Title: CRAXfuzz: Target-Aware Symbolic Fuzz Testing
Authors: Yeh, Chao-Chun
Chung, Hsiang
Huang, Shih-Kun
Department of Computer Science
Information Technology Services Center
Keywords: component;fuzz testing;symbolic execution;software testing;vulnerability
Publication date: 2015
Abstract: Vulnerabilities are caused by implementation bugs, such as buffer overflow, integer overflow, uncontrolled format strings, and command injection flaws. They are often exploited to intrude software systems. In order to reduce software bugs, testing techniques are proposed. The recent technique to discover security-related bugs is fuzz testing. However, traditional fuzzers can only find bugs when program exceptions, especially crashes, are raised. Some security threats may pass these tests due to insufficient code coverage. In this paper, we introduce a software testing framework based on symbolic execution using S²E, a whole system symbolic execution engine. When a program executes our pre-defined security sensitive functions, such as malloc, strcpy or printf, our framework will initiate a triage process. The process will determine whether any related security vulnerabilities would possibly occur in these functions automatically. We successfully and efficiently reproduce 12 previously known vulnerabilities from normal input data within 100 seconds for large applications such as Tiff, VIM, and MPlayer. Our tool can help developers locate bugs faster, and improve the efficiency of software quality maintenance.
URI: http://dx.doi.org/10.1109/COMPSAC.2015.99
http://hdl.handle.net/11536/136477
ISBN: 978-1-4673-6563-5
ISSN: 0730-3157
DOI: 10.1109/COMPSAC.2015.99
Journal: 39TH ANNUAL IEEE COMPUTERS, SOFTWARE AND APPLICATIONS CONFERENCE (COMPSAC 2015), VOL 2
Start page: 460
End page: 471
Appears in collections: Conference Papers