CN112181833A - Intelligent fuzzy test method, device and system - Google Patents


Info

Publication number: CN112181833A
Authority: CN (China)
Prior art keywords: test case, test, execution, symbolic, path
Legal status: Pending
Application number: CN202011046778.8A
Other languages: Chinese (zh)
Inventors: 张道娟, 钱珂翔, 王文辉, 张錋, 陈连栋
Current assignee: State Grid Corp of China SGCC; State Grid Hebei Electric Power Co Ltd; Global Energy Interconnection Research Institute; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; State Grid Hebei Electric Power Co Ltd; Global Energy Interconnection Research Institute; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Hebei Electric Power Co Ltd, Global Energy Interconnection Research Institute and Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd

Classifications

    • G06F11/3684 Test management for test design, e.g. generating new test cases (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/3668 Software testing > G06F11/3672 Test management)
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites (same parent path as G06F11/3684 above)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)

Abstract

The invention discloses an intelligent fuzz testing method, device and system in the field of computer technology. The method comprises: converting the input variables of the target under test into symbolic expressions through symbolic execution; applying path constraints to the symbolic expressions of the multi-path input variables; generating test cases according to the constrained execution paths; and executing the test cases and acquiring their execution state and test data. Embodiments of the invention address the low detection efficiency of existing fuzz testing.

