Review of Fuzzing Based on Machine Learning

doi:10.3969/j.issn.1671-1122.2023.08.001

Abstract

Abstract:

Fuzzing is one of the most popular vulnerability discovering techniques today. Traditional fuzzing often requires a lot of labor, which increases the application cycle of fuzzing. Besides, expert experience determines the effect of fuzzing. The wide application of machine learning has enabled machine learning techniques to be applied to software security testing. Many research works use machine learning to optimize the fuzzing process, making up for many defects of traditional fuzzing technology. This paper provided a review of fuzzing based on machine learning. Firstly, common vulnerability discovery methods, fuzzing process and classification, and the shortcomings of traditional fuzzing were summarized. Then, from the perspective of test case generation, mutation, screening, and scheduling of fuzzing, this paper focused on the application research of machine learning methods in fuzzing, as well as the research work on combining machine learning and fuzzing to realize other functions. Finally, based on the existing work, this paper analyzed and summarized the limitations and challenges in the current research work, and prospected the future development directions of this field.

Key words: fuzzing, vulnerability discovery, machine learning

CLC Number:

TP309

WANG Juan, ZHANG Chong, GONG Jiaxin, LI Jun’e. Review of Fuzzing Based on Machine Learning[J]. Netinfo Security, 2023, 23(8): 1-16.

