Authors: Li Junyu (黎君玉), Luo Qin (罗琴) [1], Liu Zhi (刘智) (School of Computer Science, Southwest Petroleum University, Chengdu 610500, China)
Affiliation: [1] School of Computer Science, Southwest Petroleum University, Chengdu 610500
Source: Electronic Measurement Technology (《电子测量技术》), 2022, No. 15, pp. 21-27 (7 pages)
Funding: National Natural Science Foundation of China, project 61902328.
Abstract: Fuzzing is the main technique for software vulnerability discovery. It randomly generates test cases and executes the program dynamically, and can reach deep branches. However, mutation in fuzzing is to some degree blind, and randomly mutated samples very frequently exercise the same path, so mutated samples are redundant and test efficiency drops. This paper proposes and implements CTM, a directed grey-box fuzzing method based on control-flow analysis. CTM first statically analyzes the target binary to obtain its control-flow graph, then uses the control flow to rank the rarity of program paths, identifies sensitive functions along each execution path to compute a path weight, and solves for test cases that reach those paths. Next, during fuzzing, mutation is applied only at input positions that do not carry format-critical information. Finally, using branch-coverage feedback, the constraint information of the execution path is solved with heuristic rules to generate new test case samples. Through guided test cases and targeted mutation, CTM raises the probability that fuzzing generates test cases satisfying complex branch conditions, thereby improving code coverage and reducing mutation-sample redundancy. To verify the effectiveness of the method, real applications such as readelf and gif2png were tested, and CTM was compared against the mainstream fuzzers Driller and AFL. The test results show that CTM's ability to find crashes and to explore new paths is improved.
Keywords: symbolic execution; fuzzing; control flow graph; constraint solving; test cases
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]