Description

Intelligent fuzzy test method, device and system
Technical Field
The invention relates to the field of computer technology, in particular to an intelligent fuzz testing method, device and system.
Background
Because of design flaws and software bugs in power systems, malicious attacks launched from the information side against the power cyber-physical system (power CPS) can break through protective measures and cause large-scale disturbances and faults. Discovering vulnerabilities in the protocols and systems of the current power CPS is therefore essential to protecting it.
Security vulnerability detection for the Internet of Things is now mature, and its techniques can also be applied to vulnerability detection in the power CPS. Vulnerability detection divides mainly into static analysis, whose object is mainly the target source code, and dynamic analysis, whose object is mainly an executable binary. Dynamic binary analysis mainly relies on fuzz testing: a large amount of malformed data is fed to the target program, and security holes that may exist in the program under test are discovered by monitoring it for abnormal behaviour; the process is typically automatic or semi-automatic.
Although traditional fuzz testing can detect program bugs, fuzz-based vulnerability mining in the power Internet of Things is currently black-box testing: only the test process and the returned results of the protocol server and client are monitored. This generates a large number of invalid samples, and because the method collects no control-flow or data-flow information from inside the program while inputs are processed, code coverage is low. Low code coverage together with many invalid samples makes testing inefficient.
Disclosure of Invention
In view of this, embodiments of the present invention provide an intelligent fuzz testing method, apparatus and system to solve the problem of low detection efficiency in existing fuzz testing.
According to a first aspect, an embodiment of the present invention provides an intelligent fuzz testing method, including: converting the input variables of the target under test into symbolic expressions through symbolic execution; applying path constraints to the symbolic expressions of the multi-path input variables; generating test cases according to the constrained execution paths; and executing the test cases and acquiring their execution state and test data.
Optionally, converting the input variables of the target under test into symbolic expressions through symbolic execution includes: recording the internal taint data flow and program instruction control flow of the target under test on the S2E platform to obtain the input taint variables; and obtaining, through symbolic execution, the symbolic expressions of those input taint variables on the execution path.
Optionally, applying path constraints to the symbolic expressions of the multi-path input variables includes: generating malformation constraint conditions from the symbolic expressions of the multi-path input variables; and, according to those malformation constraint conditions, solving the path constraints over the input taint variables to obtain a designated code path.
Optionally, the intelligent fuzz testing method further includes: providing a test case template from a test case knowledge base and generating test cases based on that template, where the knowledge base comprises a distortion database and a test case template base; the distortion database provides distortion data from which malformation constraint conditions are generated, and the test case template base provides the templates from which test cases are generated.
Optionally, the intelligent fuzz testing method further includes detecting security vulnerabilities with a vulnerability detection algorithm during test case execution, where the detection comprises: detecting whether a pointer to released heap memory is reused while the test case executes; and, if it is, judging that a security vulnerability exists.
Optionally, before detecting whether a released heap memory pointer is reused, the method further includes: intercepting the heap management API and monitoring allocation and release of heap memory; tracking the propagation of pointers and matching each pointer to the heap memory it maps to; and clearing all pointers corresponding to a heap memory block to null when that block is released.
According to a second aspect, an embodiment of the present invention provides an intelligent fuzz testing apparatus, including: a variable processing module for converting the input variables of the target under test into symbolic expressions through symbolic execution; a path constraint module for applying path constraints to the execution path of the target under test according to the symbolic expressions; a test case generation module for generating test cases according to the constrained execution path; and a comprehensive processing module for executing the test cases and acquiring their execution state and test data.
According to a third aspect, an embodiment of the present invention provides an intelligent fuzz testing system, including: an integrated management subsystem for establishing fuzz test tasks for the target under test; a test case knowledge base for providing distortion data and test case templates; a test case generation subsystem for generating test cases from the test case templates, which comprises the variable processing module for converting the input variables of the target under test into symbolic expressions through symbolic execution, the path constraint module for applying path constraints to the execution path of the target under test according to the symbolic expressions, the test case generation module for generating test cases according to the constrained execution path, and the comprehensive processing module for executing the test cases and acquiring their execution state and test data; a fuzz test engine for parsing the test cases and executing the parsed test cases on the S2E selective symbolic execution platform; a test management and control subsystem for controlling the execution of the test cases and acquiring their execution state and test data; an exception verification subsystem for analysing software exceptions in the test data and analysing the mechanism that triggered them; and a basic service platform for creating a virtual machine cluster and executing the fuzz test tasks on physical machine resources.
According to a fourth aspect, an embodiment of the present invention provides an electronic device comprising a memory and a processor communicatively connected to each other; the memory stores computer instructions, and the processor executes them so as to perform the intelligent fuzz testing method of the first aspect or any of its embodiments.
According to a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions that cause a computer to execute the intelligent fuzz testing method of the first aspect or any of its embodiments.
Embodiments of the invention have at least the following advantages:
in this embodiment, symbolic execution converts the input variables of the target under test into symbolic expressions, the constraint conditions are then solved to designate the execution path of the code under test, and a path-constraint-based strategy guides test case generation. This avoids path explosion during symbolic execution, reduces the amount of data that must be symbolized, raises code coverage and so improves vulnerability detection efficiency.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings show only some embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of an intelligent fuzz testing method provided by an embodiment of the invention;