Figures/Tables 5

References 68

[1]	SUN Hongyu, HE Yuan, WANG Jice, et al. Application of Artificial Intelligence Technology in the Field of Security Vulnerability[J]. Journal on Communications, 2018, 39(8): 1-17. doi: 10.11959/j.issn.1000-436x.2018137
	孙鸿宇, 何远, 王基策, 等. 人工智能技术在安全漏洞领域的应用[J]. 通信学报, 2018, 39(8): 1-17. doi: 10.11959/j.issn.1000-436x.2018137
[2]	GU Mianxue, SUN Hongyu, HAN Dan, et al. Software Security Vulnerability Mining Based on Deep Learning[J]. Journal of Computer Research and Development, 2021, 58(10): 2140-2162.
	顾绵雪, 孙鸿宇, 韩丹, 等. 基于深度学习的软件安全漏洞挖掘[J]. 计算机研究与发展, 2021, 58(10): 2140-2162.
[3]	LECUN Y, BENGIO Y, HINTON G. Deep Learning[J]. Nature, 2015, 521(7553): 436-444. doi: 10.1038/nature14539
[4]	DENG Li, YU Dong. Deep Learning: Methods and Applications[J]. Foundations and Trends in Signal Processing, 2014, 7(4): 197-387. doi: 10.1561/2000000039 URL
[5]	SAAVEDRA G J, RODHOUSE K N, DUNLAVY D M, et al. A Review of Machine Learning Applications in Fuzzing[EB/OL]. (2019-08-04)[2022-10-07]. https://arxiv.org/pdf/1906.11133.pdf.
[6]	WANG Yan, JIA Peng, LIU Luping, et al. A Systematic Review of Fuzzing Based on Machine Learning Techniques[EB/OL]. (2020-08-18)[2022-10-07]. https://arxiv.org/abs/1908.01262.
[7]	ZOU Quanchen, ZHANG Tao, WU Runpu, et al. From Automation to Intelligence: Survey of Research on Vulnerability Discovery Techniques[J]. Journal of Tsinghua University (Science and Technology), 2018, 58(12): 1079-1094.
	邹权臣, 张涛, 吴润浦, 等. 从自动化到智能化:软件漏洞挖掘技术进展[J]. 清华大学学报(自然科学版), 2018, 58(12): 1079-1094.
[8]	MILLER B P, FREDRIKSEN L, SO B. An Empirical Study of the Reliability of UNIX Utilities[J]. Communications of the ACM, 1990, 33(12): 32-44. doi: 10.1145/96267.96279 URL
[9]	AMINI P. Fuzzing: Brute Force Vulnerability Discovery[M]. Boston: Addison Wesley Publishing Company, 2007.
[10]	CHA S K, WOO M, BRUMLEY D. Program-Adaptive Mutational Fuzzing[C]//IEEE. 2015 IEEE Symposium on Security and Privacy. New York: IEEE, 2015: 725-741.
[11]	HOSCHELE M, ZELLER A. Mining Input Grammars from Dynamic Taints[C]//IEEE. 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2016: 720-725.
[12]	KAKSONEN R, LAAKSO M, TAKANEN A. Software Security Assessment Through Specification Mutations and Fault Injection[C]//Springer. Communications and Multimedia Security Issues of the New Century. Berlin: Springer, 2001: 173-183.
[13]	GODEFROID P, LEVIN M Y, MOLNAR D. Automated Whitebox Fuzz Testing[C]//IEEE. Proceedings of Network and Distributed Systems Security (NDSS) 2008. New York: IEEE, 2008: 151-166.
[14]	CADAR C, DUNBAR D, ENGLER D R. Klee:Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs[C]//ACM. Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation. New York: ACM, 2008: 209-224.
[15]	SEN K, AGHA G. CUTE and jCUTE: Concolic Unit Testing and Explicit Path Model-Checking Tools[C]//Springer. International Conference on Computer Aided Verification. Berlin: Springer, 2006: 419-423.
[16]	GODEFROID P. Random Testing for Security:Blackbox vs Whitebox Fuzzing[C]//IEEE. Proceedings of the 2nd International Workshop on Random Testing: Co-Located with the 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2007). New York: IEEE, 2007: 1-10.
[17]	LI Jun, ZHAO Bodong, ZHANG Chao. Fuzzing: A Survey[J]. Cybersecurity, 2018, 1(1): 1-13. doi: 10.1186/s42400-018-0005-8
[18]	GODEFROID P, KIEZUN A, LEVIN M Y. Grammar-Based Whitebox Fuzzing[C]//ACM. Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM, 2008: 206-215.
[19]	NILIZADEH S, NOLLER Y, PASAREANU C S. DifFuzz:Differential Fuzzing for Side-Channel Analysis[C]//IEEE. 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). New York: IEEE, 2019: 176-187.
[20]	WANG Junjie, CHEN Bihuan, WEI Lei, et al. Superion:Grammar-Aware Greybox Fuzzing[C]//IEEE. 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). New York: IEEE, 2019: 724-735.
[21]	MICHAL Z. 2017 American Fuzzy Lop[EB/OL]. (2017-03-12)[2022-10-07]. http://lcamtuf.coredump.cx/afl.
[22]	BÖHME M, PHAM V T, NGUYEN M D, et al. Directed Greybox Fuzzing[C]//ACM. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2329-2344.
[23]	CHEN Hongxu, XUE Yinxing, LI Yuekang, et al. Hawkeye:Towards a Desired Directed Grey-Box Fuzzer[C]//ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018: 2095-2108.
[24]	REN Zezhong, ZHENG Han, ZHANG Jiayuan, et al. A Review of Fuzzing Techniques[J]. Journal of Computer Research and Development, 2021, 58(5): 944-963.
	任泽众, 郑晗, 张嘉元, 等. 模糊测试技术综述[J]. 计算机研究与发展, 2021, 58(5): 944-963.
[25]	ZHANG Xiong, LI Zhoujun. Survey of Fuzz Testing Technology[J]. Computer Science, 2016, 43(5): 1-8, 26. doi: 10.11896/j.issn.1002-137X.2016.05.001
	张雄, 李舟军. 模糊测试技术研究综述[J]. 计算机科学, 2016, 43 (5): 1-8, 26. doi: 10.11896/j.issn.1002-137X.2016.05.001
[26]	GODEFROID P, PELEG H, SINGH R. Learn&Fuzz:Machine Learning for Input Fuzzing[C]//IEEE. 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2017: 50-59.
[27]	NASRABADI M Z, PARSA S, KALAEE A. Format-Aware Learn&Fuzz: Deep Test Data Generation for Efficient Fuzzing[J]. Neural Computing and Applications, 2021, 33(5): 1497-1513. doi: 10.1007/s00521-020-05039-7
[28]	SABLOTNY M, JENSEN B S, JOHNSON C W. Recurrent Neural Networks for Fuzz Testing Web Browsers[C]//Springer. Information Security and Cryptology-ICISC 2018. Berlin: Springer, 2019: 354-370.
[29]	PADURARU C, MELEMCIUC M C. An Automatic Test Data Generation Tool Using Machine Learning[EB/OL]. (2018-10-16)[2022-10-07]. https://pdfs.semanticscholar.org/82bd/ef8522578768ffa161a255eb9ce68b99e371.pdf.
[30]	JITSUNARI Y, ARAHORI Y. Coverage-Guided Learning-Assisted Grammar-Based Fuzzing[C]//IEEE. 2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). New York: IEEE, 2019: 275-280.
[31]	CHENG Liang, ZHANG Yang, ZHANG Yi, et al. Optimizing Seed Inputs in Fuzzing with Machine Learning[C]//IEEE. 2019 IEEE/ACM 41st International Conference on Software Engineering:Companion Proceedings (ICSE-Companion). New York: IEEE, 2019: 244-245.
[32]	FAN Rong, CHANG Yaoyao. Machine Learning for Black-Box Fuzzing of Network Protocols[C]//Springer. Information and Communications Security-ICICS 2017. Berlin: Springer, 2018: 621-632.
[33]	GAO Zicong, DONG Weiyu, CHANG Rui, et al. The Stacked Seq2Seq-Attention Model for Protocol Fuzzing[C]//IEEE. 2019 IEEE 7th International Conference on Computer Science and Network Technology (ICCSNT). New York: IEEE, 2019: 126-130.
[34]	LAI Yingxu, GAO Huijuan, LIU Jing. Vulnerability Mining Method for the Modbus TCP Using an Anti-Sample Fuzzer[J]. Sensors, 2020, 20(7): 20-40. doi: 10.3390/s20010020 URL
