藉由錯誤程式碼定位方法進行模糊測試的失誤分類

Abstract

隨著資訊產業蓬勃發展，軟體安全逐漸備受重視，軟體本身的錯誤容易被攻擊者進行非法入侵、造成傷害。我們因此透過軟體除錯技術，提升錯誤定位方法的效率，減少軟體錯誤漏洞造成的資安危害。 在軟體除錯(Software Debugging)中，有不同的錯誤定位(Fault Localization)方法。本論文採用模糊化測試，提出新錯誤分類(CRAXTriage)方法 CRAXTriage 以實作錯誤定位。透過模糊化測試工具（Fuzzer）對目標程式生成大量測資，收集程式執行覆蓋率資訊。藉由分析程式執行路徑，搭配Dstar演算法進行錯誤分類以提高錯誤分類效率。 本論文使用的CRAXTriage與傳統stack hash分類方式比較，可提升分類的效率與精確度，結果顯示為更有效的錯誤定位方法

With the development of Information Technology industry, software security is getting more important. A defect in software may allow an attacker to gain unauthorized access and damage the system. Therefore, we can improve the software debugging technique to reduce the security problem due to software defects. We use fuzz testing and our fault triage method CRAXTriage to perform fault localization. The fuzzer will produce input data for target programs and the code coverage information can be obtained. By analyzing all coverage results with Dster algorithm, we triage faults and locate faults in the program Compared with traditional triage method based on stack hash, our CRAXTriage method can reduce the number of triage types and realize a better fault localization method.