四川大学学报(自然科学版) (Journal of Sichuan University, Natural Science Edition), 2025, Vol. 62, Issue 3: 631-640 (10 pages). DOI: 10.19907/j.0490-6756.250004
基于间接调用补充的路径约束定向灰盒模糊测试
Directed grey-box fuzzing based on path constraints with supplemented indirect calls
Abstract
Directed fuzzing conducts targeted testing on specific locations within a program and is commonly used in scenarios such as Proof-of-Concept (PoC) validation, crash reproduction, and patch testing. It utilizes static analysis to obtain relevant information about the target location, which then guides the mutation of test cases. However, existing directed fuzzing methods still face two critical issues that affect testing efficiency. First, the presence of indirect function calls negatively impacts the guidance of fuzzing, leading to errors in distance calculations or a lack of guidance during the early stages of fuzzing. Second, current distance calculation mechanisms fail to effectively distinguish between long seeds and short seeds, and more precise distance calculations require a substantial amount of time. Therefore, this paper proposes a fuzzing method called ConstrainFuzz, which supplements indirect calls and performs fine-grained distance calculation under path constraints. First, we extract indirect calls in the code through multi-layer type matching and complete the function call graph, mitigating misguidance in distance calculation caused by missing indirect calls or false positives. Next, this paper employs static analysis to identify code regions related to the target location and computes the distances from basic blocks in these regions to the target basic block for selective instrumentation, modifying the function distance calculation mechanism to distinguish between long and short seeds. We evaluate ConstrainFuzz on the Magma benchmark, and experimental results demonstrate that ConstrainFuzz outperforms existing open-source directed fuzzing tools in vulnerability detection. Compared to AFLGo, WindRanger, and SelectFuzz, ConstrainFuzz uncovered 6, 6, and 7 additional vulnerabilities, respectively.
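The call-graph completion step that the abstract describes, as an added illustration (not the paper's code): a constructed toy call graph in which the target is reachable only through a function pointer, so function-distance guidance reports the entry point as unreachable until the indirect edge is restored by signature matching. The exact-signature match used here is an assumed simplification of the paper's multi-layer type matching; the long/short seed distinction is not modelled.

```python
from collections import deque

# Constructed toy call graph (example data, not from the paper): direct call
# edges, address-taken functions with (return, params) signatures, and
# indirect call sites with the signature of the function pointer they invoke.
DIRECT_CALLS = {
    "main": ["parse_args", "dispatch"],
    "parse_args": [],
    "dispatch": [],                     # only calls through a function pointer
    "handle_png": ["decode_chunk"],
    "handle_gif": [],
    "decode_chunk": [],                 # the target location
}
ADDRESS_TAKEN = {
    "handle_png": ("int", ("char*", "int")),
    "handle_gif": ("int", ("char*", "int")),
    "log_msg": ("void", ("char*",)),   # different signature: must not match
}
INDIRECT_SITES = {"dispatch": [("int", ("char*", "int"))]}
TARGET = "decode_chunk"


def complete_call_graph(direct, address_taken, indirect_sites):
    """Add an edge from each indirect call site to every address-taken
    function whose signature matches exactly (assumed simplification of the
    paper's multi-layer type matching).  Non-matching candidates are dropped,
    which is what keeps false-positive edges out of the distance metric."""
    graph = {f: list(callees) for f, callees in direct.items()}
    for caller, sigs in indirect_sites.items():
        for sig in sigs:
            for callee, callee_sig in address_taken.items():
                if callee_sig == sig and callee not in graph.setdefault(caller, []):
                    graph[caller].append(callee)
    return graph


def function_distances(graph, target):
    """Shortest number of calls from each function to the target (BFS over
    reversed edges).  Functions absent from the result cannot reach it."""
    reverse = {}
    for caller, callees in graph.items():
        for callee in callees:
            reverse.setdefault(callee, []).append(caller)
    dist, queue = {target: 0}, deque([target])
    while queue:
        f = queue.popleft()
        for caller in reverse.get(f, []):
            if caller not in dist:
                dist[caller] = dist[f] + 1
                queue.append(caller)
    return dist
```

Running `function_distances` on `DIRECT_CALLS` leaves `main` out of the result (no guidance from the entry point); on the completed graph `main` gets distance 3 while `log_msg` still receives no edge.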
Key words: Vulnerability mining / Directed fuzzing / Indirect calls / Path constraints / Selective instrumentation
Category: Information Technology and Security Science
Cite this article: 左洪盛, 方勇, 贾鹏, 范希明, 潘睿, 陈兴刚. Directed grey-box fuzzing based on path constraints with supplemented indirect calls [J]. 四川大学学报(自然科学版) (Journal of Sichuan University, Natural Science Edition), 2025, 62(3): 631-640 (10 pages).
Funding: Major Science and Technology Project of the Sichuan Provincial Department of Science and Technology (2024YFHZ0015)