Research on a Directed Concolic Testing Method for Source Code
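  • English title: Directed Concolic testing method for source code
  • Authors: Chang Chao (常超); Liu Kesheng (刘克胜); Zhao Jun (赵军)
  • Authors (English): Chang Chao; Liu Kesheng; Zhao Jun; Dept. of Doctoral Student, Electronics Engineering Institute; Dept. of Network, Electronics Engineering Institute
  • Keywords: Concolic testing; defect detection; symbolic execution; code instrumentation; constraint solving
  • Keywords (English): Concolic testing; defect detection; symbolic execution; code instrumentation; constraint solving
  • Chinese journal title: JSYJ
  • English journal title: Application Research of Computers
  • Institution: Dept. of Doctoral Student, Electronics Engineering Institute; Dept. of Network, Electronics Engineering Institute
  • Publication date: 2017-08-18 17:02
  • Publisher: 计算机应用研究 (Application Research of Computers)
  • Year: 2018
  • Issue: v.35; No.315
  • Funding: National Natural Science Foundation of China (61272491, 61602491)
  • Language: Chinese
  • Page: JSYJ201801029
  • Number of pages: 5
  • CN: 01
  • ISSN: 51-1196/TP
  • Classification number: 146-150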
Abstract
When security testing large-scale programs, Concolic testing often faces problems such as path explosion and insufficient constraint-solving capability. To alleviate these problems, this paper proposes a directed Concolic testing method for source code. For the dangerous code regions that are prone to defects, the method uses backtracking over control-flow and data-flow properties to derive the statically reachable path information and the necessary symbolic variables, so that coverage testing targets only the dangerous code regions. The empirical results show that, by avoiding analysis of paths and symbolic variables that are not of interest, the method significantly improves the efficiency of covering dangerous code regions and the probability of finding defects.
