Proj THUDBFuzz Paper Reading: Fuzzing Challenges and Reflections

Abstract

Fuzzing-1. symbolic execution 2. random input generation

Intro

  1. Blockbox fuzzing
  2. mutational
  3. generational: Peach
  4. Greybox fuzzing: 需用到程序插桩
  • Sanitizers会往程序中注入assertions
  • e.g: AFL; LibFuzzer; Honggfuzz
  1. Whitebox fuzzing: 往往使用程序分析和constraint solvers来遍历有意义的code path
  • constraint solver常常使用SMT(Satisfiability Module Theory)
  • 提取要到达某条code path所必须解决的condition中的一阶逻辑公式,功能,谓词符号等,使用constraint solver计算出一组能够到达这条路径的解
  • e.g: KLEE和SAGE

Recent Impact

1990就有了Fuzzing这个词,不过最近才在工业中大规模使用

Challenges

  1. How can we fuzz effeciently more types of software systems?
  • 例如有环境交互,或者是机器学习
  • How do we fuzz stateful software?
  • How do we fuzz polyglot softwares?
  • How do we fuzz GUI-based programs
  • How can a symbolic execution tool fuzz a highly-structured-input software?
  1. How can the fuzzer identify more types of vulnerabilities(可以被认为是程序状态的断言)?
  • 信道攻击可能性
  1. How can we find "deep bugs" for which efficient oracles exist, but which nevertheless evade detection?
  • complex conditions
  1. What is the nature of vulnerabilities that have evaded discovery despite long fuzzing campaigns?
  2. How can fuzzers leverage the ingenuity of the auditor?
  • How can the auditor instruct the fuzzer to overcome the roadblock?
  1. How can we improve the usability of fuzzing tools
  • How can we prepare the output of a fuzzer for human consumption?
  1. How can we assess residual security risk if the fuzzing campaingn was unsuccessful?
  2. What are the theoretical limitations of blackbox, greybox and whitebox fuzzing?
  • Given a program and a time budget, how can we select that fuzzing tech, or combination of techs, which finds the most vulnerabilities within time budget?
  • How do program size and complexity affect the scalability and performance of each tech?
  1. How can we evaluate specialized fuzzers?
  2. How can we prevent overfitting to a specific benchmark?
  3. Are synthetic bugs representative?
  4. Are real bugs, which have previously been discovered with other fuzzers, representative?
  5. Is coverage a good measure of fuzzer effectiveness?
  6. What is a fair choice of time budget?
  7. How do we evaluate techs instead of implementations
posted @ 2021-03-08 19:21  雪溯  阅读(91)  评论(0编辑  收藏  举报