Method on the Model of Exploration and Exploitation to Optimize the AFL Smutation

doi:10.3969/j.issn.1671-1122.2019.06.008

Abstract

Abstract:

Fuzzing is to detect and identify security vulnerabilities by generating different input continuously. It has been widely used in vulnerability discovery. At present, gray-box fuzzy testing is the most popular fuzzing strategy. It combines lightweight code instrumentation with data feedback driver to generate new program input. AFL is an excellent grey-box fuzzing test tool. It is famous for its efficient forkserver execution, reliable genetic algorithm and a variety of mutation strategies. However, its mutation strategy mainly sampled random mutation, which has great blindness. In this paper, a method of reinforcement learning is proposed to optimize mutation strategy. Taking Multi-Armed Bandit problem as a model, the execution effect of input generated by different mutation modes in the target program is recorded. The probabilistic distribution of mutation operation results is adaptively learned byExploration-Exploitation algorithm, and mutation operation strategy is intelligently adjusted to improve the fuzzing performance of AFL. According to the above principles, Thompson sampling is chosen as the optimization algorithm to design and implement AFL-EE fuzzing tool. Five kinds of common file programs are tested and verified. Experiments show that the method can automatically adjust the mutation operation strategy and effectively generate test input with high coverage. The method is feasible and has less additional resource consumption. It is superior to the original AFL in general.

Key words: AFL, multi-armed bandit, exploration-exploitation, thompson sampling

CLC Number:

TP309

Peng XU, Jiayong LIU, Bo LIN. Method on the Model of Exploration and Exploitation to Optimize the AFL Smutation[J]. Netinfo Security, 2019, 19(6): 61-67.

