Computer Science (计算机科学) ›› 2025, Vol. 52 ›› Issue (11): 382-389. doi: 10.11896/jsjkx.241000003

• Information Security •

Dynamic Analysis Based Fuzz Testing for Memory Safety Vulnerabilities
(Chinese title: 结合动态分析的内存安全漏洞模糊测试方法)

YIN Jiale1, CHEN Zhe1,2

  1 College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
  2 Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 211106, China
  • Received: 2024-10-08  Revised: 2024-12-13  Online: 2025-11-15  Published: 2025-11-06
  • Corresponding author: CHEN Zhe (zhechen@nuaa.edu.cn)
  • About the authors: YIN Jiale (yinjiale1215@163.com), born in 1999, postgraduate. His main research interest is software verification.
    CHEN Zhe, born in 1981, professor, is a member of CCF (No. 22234M). His main research interests include software verification, software engineering and network security.
  • Supported by:
    National Natural Science Foundation of China (62172217), Joint Research Funds of the National Natural Science Foundation of China and the Civil Aviation Administration of China (U1533130), and the CCF-Huawei Populus Euphratica Fund Formalization Project.

Abstract: Systems written in C often contain latent memory vulnerabilities. Fuzz testing combined with dynamic analysis tools can uncover memory vulnerabilities, but the analysis introduces significant performance overhead. Meanwhile, currently popular fuzzing methods focus mostly on increasing overall code coverage, whereas efficiently triggering memory vulnerabilities in code that is already covered is an equally important capability. To this end, the dynamic analysis tool Movec is improved and combined with AFL; the main contribution is to use pointer metadata to guide fuzzing toward memory vulnerabilities efficiently. The core steps are: (1) manage pointer metadata with a source-level hash table and a two-level tree, to reduce the page faults incurred when fuzzing is combined with dynamic analysis; (2) remove coverage instrumentation from the dynamic analysis code at the assembly level, so that the redundant instrumentation does not distort coverage measurement; (3) add two feedback metrics, the minimum pointer boundary distance and the peak memory allocation, to guide the fuzzer toward buffer overflows and memory allocation failures; (4) optimize the seed queue filtering logic to keep the queue small and to prioritize seeds related to memory vulnerabilities. In experiments on programs with known CVEs, the execution throughput of Movec combined with AFL is 54% of native, whereas ASan and MSan reach only 10% and 4%, respectively. Compared with state-of-the-art fuzzers, the approach finds memory vulnerabilities in less time, reducing the time consumed by 48.4% on average.

Key words: Memory safety, Dynamic analysis, Fuzzing, Source-level instrumentation
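The feedback signals summarized in the abstract, as an added illustration in C that is not part of the paper's Movec/AFL implementation: a small runtime records metadata (base address, size) for each heap allocation, checks every instrumented access against it, and exports two per-run signals named in the abstract, the minimum distance from an access to its object's end and the peak live heap allocation, plus a seed-keeping rule that favors a seed when either signal improves even though no new code is reached. Object lookup uses a flat table instead of the paper's hash table and two-level tree; the instrumented target `target` with its deliberate off-by-one guard and the zero-filled `sample_input` are constructed for the example, and all `fb_*` names are this example's own.

```c
/* Added illustration, not the paper's Movec/AFL code: a minimal runtime that
 * keeps per-object pointer metadata for heap allocations and derives the two
 * feedback signals named in the abstract (minimum pointer boundary distance
 * and peak memory allocation). Object lookup is a flat linear table here; the
 * paper uses a source-level hash table plus a two-level tree. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_OBJS 64

typedef struct { uintptr_t base; size_t size; int live; } obj_meta_t;
typedef struct { size_t min_dist; size_t peak; unsigned violations; } fb_result_t;

static obj_meta_t objs[MAX_OBJS];
static size_t n_objs;
static size_t live_bytes, peak_bytes;      /* peak = "memory allocation peak" signal */
static size_t min_bound_dist = SIZE_MAX;   /* "minimum pointer boundary distance" signal */
static unsigned violations;

void fb_reset(void) {
    n_objs = 0; live_bytes = peak_bytes = 0; min_bound_dist = SIZE_MAX; violations = 0;
}

/* Allocation wrapper: records base/size metadata and tracks the live-byte peak. */
void *fb_malloc(size_t size) {
    void *p = malloc(size);
    if (!p || n_objs == MAX_OBJS) { free(p); return NULL; }
    objs[n_objs++] = (obj_meta_t){ (uintptr_t)p, size, 1 };
    live_bytes += size;
    if (live_bytes > peak_bytes) peak_bytes = live_bytes;
    return p;
}

/* Find the live object containing address a, or NULL. */
static obj_meta_t *lookup(uintptr_t a) {
    for (size_t i = 0; i < n_objs; i++)
        if (objs[i].live && a >= objs[i].base && a < objs[i].base + objs[i].size)
            return &objs[i];
    return NULL;
}

/* Free wrapper: rejects pointers that are not the base of a live object. */
void fb_free(void *p) {
    obj_meta_t *m = lookup((uintptr_t)p);
    if (!m || m->base != (uintptr_t)p) { violations++; return; }
    m->live = 0;
    live_bytes -= m->size;
    free(p);
}

/* Check an n-byte access at p. In bounds: record how many bytes remain before
 * the object's end and return 1. Out of bounds: count a violation, return 0. */
int fb_check_access(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p;
    obj_meta_t *m = lookup(a);
    if (!m || a + n > m->base + m->size) { violations++; min_bound_dist = 0; return 0; }
    size_t dist = (m->base + m->size) - (a + n);
    if (dist < min_bound_dist) min_bound_dist = dist;
    return 1;
}

/* Constructed target (not from the paper): copies len input bytes into a
 * 16-byte heap buffer and appends a terminator. The guard is off by one
 * (len > CAP instead of len >= CAP), so a 16-byte input places the
 * terminator one byte past the end; fb_check_access blocks that write. */
int target(const uint8_t *in, size_t len) {
    enum { CAP = 16 };
    if (len > CAP) return -1;
    uint8_t *buf = fb_malloc(CAP);
    if (!buf) return -1;
    for (size_t i = 0; i < len; i++)
        if (fb_check_access(buf + i, 1)) buf[i] = in[i];
    if (fb_check_access(buf + len, 1)) buf[len] = 0;
    fb_free(buf);
    return 0;
}

/* One fuzzing iteration: run the target under the runtime, return the signals. */
fb_result_t run_input(const uint8_t *in, size_t len) {
    fb_reset();
    target(in, len);
    return (fb_result_t){ min_bound_dist, peak_bytes, violations };
}

/* Seed-queue rule sketched in the abstract: a seed is worth keeping when it
 * gets closer to an object boundary or raises the allocation peak, even if
 * it reaches no new code. */
int fb_is_interesting(fb_result_t prev, fb_result_t cur) {
    return cur.min_dist < prev.min_dist || cur.peak > prev.peak;
}

/* Constructed zero-filled input used by the demonstration below. */
const uint8_t sample_input[32] = {0};

int main(void) {
    fb_result_t prev = run_input(sample_input, 8);
    for (size_t len = 8; len <= 16; len++) {   /* same path every time, distance shrinks */
        fb_result_t cur = run_input(sample_input, len);
        printf("len=%2zu min_dist=%zu peak=%zu violations=%u interesting=%d\n",
               len, cur.min_dist, cur.peak, cur.violations, fb_is_interesting(prev, cur));
        if (fb_is_interesting(prev, cur)) prev = cur;
    }
    return 0;
}
```

Every input of length 8 through 16 executes the same basic blocks, so a purely coverage-driven fuzzer would discard all but the first; the boundary-distance signal instead ranks each longer input as more interesting until the 16-byte input is reported as a violation, which is the "trigger vulnerabilities in already covered code" point the abstract makes.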

CLC number (中图分类号): TP311