Most greybox fuzzing tools are coverage-guided, because code coverage is strongly correlated with bug coverage. However, since most of the covered code does not contain bugs, blindly extending code coverage is inefficient, especially for corner cases. Unlike coverage-guided greybox fuzzers, which extend code coverage in an undirected manner, a directed greybox fuzzer spends most of its time budget on reaching specific targets (e.g., bug-prone zones) without wasting resources stressing unrelated parts of the program. Thus, directed greybox fuzzing (DGF) is particularly suitable for scenarios such as patch testing, bug reproduction, and specialist bug hunting. This paper studies DGF from a broader view, which takes into account not only the location-directed type that targets specific code parts, but also the behaviour-directed type that aims to expose abnormal program behaviours. Herein, the first in-depth study of DGF is made based on an investigation of 32 state-of-the-art fuzzers (78% were published after 2019) that are closely related to DGF. A thorough assessment of the collected tools is conducted so as to systematise recent progress in this field. Finally, the paper summarises the open challenges and provides perspectives for future research.