Liqun Yang,Chunan Li,Yongxin Qiu,Chaoren Wei,Jian Yang,Hongcheng Guo,Jinxin Ma,Zhoujun Li

2024-01-30

Abstract:The importance of addressing security vulnerabilities is indisputable, with software becoming crucial in sectors such as national defense and finance. Consequently, The security issues caused by software vulnerabilities cannot be ignored. Fuzz testing is an automated software testing technology that can detect vulnerabilities in the software. However, most previous fuzzers encounter challenges that fuzzing performance is sensitive to initial input seeds. In the absence of high-quality initial input seeds, fuzzers may expend significant resources on program path exploration, leading to a substantial decrease in the efficiency of vulnerability detection. To address this issue, we propose WGAN-AFL. By collecting high-quality testcases, we train a generative adversarial network (GAN) to learn their features, thereby obtaining high-quality initial input seeds. To overcome drawbacks like mode collapse and training instability inherent in GANs, we utilize the Wasserstein GAN (WGAN) architecture for training, further enhancing the quality of the generated seeds. Experimental results demonstrate that WGAN-AFL significantly outperforms the original AFL in terms of code coverage, new paths, and vulnerability discovery, demonstrating the effective enhancement of seed quality by WGAN-AFL.

Cryptography and Security

Xin Sun,Wen Wang,Xujian Liu,Jiarong Fan,Zeru Li,Yubo Song,Zhongyuan Qin

DOI: https://doi.org/10.1109/trustcom56396.2022.00131

2022-01-01

Abstract:In fuzzing, the generative adversarial network learns from the training set and generates test-cases with similar formats, so as to provide inputs conforming to the input format for programs tested. However, problems of the unstable training process, single generation method, and monotonic sample types generated exist in general generative adversarial networks. This paper proposes a fuzzing input generation technique based on VAE-GAN, which introduces the representation learning process of variational auto-encoder for traditional generative adversarial networks, so that it can learn and utilize the character information of testcases, improving the stability of training and generate various testcases. It is shown that testcases generated by VAE-GAN trigger more unique tuples than other existing generative adversarial networks on 3 among 4 selected target programs. Moreover, compared with the AFL mutation training set, testcases generated by VAE-GAN can improve code coverage by up to 11.87%, and the discovery rate of 15.74% and 5.36% in the unique crashes and hangs respectively.

Ge Han,Zheng Li,Peng Tang,Chengyu Hu,Shanqing Guo

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00244

2022-01-01

Abstract:Deep neural networks (DNNs) are increasingly deployed in various fields. Despite their spectacular advances, DNNs are known to suffer from adversarial vulnerabilities. The robustness of DNNs is then threatened by leading them to misclassifications with unexpected inputs (adversarial examples). The fuzzing technique frequently used for testing traditional software has recently been adopted to evaluate the robustness of DNNs. Current DNN fuzzing techniques focus on image classification DNNs and generate test cases by mutations, e.g., image transformations and adversarial perturbations. However, mutation-based test cases usually lack diversity and have distribution deflection from the original DNN input space, which impacts the evaluation of DNNs. In this paper, we propose a generation-based fuzzing frame-work FuzzGAN to detect adversarial flaws existing in DNNs. We integrate the testing purpose and the guidance of the neuron coverage into the original objectives of auxiliary classifier generative adversarial networks. Hence, FuzzGAN learns the representation of a DNN's input space and generates test cases without the limitation of any concrete seed input. We evaluate the performance of FuzzGAN on two DNN models that have classical network structures and are trained on public datasets. The experiment results demonstrate that FuzzGAN can generate realistic, diverse and valid test cases and achieve high neuron coverage. Moreover, these test cases can be used to improve the performance of the target DNN through adversarial retraining.

