• Proj THUDBFuzz Paper Reading: Fuzzing Challenges and Reflections


    Abstract

    Fuzzing grew out of two lines of work: 1. symbolic execution; 2. random input generation

    Intro

    1. Blackbox fuzzing
       • mutational
       • generational, e.g. Peach
    2. Greybox fuzzing: requires program instrumentation
       • Sanitizers inject assertions into the program
       • e.g. AFL, libFuzzer, Honggfuzz
    3. Whitebox fuzzing: typically uses program analysis and constraint solvers to explore the meaningful code paths
       • The constraint solver is usually an SMT (Satisfiability Modulo Theories) solver
       • Extract the first-order formula (functions, predicate symbols, etc.) from the condition that must be satisfied to reach a given code path, then have the constraint solver compute an assignment that reaches that path
       • e.g. KLEE and SAGE
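    As an added illustration of the greybox loop sketched above (this is example code written for these notes, not code from the paper or from the THUDBFuzz project): a minimal coverage-guided fuzzer in Python. In place of the compile-time instrumentation that AFL or libFuzzer add, it uses Python's sys.settrace line tracer to record line-to-line edges; a sanitizer-style assertion in a constructed toy target serves as the crash oracle; and a blackbox loop with the same mutators but no feedback is run for contrast. The toy target, the seed input, and the "deterministic stage" / "havoc" stage names are assumptions made for the example.

```python
import random
import sys

# Constructed toy target: stands in for an instrumented program whose
# sanitizer-style assertion fires only when four nested checks all hold.
def target(data: bytes) -> None:
    if len(data) < 4:
        return
    if data[0] == 0x46:              # 'F'
        if data[1] == 0x55:          # 'U'
            if data[2] == 0x5A:      # 'Z'
                if data[3] == 0x5A:  # 'Z'
                    raise AssertionError("nested condition reached")


def run_with_coverage(data: bytes):
    """Run target(data) under a line tracer; return (set of line edges, crashed).

    The tracer plays the role of compile-time instrumentation: it records
    which (previous line, current line) transitions executed inside target.
    """
    edges = set()
    prev_line = None

    def tracer(frame, event, arg):
        nonlocal prev_line
        if frame.f_code is target.__code__ and event == "line":
            edges.add((prev_line, frame.f_lineno))
            prev_line = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        return edges, False
    except AssertionError:           # the injected assertion is our oracle
        return edges, True
    finally:
        sys.settrace(None)


def deterministic_stage(parent: bytes):
    """Yield every single-byte substitution of parent exactly once."""
    for i in range(len(parent)):
        for v in range(256):
            if v != parent[i]:
                yield parent[:i] + bytes([v]) + parent[i + 1:]


def havoc(parent: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte replace, byte insert or byte delete."""
    buf = bytearray(parent)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def greybox_fuzz(seeds, max_execs=200_000, rng_seed=0):
    """Coverage-guided loop: inputs that reach new edges join the corpus."""
    rng = random.Random(rng_seed)
    corpus, queue, seen_edges = [], [], set()
    execs = 0

    def execute(data):
        nonlocal execs
        execs += 1
        edges, crashed = run_with_coverage(data)
        if not crashed and not edges <= seen_edges:   # new coverage: keep it
            seen_edges.update(edges)
            corpus.append(data)
            queue.append(data)
        return crashed

    for seed in seeds:
        if execute(seed):
            return {"crash": seed, "execs": execs, "corpus_size": len(corpus)}
    while execs < max_execs:
        if queue:      # fresh corpus entries get the deterministic stage first
            candidates = deterministic_stage(queue.pop(0))
        else:          # afterwards, random havoc on existing corpus entries
            candidates = (havoc(rng.choice(corpus), rng) for _ in range(64))
        for child in candidates:
            if execute(child):
                return {"crash": child, "execs": execs, "corpus_size": len(corpus)}
            if execs >= max_execs:
                break
    return None


def blackbox_fuzz(seeds, max_execs=5_000, rng_seed=0):
    """Same mutators, no feedback: every input is a fresh mutation of a seed."""
    rng = random.Random(rng_seed)
    for execs in range(1, max_execs + 1):
        child = rng.choice(seeds)
        for _ in range(rng.randrange(1, 9)):
            child = havoc(child, rng)
        if run_with_coverage(child)[1]:
            return {"crash": child, "execs": execs}
    return None


if __name__ == "__main__":
    print("greybox :", greybox_fuzz([b"\x00\x00\x00\x00"]))
    print("blackbox:", blackbox_fuzz([b"\x00\x00\x00\x00"]))
```

    Run as a script: the greybox loop reaches the assertion in a few thousand executions, because every input that passes one more nested check produces a new edge and is kept in the corpus as the parent for the next stage, whereas the blackbox loop with the same mutators has to guess all four bytes at once and exhausts its budget without a crash. This is the same feedback loop that greybox fuzzers build on top of their instrumentation; in a real fuzzer the tracer is replaced by compile-time edge counters and the oracle by sanitizer checks.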

    Recent Impact

    The term "fuzzing" dates back to 1990, but only recently has it been adopted at scale in industry.

    Challenges

    1. How can we fuzz more types of software systems efficiently?
       • e.g. software that interacts with its environment, or machine learning systems
       • How do we fuzz stateful software?
       • How do we fuzz polyglot software?
       • How do we fuzz GUI-based programs?
       • How can a symbolic execution tool fuzz software with highly structured inputs?
    2. How can the fuzzer identify more types of vulnerabilities (which can be thought of as assertions over program state)?
       • possibility of side-channel attacks
    3. How can we find "deep bugs" for which efficient oracles exist, but which nevertheless evade detection?
       • complex conditions
    4. What is the nature of vulnerabilities that have evaded discovery despite long fuzzing campaigns?
    5. How can fuzzers leverage the ingenuity of the auditor?
       • How can the auditor instruct the fuzzer to overcome a roadblock?
    6. How can we improve the usability of fuzzing tools?
       • How can we prepare the output of a fuzzer for human consumption?
    7. How can we assess residual security risk if the fuzzing campaign was unsuccessful?
    8. What are the theoretical limitations of blackbox, greybox and whitebox fuzzing?
       • Given a program and a time budget, how can we select the fuzzing technique, or combination of techniques, that finds the most vulnerabilities within the time budget?
       • How do program size and complexity affect the scalability and performance of each technique?
    9. How can we evaluate specialized fuzzers?
    10. How can we prevent overfitting to a specific benchmark?
    11. Are synthetic bugs representative?
    12. Are real bugs, which have previously been discovered with other fuzzers, representative?
    13. Is coverage a good measure of fuzzer effectiveness?
    14. What is a fair choice of time budget?
    15. How do we evaluate techniques instead of implementations?
  • Original post: https://www.cnblogs.com/xuesu/p/14501600.html