Theory/fuzzing theory

For Advanced Fuzzing

TESTING 2023. 1. 3. 14:11

User-Mode Application Fuzzing

1. Strategy

1.1. Mutation Strategy

- Deterministic: walking bit flips, byte flips, arithmetic increment/decrement, interesting values, special characters (each applied once per position, so the stage is exhaustive and repeatable)

- Havoc: the same operators as the deterministic stage, but chosen at random and stacked, plus random byte, delete byte, insert byte, overwrite byte

- Custom: ?

- Radamsa [Github]

- AFLSmart: Smart Greybox Fuzzing [PDF, Github]

- Redqueen: Fuzzing with Input-to-State Correspondence, NDSS '19 [PDF, Slide, Video, Github]
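The two stages listed above, as an added worked example (illustration code written for this page, not AFL's or any listed project's source). The deterministic pass walks every position once with the AFL interesting-value tables; the havoc pass stacks a random number of random operators. Function names and the arithmetic bound are assumptions chosen here to mirror AFL's defaults.

```python
"""AFL-style mutation stages: deterministic (bitflip, byteflip, arith,
interesting values) and havoc (random stacked operators)."""
import random
import struct
from typing import Iterator, List, Tuple

# Interesting values as used by AFL's 8/16/32-bit "interest" stages.
INTERESTING_8 = [-128, -1, 0, 1, 16, 32, 64, 100, 127]
INTERESTING_16 = INTERESTING_8 + [-32768, -129, 128, 255, 256, 512, 1000, 1024, 4096, 32767]
INTERESTING_32 = INTERESTING_16 + [-2147483648, -100663046, -32769, 32768, 65535, 65536,
                                   100663045, 2147483647]
ARITH_MAX = 35  # AFL's default bound for the arithmetic stage (assumed here)


def deterministic(seed: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (stage, mutant) pairs; every position is visited exactly once per stage."""
    n = len(seed)
    # Bit flips: a 1-bit window walked across the whole input.
    for i in range(n * 8):
        buf = bytearray(seed)
        buf[i // 8] ^= 1 << (i % 8)
        yield "bitflip", bytes(buf)
    # Byte flips.
    for i in range(n):
        buf = bytearray(seed)
        buf[i] ^= 0xFF
        yield "byteflip", bytes(buf)
    # Arithmetic +/- delta on 8-bit values (AFL also does 16/32-bit, both endians).
    for i in range(n):
        for delta in range(1, ARITH_MAX + 1):
            for sign in (1, -1):
                buf = bytearray(seed)
                buf[i] = (buf[i] + sign * delta) & 0xFF
                yield "arith8", bytes(buf)
    # Interesting values: 8-bit, then 16/32-bit little-endian.
    for i in range(n):
        for v in INTERESTING_8:
            buf = bytearray(seed)
            buf[i] = v & 0xFF
            yield "interest8", bytes(buf)
    for width, fmt, vals in ((2, "<h", INTERESTING_16), (4, "<i", INTERESTING_32)):
        for i in range(n - width + 1):
            for v in vals:
                buf = bytearray(seed)
                buf[i:i + width] = struct.pack(fmt, v)
                yield "interest%d" % (width * 8), bytes(buf)


def havoc(seed: bytes, rng: random.Random, max_stack: int = 16) -> bytes:
    """One havoc mutant: a random stack of 1..max_stack random operators."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_stack)):
        op = rng.randrange(6)
        if not buf:                # only insertion makes sense on an empty input
            op = 4
        if op == 0:                # flip a random bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:              # set a random interesting 8-bit value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING_8) & 0xFF
        elif op == 2:              # random arithmetic
            i = rng.randrange(len(buf))
            buf[i] = (buf[i] + rng.randint(-ARITH_MAX, ARITH_MAX)) & 0xFF
        elif op == 3:              # overwrite a byte with a random byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 4:              # insert a random byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        else:                      # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def havoc_batch(seed: bytes, count: int, rng_seed: int = 0) -> List[bytes]:
    """Produce `count` havoc mutants reproducibly from one PRNG seed."""
    rng = random.Random(rng_seed)
    return [havoc(seed, rng) for _ in range(count)]


if __name__ == "__main__":
    seed = b"ABCD"  # constructed sample input
    print("deterministic mutants for 4 bytes:", sum(1 for _ in deterministic(seed)))
    for m in havoc_batch(seed, 3, rng_seed=1):
        print("havoc:", m)
```

Note the asymmetry the lists above describe: for a 4-byte seed the deterministic pass produces a fixed 436 mutants and then never repeats, while havoc is unbounded and is where fuzzers spend most of their time once the deterministic stages are exhausted (which is why AFL++ skips them by default).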

1.2. Mutation Scheduling

- MOPT: Optimized Mutation Scheduling for Fuzzers, USENIX '19 [PDF, Slide, Video, Github]

- AFL++ power schedules (they assign energy to seeds rather than choosing mutators): explore, exploit, coe, fast, lin, quad, mmopt, rare, seek

1.3. Coverage

- Binary-only targets (dynamic binary instrumentation or hardware tracing): DynamoRIO [Github], TinyInst [Github], QEMU [Github], Intel PT [Github]

- Source available (compile-time instrumentation, e.g. afl-clang-fast / afl-gcc): LLVM, GCC

2. Speed

2.1. Speed-up by removing overhead

- peAFL: Make Static Instrumentation Great Again, High Performance Fuzzing for Windows System, BlueHatIL '19 [Slide, Video, Github]

- peafl64 [Github]

- Designing New Operating Primitives to Improve Fuzzing Performance, ACM CCS '17 [PDF, Video, Github]

2.2. Improving fuzzer throughput

- Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types, USENIX '21 [PDF, Slide]

- Persistent mode on WinAFL [Github], Jackalope [Github]

- AFL++: Combining Incremental Steps of Fuzzing Research, USENIX WOOT '20 [PDF, Github]

2.3. Distributed Fuzzing

- Run distributed fuzzing over the network and share seeds (sync the queues of the instances so new coverage found by one is picked up by the others)

- UltraFuzz: Towards Resource-saving in Distributed Fuzzing, TSE '22 [PDF, Git]

3. Seed Pool

3.1. A larger seed pool is advantageous

- The more seeds in the pool, the higher the chance of exercising diverse coverage

- Seeds with identical coverage are culled by the fuzzer before the run (pre-processing, e.g. afl-cmin)

3.2. Quality of seed set

- A regression test set differs from ordinary seeds: regression tests are targeted at specific code paths

3.3. Seed Selection

- Optimizing Seed Selection for Fuzzing, USENIX '14 [PDF, Video]
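The coverage-based culling described in 3.1 and the set-cover view of seed selection in 3.3, as one added worked example (illustration code for this page, not afl-cmin's or the paper's own implementation). Each seed is represented by the set of edge IDs it exercised, as a tracer such as afl-showmap would report; the corpus, file names and edge IDs are constructed for the example. The greedy rule is the one afl-cmin uses: for every edge prefer the smallest input that hits it, then walk the edges and keep a seed only when it is the best candidate for an edge nothing kept so far covers.

```python
"""Greedy coverage-based corpus culling (afl-cmin style)."""
from typing import Dict, FrozenSet, List, Set, Tuple

Corpus = Dict[str, Tuple[bytes, Set[int]]]  # name -> (input bytes, edges covered)

# Constructed sample corpus for a hypothetical target; names and edges are made up.
SAMPLE_CORPUS: Corpus = {
    "seed_a.bin": (b"AAAA", {1, 2, 3}),
    "seed_b.bin": (b"AAAAAAAA", {1, 2, 3}),    # same coverage as seed_a, larger
    "seed_c.bin": (b"BB", {1, 2, 3, 4}),       # superset of seed_a, smaller
    "seed_d.bin": (b"CCCCCC", {5, 6}),
    "seed_e.bin": (b"D", {6}),                 # smallest for edge 6, but subset of seed_d
    "seed_f.bin": (b"EEEEEEEEEE", {1, 7}),     # only seed reaching edge 7
}


def identical_coverage_groups(corpus: Corpus) -> Dict[FrozenSet[int], List[str]]:
    """Group seed names by their exact edge set; groups of size > 1 are duplicates."""
    groups: Dict[FrozenSet[int], List[str]] = {}
    for name in sorted(corpus):
        groups.setdefault(frozenset(corpus[name][1]), []).append(name)
    return groups


def cull_by_coverage(corpus: Corpus) -> List[str]:
    """Return the seeds to keep, in the order the greedy walk selected them."""
    # 1. For each edge, remember the smallest input covering it (ties by name).
    best_for_edge: Dict[int, str] = {}
    for name, (data, edges) in corpus.items():
        for e in edges:
            cur = best_for_edge.get(e)
            if cur is None:
                best_for_edge[e] = name
                continue
            cur_len = len(corpus[cur][0])
            if len(data) < cur_len or (len(data) == cur_len and name < cur):
                best_for_edge[e] = name
    # 2. Walk edges in order; keep the best seed for any edge still uncovered,
    #    and mark everything that seed covers as done.
    covered: Set[int] = set()
    kept: List[str] = []
    for e in sorted(best_for_edge):
        if e in covered:
            continue
        name = best_for_edge[e]
        kept.append(name)
        covered |= corpus[name][1]
    return kept


def total_coverage(corpus: Corpus, names) -> Set[int]:
    """Union of edges covered by the named seeds (used to check nothing was lost)."""
    out: Set[int] = set()
    for n in names:
        out |= corpus[n][1]
    return out


if __name__ == "__main__":
    for edges, names in identical_coverage_groups(SAMPLE_CORPUS).items():
        if len(names) > 1:
            print("identical coverage:", names)
    kept = cull_by_coverage(SAMPLE_CORPUS)
    print("kept:", kept)
    print("dropped:", sorted(set(SAMPLE_CORPUS) - set(kept)))
    assert total_coverage(SAMPLE_CORPUS, kept) == total_coverage(SAMPLE_CORPUS, SAMPLE_CORPUS)
```

The run keeps seed_c, seed_d and seed_f and drops the rest: seed_a and seed_b are subsumed by a smaller seed, and seed_e, although it is the smallest input for edge 6, is dropped because seed_d had already covered that edge when the walk reached it. The total edge set is unchanged, which is the property a seed-pool pre-processing step must preserve.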


JavaScript Fuzzing

1. JsFunFuzz [Github]
2. Fuzzing with Code Fragments (LangFuzz), USENIX '12 [PDF, Slide, Video]
3. CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, NDSS '19 [PDF, Video, Github]
4. Fuzzilli [Github]
5. Superion: Grammar-Aware Greybox Fuzzing, ICSE '19 [PDF, Github]
6. Fuzzing JavaScript Engines with Aspect-preserving Mutation(DIE), S&P '20 [PDF, Slide, Video, Github]
7. JIT-Picking: Differential Fuzzing of JavaScript Engines, ACM CCS '22 [PDF, Github]


Kernel Fuzzing

1. syzkaller [Github]

2. kAFL [Github]

3. NtFuzz [Github]

 

To be continued...