Source: Journal of Tsinghua University (Science and Technology), 2013, No. 12, pp. 1726-1730 (5 pages)
Funding: National "863" High-Tech Program (2012AA012903); National Natural Science Foundation of China (61272493)
Abstract: To analyze vulnerabilities in continually updated large software in a timely manner, this paper proposes a smart fuzz testing method based on software code difference analysis. The new and old code are reverse-analyzed and compared to determine the code difference regions; then, through bidirectional propagation analysis based on data and control dependencies, the regions potentially affected by the differences and the related input variables are identified, and a difference impact model is generated. Guided by this model, on-demand fuzz testing and smart evolutionary testing based on dynamic symbolic execution are carried out, finally producing highly targeted test cases. A prototype tool has been implemented and tested on several PHP software versions with different degrees of difference; it detected 4 security vulnerabilities and covered more than 85% of the difference impact regions between adjacent software versions. The experimental results show that, compared with current methods, this method both reduces redundant testing of regions unrelated to the differences and, by focusing the test direction, improves testing efficiency and code coverage.

English abstract (as published): This paper presents a smart fuzz testing method based on software code differential analysis to quickly detect new vulnerabilities in evolving large software packages. The new and old versions of the software code are reverse analyzed and compared to identify the code differences. Then, a difference impact model is developed from the impacted areas and related input variables, which are derived from bidirectional propagation of the data and control dependencies. This model guides the on-demand fuzz testing and the evolution of the testing based on dynamic symbolic execution, which generates targeted test cases. The prototype has been implemented and tested on several PHP software versions with a range of differences. The prototype detected 4 vulnerabilities and covered more than 85% of the difference impact areas between adjacent versions. Tests show that this method is more efficient and provides better code coverage than existing methods by reducing redundant test cases for difference-unrelated areas and focusing the test direction.
Keywords: software testing; vulnerability analysis; regression testing; smart fuzz testing; code difference analysis; dynamic symbolic execution
Classification: TP311 [Automation and Computer Technology / Computer Software and Theory]