Directed Grey-Box Fuzzing Technology Based on LSTM and Dynamic Strategy

doi:10.3778/j.issn.1002-8331.2106-0507

Abstract

Abstract: Directed fuzzing is designed to quickly produce test cases, reach a series of given target locations, and discover program errors. However, the current directed fuzzing tools generally have the problem of low test efficiency. So a directed grey-box method based on neural network is proposed which builds a model to predict where the current seed can produce input gain by learning variation patterns in different locations in the input files from past fuzzing explorations, so as to guide the fuzzer to optimize mutation. At the same time, in order to solve the tradeoff of exploration-exploitation problem in directed fuzzers, a dynamic strategy is introduced to adaptively coordinate two stages in the process of fuzzy testing. A prototype system named DYNFuzz is implemented based on the existing fuzzing framework AFL, and is tested and evaluated on three benchmarks, which shows that DYNFuzz has higher directed performance and test efficiency than other fuzzers and would not be caught up in local dilemmas caused by the exploration-exploitation imbalance.

Key words: directed fuzzing, neural network, optimize mutations, dynamic strategy

摘要： 定向模糊测试旨在快速生产测试用例，达到给定的程序目标位置区域并发现程序错误。但目前的定向模糊测试工具普遍存在测试效率较低的问题，为此提出了一种基于神经网络的定向灰盒模糊测试方法，通过学习过去的模糊探索输入文件中不同位置的变异模式以生成模型来预测当前种子能够产生输入增益的位置，从而指导模糊器进行优化突变。同时为了解决定向灰盒模糊器中探索与开发的权衡问题，引入了一种动态策略在模糊测试过程中自适应协调两个阶段。基于现有的模糊测试框架AFL实现了一个原型系统，命名为DYNFuzz，并在3个基准上对其进行了测试和评估，实验结果表明，DYNFuzz具有比其他模糊器更高的定向性能和测试效率，并且不会陷入由探索开发不平衡导致的局部困境。

关键词: 定向模糊测试, 神经网络, 优化突变, 动态策略

LI Zhaoji, WANG Tianyuan, ZHOU Ziqiang, WANG Yao, CHEN Yongle. Directed Grey-Box Fuzzing Technology Based on LSTM and Dynamic Strategy[J]. Computer Engineering and Applications, 2022, 58(18): 147-153.

李兆基, 王田原, 周自强, 王尧, 陈永乐. 基于LSTM和动态策略的定向灰盒模糊测试技术[J]. 计算机工程与应用, 2022, 58(18): 147-153.

References

[1] WANG P，ZHOU X，LU K，et al.SoK：the progress，challenges，and perspectives of directed greybox fuzzing[J].arXiv：2005.11907，2020.
[2] GANESH V，LEEK T，RINARD M.Taint-based directed whitebox fuzzing[C]//2009 IEEE 31st International Conference on Software Engineering，2009：474-484.
[3] MA K K，PHANG K Y，FOSTER J S，et al.Directed symbolic execution[C]//International Static Analysis Symposium.Berlin，Heidelberg：Springer，2011：95-111.
[4] PERSON S，YANG G，RUNGTA N，et al.Directed incremental symbolic execution[J].ACM Sigplan Notices，2011，46（6）：504-515.
[5] MARINESCU P D，CADAR C.KATCH：high-coverage testing of software patches[C]//Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering，2013：235-245.
[6] CHRISTAKIS M，MULLER P，WUSTHOLZ V.Guiding dynamic symbolic execution toward unverified program executions[C]//Proceedings of the 38th International Conference on Software Engineering，2016：144-155.
[7] BOHME M，PHAM V T，NGUYEN M D，et al.Directed greybox fuzzing[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security，2017：2329-2344.
[8] YE J，LI R，ZHANG B.RDFuzz：accelerating directed fuzzing with intertwined schedule and optimized mutation[J].Mathematical Problems in Engineering，2020：1-12.
[9] LI Y，JI S，LV C，et al.V-fuzz：vulnerability-oriented evolutionary fuzzing[J].arXiv：1901.01142，2019.
[10] ZHAO Y，LI Y，YANG T，et al.Suzzer：a vulnerability-guided fuzzer based on deep learning[C]//International Conference on Information Security and Cryptology.Cham：Springer，2019：134-153.
[11] ZONG P，LV T，WANG D，et al.Fuzzguard：filtering out unreachable inputs in directed grey-box fuzzing through deep learning[C]//29th USENIX Security Symposium，2020：2255-2269.
[12] VEILLARD D.The XML C parser and toolkit of Gnome：libxml[EB/OL].[2020].http：//www.xmlsoft.org/.
[13] Artifex Software Inc.Mupdf[EB/OL].（2019-01-18）[2020].https：//mupdf.com/.
[14] Free Software Foundation Inc.GNU binutils[EB/OL].[2020].https：//www.gnu.org/software/binutils/.
[15] HOCHREITER S，SCHMIDHUBER J.Long short-term memory[J].Neural Computation，1997，9（8）：1735-1780.
[16] CHEN H，XUE Y，LI Y，et al.Hawkeye：towards a desired directed grey-box fuzzer[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security，2018：2095-2108.
[17] LATTNER C，ADVE V.LLVM：a compilation framework for lifelong program analysis & transformation[C]//International Symposium on Code Generation and Optimization，2004：75-86.
[18] CHOLLET F.Keras：deep learning for humans[EB/OL].[2020].https：//github.com/fchollet/keras.
[19] ABADI M，AGARWAL A，BARHAM P，et al.Tensorflow：large-scale machine learning on heterogeneous distributed systems[J].arXiv：1603.04467，2016.
[20] ZALEWSKI M.American fuzzy lop[EB/OL].[2019].https：//lcamtuf.coredump.cx/afl/.
[21] NEWSOME J，SONG D X.Dynamic taint analysis for automatic detection，analysis，and signature generation of exploits on commodity software[C]//Proceedings of the 12th Annual Network and Distributed System Security Symposium，2005：3-4.
[22] GODEFROID P，KLARLUND N，SEN K.DART：directed automated random testing[C]//Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation，2005：213-223.