符號化變異之模糊測試排程法

Abstract

由於軟體實作缺陷造成的錯誤，例如存取變數或整數溢位等，可能形成安全弱點。一般都藉由靜態分析或動態測試來找尋這類的問題。然而，因為測試的不完整，相關軟體弱點層出不窮，尤其大型程式更可能隱藏許多未知的安全漏洞，這是屬於程式安全的研究議題，因此越受重視。 為了尋找更多軟體的弱點，模糊測試是常見被使用的一種方法。由於傳統模糊測試並未設定特定目標，只藉由隨機變異測試資料，使程式產生失誤。我們提出以特定敏感函式為目標，符號化程式的測試資料，以進行符號測試。測資若能經傳遞而感染到設定的目標，就能收集相關執行路徑與目標函式傳入資料的限制式，再使用排程演算法來適當選擇加入的路徑限制式，以產生受測程式失誤並異常終止的測資。若使程式異常終止，就極有可能發現程式的弱點。我們評估4種軟體，可在短時間內自動生成令程式異常終止的測試資料，這些測試資料若經由傳統模糊測試，要高達 500,000 秒以上。

Due to software implementation flaws, such as buffer overflow and integer overflow, the flaws may further cause software vulnerabilities. We often take advantages of static analysis or dynamic testing to find these issues. However, because of incomplete testing coverage, software vulnerabilities are still uncovered, especially for large software systems. Therefore, secure programs are getting more and more attentions in recent years. In order to improve the finding process of software vulnerabilities, fuzz testing is a commonly used approach. Because traditional fuzz testing has no specific target for input data mutation, the testing is an unpredictable process with indefinite testing time. We propose to hook sensitive functions as the mutation target and use symbolic execution to automate the fuzzing process. If we can reach the sensitive functions with symbolic input, we will be able to collect all the constraints and schedule the selection of constraints to generate test cases, which can lead the program to the crash point. We have evaluated four software systems and produce crash inputs in 30 minutes, compared with the traditional fuzzing taking more than 500,000 seconds.