Journal of Information Security Research, 2016, Vol. 2, Issue (8): 699-705.

• Academic Paper •

A High-Code-Coverage Fuzzing Method Combining Static and Dynamic Techniques

韩鹍   

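  1. Xidian University
  • Received: 2016-07-28 Online: 2016-08-15 Published: 2016-07-28
  • Corresponding author: 韩鹍
  • About the author: Master's degree, associate professor; main research interests are information security and network security.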

A High Code Coverage Static and Dynamic Combined Fuzzing Method

  • Received: 2016-07-28 Online: 2016-08-15 Published: 2016-07-28

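Abstract: Fuzzing is currently the industry's mainstream automated approach to vulnerability discovery in browser software. However, existing methods pay little attention to code coverage during testing, so many test cases may keep exercising the same execution path without this being noticed, which results in low overall code coverage and poor test effectiveness. To study testing methods with high code coverage, this paper discusses a high-code-coverage fuzzing method that combines static and dynamic techniques. The method draws on the strengths of both static and dynamic test case generation and uses the code coverage metric to guide the testing process. The process first constructs a sample set for static mutation and then inserts the static mutation results into the dynamic mutation engine, which loads and executes the tests. A code coverage monitoring engine then collects path execution information and feeds the coverage back to the static mutation engine to help it generate more effective test cases. Finally, potential vulnerabilities are detected through dynamic monitoring. Experiments with the prototype system DASFuzzer show that the method effectively improves code coverage when testing browsers and can accurately detect unknown vulnerabilities.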

Key words: vulnerability discovery, coverage-guided, test case generation, fuzzing, binary instrumentation

Abstract: Fuzzing is the mainstream automated solution for discovering vulnerabilities in browser software, but existing methods usually do not pay attention to code coverage, so many test cases may cover the same execution path without this being noticed, which makes the overall code coverage low and the testing ineffective. To achieve high code coverage, this paper discusses a code-coverage-directed fuzzing method that takes advantage of both static and dynamic test case generation. First, a basic sample collection is constructed for static mutation, and the results of static mutation are inserted into the dynamic random engine. Second, the dynamic engine loads and executes the test cases, and code path coverage is collected through the monitoring engine and fed back to the static mutation engine to help it produce test cases more effectively. Finally, potential vulnerabilities are detected by the dynamic monitoring engine. Experimental results from the prototype system, called DASFuzzer, show that the proposed method can effectively improve the code coverage of the testing process and can accurately detect unknown vulnerabilities.

Key words: vulnerability detection, coverage directed, test case generation, fuzzing, binary instrumentation