Title: Scheduling Fuzz Testing with Symbolic Mutation
Authors: Luo, Shao-Wen; Huang, Shih-Kun; Tsai, Shi-Chun
Institute of Computer Science and Engineering
Keywords: Fuzz Testing; Symbolic Mutation; Scheduling
Date Issued: 2015
Abstract: Bugs caused by software implementation flaws, such as variable-access errors or integer overflow, can become security weaknesses. Such problems are usually hunted with static analysis or dynamic testing. However, because testing is incomplete, software vulnerabilities keep emerging, and large programs in particular may hide many unknown security holes. This is a research topic of program security, and it therefore receives growing attention.
To find more software weaknesses, fuzz testing is a commonly used method. Traditional fuzz testing sets no specific target; it only mutates test data randomly to make the program fail. We propose taking specific sensitive functions as the target, symbolizing the program's test data, and performing symbolic testing. If the test data can propagate to and taint the chosen target, we collect the constraints of the relevant execution paths and of the data passed into the target function, then use a scheduling algorithm to choose which path constraints to add, in order to generate test data that makes the program under test fail and terminate abnormally. If the program terminates abnormally, it is very likely that a weakness in it has been found. We evaluated four pieces of software and could automatically generate test data that causes abnormal termination within a short time; producing these test data with traditional fuzz testing would take more than 500,000 seconds.
Software implementation flaws, such as buffer overflow and integer overflow, may further cause software vulnerabilities. We often take advantage of static analysis or dynamic testing to find these issues. However, because of incomplete testing coverage, software vulnerabilities keep surfacing, especially in large software systems. Therefore, program security has received more and more attention in recent years.
In order to improve the process of finding software vulnerabilities, fuzz testing is a commonly used approach. Because traditional fuzz testing has no specific target for input-data mutation, the testing is an unpredictable process with indefinite testing time. We propose hooking sensitive functions as the mutation target and using symbolic execution to automate the fuzzing process.
If we can reach the sensitive functions with symbolic input, we are able to collect all the constraints and schedule the selection of constraints to generate test cases that lead the program to the crash point. We evaluated four software systems and produced crash inputs within 30 minutes, compared with traditional fuzzing, which took more than 500,000 seconds.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070156153
http://hdl.handle.net/11536/126129
Appears in Collections: Thesis