Corrupted Data-oriented Fuzzing: Based on the analysis of
propagation process, we developed a fuzzing method to efficiently
explore the exploitable objects for OOB write bugs in general-purpose
applications. Considering the large code scale and complex logical
constraints of programs, methods such as symbol execution are
inefficient and may suffer from constraint explosion [11].
Therefore, we adopted a search-based approach to explore the execution
paths in programs.
The more extensively corrupted data propagate, the more likely the
program reaches an exploitable state. Therefore, we use the extent of
flawed data propagation to guide the fuzzer. Based on the corrupted data
propagation model, we define the extent of corrupted data propagation.
For a saved seed, if it can taint \(m\) more nodes, and the propagation
potential of each node is \(p_{1}\) to \(p_{m}\), then the propagation
extent of the seed (PES) is described in (1).
\(PES=\frac{m}{2}+\sum_{i=1}^{m}p_{i}\) (1)
To ensure thorough exploration of the program execution space
[12,14], we also maintained code coverage as metric. Hence, we
designed a multi-level fuzzing schedule by integrating both code
coverage and PES. In terms of seed saving, we preserved seeds
that discover new tainted nodes or trigger a new path. As for seed
mutation strategy, we use random mutation algorithm and select seeds
within a greedy algorithm. Regarding seed scoring, we evaluate each seed
within a new scoring strategy, which is further illustrated in Algorithm
1.