Journal of Tsinghua University(Science and Technology)    2014, Vol. 54 Issue (1) : 14-19     DOI:
Original Article
Parallel smart fuzzing test
Hongliang LIANG 1, Xiaoyu YANG 1, Yu DONG 1, Puhan ZHANG 2, Shuchang LIU 1
1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract  

Present smart fuzzing techniques are time-consuming and do not effectively trigger vulnerabilities. This paper introduces a parallel execution path negation algorithm and a compound test case generation method that combine parallel program analysis with traditional fuzzing techniques. Each test case is given a variable that limits the range of the negation operation, and many conditions are negated within that range. The test case generation method uses traditional fuzzing techniques to generate vulnerability-triggering data, which is added to the test cases generated by concolic execution. Diting was developed to verify and test these techniques. Tests of three applications using 203602 test cases identified two vulnerabilities, one of which was a 0-Day vulnerability. Theoretical analyses and test results show that the negation algorithm can be applied in a parallel environment to reduce testing time, and that the test case generation method improves the ability of the test cases to trigger vulnerabilities.
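The two ideas in the abstract, as an added toy model that is not the paper's Diting code: branch conditions are simplified to single-byte comparisons with a tiny domain-intersection "solver" (an assumption, so the example runs offline), each worker negates only the conditions whose index falls in its assigned range, and fuzz-generated bytes are overlaid on a concolic test case without disturbing the bytes the path constrains.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

@dataclass(frozen=True)
class Cond:  # one branch condition on a single input byte (toy form, assumed)
    offset: int        # index of the input byte the branch tests
    op: str            # "eq" (byte == value) or "lt" (byte < value)
    value: int
    neg: bool = False  # True: the branch went the other way
    def holds(self, b):
        r = (b == self.value) if self.op == "eq" else (b < self.value)
        return r != self.neg
    def flipped(self):
        return Cond(self.offset, self.op, self.value, not self.neg)

def satisfy(path, length):
    """Toy solver: intersect per-byte domains; returns input bytes or None."""
    domains = [set(range(256)) for _ in range(length)]
    for c in path:
        domains[c.offset] = {b for b in domains[c.offset] if c.holds(b)}
        if not domains[c.offset]:
            return None  # contradictory path (a condition and its negation)
    return bytes(min(d) for d in domains)

def negate_range(path, start, end, length):
    """Negate each condition with index in [start, end): keep the prefix,
    flip condition i and drop the suffix, which need not hold any more."""
    results = []
    for i in range(start, min(end, len(path))):
        data = satisfy(path[:i] + [path[i].flipped()], length)
        if data is not None:
            results.append((i, data))
    return results

def parallel_negate(path, workers, length):
    """Hand each worker a disjoint index range so no branch is negated twice."""
    chunk = -(-len(path) // workers)  # ceiling division
    ranges = [(w * chunk, (w + 1) * chunk) for w in range(workers)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        parts = list(pool.map(lambda r: negate_range(path, r[0], r[1], length), ranges))
    return sorted(t for part in parts for t in part)

def compound(base, payload, path):
    """Overlay fuzz payload bytes on a concolic test case, leaving the bytes the
    path conditions constrain untouched so the path stays reachable."""
    fixed = {c.offset for c in path}
    return bytes(payload[i] if i < len(payload) and i not in fixed else base[i]
                 for i in range(len(base)))

# Constructed sample path: a two-byte header check followed by two bounded length bytes.
PATH = [Cond(0, "eq", 0x4D), Cond(1, "eq", 0x5A), Cond(2, "lt", 0x10), Cond(3, "lt", 0x80)]
SEED = satisfy(PATH, 6)  # the concolic input that follows PATH
```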

Keywords: software security; vulnerability discovery; smart fuzzing; constraint solving
Issue Date: 15 January 2014
Cite this article:
Hongliang LIANG, Xiaoyu YANG, Yu DONG, et al. Parallel smart fuzzing test [J]. Journal of Tsinghua University(Science and Technology), 2014, 54(1): 14-19.
URL: http://jst.tsinghuajournals.com/EN/Y2014/V54/I1/14 (journal site: http://jst.tsinghuajournals.com/EN/)
Test results for the three programs under test:

Program under test   Total test cases generated   Initial coverage score   Highest coverage score   Average coverage score   Total branch conditions
rdjpgcom             31 963                       12 655                   23 074                   17 277                   38 962
tbl                  36 057                       98 804                   123 072                  106 820                  227 497
mcrypt               135 582                      87 300                   126 876                  104 673                  201 234