Introduction to fuzzy testing

1. Understand fuzzy testing 、 Relevant contents of stain analysis
2. To configure KLEE Other production environment .
3. Analyze the advantages and disadvantages of fuzzy testing

Fuzzy testing

1. The core idea ： Fuzzy testing is an automatic software vulnerability Mining Technology , The central idea is this Send a piece of data to the target software , And monitor / Judge the characteristics of program behavior , Like a crash 、 Assertion failure, etc , So as to find software vulnerabilities .
2. Specific tools ：

3. The combination of research

• Symbol execution
• Smudge inference
• Artificial intelligence + Heuristic search
• Perform scheduling optimization

4. present situation

• Execute with symbols
• Combined with stain analysis
• Heuristic search
  • evolutionary algorithms
  • Simulated annealing
  • Monte Carlo algorithm, etc
• Artificial intelligence
• Distributed and parallel AFL The implementation of the .

5. Existing problems

• Code coverage problem – The depth of code coverage is not enough , Because it is difficult to break through the complex path constraints of test cases .
• Local area oriented test – Difficult to test large code . Local testing of large code intelligence .
• Slow speed , Low degree of parallelism .

AFL Configuration and use of

1. AFL（American Fuzzy Lop） It's by security researchers Michał Zalewski（@lcamtuf） Development of a coverage based guide （Coverage-guided） Fuzzy testing tool of , It records the code coverage of input samples , So we can adjust the input samples to improve the coverage , Increase the probability of finding vulnerabilities . The workflow is as follows ：

① Instrumentation when compiling programs from source code , To record code coverage （Code Coverage）;

② Select some input files , Join the input queue as the initial test set （queue）;

③ The files in the queue are processed according to a certain policy “ mutation ”;

④ If the coverage is updated after a variation file , Then add its reservation to the queue ;

⑤ The process goes on in a cycle , It triggered crash Will be recorded .

2. AFL The way of variation

bitflip： Flip by bit ,1 Turn into 0,0 Turn into 1

arithmetic： Integral plus / Subtraction arithmetic operation

interest： Replace some special contents into the original document

dictionary： Automatically generated or user provided token Replace / Insert into the original file

havoc：“ Great destruction ”, It's a combination of the previous variations

splice：“ Connect ”, At this stage, the two files will be spliced together to get a new file

3. AFL Installation and use .

Use linux operating system

• git Download the source code , Decompress using make install Command installation
• establish test.c file , Write the code
• Execute the following script

afl-gcc -g -o test test.c 
mkdir fuzz_in fuzz_out
echo '1+1' > fuzz_in/seed
echo core | sudo tee /proc/sys/kernel/core_pattern
echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
afl-fuzz -i fuzz_in -o fuzz_out ./test

Then get the following operation process .

• Finally, execute ctrl + c End
  

establish test.c file , Direct output hello world, Then test . Get the following execution process . In the use of ctrl + c After that , You can get fuzz_out Folder . Then there is the corresponding error message . Contains the following folders .

crashes： Cause the target to receive fatal signal And the unique test case of crash queue： Store all test cases with unique execution paths .AFL The output file ：

crashes/README.txt： Save the target to execute these crashes Command line parameters of the file .

hangs： Unique test cases that cause target timeouts .

fuzzer_stats：afl-fuzz Operating state .

plot_data： be used for afl-plot mapping .

Because there is no error message . therefore crashes and hangs The folders are all empty .plot_data Include the following data . See the picture below