IEEE International Symposium on Software Reliability Engineering

AFLTurbo: Speed up Path Discovery for Greybox Fuzzing


Abstract

Coverage-based greybox fuzzing (CGF) is a widely used method that uses coverage information to guide fuzzing. American Fuzzy Lop (AFL) is one of the best-known CGF fuzzers and has been used to uncover thousands of vulnerabilities in many software projects. However, AFL has two major drawbacks that impede it from discovering paths quickly: (1) aggressively growing mutation overhead; (2) ineffective selection of the regions to mutate. In this paper, we propose three new approaches to overcome these drawbacks: (1) Interruptible mutation, which uses a hang monitor to avoid unnecessary mutation overhead; (2) Locality-based mutation, which uses mutation information from previous rounds to steer fuzzing toward useful regions in future rounds; (3) Hotspot-aware fuzzing, which uses a pre-evaluation process to identify metadata regions and mutates only those regions. We combine these approaches into a tool named AFLTurbo, built on AFL 2.52b. The effectiveness of AFLTurbo is evaluated in terms of both path discovery and bug detection on eight programs as well as LAVA-M, against state-of-the-art fuzzers. The experimental results show that AFLTurbo finds 141%, 101% and 41% more paths, and reveals 14×, 30× and 5× more bugs, than AFL, AFLFast and FairFuzz respectively. Additionally, AFLTurbo discovered 20 vulnerabilities, of which 18 have been assigned CVEs.
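To make the three ideas in the abstract concrete, the following toy model (an added example written for this page, not AFLTurbo's or AFL's own code) simulates a greybox mutation stage against a small constructed parser. It assumes a made-up input format (4-byte magic, 1-byte type, 2-byte length, payload), replaces AFL's wall-clock hang detection with a simulated per-execution cost, and uses only single-byte XOR mutations. Hotspot pre-evaluation flips each byte of a seed and keeps the offsets whose flip changes coverage; locality-based mutation keeps a per-offset weight that grows when a mutation at that offset found new coverage; interruptible mutation stops a seed's mutation stage once the cost spent on it reaches a budget, so a seed that hits a slow path cannot monopolize the campaign.

```python
"""Toy model of hotspot pre-evaluation, locality-based mutation and
interruptible mutation on a constructed target (example, not AFLTurbo code)."""
import random

MAGIC = b"FUZZ"


def run_target(data: bytes):
    """Stand-in for the instrumented program under test.

    Returns (edges, cost): the set of edge ids this input covered and a
    simulated execution cost (AFL would measure wall-clock time instead).
    Assumed layout: magic(4) | type(1) | length(2, big-endian) | payload.
    """
    edges = {0}
    if data[:4] != MAGIC:
        edges.add(1)
        return edges, 1
    edges.add(2)
    typ = data[4]
    length = int.from_bytes(data[5:7], "big")
    payload = data[7:]
    if typ == 1:
        edges.add(3)
    elif typ == 2:
        edges.add(4)
        if length <= len(payload):
            edges.add(5)
            if sum(payload[:length]) % 256 == 0:  # toy checksum over the declared length
                edges.add(6)
        else:
            edges.add(7)
    elif typ == 3:
        edges.add(8)
        return edges, 1 + length  # attacker-controlled loop bound: the slow path
    else:
        edges.add(9)
    return edges, 1


def find_hotspots(seed: bytes):
    """Hotspot pre-evaluation: an offset is a hotspot if flipping it alone
    changes the seed's coverage. Bytes that never influence control flow
    (here: payload outside the checksummed region) are left out."""
    base = run_target(seed)[0]
    hot = []
    for off in range(len(seed)):
        for delta in (0x01, 0x80, 0xFF):
            probe = bytearray(seed)
            probe[off] ^= delta
            if run_target(bytes(probe))[0] != base:
                hot.append(off)
                break
    return hot


class ToyFuzzer:
    def __init__(self, seed: bytes, rng_seed: int = 1, hotspot_aware: bool = True):
        self.rng = random.Random(rng_seed)
        self.queue = [seed]
        self.global_edges = set(run_target(seed)[0])
        self.offsets = find_hotspots(seed) if hotspot_aware else list(range(len(seed)))
        # locality-based mutation: one weight per offset, boosted when it pays off
        self.weights = {off: 1.0 for off in self.offsets}

    def mutation_stage(self, seed: bytes, rounds: int, budget: int) -> int:
        """Mutate one seed up to `rounds` times; returns the executions actually
        performed. The stage is interrupted as soon as the simulated cost spent
        on this seed reaches `budget` (hang-monitor style interruption)."""
        spent = executed = 0
        for _ in range(rounds):
            if spent >= budget:
                break
            weights = [self.weights[off] for off in self.offsets]
            off = self.rng.choices(self.offsets, weights=weights)[0]
            child = bytearray(seed)
            child[off] ^= self.rng.randrange(1, 256)
            edges, cost = run_target(bytes(child))
            spent += cost
            executed += 1
            new_edges = edges - self.global_edges
            if new_edges:
                self.global_edges |= new_edges
                self.queue.append(bytes(child))
                self.weights[off] += 1.0  # remember that this region was productive
        return executed

    def run(self, stages: int, rounds: int, budget: int) -> int:
        """Cycle through the queue for `stages` mutation stages; returns edge count."""
        for i in range(stages):
            self.mutation_stage(self.queue[i % len(self.queue)], rounds, budget)
        return len(self.global_edges)


# Constructed seeds for the toy format (23 bytes each)
SEED = MAGIC + bytes([2]) + (4).to_bytes(2, "big") + bytes(16)          # well-formed, fast
SLOW_SEED = MAGIC + bytes([3]) + (4000).to_bytes(2, "big") + bytes(16)  # takes the slow path

if __name__ == "__main__":
    print("hotspots:", find_hotspots(SEED))
    fast = ToyFuzzer(SEED, hotspot_aware=True)
    print("edges after campaign:", fast.run(stages=20, rounds=100, budget=10_000))
    slow = ToyFuzzer(SLOW_SEED, hotspot_aware=False)
    print("executions before interruption:", slow.mutation_stage(SLOW_SEED, 200, 10_000))
```

Running it shows the three effects separately: `find_hotspots(SEED)` returns only the header bytes plus the four checksummed payload bytes, so the remaining twelve payload bytes are never wasted mutation targets; a stage on the fast seed runs its full round count, while a stage on the slow seed is cut short after a handful of executions because each run through the type-3 loop consumes most of the budget; and after a campaign the weights of offsets that produced new edges have grown, so later draws concentrate there.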