Parallel smart fuzzing test

Hongliang LIANG 1, Xiaoyu YANG 1, Yu DONG 1, Puhan ZHANG 2, Shuchang LIU 1

1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. China Information Technology Security Evaluation Center, Beijing 100085, China
|
Abstract: To address the long total testing time of current smart fuzzing techniques and the weak vulnerability-triggering ability of individually generated test cases, this paper proposes a path negation algorithm that can be used in a parallel environment and a compound test case generation method that incorporates random data. The path negation algorithm assigns each test case a boundary variable, uses this variable to limit the range within which that test case may perform negation operations, and negates multiple conditions within that range. The compound test case generation method uses traditional fuzzing techniques to generate random vulnerability-triggering data and combines this random data with the test cases generated by concolic execution, producing compound test cases. The paper also designs and implements a parallel smart fuzzing system, Diting (谛听), and uses it to test three application programs, generating 203 602 test cases in total and triggering two software vulnerabilities, one of which was a previously unknown zero-day (0-Day) vulnerability. Theoretical analysis and experiments show that the path negation algorithm can be applied effectively in a parallel environment, reducing the total testing time and generating more test cases, and that the compound test case generation method effectively improves the vulnerability-triggering ability of the test cases.
|
Abstract: Present smart fuzzing techniques are time-consuming and do not effectively trigger vulnerabilities. A parallel execution path negate algorithm and a compound test case generation method are introduced in this paper with parallel program analyses and traditional fuzzing techniques. Each test case was given a variable to limit the range of the negate operation with many conditions negated in this range. The test case generation method generates the vulnerability trigger data using traditional fuzzing techniques which are added to the test case generated by concolic execution. Diting was developed to verify and test these techniques. Tests of three applications using 203602 test cases identified two vulnerabilities. One of the vulnerabilities was a 0-Day vulnerability. Theoretical analyses and test results show that the negate algorithm can be applied in a parallel environment to reduce the testing time and the test case generation method improves the ability to trigger vulnerabilities in the test cases.

Keywords: software security, vulnerability discovery, smart fuzzing, constraint solving
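The two ideas in the abstract, a per-test-case boundary variable that limits which path conditions a case may negate (so that workers can expand cases independently without re-deriving each other's inputs) and a compound test case that keeps the solver-derived bytes while filling the unconstrained ones with random fuzz data, are illustrated below in an added toy model. This is not the paper's Diting code: the target program, the single-byte path conditions, the brute-force byte solver standing in for a real constraint solver, and the thread pool standing in for a parallel cluster are all constructed assumptions for the example.

```python
"""Toy model of bounded path negation (generational concolic search) with a
per-test-case bound, plus a compound-test-case step.  Hypothetical example
written for this page; it is not the Diting system described in the paper."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
import random

INPUT_LEN = 6  # constructed: bytes 0-3 are checked by the target, 4-5 are free


@dataclass(frozen=True)
class Cond:
    offset: int   # input byte the branch reads
    op: str       # "eq", "lt" or "gt"
    value: int
    taken: bool   # branch outcome observed on this execution


def holds(byte: int, op: str, value: int) -> bool:
    return {"eq": byte == value, "lt": byte < value, "gt": byte > value}[op]


def program_under_test(data: bytes):
    """Constructed target: four independent byte checks.  All four passing
    stands in for reaching a crashing state.  Returns (path, crashed)."""
    path, score = [], 0
    for off, op, val in ((0, "eq", ord("F")), (1, "eq", ord("Z")),
                         (2, "gt", 100), (3, "lt", 10)):
        taken = holds(data[off], op, val)
        path.append(Cond(off, op, val, taken))
        score += taken
    return path, score == 4


def solve(prefix, target, parent: bytes):
    """Tiny solver: keep the prefix conditions, force `target` to the opposite
    outcome.  Conditions read single bytes, so only target.offset changes."""
    wanted = [(c.op, c.value, c.taken) for c in prefix if c.offset == target.offset]
    wanted.append((target.op, target.value, not target.taken))
    for b in range(256):
        if all(holds(b, op, v) == out for op, v, out in wanted):
            child = bytearray(parent)
            child[target.offset] = b
            return bytes(child)
    return None  # unsatisfiable


@dataclass(frozen=True)
class TestCase:
    data: bytes
    bound: int = 0  # first path index this case is allowed to negate


def expand(tc: TestCase, use_bound: bool):
    """Negate every condition from the bound onward; each child inherits
    bound = i + 1 so it never re-negates a condition its ancestors covered."""
    path, _ = program_under_test(tc.data)
    start = tc.bound if use_bound else 0
    children = []
    for i in range(start, len(path)):
        child = solve(path[:i], path[i], tc.data)
        if child is not None:
            children.append(TestCase(child, bound=i + 1))
    return children, len(path) - start  # children and solver invocations


def explore(seed: bytes, use_bound=True, max_rounds=10, workers=4):
    """Round-based parallel search; workers share nothing but the frontier."""
    seen, frontier, solver_calls, crashes = {seed}, [TestCase(seed, 0)], 0, set()
    if program_under_test(seed)[1]:
        crashes.add(seed)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for _ in range(max_rounds):
            if not frontier:
                break
            nxt = []
            for children, calls in pool.map(lambda tc: expand(tc, use_bound), frontier):
                solver_calls += calls
                for ch in children:
                    if ch.data in seen:  # without the bound this dedup is all
                        continue         # that stops the search from cycling
                    seen.add(ch.data)
                    nxt.append(ch)
                    if program_under_test(ch.data)[1]:
                        crashes.add(ch.data)
            frontier = nxt
    return {"unique": len(seen), "solver_calls": solver_calls, "crashes": crashes}


def compound(tc: TestCase, rng_seed: int) -> bytes:
    """Compound test case: keep every byte the path constrains, overwrite the
    remaining bytes with random fuzz data."""
    rng = random.Random(rng_seed)
    fixed = {c.offset for c in program_under_test(tc.data)[0]}
    return bytes(b if i in fixed else rng.randrange(256) for i, b in enumerate(tc.data))


if __name__ == "__main__":
    for flag in (True, False):
        r = explore(bytes(INPUT_LEN), use_bound=flag)
        print("bound" if flag else "no bound", r["unique"], "inputs,",
              r["solver_calls"], "solver calls,", len(r["crashes"]), "crash")
```

With the bound, the sixteen distinct inputs of this target are reached with fifteen solver calls, one per new input; with the bound removed, the same sixteen inputs cost sixty-four calls, because every worker re-negates conditions that earlier generations already flipped. That saved solver time is the effect the abstract attributes to the boundary variable, and `compound` shows why the random bytes do not disturb the path: only offsets the solver never constrained are randomised.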
Received: 2013-12-01; Published: 2015-04-16

Funding: fund of a national ministry (CNITSEC-KY-2012-001/1)