Journal of Tsinghua University (Science and Technology)  2014, Vol. 54 Issue (1): 14-19
Parallel smart fuzzing test
Hongliang LIANG1, Xiaoyu YANG1, Yu DONG1, Puhan ZHANG2, Shuchang LIU1
1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract (translated from the Chinese)

To address two problems of current smart fuzzing techniques, namely the long time required for a complete test run and the weak vulnerability-triggering ability of individual generated test cases, this paper proposes a path negation algorithm that can be used in a parallel environment and a compound test case generation method that incorporates random data. The path negation algorithm assigns each test case a boundary variable, uses this variable to bound the range within which the test case may negate conditions, and negates multiple conditions within that range. The compound test case generation method uses traditional fuzzing techniques to generate random vulnerability-triggering data and combines that random data with the test cases generated by concolic execution, producing compound test cases. The paper also designs and implements a parallel smart fuzzing system, Diting (谛听), and uses it to test three applications, generating 203 602 test cases in total and triggering two software vulnerabilities, one of which was a previously unknown zero-day (0-Day) vulnerability. Theoretical analysis and experiments show that the path negation algorithm can be applied effectively in a parallel environment, shortening the total testing time and generating more test cases, and that the compound test case generation method effectively improves the vulnerability-triggering ability of the test cases.

Abstract

Present smart fuzzing techniques are time-consuming and do not effectively trigger vulnerabilities. A parallel execution path negate algorithm and a compound test case generation method are introduced in this paper with parallel program analyses and traditional fuzzing techniques. Each test case was given a variable to limit the range of the negate operation with many conditions negated in this range. The test case generation method generates the vulnerability trigger data using traditional fuzzing techniques which are added to the test case generated by concolic execution. Diting was developed to verify and test these techniques. Tests of three applications using 203602 test cases identified two vulnerabilities. One of the vulnerabilities was a 0-Day vulnerability. Theoretical analyses and test results show that the negate algorithm can be applied in a parallel environment to reduce the testing time and the test case generation method improves the ability to trigger vulnerabilities in the test cases.
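A toy model of the bounded path negation and the compound test case generation described in the abstract, added here as an illustration; it is not Diting's code. It assumes a constructed target whose i-th branch tests input[i] > THRESH[i] (so negating a branch is a one-byte edit standing in for a constraint solver), models the boundary variable as the first branch position a test case may still negate, and adds a width parameter for how many conditions it may negate from there.

```python
"""Toy model of bounded path negation and compound test cases (added illustration,
not Diting's code). Assumptions: the target's i-th branch tests input[i] > THRESH[i],
so a path condition is a list of branch outcomes and 'solving' a negated branch is
a one-byte edit; a test case's boundary variable is the first branch position it may
still negate, and `width` is how many conditions it may negate from there."""
import random
from collections import deque

THRESH = [10, 200, 50, 128]   # constructed toy target: four input-dependent branches
FREE_BYTES = 4                # trailing input bytes no branch constrains (left to the fuzzer)

def trace(inp):
    """Path condition of the toy target on `inp`: the outcome of each branch."""
    return [b > t for b, t in zip(inp, THRESH)]

def solve(inp, i):
    """Toy constraint solver: an input whose branch i is flipped and earlier branches unchanged."""
    new = list(inp)
    new[i] = THRESH[i] + 1 if inp[i] <= THRESH[i] else THRESH[i]
    return new

def negate_bounded(inp, bound, width):
    """Negate branches bound..bound+width-1; each child may only negate past the branch it flipped."""
    last = min(bound + width, len(trace(inp)))
    return [(solve(inp, i), i + 1) for i in range(bound, last)]

def explore(seed, width, workers):
    """Share the negation work round-robin over `workers` queues; return (paths seen, repeats)."""
    queues = [deque([(seed, 0)])] + [deque() for _ in range(workers - 1)]
    seen = {tuple(trace(seed))}
    repeats, nxt = 0, 0
    while any(queues):
        for q in queues:
            if not q:
                continue
            inp, bound = q.popleft()
            for child, cbound in negate_bounded(inp, bound, width):
                key = tuple(trace(child))
                if key in seen:          # the boundary makes every path derivable once, so this stays 0
                    repeats += 1
                seen.add(key)
                queues[nxt % workers].append((child, cbound))
                nxt += 1
    return len(seen), repeats

def compound(inp, seed):
    """Compound test case: keep the solver-chosen bytes, fill the unconstrained tail with random fuzz data."""
    rng = random.Random(seed)
    return list(inp[:len(THRESH)]) + [rng.randrange(256) for _ in range(FREE_BYTES)]
```

Running `explore` with `width` equal to the number of branches enumerates all 16 paths with zero repeats, which is the property that lets the queues be handed to independent workers; a smaller width reaches fewer paths but each test case does less work.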

Key words: software security; vulnerability discovery; smart fuzzing; constraint solving
Received: 2013-12-01      Published online: 2015-04-16
Funding: a national ministry fund (CNITSEC-KY-2012-001/1)
Cite this article:
Hongliang LIANG, Xiaoyu YANG, Yu DONG, Puhan ZHANG, Shuchang LIU. Parallel smart fuzzing test. Journal of Tsinghua University (Science and Technology), 2014, 54(1): 14-19.
Link to this article:
http://jst.tsinghuajournals.com/CN/  or  http://jst.tsinghuajournals.com/CN/Y2014/V54/I1/14
Figure: sample code
Figure: Diting system architecture
Table: basic experimental data
Program under test   Total test cases generated   Initial coverage score   Highest coverage score   Average coverage score   Total branch conditions
rdjpgcom             31 963                       12 655                   23 074                   17 277                   38 962
tbl                  36 057                       98 804                   123 072                  106 820                  227 497
mcrypt               135 582                      87 300                   126 876                  104 673                  201 234
Figure: coverage analysis
Copyright © Editorial Office of the Journal of Tsinghua University (Science and Technology)