VERTFuzz: Version transformer-driven fuzzing for complex file parsers
Authors: Zhaoyu Wen, Zhiqiang Wang, Biao Liu
Journal: Computers & Security, volume 158, Article 104641 (Journal Article)
Published: 2025-08-20
DOI: 10.1016/j.cose.2025.104641
URL: https://www.sciencedirect.com/science/article/pii/S016740482500330X
Fuzz testing has grown significantly in recent years and has become an important tool for identifying programme vulnerabilities and defects more thoroughly and efficiently. However, fuzz testing of complex file formats remains challenging. Most fuzzers either require extensive expert knowledge and rely heavily on manually constructed format models, or struggle to accurately identify complex structural relationships, producing numerous invalid test variants. In this paper, we propose a metadata-based mutation technique that uses deep learning models to identify the locations of metadata fields and incorporates that information into targeted mutations, enabling rapid identification of file structures. We also use the Version Transformer model to filter valid test cases out of the queue, addressing the sparseness of the defect space in the input and making the mutated test cases more effective. Experimental results show that VERTFuzz identified 32 unique errors across ten different programs, including four complex file formats. On average, VERTFuzz discovered 29% more paths and 14.54% more code blocks than AFL++.
Journal introduction:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.