操作符號位址以產生異常執行路徑

Abstract

程式開發者不能完全避免因疏忽造成的漏洞，因而如今軟體安全是一個重要的議題。擬真測試是一項典型的自動化軟體測試技術，藉由實體測試與符號測試之間的結合交互作用，擬真測試可以達到較高且較精確的程式碼檢測率。但在擬真執行時，若發現路徑條件表示式含有符號型態的位址，它將無法掌握在相反路徑條件下所代表的實體數值，因而無法找到該相反路徑。本論文針對擬真符號測試，提出一個能增加程式碼檢測率的擬真位址模組，為了確保符號測試正常執行，我們暫時將含有符號位址的部分取代掉，並將替換的資訊記錄在符號位址表，最後我們透過路徑條件和符號位址表找出可能的位址解。我們目的為透過求解出來的符號位址，進入我們之前無法執行的路徑，如此一來我們將能提升程式碼檢測率，並找到更多程式錯誤。

The vulnerability caused by the negligence of the programmer is unavoidable. Software security is an important issue today. Concolic testing is a typical technique in automatic software testing. It achieves high coverage and precise analysis by combining concrete and symbolic execution in a co-operative way. But it cannot handle the situation when the address is symbolic in the path condition, so concolic executer may not find a concrete value which represents the test case of another negated path. This thesis proposes symbolic address module for enhancing the coverage of concolic testing. We use a substitute method to ensure symbolic executor running correctly and construct a symbolic address map to record symbolic address information. According to map information and path conditions, we generate a possible answer for symbolic addresses. We aim to find symbolic address solutions to enter abnormal paths we had never executed before. Then we can find more bugs by improving the code coverage.