EWFT:基于程序执行过程的白盒测试工具

doi:10.3969/j.issn.0372-2112.2014.10.023

电子学报 ›› 2014, Vol. 42 ›› Issue (10): 2016-2023.DOI: 10.3969/j.issn.0372-2112.2014.10.023

EWFT:基于程序执行过程的白盒测试工具

王颖¹, 谷利泽¹, 杨义先¹, 董宇欣²

1. 北京邮电大学信息安全中心, 北京 100876;
2. 哈尔滨工程大学, 黑龙江哈尔滨 150001

收稿日期:2013-06-30 修回日期:2013-12-17 出版日期:2014-10-25
- 作者简介:
- 王颖 女,1978出生于吉林长春,博士研究生,主要研究领域为网络与信息安全. E-mail:boblee2002@163.com;谷利泽 男,1965年出生于辽宁省营口,北京邮电大学副教授,主要研究领域为现代密码学及其应用.;杨义先 男,1961年出生于四川盐亭,北京邮电大学教授、博士生导师,主要研究领域为现代密码学、网络与信息安全.;董宇欣 女,1974年出生于黑龙江省,哈尔滨工程大学副教授,工学博士,主要研究领域为社会网络、信任演化、智能信息处理等.
- 基金资助:
- 国家自然科学基金 (No.61003285,No.61121061); 中央高校基本科研业务费专项资金 (No.2012RC0218,No.2012RC0219,No.2013RC0311)

EWFT:Execution-based Whitebox Fuzzing for Executables

WANG Ying¹, GU Li-ze¹, YANG Yi-xian¹, DONG Yu-xin²

1. Information Security Center, School of Computer, Beijing University of Posts and Telecommunications, Beijing 100876, China;
2. Harbin Engineering University, Harbin 150001, China

Received:2013-06-30 Revised:2013-12-17 Online:2014-10-25 Published:2014-10-25
- Supported by:
- National Natural Science Foundation of China (No.61003285, No.61121061); Fundamental Research Funds for the Central Universities (No.2012RC0218, No.2012RC0219, No.2013RC0311)

摘要/Abstract

摘要：

应用动态测试技术检测二进制程序的脆弱性是当前漏洞挖掘领域的研究热点.本文基于动态符号执行和污点分析等动态分析技术,提出了程序路径空间的符号模型的构建方法,设计了PWA(Path Weight Analysis)覆盖测试算法,实现了EWFT(Execution-based Whitebox Fuzzing Tool)原型工具.实验测试结果表明,EWFT提高了程序执行空间的测试覆盖率和路径测试深度,相比国际上同类测试工具,能够更加有效地检测出不同软件中存在的多种类型的程序漏洞.

关键词: 动态测试, 软件脆弱性分析, 测试用例生成, 压缩存储

Abstract:

The dynamic testing for automaticlly identifing security vulnerabilities in binary executables has received increasingly interest in recent years.In this paper, we present a new automated whitebox fuzzing tool EWFT(Execution-based Whitebox Fuzzing Tool), which implements dynamic symbolic execution and taint tracing techniques during program execution.Our contributions are:1)we propose a ROBDD(Reduced Ordered Binary Decision Diagram)-based approach to analyse execution process, 2)we introduce a new path weight analysis algorithm(PWA)for searching path space and automating test data generation, and 3)we build a prototype tool that automatically finds software vulnerabilities.Results of our experiments show that execution-based whitebox fuzzing is powerful to identify variety of security vulnerabilities in real applications.Compared to the related work in the research area, it explored deeper program paths on the average, and achieved higher structural coverage.

Key words: dynamic test, software vulnerability analysis, test generation, data compression

中图分类号:

TP309.5

王颖, 谷利泽, 杨义先, 等. EWFT:基于程序执行过程的白盒测试工具[J]. 电子学报, 2014, 42(10): 2016-2023.

WANG Ying, GU Li-ze, YANG Yi-xian, et al. EWFT:Execution-based Whitebox Fuzzing for Executables[J]. Acta Electronica Sinica, 2014, 42(10): 2016-2023.

