ENZZ: Effective N-gram coverage assisted fuzzing with nearest neighboring branch estimation

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2024-09-24 DOI:10.1016/j.infsof.2024.107582

Xi Peng, Peng Jia, Ximing Fan, Jiayong Liu

{"title":"ENZZ: Effective N-gram coverage assisted fuzzing with nearest neighboring branch estimation","authors":"Xi Peng, Peng Jia, Ximing Fan, Jiayong Liu","doi":"10.1016/j.infsof.2024.107582","DOIUrl":null,"url":null,"abstract":"<div><div>Fuzzing is a highly effective approach for identifying software bugs and vulnerabilities. Among the various techniques employed, coverage-guided fuzzing stands out as particularly valuable, relying on tracing code coverage information. N-gram coverage is a coverage metric in gray-box fuzz testing, where the value of N determines the sensitivity of the coverage. Block and edge coverage can be represented as 0-gram and 1-gram, respectively. The value of N can range from 0 to infinity. However, the specific methodology for selecting the appropriate value of N is still an area yet to be explored.</div><div>This paper proposes an estimation method based on the nearest branch. We initially explained the role of N-gram in the execution paths of programs and elucidated the objective of selecting the value of N, which aims to cover the closest neighboring branches. Subsequently, based on this objective, we proposed a method for calculating N based on the closest neighboring branch and estimated N at the function level. Finally, in this paper, we designed a scheduling mechanism using Adversarial Multi-Armed Bandit model that automatically selects either the seeds generated by N-gram or the original queue seeds for fuzz testing.</div><div>We implement our approach in ENZZ based on AFL and compare it with other N-gram coverage fuzzers and the state-of-the-art path coverage-assisted fuzzer PathAFL. We find that ENZZ outperforms other N-gram fuzzers and PathAFL by achieving an average improvement of 5.57% and 4.38% on edge coverage, and it improves the efficiency of path-to-edge discovery by 31.5% and 26.1%, respectively, on 12 Google FuzzBench programs. It also finds more bugs than other N-gram fuzzers and three more real-world bugs than PathAFL.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"177 ","pages":"Article 107582"},"PeriodicalIF":3.8000,"publicationDate":"2024-09-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584924001873","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Fuzzing is a highly effective approach for identifying software bugs and vulnerabilities. Among the various techniques employed, coverage-guided fuzzing stands out as particularly valuable, relying on tracing code coverage information. N-gram coverage is a coverage metric in gray-box fuzz testing, where the value of N determines the sensitivity of the coverage. Block and edge coverage can be represented as 0-gram and 1-gram, respectively. The value of N can range from 0 to infinity. However, the specific methodology for selecting the appropriate value of N is still an area yet to be explored.

This paper proposes an estimation method based on the nearest branch. We initially explained the role of N-gram in the execution paths of programs and elucidated the objective of selecting the value of N, which aims to cover the closest neighboring branches. Subsequently, based on this objective, we proposed a method for calculating N based on the closest neighboring branch and estimated N at the function level. Finally, in this paper, we designed a scheduling mechanism using Adversarial Multi-Armed Bandit model that automatically selects either the seeds generated by N-gram or the original queue seeds for fuzz testing.

We implement our approach in ENZZ based on AFL and compare it with other N-gram coverage fuzzers and the state-of-the-art path coverage-assisted fuzzer PathAFL. We find that ENZZ outperforms other N-gram fuzzers and PathAFL by achieving an average improvement of 5.57% and 4.38% on edge coverage, and it improves the efficiency of path-to-edge discovery by 31.5% and 26.1%, respectively, on 12 Google FuzzBench programs. It also finds more bugs than other N-gram fuzzers and three more real-world bugs than PathAFL.

查看原文本刊更多论文

ENZZ：利用最近相邻分支估计进行有效的 N-gram 覆盖率辅助模糊处理

模糊测试是一种识别软件错误和漏洞的高效方法。在采用的各种技术中，覆盖率指导模糊测试尤其有价值，它依赖于跟踪代码覆盖率信息。N-gram 覆盖率是灰盒模糊测试中的一种覆盖率指标，其中 N 的值决定了覆盖率的灵敏度。块覆盖率和边覆盖率可分别表示为 0-gram 和 1-gram。N 的取值范围从 0 到无穷大。本文提出了一种基于最近分支的估算方法。我们首先解释了 N-gram 在程序执行路径中的作用，并阐明了 N 值的选择目标，即覆盖最近的相邻分支。随后，基于这一目标，我们提出了一种基于最近相邻分支的 N 计算方法，并在函数层面对 N 进行了估计。最后，在本文中，我们设计了一种调度机制，利用逆向多臂匪特模型，自动选择由 N-gram 生成的种子或原始队列种子进行模糊测试。我们发现，在 12 个 Google FuzzBench 程序上，ENZZ 的边缘覆盖率分别平均提高了 5.57% 和 4.38%，路径到边缘的发现效率分别提高了 31.5% 和 26.1%，因此优于其他 N-gram 模糊器和 PathAFL。它还比其他 N-gram 模糊器发现了更多的错误，比 PathAFL 多发现了三个真实世界的错误。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.