[35]	ZHAO Hui, LI Zhihui, WEI Hansheng, et al. SeqFuzzer:An Industrial Protocol Fuzzing Framework from a Deep Learning Perspective[C]//IEEE. 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST). New York: IEEE, 2019: 59-67.
[36]	HU Zhicheng, SHI Jianqi, HUANG Yanhong, et al. GANFuzz:A GAN-Based Industrial Network Protocol Fuzzing Framework[C]//ACM. Proceedings of the 15th ACM International Conference on Computing Frontiers. New York: ACM, 2018: 138-145.
[37]	CUMMINS C, PETOUMENOS P, MURRAY A, et al. Compiler Fuzzing Through Deep Learning[C]//ACM. Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2018: 95-105.
[38]	LIU Xiao, LI Xiaoting, PRAJAPATI R, et al. DeepFuzz:Automatic Generation of Syntax Valid C Programs for Fuzz Testing[C]//ACM. Proceedings of the AAAI Conference on Artificial Intelligence. New York: ACM, 2019: 1044-1051.
[39]	LEE S, HAN H S, CHA S K, et al. Montage:A Neural Network Language Model-Guided Javascript Engine Fuzzer[C]//USENIX. 29th USENIX Security Symposium. Berkley: USENIX, 2020: 2613-2630.
[40]	YE Guixin, TANG Zhanyong, TAN S H, et al. Automated Conformance Testing for Javascript Engines via Deep Compiler Fuzzing[C]//ACM. Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. New York: ACM, 2021: 435-450.
[41]	LIU Peng, ZHANG Xiangyu, PISTOIA M, et al. Automatic Text Input Generation for Mobile Testing[C]//IEEE. 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE). New York: IEEE, 2017: 643-653.
[42]	LI Yuanchun, YANG Ziyue, GUO Yao, et al. Humanoid:A Deep Learning-Based Approach to Automated Black-Box Android App Testing[C]//IEEE. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2019: 1070-1073.
[43]	CHEN Yuqi, POSKITT C M, SUN Jun, et al. Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences[C]//IEEE. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2019: 962-973.
[44]	RAJPAL M, BLUM W, SINGH R. Not All Bytes are Equal: Neural Byte Sieve for Fuzzing[EB/OL]. (2017-11-10)[2022-10-07]. https://arxiv.org/abs/1711.04596.
[45]	SHE Dongdong, PEI Kexin, EPSTEIN D, et al. Neuzz:Efficient Fuzzing with Neural Program Smoothing[C]//IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 803-817.
[46]	SHE Dongdong, RAHUL K, YAN Lu, et al. MTFuzz:Fuzzing with a Multi-Task Neural Network[C]//ACM. Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2020). New York: ACM, 2020: 737-749.
[47]	WU Mingyuan, JIANG Ling, XIANG Jiahong, et al. Evaluating and Improving Neural Program-Smoothing-Based Fuzzing[C]//IEEE. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). New York: IEEE, 2022: 847-858.
[48]	KARAMCHETI S, MANN G, ROSENBERG D. Adaptive Grey-Box Fuzz-Testing with Thompson Sampling[C]//ACM. Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security. New York: ACM, 2018: 37-47.
[49]	DROZD W, MICHAEL D W. FuzzerGym: A Competitive Framework for Fuzzing and Learning[EB/OL]. (2018-07-19)[2022-10-07]. https://arxiv.org/abs/1807.07490.
[50]	BOTTINGER K, GODEFROID P, SINGH R. Deep Reinforcement Fuzzing[C]//IEEE. 2018 IEEE Security and Privacy Workshops (SPW). New York: IEEE, 2018: 116-122.
[51]	WU Mingyuan, JIANG Ling, XIANG Jiahong, et al. One Fuzzing Strategy to Rule Them All[C]//IEEE. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). New York: IEEE, 2022: 1634-1645.
[52]	ZHAO Yuyue, LI Yangyang, YANG Tengfei, et al. Suzzer: A Vulnerability-Guided Fuzzer Based on Deep Learning[C]//Springer. Information Security and Cryptology:15th International Conference. Berlin: Springer, 2020: 134-153.
[53]	LI Yuwei, JI Shouling, LYU Chenyang, et al. V-Fuzz: Vulnerability Prediction-Assisted Evolutionary Fuzzing for Binary Programs[J]. IEEE Transactions on Cybernetics, 2020, 52(5): 3745-3756. doi: 10.1109/TCYB.2020.3013675 URL
[54]	WANG Yunchao, WU Zehui, WEI Qiang, et al. NeuFuzz: Efficient Fuzzing with Deep Neural Network[J]. IEEE Access, 2019(7): 36340-36352.
[55]	CHEN Yaohui, AHMADI M, FARKHANI R M, et al. MEUZZ:Smart Seed Scheduling for Hybrid Fuzzing[C]//USENIX. 23rd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2020). Berkley: USENIX, 2020: 77-92.
[56]	WANG Jinghan, SONG Chengyu, YIN Heng. Reinforcement Learning-Based Hierarchical Seed Scheduling for Greybox Fuzzing[EB/OL]. (2021-01-01)[2022-10-07]. https://escholarship.org/uc/item/44p2v1gd.
[57]	WANG Daimeng, ZHANG Zheng, ZHANG Hang, et al. SyzVegas:Beating Kernel Fuzzing Odds with Reinforcement Learning[C]//USENIX. 30th USENIX Security Symposium. Berkley: USENIX, 2021: 2741-2758.
[58]	SUN Xiaoshan, FU Yu, DONG Yun, et al. Improving Fitness Function for Language Fuzzing with PCFG Model[C]//IEEE. 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC). New York: IEEE, 2018: 655-660.
[59]	SANJEEV D, KEDRIAN J, JAN W, et al. A Flexible Framework for Expediting Bug Finding by Leveraging Past (Mis-)Behavior to Discover New Bugs[C]//ACM. Annual Computer Security Applications Conference (ACSAC’20). New York: ACM, 2020: 345-359.
[60]	GONG Weiwei, ZHANG Gen, ZHOU Xu. Learn to Accelerate Identifying New Test Cases in Fuzzing[C]//Springer. International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage. Berlin: Springer, 2017: 298-307.
[61]	JOFFE L. Machine Learning Augmented Fuzzing[C]//IEEE. 2018 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). New York: IEEE, 2018: 178-183.
[62]	JOFFE L, CLARK D. Directing a Search Towards Execution Properties with a Learned Fitness Function[C]//IEEE. 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST). New York: IEEE, 2019: 206-216.
[63]	ZONG Peiyuan, LYU Tao, WANG Dawei, et al. Fuzzguard:Filtering out Unreachable Inputs in Directed Grey-Box Fuzzing Through Deep Learning[C]//USENIX. 29th USENIX Security Symposium. Berkley: USENIX, 2020: 2255-2269.
[64]	MING Liang, ZHAO Gang, HUANG Minhuan, et al. Remote Protocol Vulnerability Discovery for Intelligent Transportation Systems (ITS)[C]//IEEE. 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). New York: IEEE, 2018: 923-929.
[65]	TRIPATHI S, GRIECO G, RAWAT S. Exniffer:Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump[C]//IEEE. 2017 24th Asia-Pacific Software Engineering Conference (APSEC). New York: IEEE, 2017: 239-248.
[66]	ZHANG Li, THING V. Assisting Vulnerability Detection by Prioritizing Crashes with Incremental Learning[C]//IEEE. TENCON 2018 IEEE Region 10 Conference. New York: IEEE, 2018: 2080-2085.
[67]	YAN Guanhua, LU Junchen, SHU Zhan, et al. Exploitmeter:Combining Fuzzing with Machine Learning for Automated Evaluation of Software Exploitability[C]//IEEE. 2017 IEEE Symposium on Privacy-Aware Computing (PAC). New York: IEEE, 2017: 164-175.
[68]	YOU Wei, ZONG Peiyuan, CHEN Kai, et al. Semfuzz:Semantics-Based Automatic Generation of Proof-of-Concept Exploits[C]//ACM. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2139-2154.

