Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101159

Full metadata record

DC field | Value | Language
dc.contributor.advisor | 蕭旭君 | zh_TW
dc.contributor.advisor | Hsu-Chun Hsiao | en
dc.contributor.author | 許哲睿 | zh_TW
dc.contributor.author | Che-Jui Hsu | en
dc.date.accessioned | 2025-12-31T16:09:26Z | -
dc.date.available | 2026-01-01 | -
dc.date.copyright | 2025-12-31 | -
dc.date.issued | 2025 | -
dc.date.submitted | 2025-12-02 | -
dc.identifier.citation | (reference list below) | -
[1] N. A. Awed. Towards integrating static code analysis and hybrid fuzzing for more efficient bug detection. Master's thesis, 2022.
[2] M. Böhme, V.-T. Pham, M.-D. Nguyen, and A. Roychoudhury. Directed greybox fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), pages 2329–2344, New York, NY, USA, 2017. Association for Computing Machinery.
[3] Ericsson AB and contributors. CodeChecker: Static analysis of C/C++ code using Clang. https://github.com/Ericsson/codechecker, 2023. Online; accessed 16 July 2025.
[4] GitHub. CodeQL: Semantic code analysis. https://codeql.github.com/, 2023. Online; accessed 16 July 2025.
[5] A. Hazimeh, A. Herrera, and M. Payer. Magma: A ground-truth fuzzing benchmark. Proc. ACM Meas. Anal. Comput. Syst., 4(3), Nov. 2020.
[6] C. Lattner. LLVM and Clang: Next generation compiler technology. 2008.
[7] C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In International Symposium on Code Generation and Optimization (CGO 2004), pages 75–86, 2004.
[8] P. Li, W. Meng, and C. Zhang. SDFuzz: Target states driven directed fuzzing. In 33rd USENIX Security Symposium (USENIX Security 24), pages 2441–2457, Philadelphia, PA, Aug. 2024. USENIX Association.
[9] libtiff Project. Out-of-memory issue in tiffcrop, issue #269, July 2022. Accessed 20 July 2025.
[10] Meta (formerly Facebook). Infer: Static analysis tool. https://fbinfer.com/, 2013. Accessed 16 July 2025.
[11] N. Wellnhofer. Avoid arithmetic on freed pointers. Git commit 4951c462eae68562df335ff6d611f4352ea9931d, Mar. 2022.
[12] N. Wellnhofer. io: Fix a few integer overflows in I/O statistics. Git commit 249cee4b2a0bcfe4114814fbd65fb4d5e404858e, 2022.
[13] S. Leffler et al. libTIFF: TIFF library and utilities, 2025.
[14] P. Shields. Hybrid testing: Combining static analysis and directed fuzzing, 2023.
[15] P. Srivastava, S. Nagy, M. Hicks, A. Bianchi, and M. Payer. One fuzz doesn't fit all: Optimizing directed fuzzing via target-tailored program state restriction. In Proceedings of the 38th Annual Computer Security Applications Conference (ACSAC '22), pages 388–399, New York, NY, USA, 2022. Association for Computing Machinery.
[16] Y. Sui and J. Xue. SVF: Interprocedural static value-flow analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction (CC '16), pages 265–266, New York, NY, USA, 2016. Association for Computing Machinery.
[17] L. Torczon and K. Cooper. Engineering a Compiler. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 2nd edition, 2007.
[18] D. Veillard and The GNOME Project. libxml2. https://gitlab.gnome.org/GNOME/libxml2.
[19] D. A. Wheeler. Flawfinder: A static analysis tool for C/C++ security flaws. https://dwheeler.com/flawfinder/, 2023. Online; accessed 16 July 2025.
[20] Y. Xiang, X. Zhang, P. Liu, S. Ji, H. Liang, J. Xu, and W. Wang. Critical code guided directed greybox fuzzing for commits. In 33rd USENIX Security Symposium (USENIX Security 24), pages 2459–2474, Philadelphia, PA, Aug. 2024. USENIX Association.
