电子学报
ACTA ELECTRONICA SINICA
2014
Issue 10
Pages 2016-2023
(8 pages in total)
王颖%谷利泽%杨义先%董宇欣
dynamic testing%software vulnerability analysis%test case generation%compressed storage
dynamic test%software vulnerability analysis%test generation%data compression
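Applying dynamic testing techniques to detect vulnerabilities in binary programs is a current research focus in the field of vulnerability discovery. Based on dynamic analysis techniques such as dynamic symbolic execution and taint analysis, this paper proposes a method for constructing a symbolic model of the program path space, designs the PWA (Path Weight Analysis) coverage testing algorithm, and implements the prototype tool EWFT (Execution-based Whitebox Fuzzing Tool). Experimental results show that EWFT improves the test coverage of the program execution space and the depth of path testing and, compared with similar testing tools internationally, detects multiple types of program vulnerabilities in different software more effectively.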
Dynamic testing for automatically identifying security vulnerabilities in binary executables has received increasing interest in recent years. In this paper, we present a new automated whitebox fuzzing tool, EWFT (Execution-based Whitebox Fuzzing Tool), which implements dynamic symbolic execution and taint tracing techniques during program execution. Our contributions are: 1) we propose a ROBDD (Reduced Ordered Binary Decision Diagram)-based approach to analyse the execution process, 2) we introduce a new path weight analysis algorithm (PWA) for searching the path space and automating test data generation, and 3) we build a prototype tool that automatically finds software vulnerabilities. Results of our experiments show that execution-based whitebox fuzzing is a powerful way to identify a variety of security vulnerabilities in real applications. Compared to related work in the research area, it explored deeper program paths on average and achieved higher structural coverage.