Zicong Gao,Hao Xiong,Weiyu Dong,Rui Chang,Rui Yang,Yajin Zhou,Liehui Jiang

DOI: https://doi.org/10.1109/tse.2023.3326144

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation-based fuzzing has been widely used in both academia and industry. Recently, researchers observe that the mutation scheduling scheme affects the efficiency of fuzzing. Accordingly, they propose PSO algorithm or machine learning-based technique to optimize the scheduling process. However, these methods fail to consider the fact that the optimal operator distribution of different seeds is different, even for the same program. In this paper, we propose a novel general scheduling scheme, named FA-fuzz, to find the optimal selecting probability distribution of mutation operators, which is based on the observations that the effective mutation operators are different for different seeds. Specifically, our method is based on the firefly algorithm. The positions of fireflies are mapped to the selection probability distribution of different mutation operators. The brightness of fireflies is expressed as the efficiency of discovering unique testcases. We implement prototype systems on multiple state-of-art fuzzers, and perform evaluations on two datasets. Our proposed method improves both the number of unique paths and unique bugs on real-world datasets. In addition, we discover 30 zero-day vulnerabilities in eight real-world programs, which demonstrate the effectiveness of FA-fuzz.

Yaoyang Liu,Bin Wu

DOI: https://doi.org/10.1109/icmcce51767.2020.00289

2020-01-01

Abstract:Fuzzy testing technology has a good effect in discovering web vulnerabilities, which is incomparable with other security testing technologies. Because of the randomness and unpredictability of its test cases, it can dig out the relevant vulnerabilities comprehensively and systematically. Before that, some researchers proposed to use genetic algorithm to generate test cases to solve the problem of single test cases. However, the test cases generated by genetic algorithm are often of high randomness, and the proportion of effective test cases is relatively low. According to this problem, I proposed to generate test cases based on generative countermeasure network. On the basis of ensuring its randomness, the relevant test cases are generated pertinently. Through relevant experiments, it is proved that the generated confrontation network can generate effective test cases. Compared with the test cases generated by genetic algorithm, its effectiveness is better and more web vulnerabilities can be found.

Aoshuang Ye,Lina Wang,Lei Zhao,Jianpeng Ke,Wenqi Wang,Qinliang Liu

DOI: https://doi.org/10.1016/j.neucom.2021.06.082

IF: 6

2021-01-01

Neurocomputing

Abstract:We implement a Generative Adversarial Network (GAN) based fuzzer called RapidFuzz to generate synthetic testcase, which can precisely catch the data structure feature in a relatively shorter time than the state-of-art fuzzers. RapidFuzz provides potential seeds generated by GAN. i.e., The generated seeds with similar but different numerical distributions accelerate the mutation process. An algorithm is elaborately designed to locate the hot-points generated by GAN. The generated testcases make structural features easier to be identified, which makes the whole process faster. In our experiment, RapidFuzz considerably improves the performance of American Fuzzy Lop(AFL) in speed, coverage, and mapsize. We select 9 open-sourced programs with different highly-structured inputs to demonstrate the effectiveness of RapidFuzz. As a result, code coverage is significantly improved. For tiff2pdf and tiffdump, coverage increase exceeds over 20%. We also observe that RapidFuzz achieves the same coverage with less time than AFL. Furthermore, AFL absorbs 21% of generated seed files in tiff2pdf with an average absorption rate around 15% in other programs.

Jun Yang,Guojun Mei,Chen Chen

DOI: https://doi.org/10.1109/ICCCN.2018.8487461

2018-01-01

Abstract:The fuzzy technology based on model constraint is lack of guidance in variation process, and the fuzzy technology based on coverage information has a weak code penetration ability when meeting a complex logic verification, what's more, these two methods' code coverage are deeply dependent on the initial samples, if there are no specific file structure types in the initial samples, the possibility of covering the corresponding code blocks will be very low. This paper proposes a vulnerability mining method based on genetic algorithm and constraint model. The method uses the model constraint technology to create test samples, and uses the fuzzy technology based on coverage information feedback to guide the direction of data variation. Besides that, using genetic algorithm to enrich the diversity of file structure types and combinations among test samples, and generate high-quality test samples gradually at the same time, which can greatly improve the efficiency of fuzzing test.

