Greybox Fuzzing Adaptive Technology Research
  • English title: Greybox Fuzzing Adaptive Technology Research
  • Authors: 许航; 赵世斌; 朱俊虎; 彭建山; 林宏阳
  • English authors: XU Hang; ZHAO Shibin; ZHU Junhu; PENG Jianshan; LIN Hongyang; State Key Laboratory of Mathematical Engineering and Advanced Computing
  • Keywords: greybox fuzzing; adaptive technology; sample format repair; path trace bitmap; corpus selection
  • English keywords: greybox fuzzing test; adaptive technology; sample format repair technique; trace bitmap; corpus selecting
  • Chinese journal code: JSGG
  • English journal title: Computer Engineering and Applications
  • Institution: State Key Laboratory of Mathematical Engineering and Advanced Computing
  • Publication date: 2019-03-30 14:37
  • Publisher: 计算机工程与应用
  • Year: 2019
  • Issue: v.55; No.933
  • Funding: National Natural Science Foundation of China (No.61502528)
  • Language: Chinese
  • Pages: JSGG201914014
  • Page count: 12
  • CN: 14
  • Classification number: 93-103+173
Abstract
This paper analyzes the inadaptability of each stage of greybox fuzzing under different test environments and proposes adaptive techniques for the problems found in three mechanisms: feedback acquisition, feedback processing and sample generation. For the sample generation mechanism, whose format-destroying mutations lower test efficiency, a sample format repair technique is proposed. For the feedback acquisition mechanism, whose defects cause some evolutionary samples to go unreported, a trace bitmap adaptation technique is proposed. For the feedback processing mechanism, whose defects make selection of a preferred corpus inefficient, a corpus selecting adaptation technique is proposed. A prototype system built on these techniques improves the efficiency of code branch discovery by more than 20% when testing software such as MathType, unzip and binutils, resolves the missed reporting of some evolutionary samples, and has found vulnerabilities in several commercial software products.