Representative literature
Pusher: an augmented fuzzer based on the connection between input and comparison operand
Abstract:
Coverage based fuzzing is a widespread vulnerability detection technique, and it has exposed many bugs in many real-world programs. However, its attention is to eliminate the testing on the repeated paths, yet it still employs random mutation to generate inputs, which is blind to penetrate complex comparisons in the program. As a result, the testing coverage is limited. Despite some solution proposals are presented, this problem is still partially solved. This paper argues that random mutation is mainly limited by two challenges, the sizable search space and the lack of a useful feedback to direct the search. Then we present an augmented fuzzing technique by addressing these two challenges. First of all, we point out a black relationship between input contents and comparison operands, which is dubbed connection. Second, we present a novel method to collect the comparison operands during execution, which is leveraged to infer the connections. Based on the connections, the fuzzer can learn about which input byte affects on which comparison instruction to establish a smaller search space. Third, the connection provides a useful feedback to direct the search. We resort to a modern meta-heuristic algorithm to satisfy this searching requirement. We developed a prototype Pusher and evaluated its performance on several benchmarks and four real-world programs. The experimental results demonstrate that Pusher works better than some other state-of-the-art fuzzers on bug detection, and can achieve a higher testing coverage. Moreover, we take a detailed statistic about the execution overhead in Pusher, and the results indicate that the execution overhead introduced by our approach is within an acceptable scope.
Keywords:
Authors:
Bin ZHANG; Jiaxi YE; Ruilin LI; Chao FENG; Yunfei SU; Chaojing TANG
Author affiliation:
College of Electronic Science, National University of Defense Technology, Changsha 410072, China
Source:
Citation format:
[1] Bin ZHANG; Jiaxi YE; Ruilin LI; Chao FENG; Yunfei SU; Chaojing TANG. Pusher: an augmented fuzzer based on the connection between input and comparison operand [J]. Frontiers of Computer Science, 2022(04): 18-30
Class A:
Pusher, fuzzer, operand, fuzzing, operands, fuzzers
Class B:
augmented, between, Coverage, widespread, vulnera, bility, detection, technique, has, exposed, many, bugs, real, world, programs, However, its, attention, elimi, nate, testing, repeated, paths, yet, still, employs, random, mutation, generate, inputs, which, blind, penetrate, complex, comparisons, coverage, limited, Despite, some, solution, proposals, are, presented, this, problem, partially, solved, This, paper, argues, that, mainly, two, sizable, space, useful, feedback, direct, Then, addressing, these, challenges, First, point, black, relationship, contents, dubbed, Second, novel, method, collect, during, execution, leveraged, infer, connections, Based, can, learn, about, byte, affects, instruction, establish, smaller, Third, provides, We, resort, modern, meta, heuristic, algorithm, satisfy, searching, requirement, developed, prototype, evaluated, perfor, mance, several, benchmarks, four, experimental, results, demonstrate, works, better, than, other, state, achieve, higher, Moreover, take, detailed, statistic, overhead, indicate, introduced, approach, within, acceptable, scope
AB value:
0.513864