参考文献

[1] Cadar C,Godefroid P,et al.Symbolic execution for software testing in practice:preliminary assessment[A].Proceedings of the 2011 33rd International Conference on Software Engineering[C].New York:ACM,2011.1066-1071.
[2] Jim Chow,Ben Pfaff,et al.Understanding data lifetime via whole system simulation[A].Proceedings of the 13th conference on USENIX Security Symposium[C].California:USENIX Association Berkeley,2004.22-22.
[3] James Clause,Wanchun Li,Alessandro Orso.Dytan:a generic dynamic taint analysis framework[A].Proceedings of the 2007 international symposium on Software testing and analysis[C].New York:ACM,2007.196-206.
[4] Patrice Godefroid,Michael Levin,and David Molnar.Automated whitebox fuzz testing[A].Proceedings of the Network and Distributed System Security Symposium[C].California:Internet Society,2008.151-166.
[5] Papadakis M,Malevris N.Automatic mutation test case generation via dynamic symbolic execution[A].Proceedings of the 21st International Symposium on Software Reliability Engineering[C].Washington:IEEE Computer Society,2010.121-130.
[6] Rawat S,Mounier L.Offset-aware mutation based fuzzing for buffer overflow vulnerabilities:few preliminary results[A].Proceeedings of the Fourth International Conference on Software Testing,Verification and Validation Workshops[C].Washington:IEEE Computer Society,2011.531-533.
[7] Ganesh V,Leek T,Rinard M.Taint-based directed whitebox fuzzing[A].Proceedings of the IEEE 31st International Conference on Software Engineering[C].Washington:IEEE Computer Society,2009.474-484.
[8] Tielei Wang,Tao Wei,Guofei Gu,Wei Zou.Checksum-aware fuzzing combined with dynamic taint analysis and symbolic execution[J].ACM Transactions on Information and System Security,2011,14(2):1-28.
[9] Tielei Wang,Tao Wei,Guofei Gu,Wei Zou.Taintscope:a checksum-aware directed fuzzing tool for automatic software vulnerability detection[A].2010 IEEE Symposium on Security and Privacy[C].Washington:IEEE Computer Society,2010.497-512.
[10] Shinichi Minato.Zero-suppressed bdds and their applications[J].International Journal on Software Tools for Technology Transfer,2001,3(2):156-170.
[11] Towhidi F,Lashkari A H,Hosseini R S.Binary decision diagram (BDD)[A].International Conference on Future Computer and Communication[C].Washington:IEEE Computer Society,2009.496-499.
[12] 网址[OL]:http://valgrind.org/
[13] Nicholas Nethercote,Julian Seward.Valgrind:a framework for heavyweight dynamic binary instrumentation[J].ACM SIGPLAN Notices,2007,42(6):89-100.
[14] JØrn Lind-Nielsen.BuDDy:Binary Decision Diagram Package (Version 2.2)[OL].网址:http://vlsicad.eecs.umich.edu/BK/Slots/cache/www.itu.dk/research/buddy/index.html
[15] S Chakravarty.A characterization of binary decision diagrams.IEEE Transactions on Computers,1993,42(2):129-137.
[16] Randal E Bryant.Binary decision diagrams and beyond:enabling technologies for formalverification[A].Proceedings of the 1995 IEEE/ACM International Conference on Computer-aided design[C].Washington:IEEE Computer Society,1995,Page(s):236-243.
[17] Randal E Bryant.Symbolic boolean manipulation with ordered binary-decision diagrams[J].ACM Computing Surveys,1992,24(3):293-318.
[18] Randal E Bryant,Christoph Meinel.Ordered binary decision diagrams[A].Logic Synthesis and Verification[C].US:Springer,2002.654:285-307.
[19] Rolf Drechsler,Detlef Sieling.Binary decision diagrams in theory and practice.International Journal on Software Tools for Technology Transfer[J],2001,3(2):112-136.
[20] Burnim J,Sen K.Heuristics for scalable dynamic test generation[A].Proceedings of the 23rd IEEE/ACM International Conference on Automated Software Engineering[C].Washington:IEEE Computer Society,2008,Page(s):443-446.
[21] Burnim J,Sen K.Heuristics for scalable dynamic test generation[R].Berkeley:Electrical Engineering and Computer Sciences University of California at Berkeley,2008.1-10.
[22] Xie T,Tillmann N,de Halleux J,and Schulte W.Fitness-guided path exploration in dynamic symbolic execution[A].Proceedings of the 39th International IEEE/IFIP Conference on Dependable Systems and Networks[C].Washington:IEEE Computer Society,2009.359-368.
[23] 王颖,杨义先等.基于控制流序位比对的智能Fuzzing测试方法[J].通信学报,2013,34(4):114-121. [LL]WANG Ying,YANG Yi-xian,NIU Xin-xin,GU Li-ze.Smart Fuzzing method based on comparison algorithm of control flow sequences[J].Journal on Communications,2013,34(4):114-121.(in Chinese)
[24] Patrice Godefroid,Michael Y Levin,David Molnar.SAGE:Whitebox Fuzzing for Security Testing[J].Communications of the ACM,2012,55(3):40-44.
[25] 网址[OL]:http://www.sans.org/top25-software-errors/,或http://cwe.mitre.org/top25/
[26] 网址[OL]:http://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html

EWFT:基于程序执行过程的白盒测试工具

EWFT:Execution-based Whitebox Fuzzing for Executables

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 3

编辑推荐

Metrics

[1]	王令赛, 姜淑娟, 张艳梅, 于巧. 基于正交搜索的粒子群优化测试用例生成方法[J]. 电子学报, 2014, 42(12): 2345-2351.
[2]	万勇兵, 徐中伟, 梅萌. 一种符号化执行的实时系统一致性测试生成方法[J]. 电子学报, 2013, 41(11): 2276-2284.
[3]	王林章;李宣东;郑国梁. 一个基于UML协作图的集成测试用例生成方法[J]. 电子学报, 2004, 32(8): 1290-1296.