Directed greybox fuzzing aims to test specific code and has advanced in several areas. However, most vulnerabilities in input parsing programs are triggered only in a particular program state, so existing directed greybox fuzzers face a path explosion problem when fuzzing input parsing programs and lack the ability to steer execution into that particular state. To address this problem, we propose a call-relationship-based fitness function. The main idea is to use the function call relationship to guide directed fuzzing before the target is reached. The call-relationship-based fitness function extracts the function calls and the call relationship from the program, uses an intra-procedural reachability analysis to obtain all concerned edges, and constructs the fitness function from those edges. Based on this method, we implemented the directed greybox fuzzer IPDF and evaluated it against the mainstream directed greybox fuzzers Beacon and AFLGo on real-world programs. The evaluation showed that IPDF finds vulnerabilities faster than the state-of-the-art directed greybox fuzzers: IPDF is 3.01 times faster than AFLGo and 1.15 times faster than Beacon.
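The following is an added illustration, not code from the paper or from IPDF, of the two analysis steps the abstract describes: a fixpoint over the call relationship to find which functions can still lead to the target, then an intra-procedural reachability pass inside each function to collect the "concerned" edges, i.e. the control-flow edges from which a call towards the target is still reachable. The sample program, its function names, the trace format and the scoring rule (fraction of concerned edges a seed's execution exercised) are assumptions made for the illustration; the paper's exact fitness construction is not given in the abstract. Because the guidance applies before the target is reached, the target function itself contributes no concerned edges.

```python
"""Added illustration (not the paper's code) of a call-relationship-based
fitness function: find the edges that can still lead to the target and score a
seed by how many of them its execution exercised."""
from collections import deque

# Constructed sample program (hypothetical names).  Each function lists its
# call sites (site id -> callee) and an intra-procedural CFG over those sites
# plus the pseudo-nodes "entry" and "exit".
PROGRAM = {
    "main": {
        "sites": {"m1": "parse_header", "m2": "parse_body", "m3": "cleanup"},
        "edges": [("entry", "m1"), ("m1", "m2"), ("m1", "m3"),
                  ("m2", "m3"), ("m3", "exit")],
    },
    "parse_header": {
        "sites": {"h1": "read_u32", "h2": "log"},
        "edges": [("entry", "h1"), ("h1", "h2"), ("h2", "exit")],
    },
    "parse_body": {
        "sites": {"b1": "read_u32", "b2": "decode_chunk"},
        "edges": [("entry", "b1"), ("b1", "b2"), ("b1", "exit"), ("b2", "exit")],
    },
    "decode_chunk": {"sites": {}, "edges": [("entry", "exit")]},
    "read_u32": {"sites": {}, "edges": [("entry", "exit")]},
    "log": {"sites": {}, "edges": [("entry", "exit")]},
    "cleanup": {"sites": {}, "edges": [("entry", "exit")]},
}
TARGET = "decode_chunk"  # assumed target function for the illustration


def functions_reaching(program, target):
    """Fixpoint over the call relationship: a function reaches the target if it
    is the target or has a call site whose callee reaches the target."""
    reaching = {target}
    changed = True
    while changed:
        changed = False
        for fn, body in program.items():
            if fn not in reaching and any(c in reaching for c in body["sites"].values()):
                reaching.add(fn)
                changed = True
    return reaching


def concerned_edges(program, target):
    """Intra-procedural reachability: an edge (u, v) inside fn is concerned if,
    from v, fn's CFG can still reach a call site whose callee reaches the target."""
    reaching = functions_reaching(program, target)
    concerned = set()
    for fn, body in program.items():
        good_sites = {s for s, callee in body["sites"].items() if callee in reaching}
        if not good_sites:
            continue  # nothing in this function leads towards the target
        preds = {}
        for u, v in body["edges"]:
            preds.setdefault(v, []).append(u)
        # reverse BFS from the relevant call sites over fn's CFG
        leads = set(good_sites)
        queue = deque(good_sites)
        while queue:
            n = queue.popleft()
            for p in preds.get(n, []):
                if p not in leads:
                    leads.add(p)
                    queue.append(p)
        for u, v in body["edges"]:
            if v in leads:
                concerned.add((fn, u, v))
    return concerned


def fitness(trace, concerned):
    """Assumed scoring rule: fraction of concerned edges the seed's trace
    exercised; 1.0 means the seed walked every call-relevant edge to the target."""
    if not concerned:
        return 0.0
    return len(set(trace) & concerned) / len(concerned)


# Constructed execution traces (edges exercised), as a tracer might record them.
TRACE_HIT = [("main", "entry", "m1"), ("parse_header", "entry", "h1"),
             ("parse_header", "h1", "h2"), ("parse_header", "h2", "exit"),
             ("main", "m1", "m2"), ("parse_body", "entry", "b1"),
             ("parse_body", "b1", "b2"), ("parse_body", "b2", "exit"),
             ("main", "m2", "m3"), ("main", "m3", "exit")]
TRACE_EARLY_RETURN = [("main", "entry", "m1"), ("parse_header", "entry", "h1"),
                      ("parse_header", "h1", "h2"), ("parse_header", "h2", "exit"),
                      ("main", "m1", "m2"), ("parse_body", "entry", "b1"),
                      ("parse_body", "b1", "exit"), ("main", "m2", "m3"),
                      ("main", "m3", "exit")]
TRACE_HEADER_FAIL = [("main", "entry", "m1"), ("parse_header", "entry", "h1"),
                     ("parse_header", "h1", "h2"), ("parse_header", "h2", "exit"),
                     ("main", "m1", "m3"), ("main", "m3", "exit")]

if __name__ == "__main__":
    edges = concerned_edges(PROGRAM, TARGET)
    for name, trace in [("hit", TRACE_HIT), ("early_return", TRACE_EARLY_RETURN),
                        ("header_fail", TRACE_HEADER_FAIL)]:
        print(f"{name}: fitness={fitness(trace, edges):.2f}")
```

The three constructed traces score 1.0, 0.75 and 0.25 respectively: the seed that returns early from parse_body still gets credit for the call edges it did follow towards the target, and the seed that fails in parse_header and jumps to cleanup gets the least, which is the ordering a seed scheduler would want before any seed has actually reached the target.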