{"title":"Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing","authors":"Lei Zhao, Yue Duan, Heng Yin, J. Xuan","doi":"10.14722/ndss.2019.23504","DOIUrl":null,"url":null,"abstract":"Hybrid fuzzing which combines fuzzing and concolic execution has become an advanced technique for software vulnerability detection. Based on the observation that fuzzing and concolic execution are complementary in nature, the stateof-the-art hybrid fuzzing systems deploy “demand launch” and “optimal switch” strategies. Although these ideas sound intriguing, we point out several fundamental limitations in them, due to oversimplified assumptions. We then propose a novel “discriminative dispatch” strategy to better utilize the capability of concolic execution. We design a novel Monte Carlo based probabilistic path prioritization model to quantify each path’s difficulty and prioritize them for concolic execution. This model treats fuzzing as a random sampling process. It calculates each path’s probability based on the sampling information. Finally, our model prioritizes and assigns the most difficult paths to concolic execution. We implement a prototype system DigFuzz and evaluate our system with two representative datasets. Results show that the concolic execution in DigFuzz outperforms than those in state-of-the-art hybrid fuzzing systems in every major aspect. In particular, the concolic execution in DigFuzz contributes to discovering more vulnerabilities (12 vs. 5) and producing more code coverage (18.9% vs. 3.8%) on the CQE dataset than the concolic execution in Driller.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"117","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings 2019 Network and Distributed System Security Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14722/ndss.2019.23504","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 117
Abstract
Hybrid fuzzing which combines fuzzing and concolic execution has become an advanced technique for software vulnerability detection. Based on the observation that fuzzing and concolic execution are complementary in nature, the stateof-the-art hybrid fuzzing systems deploy “demand launch” and “optimal switch” strategies. Although these ideas sound intriguing, we point out several fundamental limitations in them, due to oversimplified assumptions. We then propose a novel “discriminative dispatch” strategy to better utilize the capability of concolic execution. We design a novel Monte Carlo based probabilistic path prioritization model to quantify each path’s difficulty and prioritize them for concolic execution. This model treats fuzzing as a random sampling process. It calculates each path’s probability based on the sampling information. Finally, our model prioritizes and assigns the most difficult paths to concolic execution. We implement a prototype system DigFuzz and evaluate our system with two representative datasets. Results show that the concolic execution in DigFuzz outperforms than those in state-of-the-art hybrid fuzzing systems in every major aspect. In particular, the concolic execution in DigFuzz contributes to discovering more vulnerabilities (12 vs. 5) and producing more code coverage (18.9% vs. 3.8%) on the CQE dataset than the concolic execution in Driller.
混合模糊测试将模糊测试和协同执行相结合,已成为一种先进的软件漏洞检测技术。基于观察到模糊测试和协同执行在本质上是互补的,最先进的混合模糊测试系统采用“需求启动”和“最优切换”策略。虽然这些想法听起来很有趣,但我们指出了它们的几个基本局限性,这是由于过于简化的假设。然后,我们提出了一种新的“判别调度”策略,以更好地利用协同执行的能力。我们设计了一种新的基于蒙特卡罗的概率路径优先级模型来量化每条路径的难度,并对它们进行优先级排序。该模型将模糊处理视为随机抽样过程。它根据采样信息计算每条路径的概率。最后,我们的模型对最困难的路径进行优先级排序,并将其分配给联合执行。我们实现了一个原型系统DigFuzz,并用两个代表性的数据集对我们的系统进行了评估。结果表明,在每个主要方面,DigFuzz的一致性执行都优于最先进的混合模糊系统。特别是,与Driller中的concolic执行相比,DigFuzz中的concolic执行有助于在CQE数据集上发现更多漏洞(12 vs. 5)并产生更多代码覆盖率(18.9% vs. 3.8%)。