Figures/Tables 4

References 18

[1]	SHI ji, ZENG Zhaolong, YANG Congbao, et al. Fuzzingtest Technology Overview[J]. Netinfo Security, 2014, 14(3): 87-91.
	史记,曾昭龙,杨从保,等.Fuzzing测试技术综述[J].信息网络安全,2014,14(3):87-91.
[2]	ZHANG Xiong, LI Zhoujun.Overview of Fuzzing Test Technology[J]. Computer Science, 2016, 43(5): 1-8, 26.
	张雄,李舟军.模糊测试技术研究综述[J].计算机科学,2016,43(5):1-8,26.
[3]	FENG Jizhou, TIAN Minghui.Research and Consideration of Software Potential Security Defect Test Cases[J]. Netinfo Security, 2015, 15(6): 85-90.
	冯济舟,田明辉.软件潜在安全性缺陷测试案例的研究及思考[J].信息网络安全,2015,15(6):85-90.
[4]	ZOU Quanchen, ZHANG Tao, WU Runpu, et al.From Automation to Intelligence: Advances in Software Vulnerability Mining Technology[J]. Journal of Tsinghua University (Natural Science Edition), 2018, 58(12): 1079-1094.
	邹权臣,张涛,吴润浦,等.从自动化到智能化:软件漏洞挖掘技术进展[J].清华大学学报(自然科学版),2018,58(12):1079-1094.
[5]	ZHANG Lei, CUI Yong, LIU Jing, et al.Application of Machine Learning in Cyberspace Security Research[J]. Journal of Computer Science, 2018, 41(9): 1943-1975.
	张蕾,崔勇,刘静,等.机器学习在网络空间安全研究中的应用[J].计算机学报,2018,41(9):1943-1975.
[6]	WANG Xiaqing, HU Changzhen, MA Rui, et al.A Review of Key Technologies of Binary Program Vulnerability Mining[J]. Netinfo Security, 2017, 17(8): 1-13.
	王夏菁,胡昌振,马锐,等.二进制程序漏洞挖掘关键技术研究综述[J].信息网络安全,2017,17(8):1-13.
[7]	LI Tong, HUANG Xuan, HUANG Rui.Test Case Generation Method in Fuzzing Test[J]. Computer System Application, 2015, 24(4): 139-143.
	李彤,黄轩,黄睿.模糊测试中测试用例生成方法[J].计算机系统应用,2015,24(4):139-143.
[8]	BÖHME M, PHAM V T, NGUYEN M D, et al. Directed Greybox Fuzzing[C]//ACM. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, October 30-November 3, 2017, Dallas, Texas, USA. New York: ACM, 2017: 2329-2344.
[9]	GODEFROID P, LEVIN M Y, MOLNAR D A. Automated Whitebox Fuzz Testing[EB/OL]. , 2008-7-15.
[10]	GODEFROID P, LEVIN M Y, MOLNAR D.SAGE: Whitebox Fuzzing for Security Testing[J]. Communications of the ACM, 2012, 55(3): 40-44.
[11]	HUGO Gascon, CHRISTIAN W, FABIAN Y, et al.Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols[C]//Spring. 11th EAI International Conference, SecureComm 2015, October 26-29, 2015, Dallas, TX, USA. Berlin: Spring, 2015: 330-347.
[12]	YAN Fei.Research on Web Application Vulnerability Mining Based on Genetic Algorithms and Fuzzing Technology[J]. Information Communication, 2018, 18(9): 61-62.
	闫飞. 基于遗传算法和Fuzzing技术的Web应用漏洞挖掘研究[J].信息通信,2018,18(9):61-62.
[13]	MICHAL Z. AFL Technical Details[EB/OL]. , 2017-7-1 5.
[14]	HO Simai, JINYujia, WANG Hua, et al.Overview of Online Learning Methods: Thompson Sampling and Other Methods[J]. Journal of Operational Research, 2017, 21(4): 84-102.
	何斯迈,金羽佳,王华,等.在线学习方法综述:汤普森抽样和其他方法[J].运筹学学报,2017,21(4):84-102.
[15]	ZHOU Zhi-Hua.Machine Learning[M]. Beijing: Tsinghua University Press, 2016(in Chinese).
	周志华. 机器学习[M].北京:清华大学出版社,2016.
[16]	CHAPELLE O, LI L. An Empirical Evaluation of Thompson Sampling[EB/OL]. , 2011-11-5.
[17]	AGRAWAL S, GOYAL N. Analysis of Thompson Sampling for the Multi-armed Bandit Problem[EB/OL]. , 2012-11-5.
[18]	ZHANG Yao, ZHANG Chaorong, LIN Teng, et al.Design and Implementation of Binary Code Test Coverage Evaluation System[J]. Command Information System and Technology, 2015, 6(6): 13-17.
	张垚,张超容,林腾,等.二进制代码测试覆盖率评估系统设计与实现[J].指挥信息系统与技术,2015,6(6):13-17.

编号	变异操作名称	变异方法
0	翻转	随机单个比特位翻转
1~3	特殊替换	随机替换byte、word、dword为特殊
4~9	加减	随机byte、word、dword上加减35以内的数字
10	变换	随机变换1byte内容
11、12	删除	随机删除随机长度的字节
13	克隆增加	随机选取部分数据复制和插入至随机位置
14	随机覆盖	随机选取一个位置替换随机长度内容
15	token覆盖	随机选取token随机的位置替换
16	token插入	随机选取token随机的位置插入

程序	名称	Paths	对比	Crashes	对比
readelf	AFL	7278	+18.37%	2	+50%
readelf	AFL-EE	8615	+18.37%	3	+50%
pngimage	AFL	3696	+19.2%	0	0%
pngimage	AFL-EE	4406	+19.2%	0	0%
imginfo	AFL	1176	+15.47%	14	+42.85%
imginfo	AFL-EE	1358	+15.47%	20	+42.85%
ffmpeg	AFL	1948	+28.54%	0	0%
ffmpeg	AFL-EE	2504	+28.54%	0	0%
wavpack	AFL	1206	+18.40%	41	+41.46%
wavpack	AFL-EE	1428	+18.40%	58	+41.46%