已有工作		发表时间	测试目标类型	模型输入	学习模型	模型功能
文件解析	文献[26]方法	2017	PDF文件解析工具	文件字符流	Char-RNN	生成PDF 文件
	文献[27]方法	2021	文件解析工具	文件字符流	RNN(LSTM)	学习文件结构并生成新文件
	文献[28]方法	2018	Web 浏览器	One-hot 编码向量	LSTM/GRU	生成HTML文件
	文献[29]方法	2018	文件解析工具	文件文本	Seq2Seq	生成多种格式的文件
	文献[30]方法	2019	PDF文件解析工具	指令序列	RNN	生成PDF页面指令流
	文献[31]方法	2019	PDF文件解析工具	PDF文件	RNN、Seq2Seq	生成PDF 文件
协议解析	文献[32]方法	2018	专有网络协议	网络数据包	LSTM、Seq2Seq	生成网络协议数据包
	文献[33]方法	2019	网络协议	网络数据包	Seq2seq-attention	解析协议规范
	文献[34]方法	2020	Modbus TCP	Modbus TCP网络层数据包	RNN	学习协议数据单元的语义
	文献[35]方法	2019	工业协议解析工具	协议数据包	Seq2Seq、LSTM	生成虚假可信的协议消息
	文献[36]方法	2018	工业协议解析工具	协议数据包	GAN(LSTM/CNN)	生成虚假可信的协议消息
代码解析	文献[37]方法	2018	编译器	程序代码	LSTM	推断代码结构
	文献[38]方法	2019	C编译器	C源程序	Seq2Seq	生成C 代码
	文献[39]方法	2020	JavaScript 引擎	AST序列	LSTM	生成JavaScript 程序
	文献[40]方法	2021	JavaScript 引擎	JS源代码中单词的统计向量	GPT-2	生成JavaScript 程序
其他	文献[41]方法	2017	移动应用程序	自定义的行为模型向量表示	RNN、Word2Vec	生成上下文相关文本
	文献[42]方法	2019	移动应用程序	GUI上下文的向量表示	LSTM	生成GUI行为输入
	文献[43]方法	2019	CPS	—	LSTM/SVR	指导生成CPS测试用例

