  • Proj THUDBFuzz Paper Reading: Fuzzing Challenges and Reflections

    Abstract

    Fuzzing: 1. symbolic execution; 2. random input generation

    Intro

    1. Blackbox fuzzing
    • mutational
    • generational: Peach
    2. Greybox fuzzing: requires program instrumentation
    • Sanitizers inject assertions into the program
    • e.g.: AFL; LibFuzzer; Honggfuzz
    3. Whitebox fuzzing: usually uses program analysis and constraint solvers to explore meaningful code paths
    • The constraint solver is usually an SMT (Satisfiability Modulo Theories) solver
    • Extract the first-order logic formulas, functions and predicate symbols from the conditions that must hold to reach a given code path, and use the constraint solver to compute a set of inputs that reaches that path
    • e.g.: KLEE and SAGE
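    To make the blackbox / greybox / whitebox distinction above concrete, here is a small added Python example (my own illustration, not code from the paper or from this blog post): a toy mutational fuzzer that, in greybox mode, keeps every input that reaches a new branch, run against two hypothetical targets with a constructed magic value. The byte-wise check exposes one new edge per matched byte, so coverage feedback climbs it; the single all-at-once comparison exposes no intermediate edge, which is exactly the kind of condition a whitebox tool would hand to an SMT solver instead.

```python
import random

MAGIC = b"FUZZ"  # constructed "deep" condition guarding the toy bug

def target_bytewise(data: bytes, trace: set) -> None:
    # Hypothetical target: the bug sits behind four chained byte checks.
    # Each satisfied check records a branch id in `trace`, standing in for
    # the edge coverage that AFL-style instrumentation would report.
    for i, m in enumerate(MAGIC):
        if len(data) <= i or data[i] != m:
            return
        trace.add(i)
    raise AssertionError("deep bug reached")

def target_atomic(data: bytes, trace: set) -> None:
    # Same bug, but guarded by one comparison of all four bytes at once:
    # no intermediate edge is exposed, so coverage gives nothing to climb.
    if data[:4] == MAGIC:
        trace.add(0)
        raise AssertionError("deep bug reached")

def mutate(data: bytes, rng: random.Random) -> bytes:
    b = bytearray(data)
    for i in range(len(b)):
        if rng.random() < 1 / len(b):  # on average one byte is replaced
            b[i] = rng.randrange(256)
    return bytes(b)

def fuzz(target, use_coverage: bool, iterations: int, seed: int = 1):
    # use_coverage=False: blackbox, every input is a mutation of the seed.
    # use_coverage=True: greybox, inputs reaching a new edge join the corpus.
    # Returns the number of executions needed to hit the bug, or None.
    rng = random.Random(seed)
    corpus, seen = [b"AAAA"], set()
    for n in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        trace = set()
        try:
            target(child, trace)
        except AssertionError:
            return n
        if use_coverage and not trace <= seen:
            seen |= trace
            corpus.append(child)
    return None

if __name__ == "__main__":
    print("blackbox, bytewise:", fuzz(target_bytewise, False, 200_000))
    print("greybox, bytewise: ", fuzz(target_bytewise, True, 200_000))
    print("greybox, atomic:   ", fuzz(target_atomic, True, 200_000))
```

Within the same budget the greybox run reaches the byte-wise bug while the blackbox run and the greybox run against the atomic comparison both exhaust it, which is the gap that constraint solving is meant to close.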

    Recent Impact

    The term "fuzzing" dates back to 1990, but only recently has it been adopted at scale in industry.

    Challenges

    1. How can we fuzz more types of software systems efficiently?
    • e.g. systems that interact with their environment, or machine-learning systems
    • How do we fuzz stateful software?
    • How do we fuzz polyglot software?
    • How do we fuzz GUI-based programs?
    • How can a symbolic execution tool fuzz software with highly structured inputs?
    2. How can the fuzzer identify more types of vulnerabilities (a vulnerability can be viewed as an assertion over program state)?
    • e.g. the possibility of side-channel attacks
    3. How can we find "deep bugs" for which efficient oracles exist, but which nevertheless evade detection?
    • complex conditions
    4. What is the nature of vulnerabilities that have evaded discovery despite long fuzzing campaigns?
    5. How can fuzzers leverage the ingenuity of the auditor?
    • How can the auditor instruct the fuzzer to overcome the roadblock?
    6. How can we improve the usability of fuzzing tools?
    • How can we prepare the output of a fuzzer for human consumption?
    7. How can we assess residual security risk if the fuzzing campaign was unsuccessful?
    8. What are the theoretical limitations of blackbox, greybox and whitebox fuzzing?
    • Given a program and a time budget, how can we select the fuzzing technique, or combination of techniques, which finds the most vulnerabilities within the time budget?
    • How do program size and complexity affect the scalability and performance of each technique?
    9. How can we evaluate specialized fuzzers?
    10. How can we prevent overfitting to a specific benchmark?
    11. Are synthetic bugs representative?
    12. Are real bugs, which have previously been discovered with other fuzzers, representative?
    13. Is coverage a good measure of fuzzer effectiveness?
    14. What is a fair choice of time budget?
    15. How do we evaluate techniques instead of implementations?
  • Original article: https://www.cnblogs.com/xuesu/p/14501600.html