DiPri: Distance-based Seed Prioritization for Greybox Fuzzing

IF 6.6 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

ACM Transactions on Software Engineering and Methodology Pub Date : 2024-03-26 DOI:10.1145/3654440

Ruixiang Qian, Quanjun Zhang, Chunrong Fang, Ding Yang, Shun Li, Binyu Li, Zhenyu Chen

{"title":"DiPri: Distance-based Seed Prioritization for Greybox Fuzzing","authors":"Ruixiang Qian, Quanjun Zhang, Chunrong Fang, Ding Yang, Shun Li, Binyu Li, Zhenyu Chen","doi":"10.1145/3654440","DOIUrl":null,"url":null,"abstract":"Greybox fuzzing is a powerful testing technique. Given a set of initial seeds, greybox fuzzing continuously generates new test inputs to execute the program under test and drives executions with code coverage as feedback. Seed prioritization is an important step of greybox fuzzing that helps greybox fuzzing choose promising seeds for input generation in priority. However, mainstream greybox fuzzers like AFL++ and Zest tend to neglect the importance of seed prioritization. They may pick seeds plainly according to the sequential order of the seeds being queued or an order produced with a random-based approach, which may consequently degrade their performance in exploring code and exposing bugs. In the meantime, existing state-of-the-art techniques like Alphuzz and K-Scheduler adopt complex strategies to schedule seeds. Although powerful, such strategies also inevitably incur great overhead and will reduce the scalability of the proposed technique. In this paper, we propose a novel distance-based seed prioritization approach named DiPri to facilitate greybox fuzzing. Specifically, DiPri evaluates the queued seeds according to seed distances and chooses the outlier ones, which are the farthest from the others, in priority to improve the probabilities of discovering previously unexplored code regions. To make a profound evaluation of DiPri, we prototype DiPri on AFL++ and conduct large-scale experiments with four baselines and 24 C/C++ fuzz targets, where eight are from widely adopted real-world projects, eight are from the coverage-based benchmark FuzzBench, and eight are from the bug-based benchmark Magma. The results obtained through a fuzzing exceeding 50,000 CPU hours suggest that DiPri can (1) insignificantly influence the host fuzzer’s capability of code coverage by slightly improving the branch coverage on the eight targets from real-world projects and slightly reducing the branch coverage on the eight targets from FuzzBench, and (2) improve the host fuzzer’s capability of finding bugs by triggering five more Magma bugs. Besides the evaluation with the three C/C++ benchmarks, we integrate DiPri into the Java fuzzer Zest and conduct experiments on a Java benchmark composed of five real-world programs for more than 8,000 CPU hours to empirically study the scalability of DiPri. The results with the Java benchmark demonstrate that DiPri is pretty scalable and can help the host fuzzer find bugs more consistently.","PeriodicalId":50933,"journal":{"name":"ACM Transactions on Software Engineering and Methodology","volume":"30 1","pages":""},"PeriodicalIF":6.6000,"publicationDate":"2024-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Software Engineering and Methodology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3654440","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Greybox fuzzing is a powerful testing technique. Given a set of initial seeds, greybox fuzzing continuously generates new test inputs to execute the program under test and drives executions with code coverage as feedback. Seed prioritization is an important step of greybox fuzzing that helps greybox fuzzing choose promising seeds for input generation in priority. However, mainstream greybox fuzzers like AFL++ and Zest tend to neglect the importance of seed prioritization. They may pick seeds plainly according to the sequential order of the seeds being queued or an order produced with a random-based approach, which may consequently degrade their performance in exploring code and exposing bugs. In the meantime, existing state-of-the-art techniques like Alphuzz and K-Scheduler adopt complex strategies to schedule seeds. Although powerful, such strategies also inevitably incur great overhead and will reduce the scalability of the proposed technique.

In this paper, we propose a novel distance-based seed prioritization approach named DiPri to facilitate greybox fuzzing.

