4. AFL: American Fuzzy Lop
• Coverage-based fuzzing
• Uses a GA (genetic algorithm) to evolve inputs
• Coverage is used to calculate the score in coverage-based fuzzing (AFL).
• Developer: Michał Zalewski
• Found bugs in major software projects, including X.Org Server,[2] PHP,[3] OpenSSL,[4][5] pngcrush, bash,[6] Firefox,[7] BIND,[8][9] Qt,[10] and SQLite.[11]
5. AFL: Mutation by GA
Flowchart (nodes recovered from the slide):
• pre-process
• calibrate / trim / score
• Mutation (GA): 1. bitflip 2. arith 3. interest 4. dictionary 5. havoc 6. splice
• Crash or hang?
  • NO → add input to queue
  • YES → (branch label not in the extracted text)
6. AFL: score and mutation
• Score items
  • Average execution time
  • Coverage
  • Queue cycle
  • Depth of branch execution
• Mutation stages
  • SIMPLE (bitflip)
  • ARITHMETIC INC/DEC
  • INTERESTING VALUES
  • DICTIONARY STUFF
  • RANDOM HAVOC
  • SPLICING
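Slides 5 and 6 list the deterministic mutation stages and the score items without showing how either works. The block below is an added example, not AFL's own code: it implements the first four stages (bitflip, arith, interesting values, dictionary) as generators over an input, including AFL's trick of skipping a mutant that an earlier stage already produced, and a simplified queue-entry score that combines the four score items from slide 6. The bit widths, `ARITH_MAX`, the interesting-value table and the score thresholds are taken from AFL's defaults as I remember them and should be treated as assumptions; the havoc and splice stages (random stacked mutations, crossover between two queue entries) are not shown.

```python
"""AFL-style deterministic mutation stages plus queue-entry scoring.

Added example, not AFL's own code. The stage order (bitflip, arith,
interesting values, dictionary) is the slide's; the bit widths, ARITH_MAX,
the interesting-value table and the score thresholds are simplified from
AFL's defaults as I remember them and are assumptions for this illustration.
"""
from typing import Iterable, Iterator

ARITH_MAX = 35                                          # assumption: AFL's default
INTERESTING_8 = [-128, -1, 0, 1, 16, 32, 64, 100, 127]  # assumption: AFL's 8-bit table


def bitflip(data: bytes, width: int, step: int = 1) -> Iterator[bytes]:
    """Flip `width` consecutive bits at every `step`-bit offset (AFL's 1/1, 2/1, 4/1, 8/8)."""
    nbits = len(data) * 8
    for start in range(0, nbits - width + 1, step):
        buf = bytearray(data)
        for bit in range(start, start + width):
            buf[bit // 8] ^= 0x80 >> (bit % 8)
        yield bytes(buf)


def could_be_bitflip(xor_val: int) -> bool:
    """True if old ^ new is a run of 1, 2, 4 or 8 set bits, i.e. a bitflip stage already produced it."""
    if xor_val == 0:
        return False
    while xor_val & 1 == 0:
        xor_val >>= 1
    return xor_val in (1, 3, 15, 255)


def could_be_arith8(old: int, new: int) -> bool:
    """True if new == old +/- delta for some 1 <= delta <= ARITH_MAX (mod 256)."""
    diff = (new - old) & 0xFF
    return 1 <= diff <= ARITH_MAX or 1 <= (256 - diff) <= ARITH_MAX


def arith8(data: bytes) -> Iterator[bytes]:
    """Add and subtract 1..ARITH_MAX to each byte, skipping values a bitflip already covered."""
    for i, old in enumerate(data):
        for delta in range(1, ARITH_MAX + 1):
            for new in ((old + delta) & 0xFF, (old - delta) & 0xFF):
                if could_be_bitflip(old ^ new):
                    continue
                buf = bytearray(data)
                buf[i] = new
                yield bytes(buf)


def interest8(data: bytes) -> Iterator[bytes]:
    """Overwrite each byte with each interesting value not already reachable by bitflip or arith."""
    for i, old in enumerate(data):
        for val in INTERESTING_8:
            new = val & 0xFF
            if new == old or could_be_bitflip(old ^ new) or could_be_arith8(old, new):
                continue
            buf = bytearray(data)
            buf[i] = new
            yield bytes(buf)


def dictionary(data: bytes, tokens: Iterable[bytes]) -> Iterator[bytes]:
    """Dictionary stage: overwrite with, then insert, each token at every position."""
    for tok in tokens:
        for pos in range(len(data) - len(tok) + 1):
            yield data[:pos] + tok + data[pos + len(tok):]
        for pos in range(len(data) + 1):
            yield data[:pos] + tok + data[pos:]


def calculate_score(exec_us: float, avg_exec_us: float, bitmap_size: int,
                    avg_bitmap_size: float, handicap: int, depth: int) -> float:
    """Energy (havoc-iteration multiplier) for one queue entry, shaped after AFL's
    calculate_score(): faster-than-average inputs, inputs covering more edges,
    entries that missed queue cycles (handicap) and deeper entries get more time."""
    score = 100.0
    if exec_us > 4 * avg_exec_us:          # slow input: fuzz it less
        score = 10.0
    elif exec_us > 2 * avg_exec_us:
        score = 50.0
    elif 4 * exec_us < avg_exec_us:        # very fast input: fuzz it more
        score = 300.0
    elif 2 * exec_us < avg_exec_us:
        score = 150.0
    if bitmap_size > 2 * avg_bitmap_size:  # coverage well above average
        score *= 2.0
    elif 2 * bitmap_size < avg_bitmap_size:
        score *= 0.5
    if handicap >= 4:                      # joined the queue late: let it catch up
        score *= 4.0
    elif handicap > 0:
        score *= 2.0
    if depth >= 14:                        # long mutation lineage
        score *= 4.0
    elif depth >= 8:
        score *= 3.0
    elif depth >= 4:
        score *= 2.0
    return min(score, 1600.0)              # cap (AFL: HAVOC_MAX_MULT * 100, assumption)
```

The skip checks (`could_be_bitflip`, `could_be_arith8`) are why AFL's deterministic stages stay affordable: every mutant the fuzzer runs costs one execution, so a value the bitflip stage already tried is not run again in the arith or interesting-value stages.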
7. Coverage
• Depth of the control flow graph
• How many branches the program passed with the given input during fuzzing
• Used to calculate the score in coverage-based fuzzing (AFL).
[figure: branch coverage]
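Slide 7 says coverage is "how many branches the program passed", but AFL measures this with an edge bitmap rather than a branch list. The block below is an added example, not AFL's code: it replays a constructed sequence of basic-block ids, hashes each edge into a 64 KiB map the way AFL's instrumentation does (`cur ^ (prev >> 1)`), buckets the hit counts, and decides whether a run found a new edge, only a new loop-count bucket, or nothing. The bucket boundaries follow AFL's `count_class_lookup` as I remember them and are an assumption.

```python
"""AFL-style edge coverage bitmap with bucketed hit counts.

Added example, not AFL's own code. Each executed basic block carries a
random id; the edge (prev -> cur) is hashed as cur ^ (prev >> 1) into a
64 KiB map. The hit-count buckets below follow AFL's count_class_lookup
as I remember it and are an assumption for this illustration.
"""
from typing import Iterable

MAP_SIZE = 1 << 16


def trace_to_bitmap(trace: Iterable[int]) -> bytearray:
    """Replay a sequence of basic-block ids and count each edge (saturating at 255)."""
    bitmap = bytearray(MAP_SIZE)
    prev = 0
    for cur in trace:
        idx = (cur ^ prev) % MAP_SIZE
        bitmap[idx] = min(bitmap[idx] + 1, 255)
        prev = cur >> 1          # the shift keeps A->B distinct from B->A
    return bitmap


def bucket(count: int) -> int:
    """Collapse a hit count into one of nine buckets so that small loop-count
    differences (9 vs 10 iterations) are not reported as new coverage."""
    if count == 0:
        return 0
    if count <= 2:
        return count             # 1 -> 1, 2 -> 2
    if count == 3:
        return 4
    for limit, cls in ((7, 8), (15, 16), (31, 32), (127, 64)):
        if count <= limit:
            return cls
    return 128


def coverage_size(bitmap: bytearray) -> int:
    """Number of distinct edges hit (AFL's count_bytes), the 'Coverage' score item."""
    return sum(1 for c in bitmap if c)


def new_virgin_map() -> bytearray:
    """Global map of not-yet-seen bucket bits: every bit set at the start of a campaign."""
    return bytearray(b"\xff" * MAP_SIZE)


def has_new_bits(virgin: bytearray, bitmap: bytearray) -> int:
    """Compare a run's bitmap against the virgin map and mark what was seen.
    Returns 2 for a never-seen edge, 1 for a new hit-count bucket on a known edge, else 0."""
    ret = 0
    for i, count in enumerate(bitmap):
        if count == 0:
            continue
        b = bucket(count)
        if virgin[i] & b:        # this bucket bit is still unseen for this edge
            if virgin[i] == 0xFF:
                ret = 2
            elif ret == 0:
                ret = 1
            virgin[i] &= ~b & 0xFF
    return ret
```

An input is added to the queue when `has_new_bits` returns nonzero; a return of 1 is the case the bucketing exists for, since a loop that ran a few more times than before would otherwise flood the queue with near-duplicate entries.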
8. AFLGo (CCS17)
• Coverage-based Greybox Fuzzers (CGF)
  • Coverage
  • GA (genetic algorithm)
• Directed Greybox Fuzzers (DGF):
  • reaching a given set of program locations effectively
  • BB distance (basic-block distance)
  • Simulated annealing
  • Control flow graph and call graph
  • HeartBleed
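Slide 8 names the pieces of AFLGo (basic-block distance, control flow graph, simulated annealing) without the formulas. The block below is an added example, not AFLGo's code: over a constructed control flow graph it computes each block's distance to the target set as the harmonic mean of shortest-path lengths, averages that over the blocks a seed executed to get the seed distance, and turns the normalized distance into an energy factor with AFLGo's annealing schedule. Simplifications to be aware of: the example flattens the call graph and intra-procedural CFGs into one graph (AFLGo keeps them separate and weights call edges), and the constants in `annealing_power` (base 20 for the temperature, `2^(10*(p-0.5))` for the factor) follow the paper as I recall it and are assumptions.

```python
"""Directed greybox fuzzing distances in the style of AFLGo.

Added example, not AFLGo's code. The CFG and target set are constructed
sample data; the call graph / CFG split of the real tool is flattened into
one graph here, and the annealing constants are assumptions.
"""
from collections import deque
from typing import Dict, Iterable, List, Set

CFG: Dict[str, List[str]] = {      # constructed sample: block -> successor blocks
    "entry": ["parse", "usage"],
    "usage": [],
    "parse": ["check_len", "error"],
    "check_len": ["copy", "error"],
    "error": [],
    "copy": ["finish"],
    "finish": [],
}
TARGETS: Set[str] = {"copy"}       # the location the fuzzer should steer towards


def shortest_paths_to(cfg: Dict[str, List[str]], target: str) -> Dict[str, int]:
    """BFS on the reversed graph: edge distance from every block that can reach `target`."""
    rev: Dict[str, List[str]] = {n: [] for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            rev[s].append(n)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for pred in rev[cur]:
            if pred not in dist:
                dist[pred] = dist[cur] + 1
                queue.append(pred)
    return dist


def block_distance(cfg: Dict[str, List[str]], targets: Set[str]) -> Dict[str, float]:
    """d_b(m, T): harmonic mean of shortest-path lengths from m to each reachable target;
    0 for a target itself, inf when no target is reachable from m."""
    per_target = [shortest_paths_to(cfg, t) for t in targets]
    db: Dict[str, float] = {}
    for m in cfg:
        ds = [d[m] for d in per_target if m in d]
        if not ds:
            db[m] = float("inf")
        elif 0 in ds:
            db[m] = 0.0
        else:
            db[m] = len(ds) / sum(1.0 / d for d in ds)
    return db


def seed_distance(db: Dict[str, float], trace: Iterable[str]) -> float:
    """d(s, T): mean block distance over the blocks the seed executed, skipping unreachable ones."""
    vals = [db[m] for m in trace if db[m] != float("inf")]
    return sum(vals) / len(vals) if vals else float("inf")


def annealing_power(d: float, min_d: float, max_d: float, t: float, t_x: float) -> float:
    """Energy factor for a seed at campaign time t with time-to-exploitation t_x.
    Early on (t << t_x) every seed gets factor ~1 (exploration); later the normalized
    distance dominates, so near seeds get more energy and far seeds get less."""
    d_norm = (d - min_d) / (max_d - min_d) if max_d > min_d else 0.0
    t_exp = 20.0 ** (-t / t_x)                        # temperature, cools from 1 towards 0
    p = (1.0 - d_norm) * (1.0 - t_exp) + 0.5 * t_exp   # annealed "closeness" in [0, 1]
    return 2.0 ** (10.0 * (p - 0.5))                   # assumption: paper's power formula
```

The harmonic mean is what makes a block that is close to one of several targets rank well even if it is far from the others; a plain arithmetic mean would penalize it. The annealing factor multiplies the ordinary AFL score for the seed, so a directed fuzzer still explores early in the campaign and only later concentrates on the seeds whose traces run closest to the target.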
9. FuzzGuard (USENIX Security 20)
• Predicts the reachability of inputs and filters out the unreachable test cases.
• Based on AFLGo
• CNN (convolutional neural network)
• Supervised learning
  • Ground truth (teacher signal): reachability
  • Training data (inputs): control flow graph
• Famous vulnerability: CVE-2019-7582 (libming)