【Author】 He, Jingxuan; Balunovic, Mislav; Ambroladze, Nodar; Tsankov, Petar; Vechev, Martin
【Source】PROCEEDINGS OF THE 2019 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY (CCS'19)
【Abstract】Fuzzing and symbolic execution are two complementary techniques for discovering software vulnerabilities. Fuzzing is fast and scalable, but can be ineffective when it fails to randomly select the right inputs. Symbolic execution is thorough but slow and often does not scale to deep program paths with complex path conditions. In this work, we propose to learn an effective and fast fuzzer from symbolic execution, by phrasing the learning task in the framework of imitation learning. During learning, a symbolic execution expert generates a large number of quality inputs improving coverage on thousands of programs. Then, a fuzzing policy, represented with a suitable architecture of neural networks, is trained on the generated dataset. The learned policy can then be used to fuzz new programs. We instantiate our approach to the problem of fuzzing smart contracts, a domain where contracts often implement similar functionality (facilitating learning) and security is of utmost importance. We present an end-to-end system, ILF (for Imitation Learning based Fuzzer), and an extensive evaluation over >18K contracts. Our results show that ILF is effective: (i) it is fast, generating 148 transactions per second, (ii) it outperforms existing fuzzers (e.g., achieving 33% more coverage), and (iii) it detects more vulnerabilities than existing fuzzing and symbolic execution tools for Ethereum.
【Keywords】Fuzzing; Imitation learning; Symbolic execution; Smart contracts
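The pipeline the abstract describes (a symbolic execution expert that solves path conditions to produce coverage-improving inputs, a fuzzing policy trained on those demonstrations, and the policy replayed on programs it never saw) as an added toy example in Python. This is an illustration written for this record, not ILF's code. It assumes a deliberately simplified program model (a contract is a list of branch conditions over one integer transaction argument), a bounded-search stand-in for the symbolic execution expert, and an offset-frequency table in place of the paper's neural network policy; every contract in it is constructed.

```python
"""Toy imitation-learning fuzzer in the spirit of ILF.

Added illustration, not the paper's code. A 'contract' is modelled as a list of
branch conditions (op, constant) over one integer transaction argument; the
symbolic execution expert is a bounded constraint solver over that argument;
the neural fuzzing policy is replaced by a frequency table of expert actions
expressed relative to the constants visible in the program. All contracts
below are constructed toy inputs.
"""
import random
from collections import Counter

# A branch (op, c) is covered when some transaction argument x satisfies it.
OPS = {
    "==": lambda x, c: x == c,
    "!=": lambda x, c: x != c,
    "<": lambda x, c: x < c,
    ">": lambda x, c: x > c,
    "<=": lambda x, c: x <= c,
    ">=": lambda x, c: x >= c,
}


def coverage(program, txs):
    """Indices of branches hit by at least one argument in txs."""
    return {i for i, (op, c) in enumerate(program) for x in txs if OPS[op](x, c)}


def symbolic_expert(program, radius=64):
    """Stand-in for the symbolic execution expert.

    For every branch not yet covered, 'solve' its condition by bounded search
    around the constant (a real solver would return a model of the path
    condition) and record a demonstration: (state, action) with state = the
    constants visible in the program and action = the chosen argument.
    """
    demos, covered = [], set()
    state = tuple(c for _, c in program)
    for i, (op, c) in enumerate(program):
        if i in covered:
            continue
        # Stable sort by distance from c visits c, c-1, c+1, c-2, ... so the
        # first satisfying value is a boundary value, as a solver would return.
        for x in sorted(range(c - radius, c + radius + 1), key=lambda v: abs(v - c)):
            if OPS[op](x, c):
                demos.append((state, x))
                covered |= coverage(program, [x])
                break
    return demos


def train_policy(demos):
    """Imitation step: learn how the expert's action relates to the nearest
    program constant. Returns a Counter of offsets (x - nearest constant)."""
    offsets = Counter()
    for consts, x in demos:
        nearest = min(consts, key=lambda c: abs(x - c))
        offsets[x - nearest] += 1
    return offsets


def learned_fuzzer(program, policy, n, rng):
    """Fuzz an unseen program by replaying the learned offset distribution
    around that program's own constants (no solver at fuzzing time)."""
    consts = [c for _, c in program]
    offs, weights = zip(*policy.items())
    return [rng.choice(consts) + rng.choices(offs, weights=weights)[0] for _ in range(n)]


def random_fuzzer(program, n, rng, lo=-1000, hi=1000):
    """Baseline: uniform random arguments with no knowledge of the program."""
    return [rng.randint(lo, hi) for _ in range(n)]


# Constructed training contracts: the expert runs on these; the policy never
# sees the test contract below during training.
TRAINING_CONTRACTS = [
    [("==", 42), (">", 100), ("<", -7)],
    [(">=", 10), ("!=", 10), ("==", 255)],
    [("<=", 0), ("<", 500), (">", 900)],
]

# Constructed unseen contract: one branch is a needle in a haystack for the
# random fuzzer (== 77) and one is outside its range entirely (> 31337).
TEST_CONTRACT = [("==", 77), ("!=", 77), ("<", -300), (">", 31337)]


def run_experiment(n_txs=200, seed=0):
    """Train on the expert's demonstrations, then fuzz the unseen contract with
    the learned policy and with random inputs. Returns both coverage sets."""
    demos = [d for prog in TRAINING_CONTRACTS for d in symbolic_expert(prog)]
    policy = train_policy(demos)
    rng = random.Random(seed)
    learned = coverage(TEST_CONTRACT, learned_fuzzer(TEST_CONTRACT, policy, n_txs, rng))
    baseline = coverage(TEST_CONTRACT, random_fuzzer(TEST_CONTRACT, n_txs, rng))
    return {"policy": policy, "learned": learned, "random": baseline}


if __name__ == "__main__":
    result = run_experiment()
    print("learned offsets:", dict(result["policy"]))
    print("learned-policy coverage:", sorted(result["learned"]))
    print("random coverage:        ", sorted(result["random"]))
```

What the run shows is the mechanism rather than the scale of the paper: the expert's demonstrations all sit at constant + {-1, 0, +1}, the policy learns exactly that table, and replaying it around the constants of an unseen contract covers the `== 77` and `> 31337` branches that a uniform random fuzzer over a 2001-value range hits rarely or never. The real ILF policy is a neural network trained on thousands of contracts, as the abstract states, and its inputs are far richer than a list of constants; the table here stands in only to make the imitation step visible.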
【Title (translation)】Learning to Fuzz from Symbolic Execution with Application to Smart Contracts
【Abstract (translation)】Fuzzing and symbolic execution are two complementary techniques for discovering software vulnerabilities. Fuzzing is fast and scalable, but can fail when it does not randomly select the right inputs. Symbolic execution is thorough but slow, and usually cannot scale to deep program paths with complex path conditions. In this work, we propose to learn an effective and fast fuzzer from symbolic execution by phrasing the learning task in the framework of imitation learning. During learning, a symbolic execution expert generates a large number of high-quality inputs that improve coverage on thousands of programs. A fuzzing policy, represented by a suitable neural network architecture, is then trained on the generated dataset. The learned policy can then be used to fuzz new programs. We instantiate our approach on the problem of fuzzing smart contracts, a domain where contracts often implement similar functionality (which facilitates learning) and where security is of utmost importance. We present an end-to-end system, ILF (Imitation Learning based Fuzzer), and an extensive evaluation over more than 18K contracts. Our results show that ILF is effective: (i) it is fast, generating 148 transactions per second; (ii) it outperforms existing fuzzers (e.g., achieving 33% more coverage); and (iii) it detects more vulnerabilities than existing fuzzing and symbolic execution tools for Ethereum.
【Keywords (translation)】Fuzzing; Imitation learning; Symbolic execution; Smart contracts
【Year published】2019
【Date indexed】2022-04-23
【Document type】Proceedings Paper
【Primary topic】Blockchain regulation
【Secondary topic】Smart contract regulation
【Translator】王佳鑫