Present smart fuzzing techniques are time-consuming and do not effecdtively trigger vulnerabilities. A parallel execution path negate algorithm and a compound test case generation method are introduced in this paper with parallel program analyses and traditional fuzzing techniques. Each test case was given a variable to limit the range of the negate operation with many conditions negated in this range. The test case generation method generates the vulnerability trigger data using traditional fuzzing techniques which are added to the test case generated by Concolic execution. Diting was developed to verify and test these techniques. Tests of three applications using 203602 test cases identified two vulnerabilities. One of the vulnerabilities was a 0-Day vulnerability. Theoretical analyses and test results show that the negate algorithm can be applied in a parallel environment to reduce the testing time and the test case generation method improves the ability to trigger vulnerabilities in the test cases.
Godefroid P, Levin M Y, Molnar D. Automated white-box fuzz testing [C]// Proceedings of the 10th International Conference on Network and Distributed System Security Symposium. San Diego, USA: Schloss Dagstuhl, 2008: 201-213.
Campana G. Fuzzgrind: An automatic fuzzing tool [Z/OL]. (2013-09-12), http://esec-lab.sogeti.com/pages/Fuzzgrind.
Molnar D, Wagner D. Catchconv: Symbolic Execution and Run-Time Type Inference for Integer Conversion Errors, Technical Report No. UCB/EECS-2007-23 [R]. Berkeley, USA: University of California at Berkeley, 2007.
Isaev I, Sidorov D. The use of dynamic analysis for generation of input data that demonstrates critical bugs and vulnerabilities in programs [J]. Programming and Computing Software, 2010, 36(4): 225-236.
Clause J, LI Wanchun, Orso A. Dytan: A generic dynamic taint analysis framework [C]// Proceedings of the International Symposium on Software Testing and Analysis. New York, USA: The Association for Computing Machinery Press, 2007: 196-206.
Drewry W, Ormandy T. Flayer: Exposing application internals [C]// Proceedings of the 1st USENIX Workshop on Offensive Technologies. Berkeley, USA: USENIX Association, 2007: 1-9.
Schwartz E J, Avgerinos T, Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution [C]// Proceedings of the 2010 IEEE Symposium on Security and Privacy. Washington DC, USA: IEEE Computer Society, 2010: 317-331
Sen K, Marinov D, Agha G. CUTE: A Concolic unit testing engine for C [C]// Proceedings of the 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering. New York, USA: The Association for Computing Machinery Press, 2005: 263-272.
King J C. Symbolic execution and program testing[J]. Communications of the ACM, 1976, 19(7): 385-394.
Nethercote N, Valgrind S J. A framework for heavy weight dynamic binary instrumentation [C]// Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation. New York, USA: The Association for Computing Machinery Press, 2007: 89-100.
Ganesh V, Dill D. A decision procedure for bit-vectors and arrays [C]// Proceedings of Computer Aided Verification 2007. Berlin, Germany: Springer-Verlag, 2007: 519-531.
Sutton M. 模糊测试-强制性安全漏洞发掘 [M]. 黄陇, 译. 北京: 机械工业出版社, 2009. Sutton M. Fuzzing: Brute Force Vulnerability Discovery [M]. HUANG Long. Beijing: China Machine Press, 2009 (in Chinese)
王清. 0 Day安全: 软件漏洞分析技术 [M]. 第二版. 北京: 电子工业出版社, 2011. WANG Qing. 0 Day Security: Software Vulnerability Discovery [M]. 2nd Ed. Beijing: Electronic Industry Press, 2011 (in Chinese)