[21] F. Yamaguchi, N. Golde, D. Arp, and K. Rieck. Modeling and discovering vulnerabilities with code property graphs. In Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP '14), pages 590–604, USA, 2014. IEEE Computer Society.
[22] C.-M. Yang, C.-J. Hsu, T. Ban, T. Takahashi, and H.-C. Hsiao. Uncovering recurring vulnerabilities through taint-extracted operator sequences. In 2024 IEEE Conference on Communications and Network Security (CNS), pages 1–9, 2024.
[23] S. Yang, Y. He, K. Chen, Z. Ma, X. Luo, Y. Xie, J. Chen, and C. Zhang. 1dFuzz: Reproduce 1-day vulnerabilities with directed differential fuzzing. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023), pages 867–879, New York, NY, USA, 2023. Association for Computing Machinery.
[24] I. Yun, S. Lee, M. Xu, Y. Jang, and T. Kim. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In 27th USENIX Security Symposium (USENIX Security 18), pages 745–761, Baltimore, MD, Aug. 2018. USENIX Association.
[25] M. Zalewski. American fuzzy lop. http://lcamtuf.coredump.cx/afl/, 2018. Online; accessed 16 July 2025.
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101159 | -
dc.description.abstract | (translated from the Chinese original) This study develops a vulnerability-hunting system in which the results of static analysis guide directed fuzzing. Unlike vulnerability-hunting systems of similar architecture, which directly combine existing static analysis tools with directed fuzzing tools, we aim to make full use of the potential root causes reported by the static analyzer as information for guiding the directed fuzzer, and to that end we additionally modify the directed fuzzing tool. We add a bug-trace extension feature to the directed fuzzer and develop a bug-trace-oriented energy assignment strategy to assist directed fuzzing. We also measure the performance of the whole vulnerability-hunting system and of the bug-trace-oriented directed fuzzing. Although the evaluation confirms that the method designed in this study did not significantly affect vulnerability-hunting performance, we go on to discuss potential reasons and possible future directions for improvement, in the hope of helping future researchers who want to use a similar architecture. | zh_TW
dc.description.abstract | This thesis presents a novel framework for vulnerability detection that integrates static analyzers with directed fuzzers. Unlike prior approaches that naively combine off-the-shelf tools, this work aims to make bug trace reports and guided fuzzing input strategies cooperate with each other. The proposed framework begins by extracting bug traces and root causes from advanced static analyzers, such as Infer and OpSMatcher. These traces are then extended via dominator tree traversal, enriching the granularity of control-flow information available to the fuzzer. A customized version of the directed fuzzer AFLGo is then employed, modified to incorporate a trace-similarity-based energy assignment strategy. Despite these technical innovations, empirical evaluations reveal that the framework did not achieve the expected improvements in crash detection performance. We further discuss the potential reasons behind this. We conclude the work by pointing out potential improvements for anyone who wants to follow the same direction, in the hope that anyone who wants to follow a similar idea can avoid the dead ends we took. | en
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-12-31T16:09:26Z. No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2025-12-31T16:09:26Z (GMT). No. of bitstreams: 0 | en
