Journal of Tsinghua University (Science and Technology)  2017, Vol. 57 Issue (9): 903-908    DOI: 10.16511/j.cnki.qhdxxb.2017.26.038
Section: Computer Science and Technology
Guided software safety testing based on vulnerability characteristics
OUYANG Yongji1, WEI Qiang1, WANG Jiajie2, WANG Qingxian1
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, The PLA Information Engineering University, Zhengzhou 450002, China;
2. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract (translated from Chinese): To overcome the blindness and low coverage of fuzz testing, and to mitigate the space-explosion problem faced by current symbolic execution methods, this paper proposes a software security testing method guided by vulnerability characteristics. The method combines the strengths of fuzz testing and symbolic execution: for buffer overflows, it precisely analyzes code that exhibits the characteristics of this vulnerability and uses that code as the test target, so as to make testing more targeted; new test data are then generated through a domain-convergence path traversal strategy. Experimental data show that the method's identification rate for suspected buffer overflow points is at least 41% higher than that of existing, mainly experience-based identification methods; compared with the CUTE symbolic execution tool it substantially mitigates the space-explosion problem, and it effectively verified vulnerabilities in commonly used software such as OpenSSL.
Abstract: Fuzz testing is random with low coverage, while symbolic execution can result in explosion of the variable space. This paper presents a guided software safety testing method based on vulnerability characteristics that combines fuzz testing and symbolic execution. The study analyzed the code associated with buffer overflows for use as test targets, making testing more targeted. New test data were then generated using domain-convergence path traversal patterns. Tests show that the identification rate for potentially vulnerable buffer overflows is at least 41% better than with fuzz testing, that the space explosion seen with CUTE is greatly reduced, and that vulnerabilities in common software products such as OpenSSL are accurately identified.
Key words: software security; characteristic guided; region convergence; space explosion
Received: 2016-07-03      Published: 2017-09-15
CLC number:  TP311.1
Cite this article:
OUYANG Yongji, WEI Qiang, WANG Jiajie, WANG Qingxian. Guided software safety testing based on vulnerability characteristics. Journal of Tsinghua University(Science and Technology), 2017, 57(9): 903-908.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2017.26.038  or  http://jst.tsinghuajournals.com/CN/Y2017/V57/I9/903
Figures and tables:
  Fig. 1 Test framework
  Fig. 2 Location of the fault for vulnerability CVE-2014-1761
  Fig. 3 The strcpy function loop
  Fig. 4 Feature model of a BOF without bounds checking
  Fig. 5 Faulting code region of CVE-2011-0978
  Fig. 6 Feature model of a BOF with bounds checking
  Fig. 7 Algorithm for obtaining test targets
  Fig. 8 Path traversal based on domain convergence
  Fig. 9 Algorithm for domain-convergence-based path traversal
  Table 1 Suspicious point detection results
  Fig. 10 Comparison of depth-first and domain-convergence path traversal algorithms
  Table 2 Vulnerability test results
Copyright © Editorial Office of the Journal of Tsinghua University (Science and Technology)