并行模糊测试综述

摘要/Abstract

摘要： 软件脆弱性已成为互联网安全的主要威胁来源，软件脆弱性分析技术的重要性日益突出。模糊测试是脆弱性分析的热点技术之一，通过持续生成测试用例、动态监控目标代码执行和反馈调节变异策略的方法尝试触发程序异常，具有部署便捷、适用性广和效果直观的优点。随着测试目标的复杂性增加，从业人员对模糊测试的效率提出了更高的要求。并行模糊测试通过并行执行、任务分解和共享信息等方法提高脆弱性分析的效率。首先，分析了基于覆盖反馈的模糊测试面临的主要挑战；之后，探讨了并行模糊测试的解决思路和方案，从系统结构、任务划分、语料库共享和崩溃去重等方面对并行模糊测试进行了综述；最后，总结了现有并行模糊测试的优缺点，并对未来发展方向进行了展望。

关键词: 模糊测试, 并行模糊测试, 任务分发, 语料库共享, 崩溃去重

Abstract: Abstract:Software vulnerability has become the main threat of Internet security, so software vulnerability analysis technology has become increasingly prominent. As one of the hotspot technologies in vulnerability analysis, fuzzing triggers program exceptions by continuously generating test cases, dynamically monitoring the execution of target code, and implementing feedback adjusting variation strategies. Fuzzing has the advantages of convenient deployment, wide applicability and intuitive effect. However, the dynamic execution, variation and feedback mechanism of fuzzing is time-consuming, which affects the efficiency of vulnerability analysis. However, parallel fuzzing improves the efficiency of vulnerability detection with the help of parallel execution, task decomposition and information sharing. Firstly, the main challenges of fuzzing based on coverage feedback are analyzed. Besides, the ideas and solutions of parallel fuzzing are discussed. In addition, the system structure, task division, corpus sharing, crash de-duplication and other aspects of parallel fuzzing are summarized. Finally, the advantages and disadvantages of existing parallel fuzzing are summarized, and the future development direction is prospected.

Key words: fuzzing, parallel fuzzing, task division, corpus sharing, crash de-duplication

顾涛涛, 卢帅兵, 李响, 况晓辉, 赵刚. 并行模糊测试综述[J]. 计算机工程与科学, 2022, 44(06): 1046-1055.

GU Tao-tao, LU Shuai-bing, LI Xiang, KUANG Xiao-hui, ZHAO Gang. Overview of parallel fuzzing[J]. Computer Engineering & Science, 2022, 44(06): 1046-1055.

