高级检索

    HeapAFL:基于堆操作行为引导的灰盒模糊测试

    HeapAFL: Heap-Behavior Guided Greybox Fuzzing

    • 摘要: 随着软件开发环境和业务逻辑的复杂度不断增加,大量的堆内存对象生命周期及其引用关系造成堆内存操作行为错综复杂,极易引发程序错误造成漏洞. 模糊测试作为高效的软件代码错误检测技术,常用于漏洞挖掘. 然而,目前最先进的模糊测试工具专注于代码全覆盖功能测试,忽略了执行时堆内存操作状态信息,从而错过堆内存漏洞发现机会. 针对上述问题,提出了一种基于堆操作行为引导的灰盒模糊测试方法HeapAFL,在不依赖漏洞先验知识的情况下,其通过静态分析插桩基础堆操作函数及其参数监测执行时控制流和数据流变化,反馈堆操作行为信息,指导模糊测试中种子优先变异阶段,探索多样化堆操作行为从而更高概率触发堆内存错误类漏洞. 在6个真实应用程序上验证方法效果,并与6个最先进的模糊测试工具进行比较,实验中的CPU总共测试了4032 h. 实验结果表明,HeapAFL在漏洞挖掘效果和崩溃发现效率上优于对比工作.在漏洞挖掘数量上,HeapAFL相比于基准模糊测试方法AFL,AFLFast,PathAFL,TortoiseFuzz,Angora,Memlock分别提升了1.32倍,1.39倍,1.92倍,1.56倍,2.78倍,2.08倍. 最终,HeapAFL在数据集上挖掘到了25个堆内存错误类漏洞,其中包括19个已知的漏洞(即1 day)和6个未知的漏洞(即0 day),并报告给CVE(common vulnerabilities and exposures)官方漏洞库后已经获得了2个CVE漏洞编号,其余漏洞正在等待审核.

       

      Abstract: As the software gets more and more complicated, the intricate reference relationship and the interlaced life cycle of numerous data objects are confusing, which makes them prone to program errors and incurs vulnerabilities. Fuzzing is a general vulnerability discovery technique. However, the state-of-the-art fuzzing techniques focus on the full coverage of functionality testing but not the heap-based memory status in the running. It suffers from heap-based memory state information loss to distinguish execution with potential heap-based memory errors and often strays into unrelated paths. In this paper, we propose a heap-behavior diversity-guided fuzzing solution named HeapAFL. It uses static analysis to obtain the control flow and data flow information of heap-behavior to guide fuzzing to generate test cases that trigger more complex heap behaviors. The fuzzing process is guided by basic heap-behavior information so that our method is general and does not require domain knowledge. We test HeapAFL on a dataset of 6 real-world programs and compare it with 6 state-of-the-art fuzzers with a CPU running for 4032 hours. The results show that HeapAFL is a suitable method for heap-based memory vulnerability discovery, and it performs better than related works. It outperforms AFL, AFLFast, PathAFL, TortoiseFuzz, Angora, and Memlock in vulnerability findings 1.32 times, 1.39 times, 1.92 times, 1.56 times, 2.78 times, and 2.08 times, respectively. Moreover, we have found 25 heap-based vulnerabilities, including 19 known (i.e., 1day) and 6 unknown (i.e., 0day) vulnerabilities, and reported them to CVE (common vulnerabilities and exposures). We have 2 CVE numbers assigned, with the others waiting for confirmation.

       

    /

    返回文章
    返回