CBFuzzer: Fuzzy Detection of Program Defects Based on Execution Context Orientation and Protection Breakthrough
-
Graphical Abstract
-
Abstract
A large number of application practices have proven the effectiveness of fuzzy testing to detect program vulnerabilities. The existing fuzzy testing methods lack the analysis of differences in performance specific to the testing tasks and adjust testing policies appropriately. Instead, they mostly adopt a unified process, resulting in unsatisfactory testing results. It is necessary to modify the policy based on specific information during the testing process to achieve better testing performance, and a new program defect fuzzy testing method based on execution context orientation is proposed, which can break through the protection mechanism. By capturing and analyzing specific contextual information during the actual processing of input test cases by the tested program, and achieving rapid exploration of program structural features, the sample mutation policy can be optimized. Meanwhile, a prototype tool CBFuzzer for program defect fuzzy detection based on execution context orientation is implemented. The experimental results indicate that CBFuzzer can effectively explore the internal structure of programs (including breakthroughs in protection mechanisms), simulate unconventional program state transitions, and more efficiently expose vulnerability points. By comparison, CBFuzzer shows improvements ranging from 6.8% to 36.76% in terms of vulnerability exposure, with the highest increase in the number of actual vulnerabilities detected reaching up to 66.67%. With the investment of a small amount of additional testing resources within an acceptable range, CBFuzzer not only achieves improved detection performance for regular types of vulnerabilities but also exhibits higher detection capabilities for vulnerabilities with strong concealment. As of August 10, 2023, a total of 126 new vulnerabilities have been identified through the utilization of CBFuzzer in 13 testing tasks (reported to related software developers and submitted to CVE® organization).
-
-