参考文献［52］

［1］	Yu Zhao-hui.A picture to understand the overview of Chinas Internet network security situation in 2019 ［J］.Civil-Military Integration on Cyberspace,2020,35(4):29-30.(in Chinese)
［2］	Microsoft security bulletin MS17-010-Critical\|Microsoft Docs［EB/OL］.［2020-10-23］.https://docs.microsoft.com/en-us/securityupdates/sec-uritybulletins/2017/ms17-010.
［3］	Liu B C, Shi L,Cai Z H,et al.Software vulnerability discovery techniques:A survey［C］∥Proc of the 4th International Conference on Multimedia Information Networking and Security,2012:152-156.
［4］	Khedker U,Sanyal A,Sathe B.Data flow analysis:Theory and practice［M］.Boca Raton:CRC Press,2017.
［5］	Baldoni R,Coppa E,Delia D C,et al.A survey of symbolic execution techniques［J］.ACM Computing Surveys,2018,51(3):1-39.
［6］	Li J, Zhao B, Zhang C. Fuzzing: A survey［J］. Cybersecurity, 2018, 1(1): 1-13.
［7］	Microsoft previews project Springfield,a cloud-based bug detector—The AI blog［EB/OL］.［2020-10-22］.https://blogs.microsoft.com/ai/microsoft-previews-project-springfield-cloud-based-bug-detector/.
［8］	Serebryany K. Announcing OSS-Fuzz: Continuous fuzzing for open source software［EB/OL］. ［2016-12-11］.https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html.
［9］	Google online security blog: Open sourcing ClusterFuzz［EB/OL］.［2020-10-23］.https://security.googleblog.com/2019/02/open-sourcing-clusterfuzz.html.
［10］	Project OneFuzz—Microsoft research［EB/OL］.［2020-10-23］.https://www.microsoft.com/en-us/research/project/project-onefuzz/.
［11］	Wen C, Wang H J,Li Y K,et al.Memlock:Memory usage guided fuzzing［C］∥Proc of the 42nd International Conference on Software Engineering,2020:765-777.
［12］	Nagy S,Hicks M.Full-speed fuzzing:Reducing fuzzing overhead through coverage-guided tracing［C］∥Proc of 2019 IEEE Symposium on Security and Privacy,2019:787-802.
［13］	Zhou C, Wang M, Liang J, et al. Zeror: Speed up fuzzing with coverage-sensitive tracing and scheduling［C］//Proc of the 35th IEEE/ACM International Conference on Automated Software Engineering, 2020:858-870.
［14］	Miller B. Project list［EB/OL］. ［1988-12-10］. https://pages.cs.wisc.edu/~bart/fuzz/CS736-Projects-f1988.pdf.
［15］	Zalewski M. American fuzzy lop［EB/OL］. ［2014-12-11］.https://lcamtuf.coredump.cx/afl/.
［16］	Wang J J,Chen B H,Wei L,et al.Skyfire:Data-driven seed generation for fuzzing［C］∥Proc of 2017 IEEE Symposium on Security and Privacy,2017:579-594.
［17］	Godefroid P, Peleg H, Singh R.Learn & fuzz:Machine learning for input fuzzing［C］∥Proc of the 32nd IEEE/ACM International Conference on Automated Software Engineering,2017:50-59.
［18］	Bhme M, Pham V T,Roychoudhury A.Coverage-based greybox fuzzing as Markov chain［J］.IEEE Transactions on Software Engineering,2017,45(5):489-506.
［19］	Bhme M,Pham V T,Nguyen M D,et al.Directed greybox fuzzing［C］∥Proc of the 2017 ACM SIGSAC Conference on Computer and Communications Security,2017:2329-2344.
［20］	Yue T, Wang P F, Tang Y, et al. EcoFuzz: Adaptive energy-saving greybox fuzzing as a variant of the adversarial multi-armed bandit［C］∥Proc of the 29th USENIX Security Symposium, 2020: 2307-2324.
［21］	Rawat S,Jain V,Kumar A,et al.VUzzer:Application-aware evolutionary fuzzing［C］∥Proc of the 24th Annual Network and Distributed System Security Symposium,2017:1-14.
［22］	Gan S T,Zhang C,Chen P,et al.GREYONE:Data flow sensitive fuzzing［C］∥Proc of the 29th USENIX Security Symposium,2020:2577-2594.
［23］	Li He,Zhang Chao,Yang Xin,et al.Survey of OS kernel fuzzing［J］.Journal of Chinese Computer Systems,2019,40(9):1994-1999.(in Chinese)
［24］	Schumilo S, Aschermann C, Gawlik R, et al. kAFL: Hardware-assisted feedback fuzzing for OS kernels［C］∥Proc of the 26th USENIX Security Symposium, 2017:167-182.
［25］	Kim K, Jeong D R, Kim C H, et al. HFL: Hybrid fuzzing on the Linux kernel［C］∥Proc of the 27th Annual Network and Distributed System Security Symposium, 2020:1.
［26］	Jeong D R,Kim K,Shivakumar B,et al.Razzer:Finding kernel race bugs through fuzzing［C］∥Proc of 2019 IEEE Symposium on Security and Privacy,2019:754-768.
［27］	Xu W,Moon H,Kashyap S,et al.Fuzzing file system via two-dimensional input space exploration［C］∥Proc of 2019 IEEE Symposium on Security and Privacy,2019:818-834.
