CMFuzz: context-aware adaptive mutation for fuzzers
Empirical Software Engineering (IF 3.5) Pub Date: 2021-01-01, DOI: 10.1007/s10664-020-09927-3
Xiajing Wang, Changzhen Hu, Rui Ma, Donghai Tian, Jinyuan He

Mutation-based fuzzing is a simple yet effective technique to discover bugs and security vulnerabilities in software. Given a set of well-formed initial seeds, mutation-based fuzzers continually generate interesting seeds by applying a specific mutation strategy in order to maximize code coverage or the number of unique bugs explored at any point in time. However, existing fuzzers remain limited in the paths they can cover, since they simply follow a uniform distribution to choose mutation operators. In this paper, we propose a novel context-aware adaptive mutation scheme, namely CMFuzz, which utilizes the contextual bandit algorithm LinUCB to effectively choose optimal mutation operators for various seed files. To this end, CMFuzz dynamically extracts and encodes file characteristics, which allows mutation-based fuzzers to perform context-aware mutation. We apply this scheme on top of several state-of-the-art fuzzers, i.e., PTfuzz, AFL, and AFLFast, and implement CMFuzz-PT, CMFuzz-AFL, and CMFuzz-AFLFast, respectively. We evaluate them on 12 real-world open source applications and the LAVA-M dataset against their counterparts. Extensive evaluations demonstrate that CMFuzz-based fuzzers achieve higher code coverage and find more crashes at a faster rate than their counterparts in most cases. Furthermore, we also utilize other mainstream bandit algorithms, e.g., Thompson Sampling and epsilon-greedy, and implement Thompson-PT and Greedy-PT on top of PTfuzz to examine the performance of the proposed model. CMFuzz-PT significantly outperforms Thompson-PT, especially in terms of unique crashes and paths, finding 1.79× the unique crashes and 1.29× the unique paths on average. Compared to Greedy-PT, our approach still increases the number of unique crashes and paths by 1.11× and 1.05×, respectively.
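The selection loop the abstract describes, as an added Python illustration that is not the paper's code: a disjoint LinUCB bandit scores each mutation operator from a seed's context vector, picks the highest upper confidence bound, and learns from whether the mutated input reached new coverage. The operator names, the context features, the coverage-reward model and the sample seeds below are constructed assumptions, not CMFuzz's own encoding or operator set.

```python
import math
import random
OPERATORS = ["bitflip", "arith", "interest", "havoc"]  # hypothetical operator names

def seed_context(data):
    """Context vector for a seed (constructed features): bias, printable ratio, entropy/8."""
    n = max(len(data), 1)
    probs = [data.count(b) / n for b in set(data)]
    entropy = -sum(p * math.log2(p) for p in probs)
    return [1.0, sum(32 <= b < 127 for b in data) / n, entropy / 8.0]

class LinUCB:
    """Disjoint LinUCB: one ridge model per arm; A^-1 kept via the Sherman-Morrison update."""
    def __init__(self, arms, dim, alpha=1.0):
        self.alpha = alpha
        self.ainv = {a: [[float(i == j) for j in range(dim)] for i in range(dim)] for a in arms}
        self.b = {a: [0.0] * dim for a in arms}
    def _ainv_x(self, arm, x):
        return [sum(m * v for m, v in zip(row, x)) for row in self.ainv[arm]]
    def ucb(self, arm, x):
        """theta^T x + alpha * sqrt(x^T A^-1 x), where theta = A^-1 b."""
        ax = self._ainv_x(arm, x)
        theta_x = sum(bi * v for bi, v in zip(self.b[arm], ax))
        return theta_x + self.alpha * math.sqrt(sum(xi * v for xi, v in zip(x, ax)))
    def select(self, x):
        return max(self.ainv, key=lambda a: self.ucb(a, x))
    def update(self, arm, x, reward):
        """reward = 1 if the mutated input reached new coverage, else 0."""
        ax = self._ainv_x(arm, x)
        denom = 1.0 + sum(xi * v for xi, v in zip(x, ax))
        for i in range(len(x)):
            for j in range(len(x)):
                self.ainv[arm][i][j] -= ax[i] * ax[j] / denom
        self.b[arm] = [bi + reward * xi for bi, xi in zip(self.b[arm], x)]

def simulate(rounds=600, seed=0):
    """Constructed fuzzing loop: text-like seeds gain coverage mostly from 'havoc',
    binary seeds from 'bitflip'. Returns the share of the last 200 picks that paid off."""
    rng = random.Random(seed)
    seeds = [(b"<html><body>hello</body></html>", "havoc"),
             (bytes(rng.randrange(256) for _ in range(64)), "bitflip")]
    bandit, hits = LinUCB(OPERATORS, dim=3), 0
    for t in range(rounds):
        data, best = seeds[t % 2]
        x = seed_context(data)
        arm = bandit.select(x)                         # context-aware choice
        reward = 1 if rng.random() < (0.8 if arm == best else 0.1) else 0
        bandit.update(arm, x, reward)
        hits += int(t >= rounds - 200 and arm == best)
    return hits / 200
```

A uniform-random chooser would pay off in about a quarter of rounds here; the bandit's late-round hit rate shows how much the context lets it concentrate on the operator that works for each seed type.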

Updated: 2021-01-01