Fuzzing Based on Function Importance by Attributed Call Graph
share
Fuzzing has become one of the important methods for vulnerability detecting. The existing fuzzing tools represented by AFL use heuristic algorithms to guide the direction of fuzzing which exposes great randomness. What's more, AFL filters seeds only by execution time and seed length. Meanwhile there is no in-depth consideration of the instruction information covered by the trace. In this paper, we propose a fuzzing method based on function importance. First, we propose a data structure called Attributed Call Graph to characterize function feature and the relationship. On this basis, we use an improved PageRank algorithm to further strengthen ACG's characterization of the importance of function position. We score the seeds according to the feature vector of the ACG covered in the seed execution trace and optimize the seed filtering and according to the scoring results. In addition, fuzzing is a process of dynamic change. We will adjust the feature vector range according to the number of function hits. The change of a node attribute will affect the importance of its surrounding nodes. Here we use the improved Weisfeiler-Lehman The algorithm propagates the node attributes to reflect this influence relationship. We implemented our fuzzer FunAFL based on the above method. Our tool found 18 bugs on the LAVA-M dataset exceeding the fuzzers such as AFL and AFLFast. The coverage rate in real-world programs is higher than that of AFL and AFLFast. At the same time, 10 bugs were found in real-world programs and 3 CVE numbers were assigned.
READ FULL TEXT