AugPersist: Automatically augmenting the persistence of coverage-based greybox fuzzing for persistent software
Chiheng Wang, Jianshan Peng, Junhu Zhu, Qingxian Wang
DOI: 10.1016/j.cose.2024.104099
Journal: Computers & Security, volume 148, Article 104099 (Journal Article)
Publication date: 2024-09-07
URL: https://www.sciencedirect.com/science/article/pii/S0167404824004048
Fuzzing is one of the most successful approaches for verifying software functionality and discovering security vulnerabilities. However, software with persistent runtime characteristics (e.g., web service programs) cannot be effectively tested by current coverage-based greybox (CG) fuzzers, which strictly rely on the termination state of the target software to feed test cases synchronously and obtain code coverage. The existing approach requires delicate analysis and modification of the target to eliminate its persistence, and it leads to excessive non-essential restarts during testing, resulting in low throughput.
To improve the convenience and efficiency of CG fuzzing for persistent software, we propose augmenting persistence (AugPersist) as a complementary method. AugPersist introduces the concept of the persistent basic block (PBB) to leverage the inherent code features of persistent software. PBBs can be found automatically and quickly before fuzzing, based on the execution flow graph (EFG). On this basis, we develop a low-delay synchronous communication mechanism so that after regular test cases are fed into the target, the fuzzer can derive code coverage without rebooting the target, thus significantly minimizing extraneous restarts. Additionally, by utilizing a self-adaptive forkserver, we can dynamically adjust the re-execution point of the target to the PBB position, which further minimizes losses when test cases trigger exceptions and cause necessary restarts.
To show the potential of augmenting persistence, we create two implementations, AFL-AugPersist and AFLNet-AugPersist, using AFL and AFLNet as baselines. We evaluate both against their respective baselines on different benchmarks. AFL-AugPersist makes stateless persistent software easier to fuzz than AFL and provides a 4.9× to 71.1× throughput improvement compared to AFL. The throughput of AFLNet-AugPersist improves by a maximum of 210.0× and a minimum of 3.3× compared to AFLNet. These results show that AugPersist significantly contributes to the convenience and efficiency of CG fuzzing on persistent software.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.