  • LIU Liyan, LI Feng, ZOU Yanyan, ZHOU Jianhua, PIAO Aihua, LIU Feng, HUO Wei. SiCsFuzzer: A Sparse-instrumentation-based Fuzzing Platform for Closed Source Software [J]. Journal of Cyber Security, 2022, 7(4): 55-70
SiCsFuzzer: A Sparse-instrumentation-based Fuzzing Platform for Closed Source Software
LIU Liyan (1,2), LI Feng (3,4,5), ZOU Yanyan (2,3,4,5), ZHOU Jianhua (2,3,4,5), PIAO Aihua (3,4,5), LIU Feng (1,2), HUO Wei (2,3,4,5)
(1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; 2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; 3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; 4. Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, Beijing 100195, China; 5. Beijing Key Laboratory of Network Security and Protection Technology, Beijing 100195, China)
Traditional coverage-guided fuzzing tools trace code coverage to guide test-case mutation, so that they can explore previously unseen code regions and trigger the potential vulnerabilities in them more efficiently. However, when fuzzing closed-source software, code coverage tracing is time-consuming and is the dominant source of overhead. In this paper, we make a detailed analysis of the overhead of coverage-guided fuzzing, which shows that the overhead mainly comes from two parts: (1) the time spent on program instrumentation and (2) the expense incurred by “warm-up”. Based on this observation, we propose a sparse-instrumentation-based fuzzing approach that uses a sparse-instrumentation-based tracing strategy without sacrificing the accuracy of coverage computation during fuzzing. The key idea is to instrument only those blocks or edges whose coverage cannot be implied by others, and to use their coverage to infer whether the un-instrumented blocks were executed. We also implement a warm-up optimization that removes the cost of re-initializing the dynamic binary instrumentation framework and of re-generating the same code snippets of the target program during fuzzing. We implement a prototype tool, SiCsFuzzer, based on this approach. Evaluation on nine real-world closed-source binaries on Windows, ranging in size from 286KB to 19.3MB and covering image processing, audio processing, data archiving, cryptography and document processing, shows that SiCsFuzzer incurs an average overhead of 1.1 times compared to native execution, which is 3 times faster than traditional coverage-guided fuzzing tools, and that it found a vulnerability in the latest version of each of the Windows closed-source programs PDFtk and XnView.
Key words:  coverage-guided fuzzing;  sparse-instrumentation-based tracing;  warm-up optimization
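The abstract's key idea, probing only blocks whose coverage cannot be implied by other blocks and inferring the rest, as an added block-level illustration that is not code from the SiCsFuzzer paper or tool. The inference rule (a block needs no probe when every predecessor has it as its sole successor), the function names and the sample CFG are assumptions of this example; it also assumes every block falls through to a successor, i.e. no abnormal exits inside a block, which is the caveat to check before trusting inferred coverage on real binaries.

```python
from typing import Dict, List, Set

CFG = Dict[str, List[str]]  # basic block -> its successor blocks

def predecessors(cfg: CFG) -> Dict[str, List[str]]:
    preds: Dict[str, List[str]] = {b: [] for b in cfg}
    for block, succs in cfg.items():
        for s in succs:
            preds.setdefault(s, []).append(block)
    return preds

def choose_instrumented(cfg: CFG, entry: str) -> Set[str]:
    """Blocks that need a probe. A block is skipped only when every predecessor
    has it as sole successor (assumes no abnormal exits inside blocks)."""
    preds = predecessors(cfg)
    probed = {entry}  # the entry has no predecessors, so it is always probed
    for b in cfg:
        implied = bool(preds[b]) and all(len(cfg[p]) == 1 for p in preds[b])
        if b != entry and not implied:
            probed.add(b)
    return probed

def infer_coverage(cfg: CFG, probed: Set[str], hit: Set[str]) -> Set[str]:
    """Rebuild full block coverage from the probed blocks that fired: an
    un-probed block is covered once any predecessor is; iterate to a fixpoint."""
    assert hit <= probed, "only probed blocks can report a hit"
    preds = predecessors(cfg)
    covered = set(hit)
    changed = True
    while changed:
        changed = False
        for b in cfg:
            if b in covered or b in probed:
                continue  # probed-but-not-hit blocks stay uncovered
            if any(p in covered for p in preds[b]):
                covered.add(b)
                changed = True
    return covered

def check_inference(cfg: CFG, entry: str, path: List[str]) -> bool:
    """Does inference from the probes on a real execution path reproduce
    the true set of executed blocks? Use this to validate the probe choice."""
    probed = choose_instrumented(cfg, entry)
    return infer_coverage(cfg, probed, {b for b in path if b in probed}) == set(path)

# Constructed sample CFG of a small file parser (not taken from the paper).
SAMPLE_CFG: CFG = {"entry": ["parse_hdr"], "parse_hdr": ["check_magic"],
    "check_magic": ["bad_magic", "read_body"], "bad_magic": ["cleanup"],
    "read_body": ["decode"], "decode": ["cleanup"], "cleanup": ["exit"], "exit": []}
```

On the sample CFG only three of the eight blocks need probes; the straight-line blocks before the branch and the join after it are recovered from the probes that fired.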