
Expediting Binary Fuzzing with Symbolic Analysis


Abstract

Fuzzing is an important method for binary vulnerability mining: it can analyze binary programs without their source code, which is hard to do with other techniques. But because input generation is blind, binary fuzzing often falls into a trap for a long time when newly mutated inputs cannot reach unexplored paths. In this paper, we propose an efficient and flexible fuzzing framework named Tinker. It defines the growth rate of path coverage to measure the current state of fuzzing. If the fuzzing falls into a low-speed or blocked state, a symbolic analysis procedure is invoked to generate a new input that helps the fuzzing escape the trap. In the symbolic analysis procedure, we employ dynamic execution to track the traversed nodes. The untraversed branches are then identified according to the data recorded by American Fuzzy Lop (AFL) [M. Zalewski, American Fuzzy Lop (2014), http://lcamtuf.coredump.cx/afl/]. Finally, we use the control flow graph (CFG) to construct complete paths to these branches, and a new input is generated using symbolic execution. Moreover, to expedite the detection of vulnerabilities, we first generate inputs that trigger more high-risk system calls, so that the likelihood of finding vulnerabilities is improved. Tinker has been implemented, and experiments on the DARPA CGC benchmark show that Tinker is more efficient at vulnerability mining than state-of-the-art binary vulnerability mining tools.
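As an added illustration (not code from the paper or the Tinker implementation), the following Python sketches the mechanism the abstract describes on a constructed toy CFG: a path-coverage growth-rate check that decides when fuzzing is low-speed or blocked, identification of untraversed branches from recorded edges, construction of complete paths to those branches for a symbolic executor, and ordering of targets by reachable high-risk blocks. The CFG, the high-risk block set, and the window and threshold values are all assumptions.

```python
from collections import deque

# Constructed toy CFG (basic block -> successors) and assumed high-risk blocks.
CFG = {"entry": ["check_len", "ret"], "check_len": ["parse", "ret"],
       "parse": ["copy", "log"], "copy": ["ret"], "log": ["ret"], "ret": []}
HIGH_RISK = {"copy"}  # assumption: blocks that call functions we treat as risky

def stalled(path_counts, window=3, min_growth=1):
    """Path-coverage growth rate check; window/threshold values are assumptions."""
    if len(path_counts) <= window:
        return False
    return path_counts[-1] - path_counts[-1 - window] < min_growth

def untraversed_branches(cfg, traversed, root="entry"):
    """Edges leaving an executed block that were never taken (from AFL-style edge records)."""
    reached = {root} | {dst for _, dst in traversed}
    return [(u, v) for u in cfg if u in reached
            for v in cfg[u] if (u, v) not in traversed]

def complete_path(cfg, branch, root="entry"):
    """Shortest path root -> u, then the untaken edge (u, v), for the symbolic executor."""
    u, v = branch
    prev, queue = {root: None}, deque([root])
    while queue and u not in prev:          # BFS until the branch source is found
        n = queue.popleft()
        for s in cfg[n]:
            if s not in prev:
                prev[s] = n
                queue.append(s)
    if u not in prev:
        return []
    path = [v, u]
    while prev[path[-1]] is not None:       # walk parents back to the root
        path.append(prev[path[-1]])
    return path[::-1]

def risk(cfg, node, high_risk=HIGH_RISK):
    """Number of high-risk blocks reachable from `node`, used to order targets."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(cfg[n])
    return len(seen & high_risk)

def pick_targets(cfg, traversed):
    """Complete paths to all untraversed branches, riskiest first."""
    branches = sorted(untraversed_branches(cfg, traversed), key=lambda e: -risk(cfg, e[1]))
    return [complete_path(cfg, b) for b in branches]
```

Calling `pick_targets(CFG, traversed)` only when `stalled(path_counts)` is true reproduces the control loop the abstract describes: fuzzing runs normally, and symbolic analysis is invoked just for the branches the fuzzer could not reach.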