Chenyang Lyu,Shouling Ji,Yuwei Li,Junfeng Zhou,Jianhai Chen,Jing Chen

DOI: https://doi.org/10.48550/arXiv.1807.02606

2019-06-03

Abstract:Fuzzing is an automated application vulnerability detection method. For genetic algorithm-based fuzzing, it can mutate the seed files provided by users to obtain a number of inputs, which are then used to test the objective application in order to trigger potential crashes. As shown in existing literature, the seed file selection is crucial for the efficiency of fuzzing. However, current seed selection strategies do not seem to be better than randomly picking seed files. Therefore, in this paper, we propose a novel and generic system, named SmartSeed, to generate seed files towards efficient fuzzing. Specifically, SmartSeed is designed based on a machine learning model to learn and generate high-value binary seeds. We evaluate SmartSeed along with American Fuzzy Lop (AFL) on 12 open-source applications with the input formats of mp3, bmp or flv. We also combine SmartSeed with different fuzzing tools to examine its compatibility. From extensive experiments, we find that SmartSeed has the following advantages: First, it only requires tens of seconds to generate sufficient high-value seeds. Second, it can generate seeds with multiple kinds of input formats and significantly improves the fuzzing performance for most applications with the same input format. Third, SmartSeed is compatible to different fuzzing tools. In total, our system discovers more than twice unique crashes and 5,040 extra unique paths than the existing best seed selection strategy for the evaluated 12 applications. From the crashes found by SmartSeed, we discover 16 new vulnerabilities and have received their CVE IDs.

Cryptography and Security

Mingmin Lin,Yingpei Zeng,Ting Wu,Qiuhua Wang,Linan Fang,Shanqing Guo

DOI: https://doi.org/10.1155/2022/1505842

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Mutation-based fuzzing is currently one of the most effective techniques to discover software vulnerabilities. It relies on mutation strategies to generate interesting seeds. As a state-of-the-art mutation-based fuzzer, AFL follows a mutation strategy with high randomization, which uses randomly selected mutation operators to mutate seeds at random offsets. Its strategy may ignore some efficient mutation operators and mutation positions. Therefore, in this paper, we propose a solution named GSA-Fuzz to improve the efficiency of seed mutation strategy with the gravitational search algorithm (GSA). GSA-Fuzz uses GSA to learn the optimal selection probability distributions of operators and mutation positions and designs a position-sensitive strategy to guide seed mutation with learned distributions. Besides, GSA-Fuzz also provides a flip mode to calculate the efficiencies of the deterministic stage and indeterministic stage and implements switching between the two stages to further improve the efficiency of seed mutation. We compare GSA-Fuzz with the state-of-the-art fuzzers AFL, MOPT-AFL, and EcoFuzz on 10 open-source programs. GSA-Fuzz finds 145% more paths than AFL, 66% more paths than EcoFuzz, and 43% more paths than MOPT-AFL. In addition, GSA-Fuzz also outperforms other fuzzers in bug detection and line coverage.

Zhihui Li,Hui Zhao,Jianqi Shi,Yanhong Huang,Jiawen Xiong

DOI: https://doi.org/10.1109/access.2019.2911121

IF: 3.9

2019-01-01

IEEE Access

Abstract:Fuzzing (Fuzz testing) can effectively identify security vulnerabilities in software by providing a large amount of unexpected input to the target program. An important part of fuzzing test is the fuzzing data generation. Numerous traditional methods to generate fuzzing data have been developed, such as model-based fuzzing data generation and random fuzzing data generation. These techniques require the specification of the input data format or analyze the input data format by manual reverse engineering. In this paper, we introduce an approach using Wasserstein generative adversarial networks (WGANs), a deep adversarial learning method, to generate fuzzing data. This method does not require defining the input data format. To the best of our knowledge, this study is the first to use a WGAN-based method to generate fuzzing data. Industrial security has been an important and pressing issue globally. Network protocol fuzzing plays a significant role in ensuring the safety and reliability of industrial control systems (ICSs). Thus, the proposed method is significant for ICS testing. In the experiment, we use an industrial control protocol such as the Modbus-TCP protocol and EtherCAT protocol as our test target. Results indicate that this approach is more intelligent and capable than the methods used in previous studies. In addition, owing to its design, this model can be trained within a short time, which is computationally light and practical.

