Speaker: Prof. Hao Chen, UC Davis

Talk title: Principled fuzzing driven by mathematics


Fuzzing is a popular technique for finding software bugs. However, fuzzers based on random mutation have difficulty producing quality inputs. We propose a principled fuzzing framework driven by mathematics. Our goal is to increase branch coverage by solving path constraints without symbolic execution. To solve path constraints efficiently, we introduce several key techniques: scalable byte-level taint tracking, context-sensitive branch count, search based on gradient descent, and input length exploration. Path constraints that involve deeply nested conditional statements are particularly challenging. To overcome this difficulty, first we identify all the control flow-dependent conditional statements of the target conditional statement. Next, we select the taint flow-dependent conditional statements. Finally, we use three strategies to find an input that satisfies all conditional statements simultaneously. We compared our tool on 13 open source programs with other state-of-the-art fuzzers. Our fuzzer achieved significantly higher cumulative line and branch coverage than other fuzzers. We manually classified the crashes found by our fuzzer into 41 unique new bugs and obtained 12 CVEs.
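As an added illustration of the gradient-descent search described above (example code written for this page, not code from the talk, Angora or Matryoshka), the Python solver below flips a branch guarded by a nested conditional by numerically differentiating an Angora-style branch distance with respect to the tainted input bytes. The stand-in target program, its two path conditions, the choice of bytes 0 and 1 as tainted, and the summing of per-condition distances are constructed assumptions.

```python
import random
# Constructed stand-in for the instrumented target: returns each comparison on the
# path to the wanted branch as (op, lhs, rhs). The modelled path is
#     if (a > 100) { if (a * 3 + b == 940) { /* target */ } }
# with a, b the first two input bytes, so bytes 0 and 1 are the tainted bytes.
def path_conditions(inp):
    a, b = inp[0], inp[1]
    return [(">", a, 100), ("==", a * 3 + b, 940)]

def distance(op, lhs, rhs):
    """Angora-style branch distance: 0 iff the comparison holds, grows with the gap."""
    if op == "==":
        return abs(lhs - rhs)
    return max(0, rhs - lhs + 1)  # op == ">"

def loss(inp):  # simplification: sum the distance of every condition on the path
    return sum(distance(*c) for c in path_conditions(inp))

def partial(inp, i):  # finite-difference derivative of the loss w.r.t. byte i
    x, base = bytearray(inp), loss(inp)
    if x[i] < 255:
        x[i] += 1
        return loss(bytes(x)) - base
    x[i] -= 1
    return base - loss(bytes(x))

def descend(seed, tainted, max_iter=200, rng=random.Random(0)):
    """Gradient descent over the tainted bytes; returns a satisfying input or None."""
    x = bytearray(seed)
    for _ in range(max_iter):
        cur = loss(bytes(x))
        if cur == 0:
            return bytes(x)
        grad = [partial(bytes(x), i) for i in tainted]
        step, best = 1, None
        while True:  # adaptive step: keep doubling while the loss still drops
            cand = bytearray(x)
            for i, g in zip(tainted, grad):
                if g:
                    cand[i] = max(0, min(255, cand[i] - step * (1 if g > 0 else -1)))
            d = loss(bytes(cand))
            if d >= cur:
                break
            best, cur, step = cand, d, step * 2
        if best is None:  # plateau or local minimum: re-randomise the tainted bytes
            for i in tainted:
                x[i] = rng.randrange(256)
        else:
            x = best
    return None
```

Starting from the all-zero seed, `descend(b"\x00\x00", [0, 1])` reaches an input satisfying both conditions in a handful of iterations without any symbolic reasoning about the arithmetic.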




Hao Chen, Professor, Department of Computer Science, University of California, Davis

Hao Chen is a Professor in the Department of Computer Science at the University of California, Davis. Currently he is on academic leave and is leading the security research group at ByteDance AI lab. His research focuses on a broad range of security problems, including machine learning security, software security, and mobile and wireless security. His work on fuzzing includes Angora (S&P ’18) and Matryoshka (CCS ’19). He received his PhD at the Computer Science Division at the University of California, Berkeley in 2004 advised by Professor David Wagner.
