Source: 《计算机应用研究》 (Application Research of Computers), 2014, issue 7, pp. 2088-2091 and 2096 (5 pages in total)
Abstract: Fuzzing and symbolic execution are both widely used techniques in vulnerability discovery, but each has its own shortcomings. To improve the efficiency of vulnerability discovery, this paper combines the strengths of both and designs and implements a fuzzing tool based on concolic (mixed concrete and symbolic) execution. Binary code instrumentation is used to dynamically record the execution of the program's key instructions and their execution environment. Offline concolic execution is then used to collect path constraints while the recorded instructions are replayed, and the constraints are solved with the STP solver. New test data sets are generated from the solver results and executed dynamically, while execution exceptions are monitored and code coverage is measured. Experiments show that the tool effectively finds exceptions in the programs under test and is applicable to testing large application software: it has found seven exceptions in Word 2003, and its code coverage is considerably higher than that of traditional fuzzing tools.
Keywords: concolic execution; dynamic instrumentation; fuzzing; constraint solving; code coverage
Classification number: TP311.53 [Automation and Computer Technology - Computer Software and Theory]