CAJ | 학술논문

应用动态测试技术检测二进制程序的脆弱性是当前漏洞挖掘领域的研究热点。本文基于动态符号执行和污点分析等动态分析技术，提出了程序路径空间的符号模型的构建方法，设计了PWA（Path Weight Analysis）覆盖测试算法，实现了EWFT（Execution-based Whitebox Fuzzing Tool）原型工具。实验测试结果表明，EWFT提高了程序执行空间的测试覆盖率和路径测试深度，相比国际上同类测试工具，能够更加有效地检测出不同软件中存在的多种类型的程序漏洞。
응용동태측시기술검측이진제정서적취약성시당전루동알굴영역적연구열점。본문기우동태부호집행화오점분석등동태분석기술，제출료정서로경공간적부호모형적구건방법，설계료PWA（Path Weight Analysis）복개측시산법，실현료EWFT（Execution-based Whitebox Fuzzing Tool）원형공구。실험측시결과표명，EWFT제고료정서집행공간적측시복개솔화로경측시심도，상비국제상동류측시공구，능구경가유효지검측출불동연건중존재적다충류형적정서루동。
The dynamic testing for automaticlly identifing security vulnerabilities in binary executables has received increas-ingly interest in recent years .In this paper ,we present a new automated whitebox fuzzing tool EWFT (Execution-based Whitebox Fuzzing Tool ) ,which implements dynamic symbolic execution and taint tracing techniques during program execution .Our contribu-tions are:1 )we propose a ROBDD (Reduced Ordered Binary Decision Diagram )-based approach to analyse execution process ,2 )we introduce a new path weight analysis algorithm (PWA )for searching path space and automating test data generation ,and 3 )we build a prototype tool that automatically finds software vulnerabilities .Results of our experiments show that execution-based whitebox fuzzing is powerful to identify variety of security vulnerabilities in real applications .Compared to the related work in the research area ,it explored deeper program paths on the average ,and achieved higher structural coverage .