The fifth session of the "Software Intelligent Analysis" academic salon will be held at 9:00 a.m. on Tuesday, March 20, 2018, in Conference Room 334, Building 5, Institute of Software, Chinese Academy of Sciences. The event is co-hosted by the Software Intelligent Analysis Collaborative Innovation Team of the Institute of Software, CAS and the InForSec forum. Professor Hao Chen of UC Davis, Professor Deqing Zou of Huazhong University of Science and Technology, and Dr. Chao Zhang of Tsinghua University have been invited, and the three scholars will each present their latest research on applying AI to software vulnerability work. Stay tuned.






Time          | Item          | Speaker                                                  | Topic
9:00 – 12:00  | Chair         | Purui Su, Research Professor, Institute of Software, CAS |
9:00 – 9:50   | Invited talk  | Chao Zhang                                               | CollAFL: Path Sensitive Fuzzing (IEEE S&P 2018)
9:50 – 10:40  | Invited talk  | Deqing Zou                                               | Deep-learning-based intelligent detection of source-code vulnerabilities (NDSS 2018)
10:40 – 11:30 | Invited talk  | Hao Chen                                                 | Angora: Efficient Fuzzing by Principled Search (IEEE S&P 2018)

1. Title: CollAFL: Path Sensitive Fuzzing


Abstract: Coverage-guided fuzzing is a widely used and effective solution to find software vulnerabilities. Tracking code coverage and utilizing it to guide fuzzing are crucial to coverage-guided fuzzers. However, tracking full and accurate path coverage is infeasible in practice due to the high instrumentation overhead. Popular fuzzers (e.g., AFL) often use coarse coverage information, e.g., edge hit counts stored in a compact bitmap, to achieve highly efficient greybox testing. Such inaccuracy and incompleteness in coverage introduce serious limitations to fuzzers. First, it causes path collisions, which prevent fuzzers from discovering potential paths that lead to new crashes. More importantly, it prevents fuzzers from making wise decisions on fuzzing strategies. In this paper, we propose a coverage sensitive fuzzing solution CollAFL. It mitigates path collisions by providing more accurate coverage information, while still preserving low instrumentation overhead. It also utilizes the coverage information to apply three new fuzzing strategies, promoting the speed of discovering new paths and vulnerabilities. We implemented a prototype of CollAFL based on the popular fuzzer AFL and evaluated it on 24 popular applications. The results showed that path collisions are common, i.e., up to 75% of edges could collide with others in some applications, and CollAFL could reduce the edge collision ratio to nearly zero. Moreover, armed with the three fuzzing strategies, CollAFL outperforms AFL in terms of both code coverage and vulnerability discovery. On average, CollAFL covered 20% more program paths, found 320% more unique crashes and 260% more bugs than AFL in 200 hours. In total, CollAFL found 157 new security bugs with 95 new CVEs assigned.
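Added illustration, not from the paper or the talk: a small Python simulation of AFL-style edge hashing into a compact bitmap, showing why the path collisions described above arise and how a static, collision-free slot assignment in the spirit of CollAFL removes them. The random control-flow graph and the greedy slot table are constructed for this example and are not CollAFL's actual hashing scheme.

```python
import random

MAP_SIZE = 1 << 16  # AFL's default coverage bitmap: 64 KiB, one byte per edge slot


def afl_edge_index(prev_id, cur_id, map_size=MAP_SIZE):
    """AFL-style edge slot: cur_location ^ (prev_location >> 1), masked to the bitmap."""
    return (cur_id ^ (prev_id >> 1)) & (map_size - 1)


def collision_ratio(edges, index_fn, map_size=MAP_SIZE):
    """Fraction of distinct CFG edges whose bitmap slot is shared with another edge."""
    slots = {}
    for prev_id, cur_id in edges:
        slots.setdefault(index_fn(prev_id, cur_id, map_size), []).append((prev_id, cur_id))
    collided = sum(len(group) for group in slots.values() if len(group) > 1)
    return collided / len(edges)


def random_cfg_edges(n_blocks, n_edges, seed=2018):
    """Constructed CFG: random 16-bit block IDs (as AFL assigns at compile time) and random edges."""
    rng = random.Random(seed)
    block_ids = [rng.getrandbits(16) for _ in range(n_blocks)]
    edges = set()
    while len(edges) < n_edges:
        edges.add((rng.choice(block_ids), rng.choice(block_ids)))
    return sorted(edges)


def static_slot_assignment(edges, map_size=MAP_SIZE):
    """Collision-free slots chosen at instrumentation time (simplified illustration of
    CollAFL's idea, not its hashing scheme): every statically known edge gets its own
    slot, so the runtime bitmap never merges two edges as long as edges <= slots."""
    if len(edges) > map_size:
        raise ValueError("more edges than slots: the remaining edges need a fallback")
    table = {edge: slot for slot, edge in enumerate(edges)}
    return lambda prev_id, cur_id, map_size=map_size: table[(prev_id, cur_id)]


if __name__ == "__main__":
    edges = random_cfg_edges(n_blocks=8000, n_edges=30000)
    print("AFL-style collision ratio:", round(collision_ratio(edges, afl_edge_index), 3))
    print("Static assignment ratio:  ", collision_ratio(edges, static_slot_assignment(edges)))
    # Structural collision built into the AFL scheme: prev_id and prev_id ^ 1 share a slot.
    print(afl_edge_index(0x1234, 0x0042) == afl_edge_index(0x1235, 0x0042))
```

With 30,000 edges in a 65,536-slot bitmap roughly a third of the edges share a slot under the AFL-style scheme, while the static assignment reports zero; the collision ratio is the quantity the abstract reports as up to 75% for real programs.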

Speaker bio: Dr. Chao Zhang is an Associate Professor (doctoral supervisor) at the Institute for Network Sciences and Cyberspace, Tsinghua University. He received his bachelor's degree and PhD from Peking University and was a postdoctoral researcher at UC Berkeley (advisor: Dawn Song). He has been selected for the Youth Program of the national "Thousand Talents Plan", the China Association for Science and Technology "Young Elite Scientists Sponsorship Program", and the China Computer Federation "Young Talent Development Program", among others. His main research interests are system and software security; he has published many high-quality academic papers, one of which was among the ten most-cited papers of the 2013 Big Four security conferences. His research result FPGate received a special nomination award in the Microsoft BlueHat defense competition. He led a team in the DARPA CGC automated attack-and-defense competition, winning first place in defense in the qualifying round and second place in attack in the finals. He has also won awards in the Defcon CTF attack-and-defense competition, the GeekPwn intelligent security challenge, and other contests.



Abstract: Automatic detection of software vulnerabilities is an important research problem. Existing static analysis methods for source-code vulnerabilities have two problems: first, they rely on human experts to define vulnerability features; second, their false-negative rate is high. An ideal vulnerability detection system would have both low false positives and low false negatives; when both cannot be achieved at once, reducing false negatives is usually emphasized while keeping false positives within an acceptable range. To address these problems, we introduce deep learning into vulnerability detection for the first time and propose VulDeePecker, a deep-learning-based vulnerability detection system. Working at the granularity of code gadgets, it automatically learns vulnerability patterns with a bidirectional long short-term memory network, detects whether a target program contains vulnerabilities without requiring human experts to define features, and reports the location of the vulnerable code. Experimental results show that, at an acceptable false-positive rate, VulDeePecker has a lower false-negative rate than other methods; it detected 4 vulnerabilities in 3 target software products that had not been published in the National Vulnerability Database, and these vulnerabilities were silently patched in subsequent versions of the respective software.



3. Title: Angora: Efficient Fuzzing by Principled Search

Speakers: Peng Chen and Hao Chen

摘要:Fuzzing is a popular technique for finding software bugs. However, fuzzers based on symbolic execution produce quality inputs but run slow, while fuzzers based on random mutation run fast but have difficulty producing quality inputs. We propose Angora, a new mutation-based fuzzer that outperforms the state-of-the-art fuzzers by a wide margin. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution. To solve path constraints efficiently, we introduce several key techniques: scalable byte-level taint tracking, context-sensitive branch count, search based on gradient descent, and input length exploration. On the LAVA-M data set, Angora found almost all the injected bugs, found more bugs than any other fuzzer that we compared with, and found eight times as many bugs as the second-best fuzzer in the program who. Angora also found 103 bugs that the LAVA authors injected but could not trigger. We also tested Angora on eight popular, mature open source programs. Angora found 6, 52, 29, 40 and 48 new bugs in file, jhead, nm, objdump and size, respectively. We measured the coverage of Angora and evaluated how its key techniques contribute to its impressive performance.


Hao Chen is a professor at the Department of Computer Science at the University of California, Davis. He received his PhD at the Computer Science Division at the University of California, Berkeley. His current research focuses on software security, machine learning, and their synergy. He won the National Science Foundation CAREER award in 2007, and UC Davis College of Engineering Faculty Award in 2010.




