Fuzzy Test Improvement Based on Clustering and New Coverage Information
CHENG Liang; WANG Hua-Lei; ZHANG Yang; SUN Xiao-Shan. University of Chinese Academy of Sciences; Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences.
Fuzzing plays a major role in discovering software security vulnerabilities and improving software security. This study addresses the low efficiency of the mutation strategy in fuzzing and the unreasonable seed scoring strategy, and proposes a mutation optimization strategy based on clustering and an energy allocation strategy based on new coverage information. The former extracts the positions of effective combined mutations from the non-deterministic mutations that generated new coverage, uses a clustering algorithm to further narrow down the effective mutation positions, and applies fine-grained deterministic mutations at those positions in the mutation stage. The latter targets the seed scoring strategy: the new coverage information generated by a seed and the branch transfer information obtained from static analysis are used as key indicators for scoring. We compare the improved fuzzing tool AgileFuzz with existing tools such as AFL 2.52b, AFLFast, and EcoFuzz and conduct multiple experiments on open source programs such as binutils and libxml2. The experimental results show that AgileFuzz achieves higher program branch coverage in the same amount of time. Meanwhile, five unknown vulnerabilities in fontforge, harfbuzz, and other open source software were discovered during the testing.
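The two strategies sketched above, as an added illustration that is not the paper's or AgileFuzz's code: byte offsets touched by coverage-increasing non-deterministic mutations are clustered into ranges that a deterministic stage then walks, and a seed's energy combines its new-edge count with a static branch-transfer count. The mutation log, the gap threshold and the scoring weights are all assumptions, since the abstract gives no concrete formula.

```python
from collections import Counter

# Constructed log of non-deterministic (havoc-style) mutations on one seed:
# (byte offsets changed together, whether the run produced new coverage).
HAVOC_LOG = [
    ([4, 5, 6], True), ([120, 121], False), ([5, 7], True), ([300], False),
    ([8, 9, 40], True), ([41, 42], True), ([250], False), ([6, 41], True),
]

def effective_positions(log):
    """Count how often each offset took part in a mutation that found new
    coverage (assumption: every offset of a combined mutation gets credit)."""
    hits = Counter()
    for offsets, new_cov in log:
        if new_cov:
            hits.update(offsets)
    return hits

def cluster_positions(positions, gap=3):
    """1-D gap clustering: sorted offsets closer than `gap` join one cluster.
    Returns inclusive (start, end) ranges for the deterministic stage."""
    pts = sorted(positions)
    if not pts:
        return []
    ranges = [[pts[0], pts[0]]]
    for p in pts[1:]:
        if p - ranges[-1][1] <= gap:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [tuple(r) for r in ranges]

def deterministic_schedule(ranges):
    """Offsets the fine-grained deterministic stage (bit/byte flips) visits,
    restricted to the clustered hot ranges instead of the whole file."""
    return [off for start, end in ranges for off in range(start, end + 1)]

def seed_energy(new_edges, branch_transfers, base=16, cap=256):
    """Energy for a seed: base fuzzing budget scaled by the new edges the seed
    produced, plus the branch transfers static analysis found reachable from
    its path. Weights and cap are assumptions, not the paper's formula."""
    return min(cap, base * (1 + new_edges) + branch_transfers)

if __name__ == "__main__":
    hot = cluster_positions(effective_positions(HAVOC_LOG))
    print("hot ranges:", hot, "schedule:", deterministic_schedule(hot))
    print("energy:", seed_energy(3, 10))
```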