PosFuzz:augmenting greybox fuzzing with effective position distribution

Authors: Yanyan Zou; Wei Zou; JiaCheng Zhao; Nanyu Zhong; Yu Zhang; Ji Shi; Wei Huo

Author affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China; State Key Lab of Processors, Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China; Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, Beijing, China; Beijing Key Laboratory of Network Security and Protection Technology, Beijing, China; Zhongguancun Laboratory, Beijing, China

Publication: Cybersecurity (Cyberspace Security Science and Technology, English edition)

Year, volume, issue: 2023, Vol. 6, No. 4

Pages: 123-143

Subject classification: 07 [Science]; 0701 [Science - Mathematics]; 070101 [Science - Pure Mathematics]

Funding: This research was supported by National Key R&D Program of China (2022YFB3103900), National Natural Science Foundation of China (62032010, 62202462), Strategic Priority Research Program of the CAS (XDC02030200)

Keywords: Greybox fuzzing; Mutation position; Mutation operator; Code coverage; Vulnerability discovery

Abstract: Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and ***-based greybox fuzzing generates input cases by mutating the input seed, i.e., applying a sequence of mutation operators to randomly selected mutation positions of the ***, existing fruitful research work focuses on scheduling mutation operators, leaving the schedule of mutation positions as an overlooked aspect of fuzzing *** paper proposes a novel greybox fuzzing method, PosFuzz, that statistically schedules mutation positions based on their historical *** makes use of a concept of effective position distribution to represent the semantics of the input and to guide the *** first utilizes Good-Turing frequency estimation to calculate an effective position distribution for each mutation *** then leverages two sampling methods in different mutating stages to select the positions from the *** have implemented PosFuzz on top of AFL, AFLFast and MOPT, called Pos-AFL, -AFLFast and -MOPT respectively, and evaluated them on the UNIFUZZ benchmark (20 widely used open source programs) and LAVA-M *** result shows that, under the same testing time budget, the Pos-AFL, -AFLFast and -MOPT outperform their counterparts in code coverage and vulnerability discovery *** with AFL, AFLFast, and MOPT, PosFuzz gets 21% more edge coverage and finds 133% more paths on *** also triggers 275% more unique bugs on average.