已有工作	发表时间	测试目标类型	模型输入	学习模型	模型功能
文献[44]方法	2017	文件解析工具	文件字节序列	Seq2Seq、LSTM	预测种子变异位置
文献[45]方法	2019	二进制程序	待测程序输入和输出测试输入字节序列	NN	近似模拟目标程序的逻辑分支，指导模糊器的种子突变
文献[46]方法	2020			MTNN
文献[47]方法	2022			NN
文献[48]方法	2018	二进制程序	测试程序的输入	MAB	预测变异算子概率分布
文献[49]方法	2018	二进制程序	文件字节序列	DQN	优化变异选择策略
文献[50]方法	2018	—	包含状态、操作和奖励信息的向量	Q-Learning	指导生成高回报的输入
文献[51]方法	2022	—	测试程序的输入	UCB1-Tuned	预测Havoc堆叠次数和变异算子

已有工作		发表时间	模型输入	学习模型	模型功能
种子调度	文献[52]方法	2020	函数ACFG	Bi-LSTM	预测代码块的脆弱性
	文献[53]方法	2020	函数ACFG	图嵌入网络	预测脆弱性代码位置
	文献[54]方法	2019	指令字节码组成的执行路径	LSTM	预测路径脆弱性
	文献[55]方法	2020	种子特征向量和对应标签	有监督机器学习	预测测试用例的模糊测试效果
	文献[56]方法	2021	种子集合	UCB1	实现多级覆盖度的分层调度
	文献[57]方法	2021	任务集合和种子集合	MAB	进行种子选择
测试用例筛选	文献[58]方法	2018	AST	PCFG、Markov	辅助进化算法中的适应度函数计算
	文献[59]方法	2020	HPC事件集	MLP	预测输入是否能触发异常
	文献[60]方法	2017	AFL生成测试用例和执行结果	DL	分析变异得到的测试用例是否会到达新状态
	文献[61]方法	2018	AFL生成的测试用例	NN	分析不同类型软件的变异模式
	文献[62]方法	2019	包含状态、操作和奖励信息的向量	NN	指导生成高回报的输入
	文献[63]方法	2020	待测程序输入和可访问性	CNN	预测测试用例的目标可达性

已有研究工作	发表时间	学习模型	模型功能
文献[64]方法	2018	ML	对模糊测试得到的请求和响应进行分析识别
文献[65]方法	2017	SVM	识别崩溃的可利用性，确定要检查崩溃的优先级
文献[66]方法	2018	n-gram	识别崩溃的可利用性，确定要检查崩溃的优先级
文献[67]方法	2017	ML	静态评估软件可开发性
文献[68]方法	2017	NLP	从漏洞描述信息中提取脆弱性信息