Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80015
Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蕭旭君(Hsu-Chun Hsiao) | |
| dc.contributor.author | Chien-Yuan Wang | en |
| dc.contributor.author | 王建元 | zh_TW |
| dc.date.accessioned | 2022-11-23T09:21:09Z | - |
| dc.date.available | 2021-08-06 | |
| dc.date.available | 2022-11-23T09:21:09Z | - |
| dc.date.copyright | 2021-08-06 | |
| dc.date.issued | 2021 | |
| dc.date.submitted | 2021-07-26 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80015 | - |
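| dc.description.abstract | Fuzzing is a widely used technique for automatically detecting software vulnerabilities. Past fuzzers employ many fuzzing techniques and excel in different aspects. Recent research shows that having different fuzzers cooperate lets them explore paths that a single fuzzer cannot reach, and also find more software vulnerabilities that ordinary fuzzers cannot find. However, current seed synchronization mechanisms do not consider the differences between fuzzers and instead treat them equally. The selective seed synchronization mechanism proposed in this work addresses this problem by having different fuzzers focus on testing different seeds, further exploiting the diversity among fuzzers. We implemented 3S-Fuzz based on the selective seed synchronization mechanism and ran it on Google's fuzzer-test-suite for 24 hours for comparison. Our experimental results show that selective seed synchronization performs better than Enfuzz, and confirm that collaborative parallel fuzzing can be further optimized through finer-grained seed synchronization. | zh_TW |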
| dc.description.provenance | Made available in DSpace on 2022-11-23T09:21:09Z (GMT). No. of bitstreams: 1 U0001-1907202111433400.pdf: 1391531 bytes, checksum: f5eeca00ef5599360c729072a465b1c9 (MD5) Previous issue date: 2021 | en |
| dc.description.tableofcontents | Acknowledgements; Abstract (in Chinese); Abstract; Contents; List of Figures; List of Tables; 1 Introduction; 2 Background and Related Work; 2.1 Related Work; 2.1.1 Coverage-guided Fuzzing; 2.1.2 Improving Seed Scheduling; 2.1.3 Generation-based Fuzzing; 2.1.4 Parallel Fuzzing; 2.2 Background; 2.2.1 Clustering Problem; 2.2.2 Multi-armed Bandit Problem; 2.2.3 Upper Confidence Bound Algorithm; 3 Design; 3.1 Clustering Seeds; 3.1.1 Seed Distance; 3.1.2 Edge Collision; 3.2 Selecting Seeds; 3.2.1 Seed Selection as Multi-armed Bandit Problem; 3.3 Selective Seed Synchronization Fuzzing (3S-Fuzz); 3.4 Implementation; 4 Result; 4.1 Environment and Parameters; 4.1.1 Computing Resources; 4.1.2 Benchmarks; 4.1.3 Coverage Metrics; 4.1.4 Parameters; 4.2 RQ1. Parallel Fuzzing; 4.3 RQ2. Effect of Clustering; 4.4 RQ3. Effect of UCB; 4.5 RQ4. vs Enfuzz; 4.6 RQ5. vs AFL++; 4.7 Discussion; 5 Conclusion and Future Work; 5.1 Conclusion; 5.2 Future Work; References | |
| dc.language.iso | en | |
| dc.subject | Seed Synchronization | zh_TW |
| dc.subject | Fuzzing | zh_TW |
| dc.subject | Seed Synchronization | en |
| dc.subject | Fuzzing | en |
| dc.title | 3S-Fuzz: Selective Seed Synchronization in Parallel Fuzzing | zh_TW |
| dc.title | 3S-Fuzz: Selective Seed Synchronization in Parallel | en |
| dc.date.schoolyear | 109-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 黃世昆(Hsin-Tsai Liu),黃俊穎(Chih-Yang Tseng) | |
| dc.subject.keyword | Fuzzing, Seed Synchronization | zh_TW |
| dc.subject.keyword | Fuzzing, Seed Synchronization | en |
| dc.relation.page | 42 | |
| dc.identifier.doi | 10.6342/NTU202101561 | |
| dc.rights.note | Authorization granted (publicly available worldwide) | |
| dc.date.accepted | 2021-07-27 | |
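| dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Computer Science and Information Engineering | zh_TW |
| Appears in collections: | Department of Computer Science and Information Engineering | |
Files in this item:
| File | Size | Format | |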
|---|---|---|---|
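| U0001-1907202111433400.pdf | 1.36 MB | Adobe PDF | View/Open |
Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.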
