CAFA: A Checksum-Aware Fuzzing Assistant Tool for Coverage Improvement

<table class="fixed-width table-group" id="tab2"><tr><td><table class="table"><colgroup><col style="width:27.04em"/></colgroup><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr><td class="align_left">application ::= ins<svg height="10.1524pt" id="M33" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z" id="g50-43"></path></g></svg></td></tr><tr><td class="align_left">ins::= cji ∣ cli ∣ oti</td></tr><tr><td class="align_left">cji::= conditional jump instructions</td></tr><tr><td class="align_left">cli ::= constant instructions</td></tr><tr><td class="align_left">oti::= other instructions</td></tr><tr><td class="align_left">operand p::= register ∣ memory</td></tr><tr><td class="align_left">register r::= eax ∣ ebx ∣ ecx ∣ edx ∣ eflags ∣ …</td></tr><tr><td class="align_left">taint status::= T ∣ F</td></tr><tr><td class="align_left">taint labels::= labels of the taint source</td></tr><tr><td class="align_left"><svg height="9.14241pt" id="M34" style="vertical-align:-3.1815pt" version="1.1" viewbox="-0.0498162 -5.96091 12.0258 9.14241" width="12.0258pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M471 456L444 459C426 433 414 430 388 430C324 430 270 434 216 434C103 434 51 374 23 338L43 317C96 366 146 380 221 375L154 109C149 86 147 68 147 52C147 4 168 -12 197 -12C240 -12 291 25 334 71L320 96C295 75 268 58 252 58C238 58 227 79 238 138C251 211 272 296 292 372C310 372 332 368 350 368C391 368 421 369 434 371C444 388 455 413 471 456Z" id="g113-241"></path></g><g transform="matrix(.0091,0,0,-0.0091,5.434,3.132)"><path d="M610 0V27L347 666L316 657L46 26V0H610ZM504 54H116L310 537L504 54Z" id="g50-133"></path></g></svg> ::= map of register or memory addresses to taint statuses</td></tr><tr><td class="align_left"><svg height="12.1045pt" id="M35" style="vertical-align:-3.18152pt" version="1.1" viewbox="-0.0498162 -8.92298 18.5632 12.1045" width="18.5632pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M896 662C863 643 826 624 783 624C682 624 539 680 429 680C328 680 253 659 202 616C163 583 138 537 138 484C138 399 208 349 283 349C396 349 466 417 492 554L472 555C436 442 385 379 286 379C234 379 179 410 179 491C179 578 257 634 382 634C475 634 622 574 731 574C796 574 862 610 907 647L896 662ZM657 568C577 499 520 440 477 341L463 310C368 277 286 233 247 186L260 171C320 211 380 237 437 256C349 77 281 31 184 31C124 31 83 59 78 94H80C87 83 101 81 109 81C137 81 153 104 153 131S130 180 103 180C68 180 43 154 43 111C43 34 123 0 192 0C335 0 469 75 546 282C599 291 640 293 661 294C653 267 650 244 650 224V206L709 226C706 235 706 245 706 252C706 271 706 289 714 312C758 333 786 368 786 387C786 403 775 409 763 409C744 409 712 391 685 352C644 351 604 345 564 337C595 433 622 506 671 554L657 568Z" id="g198-7"></path></g><g transform="matrix(.0091,0,0,-0.0091,11.947,3.132)"><path d="M610 0V27L347 666L316 657L46 26V0H610ZM504 54H116L310 537L504 54Z" id="g50-133"></path></g></svg> ::= map of register or memory addresses to taint labels</td></tr><tr><td class="align_left"><svg height="12.1925pt" id="M36" style="vertical-align:-3.29563pt" version="1.1" viewbox="-0.0498162 -8.89687 12.4447 12.1925" width="12.4447pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M498 289L301 680H245L48 289L245 -101H301L498 289ZM435 289L274 -29H272L111 289L272 608H274L435 289Z" id="g114-155"></path></g><g transform="matrix(.0091,0,0,-0.0091,7.098,3.132)"><path d="M156 406V710C117 695 54 682 9 675V647C73 642 75 635 75 573V25C131 -2 180 -12 223 -12C359 -12 478 92 478 240C478 357 387 451 278 451C265 451 251 447 236 440L156 406ZM156 373C175 384 208 392 235 392C315 392 387 328 387 214C387 97 332 30 251 31C197 31 170 66 162 84C158 93 156 104 156 118V373Z" id="g58-96"></path></g></svg> ::= typical OR operator</td></tr><tr><td class="align_left"><svg height="12.0784pt" id="M37" style="vertical-align:-3.18153pt" version="1.1" viewbox="-0.0498162 -8.89687 12.125 12.0784" width="12.125pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M498 289L301 680H245L48 289L245 -101H301L498 289ZM435 289L274 -29H272L111 289L272 608H274L435 289Z" id="g114-155"></path></g><g transform="matrix(.0091,0,0,-0.0091,7.098,3.132)"><path d="M482 0V30C420 38 407 48 370 103L273 248C308 299 331 332 352 357C387 397 401 404 463 409V439H277V409C318 405 324 400 307 369C290 337 270 307 251 279L194 367C175 396 180 402 220 409V439H18V409C74 401 87 395 117 349L204 213C173 168 147 130 119 95C78 46 67 38 5 30V0H195V30C144 38 143 47 162 79C181 112 202 149 225 181L297 70C314 43 307 35 264 30V0H482Z" id="g58-118"></path></g></svg> ::= typical XOR operator</td></tr><tr><td class="align_left"><svg height="12.1925pt" id="M38" style="vertical-align:-3.29563pt" version="1.1" viewbox="-0.0498162 -8.89687 12.6639 12.1925" width="12.6639pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M498 289L301 680H245L48 289L245 -101H301L498 289ZM435 289L274 -29H272L111 289L272 608H274L435 289Z" id="g114-155"></path></g><g transform="matrix(.0091,0,0,-0.0091,7.098,3.132)"><path d="M527 54L498 55C459 56 451 63 451 114V445C436 442 413 438 384 435C353 432 318 430 291 429V402L328 396C361 390 370 387 370 331V101C336 70 300 54 262 54C217 54 173 78 173 166V300C173 361 173 412 176 445C160 442 132 438 105 434C77 431 52 430 29 429V402L59 395C83 390 92 385 92 331V141C92 30 150 -12 218 -12C246 -12 266 -4 295 13C324 29 346 47 370 64V-6L376 -12C396 -7 421 1 448 8C476 15 504 21 527 24V54Z" id="g58-115"></path></g></svg> ::= typical UNION operator for sets</td></tr><tr class="table-tr"><td colspan="1"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Intermediate language CAFA-IL.</div>

Security and Communication Networks

tab2

Table 2

Table 2: CAFA: A Checksum-Aware Fuzzing Assistant Tool for Coverage Improvement 