关键词: 漏洞挖掘, 动态污点分析, 字段分类, 模糊测试, 遗传算法

Abstract: The traditional feedback fuzz testing method needs to mutate all the bytes of the original input data when generating test cases, and generates a large number of invalid test cases. This paper proposes an improved method for this shortcoming. Firstly, using the dynamic taint analysis technology to construct the mapping relationship between the input data and the program variable according to the program data flow information. The bytes of the input data are aggregated into fields based on taint diffuse path and fields are classified into three classes: code coverage related, dangerous operation related and harmless fields, depending on whether influence branch judgment condition or dangerous operation parameter. Then, encode code coverage related fields into gene and execute choose and mutate process of genetic algorithm, and then assign boundary values to dangerous operation related fields to generate a new test case. The experiment proves that the proposed method has improvement in new path discovery and triggering program crash compared with the traditional feedback fuzzy test method.

Key words: vulnerability discovery, dynamic taint analysis, field classification, fuzz testing, genetic algorithm