Programmable Fuzzing Technology
Cite this article: YANG Mei-Fang, HUO Wei, ZOU Yan-Yan, YIN Jia-Wei, LIU Bao-Xu, GONG Xiao-Rui, JIA Xiao-Qi, ZOU Wei. Programmable Fuzzing Technology [J]. Journal of Software (软件学报), 2018, 29(5): 1258-1274.
Authors: YANG Mei-Fang  HUO Wei  ZOU Yan-Yan  YIN Jia-Wei  LIU Bao-Xu  GONG Xiao-Rui  JIA Xiao-Qi  ZOU Wei
Affiliation (all authors): Key Laboratory of Network Assessment Technology (Chinese Academy of Sciences) and Beijing Key Laboratory of Network Security and Protection Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100195, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Funding: This work was supported by the Key Laboratory of Network Assessment Technology (Chinese Academy of Sciences) and the Beijing Key Laboratory of Network Security and Protection Technology, by the Beijing Municipal Science and Technology Commission (D161100001216001, Z161100002616032), and by the National Natural Science Foundation of China (61572481, 61602470).
Abstract: Fuzzing is an effective vulnerability discovery technique. To counter the low efficiency caused by blind mutation, a fuzzer has to be continually customized around input characteristics, mutation strategy, seed selection, and the discovery and analysis of abnormal (crashing) samples, which incurs a large customization cost. To meet the need for low-cost customization and high extensibility of general-purpose fuzzers (fuzzers that support multiple input formats and target programs), this paper proposes, for the first time, a programmable fuzzing framework. With it, a vulnerability researcher only needs to write a fuzzing guidance program to obtain a customized fuzzer, which greatly raises fuzzer development efficiency without reducing fuzzing effectiveness. The framework comprises a set of fuzzing primitives covering mutation, monitoring and feedback, which serve as the basic statements of a guidance program, together with a programming specification, the fuzzing directive specification (FDS), and an FDS parser that support writing and parsing guidance programs and generating fuzzers. On the prototype implementation Puzzer, which provides 26 fuzzing primitives, a researcher can reproduce the core functionality of five mainstream fuzzers (each tens of thousands of lines of code) with an average of 54 lines of code, covering 87.8% of their basic operations in total. An AFL-equivalent fuzzer built on Puzzer reaches fuzzing effectiveness comparable to AFL with only 51 lines of code, demonstrating that the approach is effective.

Keywords: fuzzing | vulnerability discovery | programmable | guidance program | abstract syntax tree
Received: 2017-07-01
Revised: 2017-08-29

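As an added illustration (not part of the paper, and not Puzzer's code) of the split the abstract describes between reusable fuzzing primitives and a short per-target guidance program, the Python sketch below defines a few mutation, monitoring and feedback primitives and a guidance program that composes them into an AFL-style loop: a deterministic single-bit-flip stage over each seed, then random stacked mutations driven by coverage feedback. The target `toy_target`, its planted crash condition, and every function and class name are constructed for this example; a real fuzzer obtains coverage from instrumentation and crash signals from the OS or a sanitizer rather than from the target returning an edge set.

```python
"""Miniature programmable fuzzer: primitives + a guidance program.
Added example, not Puzzer's code; all names and the target are hypothetical."""
import random
from dataclasses import dataclass, field


# --- Target under test: a constructed toy parser standing in for real software.
# Returns the set of "edges" it exercised (stand-in for coverage instrumentation)
# and raises on the planted bug (stand-in for a crash signal / sanitizer report).
def toy_target(data: bytes) -> set:
    edges = {"entry"}
    if len(data) < 4 or data[:2] != b"PZ":
        return edges
    edges.add("magic")
    if data[2] != 0x01:
        return edges
    edges.add("version1")
    if data[3] > 0x7F and len(data) > 8:
        edges.add("long-payload")          # never observed: the crash discards it
        raise RuntimeError("crash: length field exceeds buffer")  # constructed bug
    return edges


# --- Mutation primitives: each maps (rng, data, corpus) -> new bytes.
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def mut_bitflip(rng, data, corpus):
    if not data:
        return data
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def mut_interesting(rng, data, corpus):
    if not data:
        return data
    i = rng.randrange(len(data))
    return data[:i] + bytes([rng.choice(INTERESTING)]) + data[i + 1:]


def mut_insert(rng, data, corpus):
    i = rng.randint(0, len(data))
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def mut_splice(rng, data, corpus):
    other = corpus.pick(rng)
    if len(data) < 2 or len(other) < 2:
        return data
    return data[: rng.randrange(1, len(data))] + other[rng.randrange(1, len(other)):]


MUTATORS = (mut_bitflip, mut_interesting, mut_insert, mut_splice)


# --- Monitoring primitive: execute one input, report coverage and crash status.
@dataclass
class Outcome:
    coverage: frozenset
    crashed: bool


def run_target(target, data: bytes) -> Outcome:
    try:
        return Outcome(frozenset(target(data)), False)
    except Exception:
        return Outcome(frozenset(), True)


# --- Feedback primitive: coverage-guided corpus keeping only inputs with new edges.
@dataclass
class Corpus:
    seeds: list = field(default_factory=list)
    seen_edges: set = field(default_factory=set)

    def add_if_new(self, data: bytes, coverage) -> bool:
        if coverage - self.seen_edges:
            self.seen_edges |= coverage
            self.seeds.append(data)
            return True
        return False

    def pick(self, rng) -> bytes:
        return rng.choice(self.seeds)


def deterministic_bitflips(data: bytes):
    """Yield every single-bit flip of data (the analogue of AFL's bitflip 1/1 stage)."""
    for i in range(len(data)):
        for b in range(8):
            yield data[:i] + bytes([data[i] ^ (1 << b)]) + data[i + 1:]


# --- Guidance program: the only part written per target. Returns (corpus, crashes).
def guidance_afl_like(target, seeds, havoc_iters=500, rng_seed=1):
    rng = random.Random(rng_seed)
    corpus, crashes = Corpus(), []

    def handle(data):
        out = run_target(target, data)
        if out.crashed:
            if data not in crashes:
                crashes.append(data)
        else:
            corpus.add_if_new(data, out.coverage)

    for s in seeds:
        handle(s)
    for s in list(corpus.seeds):              # stage 1: deterministic bit flips
        for child in deterministic_bitflips(s):
            handle(child)
    for _ in range(havoc_iters):              # stage 2: random stacked mutations
        child = corpus.pick(rng)
        for _ in range(rng.randint(1, 4)):
            child = rng.choice(MUTATORS)(rng, child, corpus)
        handle(child)
    return corpus, crashes


if __name__ == "__main__":
    c, found = guidance_afl_like(toy_target, [b"PZ\x01\x00" + b"\x00" * 6])
    print(f"edges={sorted(c.seen_edges)} crashes={len(found)} first={found[0]!r}")
```

The guidance program is the only piece a practitioner rewrites per target; a format-aware mutator, a different seed-scheduling policy or an out-of-process monitor is swapped in at the primitive layer and the loop stays the same, which is the cost saving the abstract is after.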