［28］	Schumilo S, Aschermann C,Abbasi A,et al.HYPER-CUBE:High-dimensional hypervisor fuzzing［C］∥Proc of the 27th Annual Network and Distributed System Security Symposium,2020:23-26.
［29］	Zhong R,Chen Y,Hu H,et al.SQUIRREL:Testing database management systems with language validity and coverage feedback［C］∥Proc of the 2020 ACM SIGSAC Conference on Computer and Communications Security,2020:955-970.
［30］	Kim T,Kim C H,Rhee J,et al.RVFUZZER:Finding input validation bugs in robotic vehicles through control-guided testing［C］∥Proc of the 28th USENIX Security Symposium,2019:425-442.
［31］	Zhang G,Zhou X,Luo Y Q,et al.PTfuzz:Guided fuzzing with processor trace feedback［J］.IEEE Access,2018,6:37302-37313.
［32］	ClusterFuzz［EB/OL］. ［2020-10-23］.https://google.github.io/clusterfuzz/.
［33］	Xu W,Kashyap S,Min C,et al.Designing new operating primitives to improve fuzzing performance［C］∥Proc of the 2017 ACM SIGSAC Conference on Computer and Communications Security,2017:2313-2328.
［34］	Li Y,Feng C,Tang C.A large-scale parallel fuzzing system［C］∥Proc of the 2nd International Conference on Advances in Image Processing,2018:194-197.
［35］	Ye J X,Zhang B,Li R L,et al.Program state sensitive parallel fuzzing for real world software［J］.IEEE Access,2019,7:42557-42564.
［36］	Li S S,Li R L,Ye J X,et al.Adaptive parallel fuzzing with multi-candidate task scheduling［J］.Journal of Physics:Conference Series,2020,1619:012019.
［37］	Liang J,Jiang Y,Chen Y L,et al.PAFL:Extend fuzzing optimizations of single mode to industrial parallel mode［C］∥Proc of the 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering,2018:809-814.
［38］	Chen Y, Jiang Y,Ma F,et al.EnFuzz:Ensemble fuzzing with seed synchronization among diverse fuzzers［C］∥Proc of the 28th USENIX Security Symposium,2019:1967-1983.
［39］	Güler E, Grz P, Geretto E, et al. CUPID: Automatic fuzzer selection for collaborative fuzzing［C］//Proc of Annual Computer Security Applications Conference, 2020:360-372.
［40］	Serebryany K. libFuzzer–A library for coverage-guided fuzz testing［EB/OL］. ［2015-12-11］. https://llvm.org/docs/LibFuzzer.html.
［41］	Swiecki R. Honggfuzz［EB/OL］.［2016-11-12］.http://code.google.com/p/honggfuzz.
［42］	Song C,Zhou X,Yin Q,et al.P-Fuzz:A parallel grey-box fuzzing framework［J］.Applied Sciences,2019,9(23):5100.
［43］	Zhou X,Wang P F,Liu C Y F,et al.UniFuzz:Optimizing distributed fuzzing via dynamic centralized task scheduling［J］.arXiv:2009.06124,2020.
［44］	Yan X.Using grid computing for large scale fuzzing［D］.Lisbon:Universidade Nova de Lisboa,2010.
［45］	Richo/Roving［EB/OL］.［2020-10-23］.https://github.com/richo/roving.
［46］	MartijnB/disfuzz-afl:Distributed fuzzing for afl［EB/OL］.［2020-10-23］.https://github.com/MartijnB/disfuzz-afl.
［47］	Mxmssh/manul:Manul is a coverage-guided parallel fuzzer for open-source and blackbox binaries on Windows,Linux and MacOS［EB/OL］.［2020-10-23］.https://github.com/mxmssh/manul.
［48］	Stephens N, Grosen J,Salls C,et al.Driller:Augmenting fuzzing through selective symbolic execution［C］∥Proc of the 23rd Annual Network and Distributed System Security Symposium,2016:1-16.
［49］	Yun I, Lee S, Xu M, et al. QSYM: A practical concolic execution engine tailored for hybrid fuzzing［C］∥Proc of the 27th USENIX Security Symposium,2018:745-761.
［50］	Chen Y H,Li P,Xu J,et al.SAVIOR:Towards bug-driven hybrid testing［C］∥Proc of 2020 IEEE Symposium on Security and Privacy,2020:1580-1596.
［51］	Lemieux C,Sen K.FairFuzz:A targeted mutation strategy for increasing greybox fuzz testing coverage［C］∥Proc of the 33rd ACM/IEEE International Conference on Automated Software Engineering,2018:475-485.
［52］	Liang Hong-liang,Yang Xiao-yu, Dong Yu,et al.Parallel smart fuzzing test［J］.Journal of Tsinghua University (Science and Technology),2014,54(1):14-19.(in Chinese)
［53］	Li Y,Ji S,Chen Y,et al.UNIFUZZ:A holistic and pragmatic metrics-driven platform for evaluating fuzzers［J］.arXiv:2010.01785,2020.
	附中文参考文献：
［1］	于朝晖.一图读懂《2019年我国互联网网络安全态势综述》［J］.网信军民融合,2020,35(4):29-30.
［23］	李贺,张超,杨鑫,等.操作系统内核模糊测试技术综述［J］.小型微型计算机系统,2019,40(9):1994-1999.
［52］	梁洪亮，阳晓宇，董钰，等.并行化智能模糊测试［J］.清华大学学报（自然科学版），2014，54（1）：14-19.