面向二进制程序的导向性模糊测试方法

为了解决当前模糊测试技术中变异存在一定的盲目性以及变异生成的样本大多经过相同的高频路径的问题，提出并实现了一种基于轻量级程序分析技术的二进制程序模糊测试方法。首先对目标二进制程序进行静态分析来筛选在模糊测试过程中阻碍样本文件深入程序内部的比较指令；随后对目标文件进行插桩来获取比较指令中操作数的具体值，并根据该具体值为比较指令建立实时的比较进度信息，通过比较进度衡量样本的重要程度；然后基于模糊测试过程中实时的路径覆盖信息为经过稀有路径的样本增加其被挑选进行变异的概率；最后根据比较进度信息并结合启发式策略有针对性地对样本文件进行变异，通过变异引导提高模糊测试中生成能够绕过程序规约检查的有效样本的效率。实验结果表明，所提方法发现crash及发现新路径的能力均优于模糊测试工具AFL-Dyninst。

Directed fuzzing method for binary programs

In order to address the problem that the mutation in the current fuzzing has certain blindness and the samples generated by the mutation mostly pass through the same high-frequency paths, a binary fuzzing method based on light-weight program analysis technology was proposed and implemented. Firstly, the target binary program was statically analyzed to filter out the comparison instructions which hinder the sample files from penetrating deeply into the program during the fuzzing process. Secondly, the target binary program was instrumented to obtain the specific values of the operands in the comparison instructions, according to which the real-time comparison progress information for each comparison instruction was established, and the importance of each sample was measured according to the comparison progress information. Thirdly, the real-time path coverage information in the fuzzing process was used to increase the probability that the samples passing through rare paths were selected to be mutated. Finally, the input files were directed and mutated by the comparison progress information combining with a heuristic strategy to improve the efficiency of generating valid inputs that could bypass the comparison checks in the program. The experimental results show that the proposed method is better than the current binary fuzzing tool AFL-Dyninst both in finding crashes and discovering new paths.