Directed fuzzing based on path constraints and deviation path correction
Hongsheng Zuo, Yong Fang, Peng Jia, Ximing Fan, Xi Peng, YiJia Xu, Rui Pan
Information and Software Technology, vol. 188, Article 107875, published 2025-09-17. DOI: 10.1016/j.infsof.2025.107875. https://www.sciencedirect.com/science/article/pii/S0950584925002149
Directed fuzzing targets specific parts of a program and is particularly useful for tasks like PoC verification, crash reproduction, and patch testing. It uses static analysis to guide the fuzzing process. However, it still faces two significant challenges that affect its efficiency. Existing directed fuzzers overlook whether a code region is related to the target location, so excessive computational power is wasted on calculating distances for irrelevant regions, which also hinders precise distance calculation. Additionally, the reliance on random mutations during test case generation produces new cases that mostly cannot reach the target location. Therefore, we propose PathFuzz, a fuzzer that employs a distance calculation method constrained by the target path and a directed mutation method for the bytes that cause deviation from the target path. We first identify the code regions related to the target location and calculate finer-grained basic block distances within these regions. Next, through taint analysis, we map program input bytes to the basic blocks that process them. We then perform directed mutations, adjusting the input bytes corresponding to the basic blocks that deviate from the target execution path to guide execution back on track. We evaluated PathFuzz on the Magma dataset, and experiments show that compared to several SOTA directed fuzzers, PathFuzz is on average 17.85 times, 2.47 times, 17.61 times, and 4.85 times faster, respectively, and it can trigger four vulnerabilities that other tools cannot within the specified time.
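The two ideas in the abstract, scoring only blocks that can reach the target and mutating only the bytes tainting the branch that left the target path, as an added illustration that is not PathFuzz's own code. The CFG, the byte-to-block taint map and the traces are constructed toy data, not taken from the paper.

```python
from collections import deque

# Constructed toy CFG (block -> successors); not taken from the paper.
CFG = {
    "entry": ["parse_hdr"],
    "parse_hdr": ["check_magic", "err"],
    "check_magic": ["read_len", "err"],
    "read_len": ["copy", "skip"],
    "copy": ["target", "exit"],
    "skip": ["exit"],
    "err": ["exit"],
    "target": ["exit"],
    "exit": [],
}
TARGET = "target"

# Constructed taint map: block -> input byte offsets its branch depends on
# (what a taint-analysis pass would produce; values are made up here).
TAINT = {"parse_hdr": {0}, "check_magic": {1, 2, 3}, "read_len": {4, 5}, "copy": {6}}


def path_constrained_distances(cfg, target):
    """Reverse BFS from the target. Only blocks that can reach the target get
    a distance; everything else is outside the target region and is not
    scored at all, instead of being assigned an 'infinite' distance."""
    preds = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            preds[s].append(b)
    dist, work = {target: 0}, deque([target])
    while work:
        b = work.popleft()
        for p in preds[b]:
            if p not in dist:
                dist[p] = dist[b] + 1
                work.append(p)
    return dist


def seed_score(trace, dist):
    """Closest approach to the target along an execution trace (lower is better)."""
    return min((dist[b] for b in trace if b in dist), default=None)


def deviation_bytes(trace, dist, taint):
    """Find the first executed block outside the target region. The block
    before it is the branch that left the path; its tainted bytes are the
    ones a directed mutation should adjust. Returns (branch_block, bytes)."""
    for i, b in enumerate(trace):
        if dist.get(b) == 0:          # target reached: nothing to correct
            return None, set()
        if b not in dist and i > 0:
            return trace[i - 1], set(taint.get(trace[i - 1], ()))
    return None, set()
```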
Journal description:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.