dc.description.tableofcontents | (outline below; numbers are page numbers in the thesis PDF) | -
Acknowledgements  i
Abstract (Chinese)  iii
Abstract  v
Contents  vii
List of Figures  xi
List of Tables  xiii
Chapter 1 Introduction  1
Chapter 2 Related Work  3
  2.1 Static Analyzers  3
  2.2 Directed Fuzzers  4
  2.3 Integrated Tools  5
Chapter 3 Design  7
  3.1 Utilizing Static Analyzers for Bug Traces  8
  3.2 Extending the Bug Traces  8
  3.3 New Design on Directed Fuzzers  10
    3.3.1 Calculating Distances  10
    3.3.2 Energy Assignment for Seeds  10
Chapter 4 Implementation  13
  4.1 Workflow  13
  4.2 Static Analyzers  13
  4.3 Modified AFLGo  14
    4.3.1 Distance Calculator and Trace Extension  14
    4.3.2 Bitmap  16
    4.3.3 Modified LLVM Pass  16
    4.3.4 Modified afl-fuzz  17
Chapter 5 Evaluation  19
  5.1 Experiment Setup  20
    5.1.1 Environment  20
    5.1.2 Target Binaries  20
    5.1.3 Fuzzer Setup  21
    5.1.4 Experiment Setup  21
  5.2 RQ0: Do static analyzers provide real bugs?  23
  5.3 RQ1: Can our framework find bugs?  25
  5.4 RQ2: How do the modified directed fuzzers perform?  26
  5.5 RQ3: How well does the trace-similarity-based energy assignment strategy perform?  27
Chapter 6 Discussion and Future Work  31
  6.1 Discussion  31
    6.1.1 About the Fact That Our Trace Similarity Quickly Hit Its Peak Rather Than Gradually Increasing over Time  31
    6.1.2 Our Trace Similarity Mechanism's Impact on Crash Detection  32
  6.2 Future Work  32
    6.2.1 Improving the Framework to Make It Serve as a True Positive Verification Tool  32
    6.2.2 Introducing Early-Pruning to Boost the Performance of the Fuzzer  33
    6.2.3 High-Quality Seed Generator  33
    6.2.4 Introducing Different Static Analyzers  34
    6.2.5 Design a Finer Trace Similarity Mechanism  34
    6.2.6 Team up with a More Powerful Directed Fuzzer  34
Chapter 7 Conclusion  35
  7.1 Conclusion  35
References  37
Appendix A — Third-Party Source Code  41
  A.1 Libxml2 source code snippet  41
dc.language.iso | en | -
dc.subject | static analysis (Chinese: 靜態分析) | -
dc.subject | directed fuzzing (Chinese: 指向式模糊測試) | -
dc.subject | recurring vulnerability detection (Chinese: 復現漏洞偵測) | -
dc.subject | static analysis | -
dc.subject | directed fuzzing | -
dc.subject | recurring vulnerability detection | -
dc.title | Combining Static Analysis and Directed Fuzzing as a Bug-Hunting Method (Chinese title: 結合靜態分析與指向式模糊測試作為漏洞挖掘方法) | zh_TW
dc.title | Combining Static Analyzers and Directed Fuzzers for Bug Hunting | en
dc.type | Thesis | -
dc.date.schoolyear | 114-1 | -
dc.description.degree | Master's (碩士) | -
dc.contributor.oralexamcommittee | 黃士昆;黃俊穎;黎士瑋 | zh_TW
dc.contributor.oralexamcommittee | Shih-Kun Huang;Chun-Ying Huang;Shih-Wei Li | en
dc.subject.keyword | static analysis, directed fuzzing, recurring vulnerability detection (Chinese: 靜態分析,指向式模糊測試,復現漏洞偵測) | zh_TW
dc.subject.keyword | static analysis, directed fuzzing, recurring vulnerability detection | en
dc.relation.page | 42 | -
dc.identifier.doi | 10.6342/NTU202504724 | -
dc.rights.note | Authorization granted (open access worldwide) | -
dc.date.accepted | 2025-12-02 | -
dc.contributor.author-college | College of Electrical Engineering and Computer Science (電機資訊學院) | -
dc.contributor.author-dept | Graduate Institute of Networking and Multimedia (資訊網路與多媒體研究所) | -
dc.date.embargo-lift | 2026-01-01 | -
Appears in Collections: Graduate Institute of Networking and Multimedia (資訊網路與多媒體研究所)

Files in This Item:
File | Size | Format
ntu-114-1.pdf | 1.2 MB | Adobe PDF