Yuan LIU,Yong-hui YANG,Chun-rui ZHANG,Wei WANG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.03.007

2017-01-01

Abstract:Considering the features of the traditional Fuzzing technology,a method is proposed for Fuzzing test case generating in vulnerability exploiting,which is aimed at nonlinear solution and single input problem.This method takes advantage of the genetic algorithm and deals with those two problems mentioned above.The experiment results show that,the proposed solution has an obvious improvement compared with the early method which generates the test cases randomly.

Pengcheng Zhang,Qiyin Dai,Patrizio Pelliccione

DOI: https://doi.org/10.48550/arXiv.1911.07931

2019-11-14

Computer Vision and Pattern Recognition

Abstract:Deep Learning systems (DL) based on Deep Neural Networks (DNNs) are more and more used in various aspects of our life, including unmanned vehicles, speech processing, and robotics. However, due to the limited dataset and the dependence on manual labeling data, DNNs often fail to detect their erroneous behaviors, which may lead to serious problems. Several approaches have been proposed to enhance the input examples for testing DL systems. However, they have the following limitations. First, they design and generate adversarial examples from the perspective of model, which may cause low generalization ability when they are applied to other models. Second, they only use surface feature constraints to judge the difference between the adversarial example generated and the original example. The deep feature constraints, which contain high-level semantic information, such as image object category and scene semantics are completely neglected. To address these two problems, in this paper, we propose CAGFuzz, a Coverage-guided Adversarial Generative Fuzzing testing approach, which generates adversarial examples for a targeted DNN to discover its potential defects. First, we train an adversarial case generator (AEG) from the perspective of general data set. Second, we extract the depth features of the original and adversarial examples, and constrain the adversarial examples by cosine similarity to ensure that the semantic information of adversarial examples remains unchanged. Finally, we retrain effective adversarial examples to improve neuron testing coverage rate. Based on several popular data sets, we design a set of dedicated experiments to evaluate CAGFuzz. The experimental results show that CAGFuzz can improve the neuron coverage rate, detect hidden errors, and also improve the accuracy of the target DNN.

Xinshi Zhou,Bin Wu

DOI: https://doi.org/10.1109/itnec48623.2020.9084765

2020-01-01

Abstract:Web fuzzing has always been an effective way to detect web vulnerabilities. Normally, traditional web fuzzing method mainly use limited test cases or generate test cases based on certain rules, which cause web fuzzing slow and inefficient. To solve this problem, we present improved genetic algorithm with a new mutation method to generate test cases. And the concept of preset functional units is proposed: test cases are divided into different functional units to ensure that the semantic structure will not be damaged during crossover and mutation. The experimental results show that the improved algorithm can generate better test cases than the standard genetic algorithm (SGA) and the adaptive genetic algorithm (AGA) and also detect more web vulnerabilities.

Shitong Wei,Shujie Yang,Ping Zou

DOI: https://doi.org/10.1007/978-981-19-9697-9_28

2023-01-01

Abstract:With the continuous development of software technology, software vulnerabilities have become one of the focuses of people’s attention. More and more methods for mining software vulnerabilities are emerging, and fuzzing technology has become one of the main methods for mining software vulnerabilities. A large number of fuzzing software tools such as AFL, Honggfuzz, and libufuzzer continue to emerge. However, at present, the mutation method of fuzz testing for test cases is inefficient, and it is difficult for a large number of mutated input test cases to trigger the deep logic code of the program. In this paper, we improve the deterministic seed mutation algorithm of AFL. The deterministic seed mutation efficiency of the improved AFL is higher than that of the original AFL, and it can trigger more paths in the same time.

