Computing Machinery. [13] libfuzzer@googlegroups.com. LibFuzzer – a library for coverage-guided fuzz testing, 2019. [14] S. Österlund, K. Razavi, H. Bos, and C. Giuffrida. ParmeSan: Sanitizer-guided greybox fuzzing. In 29th USENIX Security Symposium (USENIX Security 20), pages 2289–2306. USENIX Association, Aug. 2020. [15] S. Rawat, V. Jain, A. Kumar, L. Cojocar, C. Giuffrida, and H. Bos. VUzzer: Application-aware Evolutionary Fuzzing. In NDSS, Feb. 2017. [16] K. Serebryany. OSS-Fuzz: Google's continuous fuzzing service for open source software. Vancouver, BC, Aug. 2017. USENIX Association. [17] K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. AddressSanitizer: A fast address sanity checker. In 2012 USENIX Annual Technical Conference (USENIX ATC 12), pages 309–318, Boston, MA, June 2012. USENIX Association. [18] C. Wen, H. Wang, Y. Li, S. Qin, Y. Liu, Z. Xu, H. Chen, X. Xie, G. Pu, and T. Liu. MemLock: Memory usage guided fuzzing. In 2020 IEEE/ACM 42nd International Conference on Software Engineering, Seoul, South Korea, 2020. [19] M. Zalewski. American Fuzzy Lop (AFL). | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80773 | - |
| dc.description.abstract | Coverage-guided fuzzing is the most successful mainstream fuzzing technique today and has demonstrated its ability to discover vulnerabilities automatically in countless real-world programs. However, coverage-guided fuzzing still faces an inherent limitation: even when the code containing a vulnerability is covered, the vulnerability is hard to trigger. This is because today's mainstream coverage-guided fuzzers use code coverage as their only guidance metric and thus focus on reachability alone. In fact, to discover a vulnerability successfully, the program must not only execute to reach the vulnerable code but also satisfy its triggering condition. Unfortunately, much of the condition information that is critical for triggering a vulnerability is not reflected in code coverage. Consequently, code-coverage-guided fuzzing neglects the exploration of vulnerability-triggering conditions, so that many vulnerable code regions are covered yet their vulnerabilities go undiscovered because they are never triggered. In this thesis we propose a new fuzzing technique, data-state-driven fuzzing, which collects and analyzes the data states of variables with the potential to cause vulnerabilities and combines them with mutation strategies, driving the fuzzer to efficiently explore the program-state search dimension orthogonal to program paths. We further propose a directed grey-box fuzzing technique that analyzes the extreme values of variables at runtime and feeds them back to the fuzzer, guiding it toward target program states in which vulnerabilities are easily triggered. We implemented the approach in a prototype fuzzer, yFuzz. Our experimental results show that yFuzz substantially increases program-state coverage compared with the state-of-the-art code-coverage-guided fuzzer AFL++, raising the chance of covering program states that satisfy vulnerability-triggering conditions; the results also confirm that the directed grey-box fuzzing technique successfully guides the fuzzer to target program states, further strengthening vulnerability discovery. In many heavily fuzzed real-world programs, yFuzz was still able to uncover vulnerabilities located at shallow path depth, i.e. vulnerabilities that are easy to cover but hard to trigger, which further confirms yFuzz's vulnerability-triggering capability; four of these vulnerabilities have been assigned CVE identifiers. | zh_TW |
| dc.description.provenance | Made available in DSpace on 2022-11-24T03:16:04Z (GMT). No. of bitstreams: 1 U0001-1210202113464300.pdf: 708338 bytes, checksum: 3664c3aac42d296c0a329cb3a1839d4c (MD5) Previous issue date: 2021 | en |
| dc.description.tableofcontents | Oral Examination Committee Certification iii; Acknowledgements (Chinese) v; Acknowledgements vii; Abstract (Chinese) ix; Abstract xi; 1 Introduction 1; 2 Background 5; 2.1 Fuzz Testing 5; 2.2 Coverage-Guided Fuzz Testing 6; 3 Motivation 9; 3.1 Limitation of Coverage-Guided Fuzz Testing 9; 3.2 Motivating Example 10; 4 Methodology 13; 4.1 Overview 13; 4.2 Identifying Interesting Variables 15; 4.3 Finding Crucial Input Parts 16; 4.4 Data-Driven Mutation 18; 4.5 Feedback-Guided Mutation 19; 5 Implementation 21; 5.1 System Design 21; 5.2 Finding Instrumentation Points 22; 5.3 Lightweight Data Flow Analysis 23; 5.4 Capturing Extreme Values 24; 5.5 Seed Scoring 24; 6 Evaluation 27; 6.1 RQ1: State Coverage 29; 6.2 RQ2: Impact on Code Coverage 29; 6.3 RQ3: Fuzzing Performance 30; 6.4 RQ4: Directed Fuzzing 31; 6.5 RQ5: Vulnerability Discovery 32; 6.5.1 Case Study 33; 7 Related Work 37; 7.1 Other Feedback than Code Coverage 37; 7.2 Identifying Input Parts 37; 7.3 Directed Grey-box Fuzzing 38; 8 Conclusion 39; Bibliography 41 | |
| dc.language.iso | en | |
| dc.subject | Data-State-Driven Fuzzing | zh_TW |
| dc.subject | Data-Driven Fuzzing | en |
| dc.title | yFuzz: Data-State-Driven Fuzzing | zh_TW |
| dc.title | yFuzz: Data-Driven Fuzzing | en |
| dc.date.schoolyear | 109-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 黃世昆(Hsin-Tsai Liu),黃俊穎(Chih-Yang Tseng) | |
| dc.subject.keyword | Data-State-Driven Fuzzing | zh_TW |
| dc.subject.keyword | Data-Driven Fuzzing | en |
| dc.relation.page | 43 | |
| dc.identifier.doi | 10.6342/NTU202103659 | |
| dc.rights.note | Authorized for release (campus-only access) | |
| dc.date.accepted | 2021-10-19 | |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Computer Science and Information Engineering | zh_TW |
| Appears in Collections: | Department of Computer Science and Information Engineering | |
Files in This Item:
| File | Size | Format |
|---|---|---|
| U0001-1210202113464300.pdf (access restricted to NTU campus IP addresses; use the VPN service when off campus) | 691.74 kB | Adobe PDF |
All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