Specifically, DiPri evaluates the queued seeds according to seed distances and chooses the outlier ones, which are the farthest from the others, in priority to improve the probabilities of discovering previously unexplored code regions. To make a profound evaluation of DiPri, we prototype DiPri on AFL++ and conduct large-scale experiments with four baselines and 24 C/C++ fuzz targets, where eight are from widely adopted real-world projects, eight are from the coverage-based benchmark FuzzBench, and eight are from the bug-based benchmark Magma. The results obtained through a fuzzing exceeding 50,000 CPU hours suggest that DiPri can (1) insignificantly influence the host fuzzer’s capability of code coverage by slightly improving the branch coverage on the eight targets from real-world projects and slightly reducing the branch coverage on the eight targets from FuzzBench, and (2) improve the host fuzzer’s capability of finding bugs by triggering five more Magma bugs. Besides the evaluation with the three C/C++ benchmarks, we integrate DiPri into the Java fuzzer Zest and conduct experiments on a Java benchmark composed of five real-world programs for more than 8,000 CPU hours to empirically study the scalability of DiPri. The results with the Java benchmark demonstrate that DiPri is pretty scalable and can help the host fuzzer find bugs more consistently.

查看原文本刊更多论文

DiPri：基于距离的灰盒模糊种子优先级排序

灰盒模糊是一种强大的测试技术。给定一组初始种子后，灰盒模糊会不断生成新的测试输入来执行被测程序，并以代码覆盖率作为反馈来驱动执行。种子优先级是灰盒模糊的一个重要步骤，它有助于灰盒模糊优先选择有希望的种子来生成输入。然而，AFL++ 和 Zest 等主流灰盒模糊器往往忽视了种子优先级的重要性。它们可能只是按照种子排队的顺序或基于随机的方法产生的顺序来选择种子，这可能会降低它们探索代码和暴露漏洞的性能。与此同时，Alphuzz 和 K-Scheduler 等现有的先进技术采用了复杂的策略来调度种子。这些策略虽然功能强大，但也不可避免地会产生巨大的开销，并会降低所提技术的可扩展性。在本文中，我们提出了一种名为 DiPri 的基于距离的新型种子优先级排序方法，以促进灰盒模糊处理。具体来说，DiPri 根据种子距离评估排队的种子，并优先选择离其他种子最远的离群种子，以提高发现先前未探索代码区域的概率。为了对 DiPri 进行深入评估，我们在 AFL++ 上建立了 DiPri 原型，并用四个基线和 24 个 C/C++ 模糊目标进行了大规模实验，其中八个来自广泛采用的实际项目，八个来自基于覆盖率的基准 FuzzBench，八个来自基于错误的基准 Magma。超过 50,000 个 CPU 小时的模糊测试结果表明，DiPri 可以：（1）通过略微提高来自实际项目的 8 个目标的分支覆盖率和略微降低来自 FuzzBench 的 8 个目标的分支覆盖率，对主机模糊器的代码覆盖能力影响不大；（2）通过多触发 5 个 Magma 错误，提高主机模糊器发现错误的能力。除了对三个 C/C++ 基准进行评估外，我们还将 DiPri 集成到 Java 模糊器 Zest 中，并在由五个真实世界程序组成的 Java 基准上进行了超过 8000 个 CPU 小时的实验，对 DiPri 的可扩展性进行了实证研究。Java 基准测试的结果表明，DiPri 具有很强的可扩展性，可以帮助主机模糊器更稳定地发现漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Software Engineering and Methodology 工程技术-计算机：软件工程

CiteScore

6.30

自引率

4.50%

发文量

164

审稿时长

>12 weeks

期刊介绍： Designing and building a large, complex software system is a tremendous challenge. ACM Transactions on Software Engineering and Methodology (TOSEM) publishes papers on all aspects of that challenge: specification, design, development and maintenance. It covers tools and methodologies, languages, data structures, and algorithms. TOSEM also reports on successful efforts, noting practical lessons that can be scaled and transferred to other projects, and often looks at applications of innovative technologies. The tone is scholarly but readable; the content is worthy of study; the presentation is effective.