Coverage-based graybox fuzzers (CGF), such as AFL, have achieved great success in
vulnerability detection thanks to their ease of use and bug-finding power. Since
some code fragments, such as memory allocation, are more likely to harbor bugs
than others, various improvements have been proposed that steer fuzzing toward
these more vulnerable areas by collecting extra information from the program
under test or from its executions. However, these improvements consider only a
limited set of information sources and ignore the fact that the priority of a
seed input to be fuzzed may be influenced by all of the code it covers. Based on
these observations, we propose a fuzzing method based on the importance of
functions. First, a data structure called the Attributed Interprocedural Control
Flow Graph (AICFG) is devised to combine different features of code fragments.
Second, the importance of each node in the AICFG is calculated with an improved
PageRank algorithm, which also models the influence between connected nodes.
During fuzzing, node importance is updated periodically by a propagation
algorithm. The seed selection and energy scheduling of a seed input are then
determined by the importance of its execution trace. We implement this approach
on top of AFL in a tool named FunAFL and evaluate it on 14 real-world programs
against AFL and two of its improvements. FunAFL achieves 17% higher branch
coverage than the others on average and finds 13 bugs within 72 hours, 3 of
which have been confirmed with CVE identifiers.
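The pipeline described in the abstract (attributed graph, attribute-weighted PageRank, trace importance, importance-driven seed selection and energy assignment) is easiest to see on a toy graph. The following is an added illustration written for this page, not FunAFL's code: the seven-node graph, the node attributes, the seed traces, the weighting formula 1 + mem + 2*danger, the personalized-teleport variant of PageRank and the "halve the weight of heavily exercised nodes" update rule are all assumptions chosen to make the mechanism concrete.

```python
"""Importance-based seed scheduling over a small attributed interprocedural CFG.

Added example; the graph, attributes, weighting and update rule are assumed,
not taken from FunAFL.
"""
from typing import Dict, List

Graph = Dict[str, List[str]]

# Constructed AICFG: node -> control-flow successors (intra- and interprocedural).
AICFG: Graph = {
    "main": ["parse_header", "read_body"],
    "parse_header": ["validate", "alloc_record"],
    "read_body": ["alloc_record", "copy_payload"],
    "validate": ["main"],
    "alloc_record": ["copy_payload"],
    "copy_payload": ["free_record"],
    "free_record": [],
}

# Constructed per-node attributes: number of memory-management calls and of
# dangerous library calls (memcpy, strcpy, sscanf, ...) in the fragment.
ATTRS = {
    "main": {"mem": 0, "danger": 0},
    "parse_header": {"mem": 0, "danger": 1},
    "read_body": {"mem": 1, "danger": 0},
    "validate": {"mem": 0, "danger": 0},
    "alloc_record": {"mem": 2, "danger": 0},
    "copy_payload": {"mem": 0, "danger": 2},
    "free_record": {"mem": 1, "danger": 0},
}

# Constructed seed corpus: seed name -> nodes on its execution trace.
SEEDS = {
    "s1": ["main", "parse_header", "validate", "main"],
    "s2": ["main", "read_body", "alloc_record", "copy_payload", "free_record"],
}


def attribute_weight(attrs: Dict[str, int]) -> float:
    """Assumed combination of attributes into one positive node weight."""
    return 1.0 + attrs["mem"] + 2.0 * attrs["danger"]


def weighted_pagerank(graph: Graph, weights: Dict[str, float],
                      damping: float = 0.85, iters: int = 200,
                      tol: float = 1e-10) -> Dict[str, float]:
    """Personalized PageRank: the teleport vector is proportional to the node
    weights, so attribute-rich nodes get a boost and pass part of it along
    their edges (influence between connected nodes). Dangling nodes
    redistribute their rank by the teleport vector so the ranks sum to 1."""
    nodes = list(graph)
    total = sum(weights[v] for v in nodes)
    teleport = {v: weights[v] / total for v in nodes}
    rank = dict(teleport)
    for _ in range(iters):
        new = {v: (1.0 - damping) * teleport[v] for v in nodes}
        for u in nodes:
            succ = graph[u]
            if succ:
                share = damping * rank[u] / len(succ)
                for v in succ:
                    new[v] += share
            else:
                for v in nodes:
                    new[v] += damping * rank[u] * teleport[v]
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def trace_importance(trace: List[str], rank: Dict[str, float]) -> float:
    """Importance of a seed = summed importance of the distinct nodes it covers."""
    return sum(rank[v] for v in set(trace))


def select_seed(seeds: Dict[str, List[str]], rank: Dict[str, float]) -> str:
    """Pick the seed whose execution trace is most important."""
    return max(seeds, key=lambda s: trace_importance(seeds[s], rank))


def energy(trace: List[str], rank: Dict[str, float],
           seeds: Dict[str, List[str]], base: int = 100) -> int:
    """Scale a base energy by this seed's importance relative to the corpus mean."""
    mean = sum(trace_importance(t, rank) for t in seeds.values()) / len(seeds)
    return int(base * trace_importance(trace, rank) / mean)


def decay_explored(weights: Dict[str, float], hits: Dict[str, int],
                   threshold: int = 1000, factor: float = 0.5) -> Dict[str, float]:
    """Assumed periodic update: halve the weight of nodes hit more than
    `threshold` times so importance flows toward less explored code."""
    return {v: (w * factor if hits.get(v, 0) > threshold else w)
            for v, w in weights.items()}


if __name__ == "__main__":
    w = {v: attribute_weight(a) for v, a in ATTRS.items()}
    r = weighted_pagerank(AICFG, w)
    for node, val in sorted(r.items(), key=lambda kv: -kv[1]):
        print(f"{node:14s} {val:.4f}")
    best = select_seed(SEEDS, r)
    print("next seed:", best, "energy:", energy(SEEDS[best], r, SEEDS))
```

Running the script lists the node ranks in descending order and then names the seed to fuzz next with its energy; the seed that passes through the allocation-heavy and copy-heavy path is preferred and receives more than the base energy, while the header-only seed receives less. After a round of fuzzing, feeding per-node hit counts to `decay_explored` and recomputing the ranks shifts importance toward code that has not yet been exercised.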
Authors: Wenshuo Wang, Liang Cheng, Yang Zhang