Please wait a minute...
 首页  期刊介绍 期刊订阅 联系我们 横山亮次奖 百年刊庆
 
最新录用  |  预出版  |  当期目录  |  过刊浏览  |  阅读排行  |  下载排行  |  引用排行  |  横山亮次奖  |  百年刊庆
清华大学学报(自然科学版)  2016, Vol. 56 Issue (1): 7-13    DOI: 10.16511/j.cnki.qhdxxb.2016.23.011
  信息安全 本期目录 | 过刊浏览 | 高级检索 |
基于污点信息的函数内存模糊测试技术研究
崔宝江1, 王福维1,2, 郭涛2, 柳本金2
1. 北京邮电大学 计算机学院, 北京 100876;
2. 中国信息安全测评中心, 北京 100085
Research of taint-analysis based API in-memory fuzzing tests
CUI Baojiang1, WANG Fuwei1,2, GUO Tao2, LIU Benjin2
1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China;
2. China Information Technology Security Evaluation Center, Beijing 100085, China
全文: PDF(1185 KB)  
输出: BibTeX | EndNote (RIS)      
摘要 针对二进制程序文件处理漏洞的挖掘, 目前业界主流自动化方案为基于文件变异的模糊测试, 但该方法盲目性高、代码覆盖率低、效率低下。为研究具有高针对性的测试方法, 该文讨论了一种新型的函数内存模糊测试技术。该技术利用动态污点分析的结果, 获取目标程序中处理输入数据流的函数与指令。测试中基于二进制插桩, 对上述函数构造循环执行结构, 并针对内存中的污点数据进行变异。原型系统实验表明: 该测试方法可有效用于栈溢出等漏洞类型的挖掘; 相比传统模糊测试, 消除了因数据盲目测试造成的执行路径中断瓶颈, 且在执行效率上具有95%以上的提升。
服务
把本文推荐给朋友
加入引用管理器
E-mail Alert
RSS
作者相关文章
崔宝江
王福维
郭涛
柳本金
关键词 软件测试模糊测试污点分析控制流劫持    
Abstract:Fuzzing testing is widely utilized as an automatic solution to discover vulnerabilities in file-processing binary programs. Restricted by the high blindness and low code path coverage, fuzzing tests normally work quite inefficiently. An API in-memory fuzzing testing technique was developed to eliminate the blindness. The technique employs dynamic taint analysis to locate the routines and instructions which belong to the target binary executables and involve the input data parsing and processing. Within the testing phase, binary instrumentation was used to construct circulations around such routines, where the contained taint memory values were mutated in each loop. According to the experiments on the prototype tool, this technique can effectively detect defects such as stack overflows. The results also show that the API in-memory fuzzing testing eliminates the bottleneck of interrupting execution paths while gaining an over 95% enhancement of the execution speed in comparison with traditional fuzzing tools.
Key wordssoftware testing    fuzzing testing    taint analysis    control-flow hijacking
收稿日期: 2014-10-28      出版日期: 2016-01-29
ZTFLH:  TP311  
引用本文:   
崔宝江, 王福维, 郭涛, 柳本金. 基于污点信息的函数内存模糊测试技术研究[J]. 清华大学学报(自然科学版), 2016, 56(1): 7-13.
CUI Baojiang, WANG Fuwei, GUO Tao, LIU Benjin. Research of taint-analysis based API in-memory fuzzing tests. Journal of Tsinghua University(Science and Technology), 2016, 56(1): 7-13.
链接本文:  
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.23.011  或          http://jst.tsinghuajournals.com/CN/Y2016/V56/I1/7
  图1 函数内存模糊测试原理
  图2 函数内存模糊测试框架
  图3 污点函数调用示例
  表1 栈溢出程序代码
  表2 正常样本文件数据
  图4 目标程序执行与测试流程
  表3 测试中异常信息记录
  表4 污点函数代码基本块覆盖率
  图5 控制台程序测试速度对比
  图6 图形界面程序测试速度对比
[1] Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software [C]//Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005). New York: ACM, 2005.
[2] Schwartz E, Avgerinos T, Brumley T. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask) [C]//Proceedings of the IEEE Symposium on Security and Privacy. Washington DC: IEEE Computer Society, 2010: 317-331.
[3] WANG Tielei, WEI Tao, GU Guofei, et al. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection [C]//ACM Transactions on Information and System Security (TISSEC). 2011, 14(2): 15:1-15:28.
[4] CUI Baojiang, WANG Fuwei, GUO Tao, et al. FlowWalker: A fast and precise off-line taint analysis framework [C]//Proceedings of the 2013 Fourth International Conference on Emerging Intelligent Data and Web Technologies. Washington DC: IEEE Computer Society, 2013: 583-588.
[5] Sutton M, Greene A, Amini P. Fuzzing: Brute Force Vulnerability Discovery [M]. Addison-Wesley Professional, 2007.
[6] Corelan Team.[EB/OL]. (2010-10-20). https://www.corelan.be/index.php/2010/10/20/in-memory-fuzzing/.
[7] Luk C, Cohn R, Muth R, et al. Pin: Building customized program analysis tools with dynamic instrumentation [C]//Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM, 2005: 190-200.
[8] Oulu University Secure Programming Group. Radamsa[EB/OL].[2014-06-29]. https://www.ee.oulu.fi/research/ouspg/Radamsa.
[9] Eddington M. Peach Fuzzer[EB/OL]. (2014-06-07). http://sourceforge.net/projects/peachfuzz/.
[1] 辛伟, 时志伟, 郝永乐, 董国伟. 基于污点分析和符号执行的漏洞签名生成方法[J]. 清华大学学报(自然科学版), 2016, 56(1): 28-34.
[2] 梁洪亮, 阳晓宇, 董钰, 张普含, 刘书昌. 并行化智能模糊测试[J]. 清华大学学报(自然科学版), 2014, 54(1): 14-19.
[3] 李京哲, 梁彬, 游伟, 王鹏, 石文昌. 基于控制依赖分析的Android远程控制类恶意软件检测[J]. 清华大学学报(自然科学版), 2014, 54(1): 8-13.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
版权所有 © 《清华大学学报(自然科学版)》编辑部
本系统由北京玛格泰克科技发展有限公司设计开发 技术支持:support@magtech.com.cn