Corrupted Data-oriented Fuzzing: Based on the analysis of propagation process, we developed a fuzzing method to efficiently explore the exploitable objects for OOB write bugs in general-purpose applications. Considering the large code scale and complex logical constraints of programs, methods such as symbol execution are inefficient and may suffer from constraint explosion [11]. Therefore, we adopted a search-based approach to explore the execution paths in programs.
The more extensively corrupted data propagate, the more likely the program reaches an exploitable state. Therefore, we use the extent of flawed data propagation to guide the fuzzer. Based on the corrupted data propagation model, we define the extent of corrupted data propagation. For a saved seed, if it can taint \(m\) more nodes, and the propagation potential of each node is \(p_{1}\) to \(p_{m}\), then the propagation extent of the seed (PES) is described in (1).
\(PES=\frac{m}{2}+\sum_{i=1}^{m}p_{i}\) (1)
To ensure thorough exploration of the program execution space [12,14], we also maintained code coverage as metric. Hence, we designed a multi-level fuzzing schedule by integrating both code coverage and PES. In terms of seed saving, we preserved seeds that discover new tainted nodes or trigger a new path. As for seed mutation strategy, we use random mutation algorithm and select seeds within a greedy algorithm. Regarding seed scoring, we evaluate each seed within a new scoring strategy, which is further illustrated in Algorithm 1.