A Fuzzing System Based on Program Tracing and Mixed Execution

A fuzzing and hybrid execution technology, applied in the field of information security, that addresses collisions between basic-block identifiers, emulation errors and the low efficiency of constraint solving, with the effect of simplifying path constraints and improving the effectiveness, efficiency and vulnerability discovery ability of fuzz testing.

Active Publication Date: 2020-07-10
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

Although this method is more efficient for source-code testing, the unique identifiers it assigns to basic blocks can conflict and collide, and it also lacks support for binary programs.
[0015] (2) Although some fuzzing tools can test binary programs, they generally lack a feedback mechanism, which keeps testing efficiency low. Even the few that do use feedback, such as AFL's QEMU mode (Q-AFL for short), have to emulate and trace instructions: on the one hand, it is difficult for the emulator to fully and correctly emulate the target instruction set, so emulated execution of the target binary may go wrong; on the other hand, the instrumentation and instruction translation performed during emulation greatly degrade the performance of the target binary, so test results are poor and satisfactory results are hard to achieve in practice.
[0016] (3) Some mainstream fuzzing tools use symbolic execution, taint analysis and similar techniques to make testing more targeted, which improves the efficiency of fuzzing to a degree, but each of these techniques has its own limitations. Symbolic execution, for example, suffers from path explosion, low constraint-solving efficiency and difficulty scaling to large programs, which limits the improvement in fuzz-testing effectiveness.
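The identifier collision in problem (1) is easy to reproduce. The following Python model is added here and is not part of the patent: it assigns random basic-block identifiers the way AFL-style compile-time instrumentation does and hashes edges with AFL's formula, cur_location ^ (prev_location >> 1). The 64 KiB map size is AFL's default; the block count and the sample edges are constructed for the illustration.

```python
import random
from collections import defaultdict
from typing import Dict, List, Tuple

MAP_SIZE = 1 << 16  # 64 KiB coverage bitmap, the AFL default


def assign_random_block_ids(n_blocks: int, seed: int = 1) -> List[int]:
    """Model of compile-time instrumentation that gives each basic block an
    identifier drawn independently and uniformly from [0, MAP_SIZE).
    (Constructed model; the seed only makes the run reproducible.)"""
    rng = random.Random(seed)
    return [rng.randrange(MAP_SIZE) for _ in range(n_blocks)]


def block_id_collisions(ids: List[int]) -> int:
    """Number of blocks whose identifier duplicates that of an earlier block."""
    return len(ids) - len(set(ids))


def expected_block_id_collisions(n_blocks: int, map_size: int = MAP_SIZE) -> float:
    """Birthday-bound estimate n^2 / (2m) of duplicate identifiers."""
    return n_blocks * n_blocks / (2.0 * map_size)


def edge_slot(prev_id: int, cur_id: int) -> int:
    """AFL's edge hash cur_location ^ (prev_location >> 1), reduced to a slot."""
    return (cur_id ^ (prev_id >> 1)) % MAP_SIZE


def edge_collisions(edges: List[Tuple[int, int]]) -> Dict[int, List[Tuple[int, int]]]:
    """Group distinct CFG edges by the bitmap slot they hash into and keep only
    the slots shared by more than one edge. Edges that share a slot are
    indistinguishable to the fuzzer: reaching the second one for the first
    time produces no "new coverage" signal, so the test case is discarded."""
    slots: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for prev_id, cur_id in edges:
        slots[edge_slot(prev_id, cur_id)].append((prev_id, cur_id))
    return {slot: es for slot, es in slots.items() if len(es) > 1}


if __name__ == "__main__":
    ids = assign_random_block_ids(10_000)
    print("duplicate block ids:", block_id_collisions(ids),
          "expected about", round(expected_block_id_collisions(len(ids))))
    # Even with distinct block ids, distinct edges can share a slot:
    # 4 -> 6 gives 6 ^ (4 >> 1) = 4, and 0 -> 4 gives 4 ^ (0 >> 1) = 4.
    print("colliding edges:", edge_collisions([(4, 6), (0, 4), (1, 2)]))
```

With 10,000 blocks in a 64 KiB map the birthday bound already predicts several hundred duplicate block identifiers, and the edge hash adds a second source of collisions that no choice of distinct block identifiers removes; both make the feedback signal lossy, which is the motivation for the tracing-based approach described below.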


Embodiment Construction

[0052] The present invention will be described in detail below in conjunction with the accompanying drawings and specific examples.

[0053] In the present invention, a manually provided test case is called an initial test case; a test case handed to the fuzzing module for mutation is called a seed test case; a test case produced directly by mutating a seed test case, or generated by the hybrid execution module, is called a candidate test case; and a candidate test case that has passed screening and been saved into the test case set is called a test case.

[0054] The embodiment of the present invention is a fuzz testing system based on program tracing and hybrid execution, which mainly comprises three modules (as shown in figure 1): the fuzzing module, the data flow tracking module and the hybrid execution module, where the input of the fuzzing module is the target binary program, the...


Abstract

The invention provides a fuzz testing system based on program tracing and hybrid execution. The system mainly comprises three modules: a fuzzing module, a data flow tracking module and a hybrid execution module. The input of the fuzzing module is the target binary program, a seed test case, and the type information, extracted by the data flow tracking module, of the variables corresponding to byte sequences in that seed test case; its output is a test case that triggers a new path. The input of the data flow tracking module is the target binary program and the seed test case loaded by the fuzzing module; its output is the type information of the variables corresponding to byte sequences in the seed test case and the dependency relationships among data in the target binary program. The input of the hybrid execution module is the data dependency relationships in the target binary program, provided in real time by the data flow tracking module; its output is newly generated candidate test cases that can trigger a new path. Compared with the prior art, the system improves the effectiveness of test case generation.
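As an added illustration of the three-module pipeline described in this abstract, and of the test case terminology of paragraph [0053], here is a Python model that is not the patent's code. The target binary is replaced by a constructed header parser; the data flow tracking module by a tracer that records, for every comparison, which input bytes and which variable type it depends on; the hybrid execution module by a step that rewrites exactly those bytes to take the other branch; and the fuzzing module by a loop that keeps only candidates triggering a path not yet covered. The parser, its magic value, length field and flag byte, and the 16-byte initial test case are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Dependency:
    """A comparison seen by the tracker: dependent byte range, type, constant, outcome."""
    offset: int
    size: int
    vtype: str  # "bytes", "u8" or "u32le"
    expected: object
    taken: bool


class Tracer:
    """Constructed stand-in for the data-flow tracking module: the target reads
    input only through it, so each comparison is tied to a byte range and type."""

    def __init__(self, data: bytes):
        self.data = data
        self.deps: List[Dependency] = []

    def cmp_bytes(self, off: int, const: bytes) -> bool:
        taken = self.data[off:off + len(const)] == const
        self.deps.append(Dependency(off, len(const), "bytes", const, taken))
        return taken

    def cmp_u8(self, off: int, const: int) -> bool:
        taken = self.data[off] == const
        self.deps.append(Dependency(off, 1, "u8", const, taken))
        return taken

    def cmp_u32le(self, off: int, const: int) -> bool:
        taken = struct.unpack_from("<I", self.data, off)[0] == const
        self.deps.append(Dependency(off, 4, "u32le", const, taken))
        return taken


def target(t: Tracer) -> Set[str]:
    """Constructed stand-in for the target binary (a small header parser);
    the path labels it returns play the role of coverage feedback."""
    paths = {"entry"}
    if len(t.data) < 9:
        paths.add("too_short")
        return paths
    if not t.cmp_bytes(0, b"FUZZ"):
        paths.add("bad_magic")
        return paths
    paths.add("magic_ok")
    if not t.cmp_u32le(4, 0x1337):
        paths.add("bad_len")
        return paths
    paths.add("len_ok")
    paths.add("flag_set" if t.cmp_u8(8, 0x41) else "flag_clear")
    return paths


def encode(vtype: str, value) -> bytes:
    """Encode a constant with the type the tracked variable was read as."""
    if vtype == "bytes":
        return value
    if vtype == "u8":
        return bytes([value])
    if vtype == "u32le":
        return struct.pack("<I", value)
    raise ValueError(vtype)


def hybrid_execution(seed: bytes, deps: List[Dependency]) -> List[bytes]:
    """Constructed stand-in for the hybrid execution module: one candidate per
    comparison that takes the other branch. A failed comparison is satisfied by
    writing the typed encoding of the constant over exactly the dependent bytes;
    a satisfied one is broken by flipping the first dependent byte. The byte
    range and type from the tracker resolve these equalities without a solver."""
    candidates = []
    for d in deps:
        cand = bytearray(seed)
        if d.taken:
            cand[d.offset] ^= 0xFF
        else:
            cand[d.offset:d.offset + d.size] = encode(d.vtype, d.expected)
        candidates.append(bytes(cand))
    return candidates


def fuzz(initial: bytes, max_rounds: int = 50) -> Tuple[Set[str], List[bytes]]:
    """Constructed stand-in for the fuzzing module: a candidate joins the test
    case set only if it triggers a path label not covered before, and every
    saved test case is fed back as a seed."""
    coverage: Set[str] = set()
    test_cases: List[bytes] = []
    queue = [initial]
    for _ in range(max_rounds):
        if not queue:
            break
        seed = queue.pop(0)
        t = Tracer(seed)
        paths = target(t)
        if paths - coverage:
            coverage |= paths
            test_cases.append(seed)
            queue.extend(hybrid_execution(seed, t.deps))
    return coverage, test_cases
```

Running fuzz(b"\x00" * 16) promotes four test cases in turn: the initial one, one with the magic bytes fixed, one with the little-endian length field fixed, and one that also sets the flag byte; the candidates produced by breaking an already satisfied comparison are discarded because they only reach paths already covered. Against a real binary the same byte ranges and types would have to be recovered by dynamic taint tracking rather than by a cooperative tracer, which is the job the patent assigns to the data flow tracking module.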

Description

Technical field

[0001] The invention belongs to the technical field of information security, and in particular to a fuzz testing system based on program tracing and hybrid execution.

Background technique

[0002] Fuzz testing: Fuzz testing discovers software vulnerabilities by feeding unexpected inputs to the target system or software and monitoring for abnormal results. Because it turns a large amount of manual testing into highly automated testing and sits between black-box and white-box testing, it is widely used in vulnerability discovery at home and abroad.

[0003] Test cases: The test case generation strategy determines the efficiency of fuzz testing; better test cases cover more paths of the program under test and thereby expose more vulnerabilities. Fuzzing test case generation methods fall into two types, generation-based and mutation-based. The generation-based method m...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): G06F11/36
Inventor 田东海李斌斌王文杰马锐王雪霏王夏菁刘叔可蒋瑾曼
Owner BEIJING INSTITUTE OF TECHNOLOGY