| Field | Value |
|---|---|
| Title: | Combining Static Analyzers and Directed Fuzzers for Bug Hunting |
| Authors: | 許哲睿 (Che-Jui Hsu) |
| Advisor: | 蕭旭君 (Hsu-Chun Hsiao) |
| Keyword: | static analysis, directed fuzzing, recurring vulnerability detection |
| Publication Year: | 2025 |
| Degree: | Master's |
| Abstract (Chinese abstract, translated): | This study uses the results of static analysis to guide directed fuzzing as a vulnerability-discovery technique and builds a complete bug-hunting system around it. Unlike bug-hunting systems of similar architecture that simply combine existing static analysis tools with directed fuzzing tools, we aim to make full use of the potential root causes reported by the static analyzer as guidance for the directed fuzzer, and to that end we additionally modified the directed fuzzing tool. We added a bug-trace extension feature to the directed fuzzer and developed a bug-trace-oriented energy allocation strategy to assist directed fuzzing. We also measured the performance of the whole bug-hunting system and of the bug-trace-oriented directed fuzzer. Although the evaluation showed that the method designed in this study did not significantly affect bug-hunting performance, we go on to discuss the potential causes and possible directions for future correction, in the hope of helping researchers who want to use a similar architecture. |
| Abstract (English): | This thesis presents a novel framework for vulnerability detection that integrates static analyzers with directed fuzzers. Unlike prior approaches that naively combine off-the-shelf tools, this work aims to make bug trace reports and guided fuzzing input strategies cooperate with each other. The proposed framework begins by extracting bug traces and root causes from advanced static analyzers, such as Infer and OpSMatcher. These traces are then extended via dominator tree traversal, enriching the granularity of control-flow information available to the fuzzer. A customized version of the directed fuzzer AFLGo is then employed, modified to incorporate a trace similarity-based energy assignment strategy. Despite these technical innovations, empirical evaluations reveal that the framework did not achieve the expected improvements in crash detection performance. We further discuss the potential reasons behind this. We conclude the work by pointing out potential improvements for anyone who wants to follow the same direction, in the hope that anyone who wants to follow a similar idea can avoid the dead ends we took. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101159 |
| DOI: | 10.6342/NTU202504724 |
| Fulltext Rights: | Authorized for release (open access worldwide) |
| Embargo lift date: | 2026-01-01 |
| Appears in Collections: | Graduate Institute of Networking and Multimedia |
Files in This Item:
| File | Size | Format |
|---|---|---|
| ntu-114-1.pdf | 1.2 MB | Adobe PDF |