Bo Shuai,Haifeng Li,Jian Wang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.2991/nceece-15.2016.213

2016-01-01

Abstract:In order to elevate efficiency of traditional Fuzzing technique, a novel method using genetic algorithm is proposed based on path coverage and test cost. There are evidences that GA has been already successful in generating test cases. Considering path coverage as the test adequacy criterion, we have designed a GA-based test data generator that is able to synthesize multiple test data to cover multiple target paths. Meanwhile, in order to reduce the test cost in Fuzzing process, test cost is analyzed respectively from running time and loop structure in the method. Experimental results show that proposed approach could obtain higher vulnerability detection accuracy and efficiency.

Shunkai Zhu,Jingyi Wang,Jun Sun,Jie Yang,Xingwei Lin,Tianyi Wang,Liyi Zhang,Peng Cheng

DOI: https://doi.org/10.1109/tse.2023.3338129

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Fuzzing is one of the prevailing methods for vulnerability detection. However, even state-of-the-art fuzzing methods become ineffective after some period of time, i.e., the coverage hardly improves as existing methods are ineffective to focus the attention of fuzzing on covering the hard-to-trigger program paths. In other words, they cannot generate inputs that can break the bottleneck due to the fundamental difficulty in capturing the complex relations between the test inputs and program coverage. In particular, existing fuzzers suffer from the following main limitations: 1) lacking an overall analysis of the program to identify the most “rewarding” seeds, and 2) lacking an effective mutation strategy which could continuously select and mutates the more relevant “bytes” of the seeds. In this work, we propose an approach called ATT UZZ to address these two issues systematically. First, we propose a lightweight dynamic analysis technique that estimates the “reward” of covering each basic block and selects the most rewarding seeds accordingly. Second, we mutate the selected seeds according to a neural network model which predicts whether a certain “rewarding” block will be covered given certain mutations on certain bytes of a seed. The model is a deep learning model equipped with an attention mechanism which is learned and updated periodically whilst fuzzing. Our evaluation shows that ATT UZZ significantly outperforms 5 state-of-the-art grey-box fuzzers on 6 popular real-world programs and MAGMA data sets at achieving higher edge coverage and finding new bugs. In particular, ATT UZZ achieved 1.2X edge coverage and 1.8X bugs detected than AFL ++ over 24-hour runs. In addition, ATT UZZ also finds 4 new bugs in the latest version of some popular software including p7zip and openUSD.

Tiantian Ji,Zhongru Wang,Zhihong Tian,Binxing Fang,Qiang Ruan,Haichen Wang,Wei Shi

DOI: https://doi.org/10.1016/j.jisa.2020.102497

IF: 4.96

2020-01-01

Journal of Information Security and Applications

Abstract:Fuzzing is a simple and popular technique that has been widely used to detect vulnerabilities in software. However, due to its blind mutation, fuzzing brings many limitations. First, it is difficult for fuzzing to pass the sanity checks, which makes fuzzing unable to target vulnerability or crash locations effectively. Secondly, blind mutation limits the diversity of seed generation and makes it difficult for the fuzzing process to achieve convergence. In this paper, we propose a direction sensitive fuzzing solution AFLPro. On the one hand, it focuses on seed selection, using a new fuzzing scheme based on Basic Block Aggregation (BBA), which reduces the possibility of seed selection in the wrong direction. By applying a multi-dimensional oriented seed selection strategy, it achieves fine-grained seed selection. On the other hand, based on biological evolution, AFLPro optimizes genetic variation to ensure the diversity of seed varieties and the convergence of fuzzing tests. Besides, AFLPro also incorporates lightweight static analysis to obtain information about the target program (this paper only studies closed source programs), providing complete semantic guidance for fuzzing through resource integration. We implemented a prototype of AFLPro based on the popular fuzzer AFL. We evaluated it on three datasets: DARPA Grand Challenges (CGC), LAVA-M dataset, and a set of real-world applications. The results show that in 92% of all three datasets, AFLPro exhibits better vulnerability detection capabilities than all of the state-of-the-art fuzzers mentioned in this paper. (C) 2020 Elsevier Ltd. All rights reserved.

