Dynamic data flow analysis has been widely used to guide greybox fuzzing. However, traditional dynamic data flow analysis tends to go astray in the massive path tracking and requires to process a large volume of data, resulting in low efficiency in reaching the target location. In this paper, we propose a directed greybox fuzzer based on dynamic constraint filtering and focusing (CONFF). First, all path constraints are tracked, and those with high priority are filtered as the next solution targets. Next, focusing on a single path constraint to be satisfied, we obtain its data condition and probe the mapping relationship between it and the input bytes through multi-byte mapping and single-byte mapping. Finally, various mutation strategies are utilized to solve the path constraint currently focused on, and the target location of the program is gradually approached through path selection. The CONFF fuzzer can reach a specific location faster in the target program, thus efficiently triggering the crash. We designed and implemented a prototype of the CONFF fuzzer and evaluated it with the LAVA-1 dataset and some real-world vulnerabilities. The results show that the CONFF fuzzer can reproduce crashes on the LAVA-1 dataset and most of the real-world vulnerabilities. For most vulnerabilities, the CONFF fuzzer reproduced the crashes with significantly reduced time compared to state-of-the-art fuzzers. On average, the CONFF fuzzer was 23.7x faster than the state-of-the-art code coverage-based fuzzer Angora and 27.3x faster than the classical directed greybox fuzzer AFLGo.

翻译：动态数据流分析已被广泛用于指导灰盒模糊测试。然而，传统动态数据流分析在大量路径追踪中容易偏离目标，且需要处理海量数据，导致到达目标位置的效率低下。本文提出一种基于动态约束过滤与聚焦的定向灰盒模糊器（CONFF）。首先，追踪所有路径约束，并筛选出优先级高的约束作为待求解目标。随后，聚焦于需要满足的单个路径约束，获取其数据条件，并通过多字节映射和单字节映射探测该约束与输入字节之间的映射关系。最后，采用多种变异策略来求解当前聚焦的路径约束，通过路径选择逐步逼近程序的目标位置。CONFF模糊器能够更快地到达目标程序中的特定位置，从而高效触发崩溃。我们设计并实现了CONFF模糊器的原型，并利用LAVA-1数据集及若干真实世界漏洞对其进行了评估。结果表明，CONFF模糊器能够复现LAVA-1数据集及大部分真实世界漏洞。对于大多数漏洞，与现有最优模糊器相比，CONFF模糊器复现崩溃的时间显著减少。平均而言，CONFF模糊器的速度是现有最优代码覆盖率模糊器Angora的23.7倍，是经典定向灰盒模糊器AFLGo的27.3倍。