| Field | Value |
|---|---|
| Graduate student | 譚力 Ikhwan Mohammad Iqbal |
| Thesis title | Enhancing Greybox Fuzzing with Concolic Test Case Generator |
| Advisors | 陳伯奇 Po-ki Chen, 呂政修 Jenq-Shiou Leu |
| Committee members | 卓傳育 Ares Cho, 鄭欣明 Shin-Ming Cheng |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Department of Electronic and Computer Engineering |
| Year of publication | 2018 |
| Academic year of graduation | 107 |
| Language | English |
| Number of pages | 53 |
| Chinese keywords | Concolic Execution, Fuzzing, Test Case Prioritization, Test Case Generator |
| Foreign-language keywords | Concolic Execution, Fuzzing, Test Case Prioritization, Test Case Generator |
| Statistics | Views: 225, Downloads: 1 |
A fair amount of work and research has been done by many researchers to provide better ways of discovering software vulnerabilities and exploits. Most of this research focuses on how to improve code coverage and the speed at which crashing code is found. Some popular techniques for discovering vulnerabilities are symbolic execution and fuzzing. However, both techniques have weaknesses that need to be addressed. In this research, we combine both techniques to leverage the benefits of each. We propose confuzz, a tool that uses a high-coverage test case generator to produce initial inputs for fuzzing, together with test case prioritization to prioritize and exercise only the useful test cases. We tested confuzz on jpeg v.9a and compared it with previous research. The results confirm that our approach can improve path execution coverage by up to 20% more than AFLFast. In addition, we found two vulnerabilities, which were disclosed as CVE-2018-11213 and CVE-2018-11212.