Coverage-based graybox fuzzers (CGF), such as AFL, have gained great success in vulnerability detection thanks to their ease of use and bug-finding power. Since some code fragments, such as memory allocation, are more vulnerable than others, various improvements have been proposed to steer fuzzing toward the more vulnerable areas by collecting extra information from the program under test or from its executions. However, these improvements consider only a limited set of information sources and ignore the fact that the priority of a seed input may be influenced by all the code it covers. Based on these observations, we propose a fuzzing method based on the importance of functions. First, a data structure called the Attributed Interprocedural Control Flow Graph (AICFG) is devised to combine different features of code fragments. Second, the importance of each node in the AICFG is calculated with an improved PageRank algorithm, which also models the influence between connected nodes. During fuzzing, the node importance is updated periodically by a propagation algorithm. Seed selection and the energy assigned to a seed input are then determined by the importance of its execution trace. We implement this approach on top of AFL in a tool named FunAFL and evaluate it on 14 real-world programs against AFL and two of its improvements. FunAFL achieves 17% higher branch coverage than the others on average and finds 13 bugs in 72-hour runs, 3 of which have been assigned CVEs.
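The pipeline described in the abstract (attributed graph, graph-based importance, trace importance, seed ranking and energy) can be illustrated on a toy graph. The example below is added here and is not FunAFL's code; the paper's "improved PageRank" and its propagation step are not specified in the abstract, so a standard personalized PageRank whose teleport vector comes from node attributes is used in their place. The graph, the attribute weights, the damping factor, the seed traces and the energy rule are all constructed assumptions for the illustration.

```python
"""Toy attributed interprocedural CFG plus attribute-weighted PageRank,
used to rank seed inputs by the importance of the functions their
execution traces cover.

Added example, not FunAFL's implementation. The exact "improved
PageRank" of the paper is not given in the abstract; a standard
personalized PageRank with an attribute-derived teleport vector is
assumed instead. All graph data below is constructed for illustration.
"""

# Constructed toy AICFG at function granularity. Each node carries two
# assumed static features: number of memory-allocation call sites and
# number of branches.
NODES = {
    "main":       {"allocs": 0, "branches": 3},
    "parse_hdr":  {"allocs": 2, "branches": 6},
    "parse_body": {"allocs": 3, "branches": 9},
    "checksum":   {"allocs": 0, "branches": 2},
    "log":        {"allocs": 0, "branches": 1},
}
EDGES = [  # directed call/flow edges (constructed)
    ("main", "parse_hdr"), ("main", "log"),
    ("parse_hdr", "parse_body"), ("parse_hdr", "checksum"),
    ("parse_body", "checksum"), ("parse_body", "log"),
    ("checksum", "log"),
]

# Constructed seeds: the distinct functions each seed's execution covers.
SEEDS = {
    "seed_hdr_only": ["main", "parse_hdr", "checksum", "log"],
    "seed_full":     ["main", "parse_hdr", "parse_body", "checksum", "log"],
    "seed_trivial":  ["main", "log"],
}


def node_weights(nodes, w_alloc=2.0, w_branch=1.0):
    """Combine attributes into a positive prior per node (assumed linear
    weighting), normalised to a probability vector. The +1 floor keeps
    feature-less nodes reachable by teleportation."""
    raw = {n: 1.0 + w_alloc * a["allocs"] + w_branch * a["branches"]
           for n, a in nodes.items()}
    total = sum(raw.values())
    return {n: v / total for n, v in raw.items()}


def personalized_pagerank(nodes, edges, prior, damping=0.85, iters=200, tol=1e-10):
    """Personalized PageRank: teleport to the attribute prior instead of
    uniformly, so feature-rich nodes and the nodes they connect to are
    pulled up together (the 'influence between connected nodes')."""
    succ = {n: [] for n in nodes}
    for u, v in edges:
        succ[u].append(v)
    rank = dict(prior)
    for _ in range(iters):
        new = {n: (1.0 - damping) * prior[n] for n in nodes}
        for u in nodes:
            mass = damping * rank[u]
            if succ[u]:
                for v in succ[u]:
                    new[v] += mass / len(succ[u])
            else:  # dangling node: hand its mass back according to the prior
                for v in nodes:
                    new[v] += mass * prior[v]
        delta = sum(abs(new[n] - rank[n]) for n in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def trace_importance(rank, trace):
    """Assumed aggregation: importance of a seed is the summed rank of the
    distinct functions on its trace."""
    return sum(rank[f] for f in set(trace))


def rank_seeds(rank, seeds):
    """Seed selection order: most important trace first."""
    return sorted(seeds, key=lambda s: trace_importance(rank, seeds[s]), reverse=True)


def schedule_energy(rank, seeds, base_energy=100, max_factor=4.0):
    """Assumed energy rule: scale a base energy by the seed's importance
    relative to the mean seed, clamped to [1/max_factor, max_factor]."""
    imps = {s: trace_importance(rank, t) for s, t in seeds.items()}
    mean = sum(imps.values()) / len(imps)
    out = {}
    for s, imp in imps.items():
        factor = min(max_factor, max(1.0 / max_factor, imp / mean))
        out[s] = int(base_energy * factor)
    return out


if __name__ == "__main__":
    r = personalized_pagerank(NODES, EDGES, node_weights(NODES))
    for n, v in sorted(r.items(), key=lambda kv: -kv[1]):
        print(f"{n:11s} {v:.3f}")
    print("selection order:", rank_seeds(r, SEEDS))
    print("energy:", schedule_energy(r, SEEDS))
```

Running this shows one caveat worth keeping in mind when reproducing the idea: plain PageRank rewards nodes with many incoming edges, so the sink `log` ends up ranked above `parse_hdr` despite having no allocations, which is exactly the kind of distortion an "improved" variant and a periodic propagation step would have to correct. The seed ordering is robust to that here only because each trace is a superset of the next.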