sgabe/SeedClass

GitHub: sgabe/SeedClass

A machine-learning-based seed-selection strategy: a neural-network classifier prioritizes input samples that exhibit vulnerability-like characteristics, substantially improving the crash-discovery efficiency of directed fuzzing.

Stars: 0 | Forks: 0

# SeedClass

**SeedClass** is an experimental implementation of a seed-selection strategy that uses machine learning to augment coverage-guided mutational fuzzing. It employs a neural network as a binary classifier, trained on input samples collected from past fuzzing campaigns, to distinguish *valid* inputs from malformed samples that trigger a *crash* in the target program. The trained model's predictions are used to prioritize inputs whose characteristics resemble those of known vulnerable samples, effectively steering the fuzzer toward the security-relevant parts of the program.

## Training dataset

This repository provides a labelled dataset intended for evaluating the proposed machine-learning-based seed-selection strategy under realistic test conditions. The case study focuses on fuzzing [Windows GDI](https://learn.microsoft.com/en-us/windows/win32/gdi/windows-gdi) with [EMF](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/91c257d7-c39d-4a36-9b1f-63e3f73d30ca) files on legacy Windows, to assess how effectively the approach guides the fuzzer toward known vulnerabilities.

*Figure: Distribution of labels (imbalanced) / Distribution of labels (balanced)*

*Figure: 2-component PCA (imbalanced) / 2-component PCA (balanced)*

*Figure: t-SNE (imbalanced) / t-SNE (balanced)*
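To make the mechanism concrete, here is an added, self-contained sketch of the seed-selection loop the README describes; it is example code written for this page, not code from the SeedClass repository. Everything in it is an assumption: the features are a histogram of EMF record types obtained by walking the 8-byte record headers (u32 Type, u32 Size), a stdlib logistic regression with per-class weights stands in for the project's neural network, and the training corpus consists of constructed toy byte streams rather than real GDI crash files. The `class_weight` switch mirrors the README's balanced versus imbalanced training variants.

```python
"""Added example (hypothetical, not SeedClass code): rank a fuzzing seed queue
by a classifier's predicted crash probability, using EMF record-type
histograms as features and constructed toy samples as training data."""
import math
import struct
from typing import Dict, List, Optional, Tuple

# EMF record type numbers from MS-EMF (only the ones used here).
EMR_HEADER, EMR_POLYBEZIER, EMR_EOF, EMR_SETPIXELV, EMR_EXTCREATEPEN = 1, 2, 14, 15, 95
MAX_TYPE = 122                  # EMF record types are numbered 1..122
N_FEATURES = MAX_TYPE + 2       # [0]=unknown type, [1..122]=per-type counts, [123]=malformed flag


def parse_emf(data: bytes) -> Tuple[List[Tuple[int, int]], bool]:
    """Walk the 8-byte EMF record headers (little-endian u32 Type, u32 Size).
    Returns (records, well_formed). Malformed streams are not rejected: a
    fuzzing seed must be featurized whether or not it parses cleanly."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        records.append((rtype, size))
        if size < 8 or size % 4 or off + size > len(data):
            return records, False           # bad Size field: truncated or corrupt
        off += size
        if rtype == EMR_EOF:
            return records, True
    return records, False                   # ran out of bytes before EMR_EOF


def featurize(data: bytes) -> List[float]:
    """Log-scaled histogram of record types plus a malformed-stream flag."""
    vec = [0.0] * N_FEATURES
    records, ok = parse_emf(data)
    for rtype, _ in records:
        vec[rtype if 1 <= rtype <= MAX_TYPE else 0] += 1.0
    vec = [math.log1p(c) for c in vec]
    vec[N_FEATURES - 1] = 0.0 if ok else 1.0
    return vec


class CrashClassifier:
    """Logistic regression trained by batch gradient descent (a stand-in for
    the README's neural network). class_weight lets the 'balanced' variant
    counteract the valid/crash imbalance of the training corpus."""

    def __init__(self, n_features: int = N_FEATURES, lr: float = 0.5, epochs: int = 300):
        self.w, self.b, self.lr, self.epochs = [0.0] * n_features, 0.0, lr, epochs

    def predict_proba(self, x: List[float]) -> float:
        z = self.b + sum(wj * xj for wj, xj in zip(self.w, x))
        z = max(-30.0, min(30.0, z))        # keep exp() in range
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, X: List[List[float]], y: List[int],
            class_weight: Optional[Dict[int, float]] = None) -> "CrashClassifier":
        cw = class_weight or {0: 1.0, 1: 1.0}
        n = len(X)
        for _ in range(self.epochs):
            gw, gb = [0.0] * len(self.w), 0.0
            for x, t in zip(X, y):
                err = cw[t] * (self.predict_proba(x) - t)   # weighted log-loss gradient
                gb += err
                for j, xj in enumerate(x):
                    gw[j] += err * xj
            self.w = [wj - self.lr * g / n for wj, g in zip(self.w, gw)]
            self.b -= self.lr * gb / n
        return self


def balanced_weights(y: List[int]) -> Dict[int, float]:
    """'balanced' class weights: n / (2 * count of that class)."""
    pos = sum(y)
    neg = len(y) - pos
    return {0: len(y) / (2.0 * neg), 1: len(y) / (2.0 * pos)}


def rank_seeds(model: CrashClassifier, seeds: Dict[str, bytes]) -> List[Tuple[str, float]]:
    """Order the seed queue by predicted crash probability, highest first."""
    scored = [(name, model.predict_proba(featurize(d))) for name, d in seeds.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


# --- constructed toy samples (not real GDI crash files) ----------------------
def rec(rtype: int, payload: bytes = b"") -> bytes:
    payload += b"\0" * (-len(payload) % 4)  # record sizes are multiples of 4
    return struct.pack("<II", rtype, 8 + len(payload)) + payload

def toy_valid(n_draw: int) -> bytes:
    return (rec(EMR_HEADER, b"\0" * 80) + rec(EMR_POLYBEZIER, b"\0" * 24) * n_draw
            + rec(EMR_SETPIXELV, b"\0" * 12) + rec(EMR_EOF, b"\0" * 12))

def toy_crash(n_pens: int) -> bytes:
    # Many pen-creation records, then a record whose Size runs past the stream end.
    return (rec(EMR_HEADER, b"\0" * 80) + rec(EMR_EXTCREATEPEN, b"\0" * 44) * n_pens
            + struct.pack("<II", EMR_EXTCREATEPEN, 0x1000))

def build_model(class_weight: Optional[str] = "balanced") -> CrashClassifier:
    """Train on an imbalanced toy corpus: 8 valid samples, 2 crashing ones."""
    corpus = [(toy_valid(k), 0) for k in range(1, 9)] + [(toy_crash(k), 1) for k in (4, 6)]
    X = [featurize(d) for d, _ in corpus]
    y = [label for _, label in corpus]
    cw = balanced_weights(y) if class_weight == "balanced" else None
    return CrashClassifier().fit(X, y, cw)


if __name__ == "__main__":
    model = build_model()
    queue = {"seed_a.emf": toy_valid(3), "seed_b.emf": toy_crash(3), "seed_c.emf": toy_valid(5)}
    for name, p in rank_seeds(model, queue):
        print(f"{name}: p(crash)={p:.3f}")
```

Passing `build_model(None)` trains the imbalanced variant with unit class weights, which is the comparison the README's PRC and confusion-matrix figures draw. In a real campaign the scoring function would be called on each new queue entry and the fuzzer's scheduler would consume the sorted list.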

## Learning process

*Figure: Essential metrics (imbalanced) / Essential metrics (balanced)*

*Figure: PRC (imbalanced) / PRC (balanced)*

*Figure: Confusion matrix (imbalanced) / Confusion matrix (balanced)*

## Evaluation results

| Strategy             | Executions | Speed    | Paths   | Pending  | Coverage   | Stability  | TTC       | Crashes |
|----------------------|------------|----------|---------|----------|------------|------------|-----------|---------|
| Randomize            | 182M       | 2.1k     | **19k** | 131k     | 38.81%     | 68.11%     | 01:17     | 46      |
| Minimize             | **252M**   | **2.9k** | 18k     | 117k     | 39.11%     | 65.48%     | 01:11     | 59      |
| Predict (balanced)   | 212M       | 2.5k     | 17k     | 118k     | 39.04%     | 64.66%     | **00:11** | **108** |
| Predict (imbalanced) | 188M       | 2.2k     | 16.2k   | 109k     | 38.51%     | **70.17%** | 00:54     | 73      |
| Combine              | 154M       | 1.8k     | 17k     | **137k** | **40.37%** | 69.47%     | 04:27     | 62      |

## Bug distribution

| BugId      | Randomize | Minimize | Predict (balanced) | Predict (imbalanced) | Combine |
|------------|-----------|----------|--------------------|----------------------|---------|
| `0e5.7fb`  | 11        | 16       | 16                 | 4                    | 3       |
| `2b1.cf1`  |           |          |                    |                      | 1       |
| `3ce.9b5`  | 35        | 10       | 17                 | 10                   | 13      |
| `520.506`  | 1         | 7        |                    |                      |         |
| `5ab.a57`  |           |          |                    |                      | 5       |
| `6e7.9de`  |           |          |                    | 1                    |         |
| `8ed.260`  |           |          | 1261               | 847                  | 806     |
| `8ed.13f`  |           |          | 3                  | 4                    | 2       |
| `999.7fb`  | 1         |          |                    |                      |         |
| `be9.1bc`  |           |          | 1                  |                      |         |
| `d05.7fb`  |           | 6        | 76                 | 2                    |         |
| `db3.f44`  | 28        | 1        | 1                  |                      |         |
| `eb3.7fb`  | 11        | 23       | 34                 | 32                   | 16      |
| `efe.7fb`  | 3         | 9        | 11                 | 1                    | 2       |
| `f33.8ed`  |           |          | 2603               | 2464                 | 1726    |
| `f33.cf7`  |           |          | 158                | 104                  | 70      |

## Unique crash samples

| **File (SHA256)** | **Size** | **BugId** | **Library**   | **Function**                               |
|-------------------|----------|-----------|---------------|--------------------------------------------|
| `00AE644CE5C9`    | 608      | f33.cf7   | GdiPlus.dll   | `DpRegion::Set`                            |
| `011E5AC5E789`    | 220      | 2b1.cf1   | Gdi32Full.dll | `CreateFontIndirectWImpl`                  |
| `0330DE6EF25F`    | 806      | 358.586   | GdiPlus.dll   | `MRRESIZEPALETTE::bPlay`                   |
| `05B0FED97564`    | 608      | db3.f44   | GdiPlus.dll   | `Div64_Asm`                                |
| `097C40E7A079`    | 550      | e5f.b0d   | GdiPlus.dll   | `EmfEnumState::ModifyRecordColor`          |
| `09A8E14E95E9`    | 248      | 9ce.d2f   | GDI32.dll     | `CreateDIBitmap`                           |
| `0CC3CBE5B224`    | 446      | 3f4.c6a   | GdiPlus.dll   | `GdipGetWinMetaFileBitsEx`                 |
| `1455438460E2`    | 144      | d05.7fb   | GdiPlus.dll   | `EmfEnumState::CreatePen`                  |
| `19917F1A9771`    | 248      | 6b3.d8d   | Gdi32Full.dll | `StretchDIBitsImpl`                        |
| `1FC0FB7EFAE0`    | 136      | 0e5.7fb   | GdiPlus.dll   | `EmfEnumState::ExtCreatePen`               |
| `21013B2BF3D4`    | 756      | 5ab.a57   | GdiPlus.dll   | `CopyGindices`                             |
| `2544E3E4EE24`    | 56020    | a89.bf8   | GDI32.dll     | `ConvertDxArray`                           |
| `29DE93CD3EFD`    | 526      | fe8.b17   | GdiPlus.dll   | `MfEnumState::ModifyDib`                   |
| `2D3E1B99717E`    | 159000   | c31.d2f   | GdiPlus.dll   | `DoRotatedStretchBlt`                      |
| `431E261EEC30`    | 612      | 9e2.372   | GdiPlus.dll   | `FullTextImager::Render`                   |
| `46F782B08565`    | 904      | 552.f99   | GdiPlus.dll   | `DoExtTextOut`                             |
| `4979D4379004`    | 236      | bba.7fb   | GdiPlus.dll   | `EmfEnumState::ModifyRecordColor`          |
| `51D49EC5E723`    | 313      | 289.e06   | GDI32.dll     | `pbmiConvertInfo`                          |
| `522AD0595FDE`    | 780      | cbf.7fb   | GdiPlus.dll   | `EmfEnumState::CreateDibPatternBrushPt`    |
| `54FF54F83BDB`    | 280      | 1ce.77d   | GdiPlus.dll   | `DrawImagePointsEPR::Play`                 |
| `5BA20DD2301B`    | 472      | 9f7.7fb   | GdiPlus.dll   | `EmfEnumState::SelectObject`               |
| `64F96E2C43A4`    | 232      | 999.7fb   | GdiPlus.dll   | `EmfEnumState::SetROP2`                    |
| `671F4A6C7173`    | 248      | 7c8.7c8   | msvcrt.dll    | `_VEC_memcpy`                              |
| `6E39F2B013BE`    | 3700     | 3a8.13d   | GdiPlus.dll   | `DoGdiCommentMultiFormats`                 |
| `77526891CE54`    | 555      | f33.8ed   | GdiPlus.dll   | `DpRegion::Set`                            |
| `79E5F5357EDA`    | 1270     | 334.995   | GdiPlus.dll   | `ToCOLORREF`                               |
| `8437F6E0B646`    | 248      | 72d.895   | GDI32.dll     | `MRSETDIBITSTODEVICE::bPlay`               |
| `878209CA7A27`    | 555      | 3ce.9b5   | GdiPlus.dll   | `GpStringFormat::SetData`                  |
| `893201F60329`    | 204      | 3cd.699   | GdiPlus.dll   | `bHandleFrameRgn`                          |
| `8A18FBD266E6`    | 248      | 72d.895   | GdiPlus.dll   | `bEmitWin16StretchBlt`                     |
| `8DDB06D2AA0E`    | 314      | 2b1.699   | GdiPlus.dll   | `bHandlePaintRgn`                          |
| `99161BA9CBC0`    | 769      | 6fe.4dc   | GdiPlus.dll   | `EpAliasedFiller::FillEdgesAlternate`      |
| `9F8741698275`    | 500      | 8bb.46b   | GdiPlus.dll   | `DoSetDIBitsToDevice`                      |
| `E00B5FAFBD7E`    | 578      | 8ed.260   | GdiPlus.dll   | `DpRegion::And`                            |
| `E112D9DC0123`    | 137      | efe.7fb   | GdiPlus.dll   | `EmfEnumState::ExtCreateFontIndirect`      |
| `F30797A5B8BB`    | 626      | 932.8d1   | GdiPlus.dll   | `ValidateBitmapInfo`                       |
| `F5F958FEF5E9`    | 599      | 853.699   | GdiPlus.dll   | `bHandleFillRgn`                           |
| `F7AFF247E121`    | 252      | 699.0e9   | GdiPlus.dll   | `bParseWin32Metafile`                      |
| `FD0F262AA4D7`    | 854      | -         | Gdi32Full.dll | `MRBDIB::vInit`                            |
| `A390F3B1FEDF`    | 400      | 520.506   | Gdi32Full.dll | `NamedEscape`                              |
| `44168A76232A`    | 608      | 6e7.9de   | dwrite.dll    | `GlyphDataElement<...>::GetExistingGlyphs` |
| `763A0E8C4880`    | 12771    | 23a.5ec   | GdiPlus.dll   | `BuiltLine::UpdateContentWithPathEllipsis` |
| `AE76571CE282`    | 609      | 07f       | GdiPlus.dll   | `RasterizePath`                            |
| `400A7E5433EE`    | 617      | 596.07f   | GdiPlus.dll   | `EpAliasedFiller::FillEdgesWinding`        |
| `EF4C6D6334D`     | 610      | 02a.273   | GdiPlus.dll   | `ScanOperation::AlphaMultiply_sRGB`        |
| `DBD042AD80CA`    | 656      | d9b.21d   | GdiPlus.dll   | `ScanOperation::Blend_sRGB_sRGB_MMX`       |
| `02072F1534E8`    | 608      | 7dd.2cd   | dwrite.dll    | `fsc_FillBitMap`                           |
| `A17568FA8D62`    | 608      | be9.1bc   | GdiPlus.dll   | `GpPen::GetMaximumWidth`                   |
| `3A8835E20EA1`    | 610      | 7fa.70b   | GdiPlus.dll   | `SpanVector<...>::Free`                    |
| `F16B74E7CF5E`    | 234      | a05.56e   | GdiPlus.dll   | `EpScanGdiDci::NextBuffer`                 |
| `D9A80A481AB5`    | 289      | 8c2.671   | Gdi32Full.dll | `MF_GdiCommentBeginGroupEMF`               |
| `0050349F2FEF`    | 291      | a20.9f5   | msvcrt.dll    | `fastzero_I`                               |
| `01266FE4F837`    | 199      | 6cf.8c2   | Gdi32Full.dll | `MRGDICOMMENT::vInitBeginGroupEMF`         |
| `2F3C8D485B7A`    | 288      | d1b.d76   | GdiPlus.dll   | `ValidateBitmapInfo`                       |
| `1BDFC7E83A3C`    | 220      | f61.dc1   | ucrtbase.dll  | `_wcsicmp`                                 |
| `9024AD25E0B4`    | 612      | fab       | GdiPlus.dll   | `QuickSortIndex`                           |
| `5A437085BC9F`    | 1012     | 56d.23c   | GdiPlus.dll   | `DpDriver::FillPath`                       |