Vulnerable Region-Aware Greybox Fuzzing
Author affiliations: State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China; School of Information Management, Nanjing University, Nanjing 210023, China; Department of Computer Science, University of Georgia, Athens, GA 30602, U.S.A.; College of Information Sciences and Technology, Pennsylvania State University, State College, PA 16802, U.S.A.
Publication: Journal of Computer Science & Technology (计算机科学技术学报, English edition)
Year/Volume/Issue: 2021, Vol. 36, No. 5
Pages: 1212-1228
Subject classification: 081203 [Engineering - Computer Applied Technology]; 08 [Engineering]; 0835 [Engineering - Software Engineering]; 0812 [Engineering - Computer Science and Technology (engineering or science degree)]
Funding: (partially) supported by the National Key Research and Development Program of China under Grant No. 2017YFA0700604, the National Natural Science Foundation of China under Grant Nos. 62032010 and 61802168, the Leading-Edge Technology Program of Jiangsu Natural Science Foundation under Grant No. BK20202001, and the 2021 Double Entrepreneurship Big Data and Theoretical Research Project of Nanjing University
Keywords: vulnerability detection; greybox fuzzing; code metrics; resource distribution
Abstract: Fuzzing is known to be one of the most effective techniques to uncover security vulnerabilities of large-scale software systems. During fuzzing, it is crucial to distribute the fuzzing resource appropriately so as to achieve the best fuzzing performance under a limited budget. Existing distribution strategies of American Fuzzy Lop (AFL) based greybox fuzzing focus on increasing coverage blindly without considering the metrics of code regions, thus lacking the insight regarding which region is more likely to be vulnerable and deserves more fuzzing resources. We tackle the above drawback by proposing a vulnerable region-aware greybox fuzzing approach. Specifically, we distribute more fuzzing resources towards regions that are more likely to be vulnerable based on four kinds of code metrics. We implemented the approach as an extension to AFL named RegionFuzz. Large-scale experimental evaluations validate the effectiveness and efficiency of RegionFuzz: 11 new bugs, including three new CVEs, are successfully uncovered by RegionFuzz.
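The abstract describes the core idea only at the level of "score regions by code metrics, then steer fuzzing resources toward high-scoring regions". The following Python model is an added illustration of that idea and is not the paper's or RegionFuzz's own code: the four metric names, the min-max normalisation, the equal weights, the seed-energy formula, and the sample regions and seed traces are all assumptions made here for the example (the paper's actual metrics and scheduling rule may differ).

```python
"""
Region-aware fuzzing energy allocation: an added, simplified illustration of
the resource-distribution idea in the abstract. This is not RegionFuzz's code;
metric names, weights, the energy formula and all sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Optional, Set


@dataclass(frozen=True)
class RegionMetrics:
    """Static metrics for one code region (here, a function).
    The four metric names below are assumed for illustration only."""
    name: str
    dangerous_calls: int   # calls to risky APIs such as strcpy/sprintf
    cyclomatic: int        # cyclomatic complexity
    nesting_depth: int     # deepest loop/branch nesting
    memory_ops: int        # pointer and array accesses


METRIC_FIELDS = ("dangerous_calls", "cyclomatic", "nesting_depth", "memory_ops")


def region_scores(regions: Iterable[RegionMetrics],
                  weights: Optional[Mapping[str, float]] = None) -> Dict[str, float]:
    """Min-max normalise each metric across all regions and combine them with a
    weighted sum into a score in [0, 1]; higher means 'more likely vulnerable'."""
    regions = list(regions)
    if weights is None:  # equal weights unless the caller supplies others
        weights = {f: 1.0 / len(METRIC_FIELDS) for f in METRIC_FIELDS}
    bounds = {f: (min(getattr(r, f) for r in regions),
                  max(getattr(r, f) for r in regions)) for f in METRIC_FIELDS}
    scores: Dict[str, float] = {}
    for r in regions:
        total = 0.0
        for f in METRIC_FIELDS:
            lo, hi = bounds[f]
            # A metric that is constant across all regions carries no
            # information, so it contributes 0 instead of dividing by zero.
            norm = 0.0 if hi == lo else (getattr(r, f) - lo) / (hi - lo)
            total += weights[f] * norm
        scores[r.name] = total
    return scores


def seed_energy(base_energy: float, trace: Set[str],
                scores: Mapping[str, float], alpha: float = 2.0) -> float:
    """Scale a seed's baseline energy (the mutation count a coverage-only
    scheduler would grant it) by the mean score of the regions it executes.
    A seed that reaches no scored region keeps its baseline energy."""
    covered = [scores[r] for r in trace if r in scores]
    if not covered:
        return base_energy
    return base_energy * (1.0 + alpha * sum(covered) / len(covered))


def allocate_budget(seeds: Mapping[str, Set[str]], total_execs: int,
                    scores: Mapping[str, float], base_energy: float = 100.0,
                    alpha: float = 2.0) -> Dict[str, int]:
    """Split a fixed execution budget across seeds in proportion to their
    region-aware energy; any rounding remainder goes to the top seed."""
    if not seeds:
        return {}
    energies = {s: seed_energy(base_energy, t, scores, alpha)
                for s, t in seeds.items()}
    total_energy = sum(energies.values())
    alloc = {s: int(total_execs * e / total_energy) for s, e in energies.items()}
    alloc[max(energies, key=energies.get)] += total_execs - sum(alloc.values())
    return alloc


# Constructed sample: four regions of a hypothetical network-message parser.
SAMPLE_REGIONS = [
    RegionMetrics("parse_header", dangerous_calls=3, cyclomatic=12, nesting_depth=4, memory_ops=20),
    RegionMetrics("decode_payload", dangerous_calls=1, cyclomatic=8, nesting_depth=3, memory_ops=15),
    RegionMetrics("init_config", dangerous_calls=0, cyclomatic=3, nesting_depth=1, memory_ops=1),
    RegionMetrics("log_message", dangerous_calls=0, cyclomatic=2, nesting_depth=1, memory_ops=2),
]

# Constructed seed traces: the regions each seed's execution reached.
SAMPLE_SEEDS = {
    "seed_a": {"parse_header", "log_message"},
    "seed_b": {"log_message", "init_config"},
    "seed_c": {"decode_payload"},
}


def demo(total_execs: int = 10_000):
    scores = region_scores(SAMPLE_REGIONS)
    return scores, allocate_budget(SAMPLE_SEEDS, total_execs, scores)


if __name__ == "__main__":
    scores, alloc = demo()
    for name, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name:16s} score={s:.3f}")
    for seed, n in alloc.items():
        print(f"{seed}: {n} execs")
```

With the constructed data, `parse_header` scores 1.0 and `log_message` about 0.013, so `seed_c` (which only reaches `decode_payload`) and `seed_a` (which reaches `parse_header`) receive most of the budget while `seed_b` keeps roughly its baseline. The mean over covered regions is a deliberate choice so that a seed touching many uninteresting regions is not rewarded for breadth alone; a sum would favour long traces instead.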