Generation method of dynamic binary code test case

A test case generation technique for binary code, applied in the fields of vulnerability mining, reverse engineering, and software testing. It addresses problems such as high test time cost, the inability to construct inputs, and the inability to find bugs, and it improves path coverage.

Inactive Publication Date: 2012-11-28
BEIHANG UNIV

AI Technical Summary

Problems solved by technology

Black-box fuzz testing is blind: it cannot know which program paths have already been executed, nor can it construct input in a directed manner so that the program executes paths that have not yet been traversed.
Most of the time in the test process is spent repeatedly executing the same path, which makes the test time cost too high.
Source-level testing can help programmers find many bugs caused by code style or wrong syntax and semantics, but it has several disadvantages: 1) it cannot find bugs that occur while the program is running; 2) in many cases, the source code is not accessible; 3) each programming language needs to be considered separately.
Catchconv and Fuzzgrind are open source tools, and both use Valgrind as their instrumentation framework. Only Microsoft's Sage runs on Windows, but it has not been released.

Embodiment Construction

[0059] The method of the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments of the present invention.

[0060] The basic idea of the present invention is: implement a dynamic binary code instrumentation tool, collect the dynamic information of binary code execution, convert this dynamic information into the VEX intermediate language, introduce symbols at the input point, propagate the symbols to each branch, and extract the path constraints for each branch. Then use the path mutation algorithm to generate a new path constraint, use the solver to calculate an input vector that satisfies the path constraint, and pass the input vector to the binary program for the next round of execution, until no new path is generated.
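The loop in [0060] (execute, record path constraints, negate a branch, solve, re-execute until no new path appears) can be illustrated with a small added example; it is not code from the patent. The target function, the tuple constraint format and the per-byte brute-force search standing in for the solver are all assumptions made for illustration, and no instrumentation or VEX translation is performed.

```python
# Added illustration: target, constraint format and brute-force "solver" are assumptions.
import operator

OPS = {"==": operator.eq, "<": operator.lt}

def target(inp, trace):
    """Constructed program under test; every branch on input is recorded."""
    def br(i, op, c):
        taken = OPS[op](inp[i], c)
        trace.append((i, op, c, taken))   # path constraint for this branch
        return taken
    if br(0, "==", ord("B")):
        if br(1, "<", 0x20):
            if br(2, "==", 0x7F):
                return "deep"             # reachable only via 3 nested checks
            return "mid"
        return "shallow"
    return "reject"

def solve(constraints, seed):
    """Solver stand-in: each constraint touches one byte, so search 0..255 per byte."""
    out = list(seed)                      # unconstrained bytes keep the seed value
    for i in {c[0] for c in constraints}:
        mine = [c for c in constraints if c[0] == i]
        ok = [v for v in range(256)
              if all(OPS[op](v, k) == want for _, op, k, want in mine)]
        if not ok:
            return None                   # unsatisfiable path
        out[i] = ok[0]
    return bytes(out)

def explore(seed):
    """Run, flip each branch of the observed path, solve, re-run until no new path."""
    work, results = [seed], {}
    while work:
        inp = work.pop()
        trace = []
        result = target(inp, trace)
        path = tuple(t[3] for t in trace)
        if path in results:
            continue                      # path already covered, nothing new
        results[path] = (inp, result)
        for k in range(len(trace)):       # path mutation: keep prefix, flip branch k
            i, op, c, taken = trace[k]
            new = solve(trace[:k] + [(i, op, c, not taken)], inp)
            if new is not None:
                work.append(new)
    return results
```

Starting from an all-zero seed, `explore(b"\x00\x00\x00\x00")` reaches all four paths of the constructed target in four new-path executions, where random input would need to guess two exact byte values to reach the deepest branch.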

[0061] Figure 1 is a schematic flow chart of the dynamic binary code test case generation method of the present invention. As shown in Figure 1, the method includes the following steps:

[...

Abstract

The invention discloses a method for generating dynamic binary code test cases. The method comprises the following steps: a dynamic binary instrumentation tool is implemented to collect context information during the execution of the binary code, including registers, memory, threads, system calls, base loading and the like; this information is passed to a binary code translation component and converted into an intermediate language; symbolic execution is carried out on the intermediate language, the symbolic input is propagated, and the path constraints that depend on the input are collected. The path constraints are then passed to a path generation component, which provides a new in-step branch-path mutation algorithm and strategy and generates as many new path constraints as possible after each symbolic execution. A theorem prover is used to solve each new path constraint and obtain a new input that satisfies it. The new input is passed to the binary code for one concrete execution, new path constraints are obtained from that execution, and new inputs are generated in a continuous loop, improving the coverage of the binary code.

Description

Technical field

[0001] The invention relates to a dynamic binary code test case generation method that runs directly on the Windows platform, does not need the source code of the program under test, and can generate new inputs to explore new paths during operation. It is suitable for software testing, vulnerability mining, reverse engineering and other fields.

Background technique

[0002] Traditional software testing methods generally use black-box fuzz testing, which constructs a set of random inputs and passes them to the program until the program crashes. This method is blind: it cannot know which program paths have already been executed, nor can it construct input in a directed manner so that the program executes paths that have not yet been traversed. Most of the time in the test process is spent repeatedly executing the same path, which makes the test time cost too high. Source-level testing can help programmers find many bugs caused by code style or wr...

Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): G06F11/36
Inventor 李舟军马金鑫忽朝俭章张锴
Owner BEIHANG UNIV