变异器生成

星期五, 10月 25, 2024 | 2分钟阅读 | 更新于 星期日, 12月 8, 2024

YuanFeng Xie

本次博文用于梳理AFLplusplus的框架，Mutator在AFL及AFLplusplus中的定义，Custom Mutator在AFLplusplus中的定义，以及利用LLM进行Mutator Generation遇到的挑战。

模糊测试框架

Mutator的定义

AFL中对于Mutator的定义

Definition in AFL: Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies. The mutator operates as part of AFL’s instrumentation-guided genetic algorithm to explore new program states. When mutations result in new state transitions (detected through edge coverage), the mutated outputs are added to the fuzzing queue for further testing, as described in this sequence from the document.

AFL中没有对于Mutator的明确定义，而是对Mutation进行了定义，即对目标文件内容进行修改，修改操作可以包括添加，删除，替换等比特级别的操作

AFL++中对于Custom Mutator的定义

Custom mutators enhance and alter the mutation strategies of AFL++. There are different types of custom mutators for different purposes: Grammar-agnostic: “./autotokens you find a token-level fuzzer that does not need to know anything about the grammar of an input as long as it is in ascii and allows whitespace”；Grammar-based: “atnwalk and gramatron are grammar custom mutators”；Protocol-specific: As shown in the “libprotobuf Mutators” section

Custom Mutator是对AFL原始Mutator的一种增强，使变异操作不局限于比特级别，而是扩展到与输入语法相关的字段级，结构级修改变异，使修改后的内容语法正确性更高。

Mutator Generation

Mutator的Generation划分为两个部分，一个是Mutation Strategy的生成，一个是Mutation Oracle的生成。利用从RFC中抽取出来的Specification Requirement进行规则分类和匹配，将构造消息约束和处理消息约束进行配对。如下图所示，Msg Construction SR中的消息构造规则描述PSK字段应当置于Extension序列中的最后一个。

为了确保Mutation Strategy Generation执行结果即Msg Mutation Exec Code的正确性，将Mutation Strategy Generation的执行过程，分拆成三个部分，分别为约束违反生成，变异描述生成，变异代码生成。

• 约束违反生成：消息构造规则作为输入，输出违反规则约束的测试指导策略，图片展示测试策略为将PSK扩展置于其它扩展之前
• 变异描述生成：构造违反描述作为输入，输出报文变异指导自然语言描述，图片展示自然描述为将PSK和supported_versions扩展顺序进行交换
• 变异代码生成：报文变异指导作为输入，输出报文变异代码，图片展示最终的变异代码为一个API调用。