Yiru Zhao,Xiaoke Wang,Lei Zhao,Yueqiang Cheng,Heng Yin

DOI: https://doi.org/10.48550/arXiv.2101.00612

2021-01-03

Software Engineering

Abstract:Coverage-based greybox fuzzing (CGF) has been approved to be effective in finding security vulnerabilities. Seed scheduling, the process of selecting an input as the seed from the seed pool for the next fuzzing iteration, plays a central role in CGF. Although numerous seed scheduling strategies have been proposed, most of them treat these seeds independently and do not explicitly consider the relationships among the seeds. In this study, we make a key observation that the relationships among seeds are valuable for seed scheduling. We design and propose a "seed mutation tree" by investigating and leveraging the mutation relationships among seeds. With the "seed mutation tree", we further model the seed scheduling problem as a Monte-Carlo Tree Search (MCTS) problem. That is, we select the next seed for fuzzing by walking this "seed mutation tree" through an optimal path, based on the estimation of MCTS. We implement two prototypes, AlphaFuzz on top of AFL and AlphaFuzz++ on top of AFL++. The evaluation results on three datasets (the UniFuzz dataset, the CGC binaries, and 12 real-world binaries) show that AlphaFuzz and AlphaFuzz++ outperform state-of-the-art fuzzers with higher code coverage and more discovered vulnerabilities. In particular, AlphaFuzz discovers 3 new vulnerabilities with CVEs.

Liu Guangrui,Zhang Weizhe,Li Xinjie,Fan Kaisheng,Yu Shui

DOI: https://doi.org/10.1007/s11432-021-3455-1

2022-01-01

Abstract:Machine learning-based network intrusion detection systems (ML-NIDS) are extensively used for network security against unknown attacks. Existing intrusion detection systems can effectively defend traditional network attacks, however, they face AI based threats. The current known AI attacks cannot balance the escape rate and attack effectiveness. In addition, the time cost of existing AI attacks is very high. In this paper, we propose a backdoor attack called VulnerGAN, which features high concealment, high aggressiveness, and high timeliness. The backdoor can make the specific attack traffic bypass the detection of ML-NIDS without affecting the performance of ML-NIDS in identifying other attack traffic. VulnerGAN uses generative adversarial networks (GAN) to calculate poisoning and adversarial samples based on machine learning model vulnerabilities. It can make traditional network attack traffic escape black-box online ML-NIDS. At the same time, model extraction and fuzzing test are used to enhance the convergence of VulnerGAN. Compared with the state-of-the-art algorithms, the VulnerGAN backdoor attack increases 33.28% in concealment, 18.48% in aggressiveness, and 46.32% in timeliness.

XIAO Tian,JIANG Zhihao,TANG Peng,HUANG Zheng,GUO Jie,QIU Weidong

DOI: https://doi.org/10.11959/j.issn.2096−109x.2023027

2023-01-01

Abstract:With the continuous growth and advancement of the Internet and information technology, continuous growth and advancement of the Internet and information technology.Nevertheless, these applications’ vulnerabilities pose a severe threat to information security and users’ privacy.Fuzzing was widely used as one of the main tools for automatic vulnerability detection due to its ease of vulnerability recurrence and low false positive errors.It generates test cases randomly and executes the application by optimization in terms of coverage or sample generation to detect deeper program paths.However, the mutation operation in fuzzing is blind and tends to make the generated test cases execute the same program path.Consequently, traditional fuzzing tests have problems such as low efficiency, high randomness of inputs generation and limited pertinence of the program structure.To address these problems, a directional fuzzing based on deep reinforcement learning was proposed, which used deep reinforcement learning networks with information obtained by staking program to guide the selection of the inputs.Besides, it enabled fast approximation and inspection of the program paths that may exist vulnerabilities.The experimental results showed that the proposed approach had better performance than the popular fuzzing tools such as AFL and AFLGO in terms of vulnerability detection and recurrence on the LAVA-M dataset and real applications like LibPNG and Binutils.Therefore, the approach can provide support for further vulnerability mining and security research.