FIG. 2 is a flow diagram of a test case generation process according to an embodiment of the invention;
FIG. 3 is an S2E architecture diagram according to an embodiment of the invention;
FIG. 4 is a process diagram of abstracting a power system communication protocol into a protocol structure according to an embodiment of the invention;
FIG. 5 is a schematic structural diagram of an intelligent fuzz testing apparatus according to an embodiment of the present invention;
FIG. 6 is a diagram of an intelligent fuzz testing system architecture according to an embodiment of the present invention;
FIG. 7 is an exemplary distributed architecture diagram of an S2E plug-in provided by an embodiment of the present invention;
FIG. 8 is a physical architecture diagram of a basic service platform provided by an embodiment of the invention;
FIG. 9 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Symbolic execution, that is, execution with symbolic values in place of concrete values, is an important formal method and software analysis technique; the main platform used here is Selective Symbolic Execution (the S2E platform). With symbolic execution, the values of program variables are expressed as computational expressions composed of symbolic values and constants, and the program's output is expressed as a function of the symbolic inputs, which is valuable in software testing and program verification. On this basis, this embodiment provides an intelligent fuzz testing method that performs fuzz testing by symbolic execution. Specifically, it establishes a test task for the target software under test, selects a test case generation template according to the target's data type or protocol, generates test cases from that template, executes them, and manages and controls the data of the execution process.
Because current software has a large amount of code, the number of execution paths and states grows exponentially during fuzz testing. To avoid path explosion during symbolic execution and to reduce the data that must be symbolized, the intelligent fuzz testing method of this embodiment, shown in Fig. 1, comprises the following steps:
Step S1: converting the input variables of the target under test into symbolic expressions through symbolic execution;
specifically, the S2E platform can be used to record the internal taint data flow and program instruction control flow of the target under test and obtain the input taint variables; the symbolic expressions of the input taint variables on the execution path are then obtained through symbolic execution.
Recording the taint data flow means recording detailed information about the execution path of the program under test (registers, memory, variables, instructions and so on), collecting sensitive path information and the propagation information of sensitive data along the execution trace using symbolic execution and forward taint propagation, and deriving the taint variables from that propagation information.
Symbolic computation is thus performed over the input variables of multiple targets under test, and recording the internal taint data flow and program instruction control flow of each target improves the efficiency of vulnerability detection.
Step S2: applying path constraints to the symbolic expressions of the multi-path input variables;
the input variables converted into symbolic expressions along the multiple paths of step S1 are acquired, and malformation constraint conditions are generated from the symbolic expressions of the multi-path input variables; according to those conditions, path constraint solving is performed over the input taint variables to obtain a designated code path. In other words, malformation constraints are applied to the multiple execution paths so that the test case generation task runs along the designated code paths; a strategy based on constraint solving over taint variables guides test case generation, which reduces the data that must be symbolized and avoids path explosion.
Step S3: generating test cases according to the constrained execution path;
specifically, test cases are generated from a test case template. This embodiment provides the template from a test case knowledge base and generates test cases based on it; the knowledge base comprises a distortion database and a test case template base, where the distortion database provides distortion data for generating malformation constraint conditions and the template base provides the templates for generating test cases.
In practice, a tester selects different generation templates according to the input data format or protocol of the target under test, defines the state model and data model of the software test and the different distortion libraries through an XML-format script pattern, and configures corresponding generation strategies to produce test cases automatically in batches. Data-format test cases fall into two classes, file input and packet input: the file input templates cover common document, video and image formats such as doc, xls, ppt, pdf, jpg, png, wmv and MP3, and the network-protocol input templates support mainstream communication protocols such as UDP, TCP, HTTPS, FTP, SMTP/POP3 and DNS. For each test template, a test case generation strategy matching the distortion modes in its corresponding distortion library is configured to generate test cases automatically in batches.
Optionally, test cases may be generated with a mutation-based strategy, a generation-based strategy or a self-feedback-based strategy; any two of these may be combined, or all three used together. The mutation-based strategy derives new test cases from known data samples by mutation; the generation-based strategy models a known protocol or interface specification and generates test cases from the model; the self-feedback-based strategy uses the instruction execution path information of the test process and a genetic algorithm to optimize the generated input data so as to cover as much of the real program as possible.
Referring to Fig. 2, in the detailed test case generation process, path constraint solving is performed on the result of symbolic execution by the S2E platform to obtain a designated execution path, and according to that path a number of test cases are generated automatically from the test case template; that is, test case generation is guided by a strategy based on constraint solving over taint variables. Optionally, test cases may also be generated by the mutation-based, generation-based and self-feedback-based strategies, and are then fed into the QEMU test environment constructed by the S2E platform for execution.
Step S4: executing the test cases and acquiring their execution state and test data.
After a test case is generated, its content is parsed, the relevant test parameters are set, and the parsed test case is sent for execution to the QEMU test environment constructed by S2E. The S2E architecture is shown in Fig. 3: the S2E platform uses a QEMU virtual machine, the KLEE symbolic execution engine and the LLVM toolchain for symbolic data access, connects data through the S2E selection interface and the S2E analysis interface, and uses plug-ins to designate and analyse the target code. Specifically, the target application runs inside the QEMU virtual machine, calling library functions and driven by the operating system kernel. The program is translated by the dynamic binary translator into TCG intermediate code, which is executed in either a concrete mode or a symbolic mode: in concrete mode the TCG intermediate code is converted to host machine code and executed on the host CPU with concrete data; in symbolic mode it is converted to LLVM bytecode and executed on the KLEE symbolic execution engine with symbolic data. Read and write operations in both the QEMU and KLEE execution engines are redirected to the shared virtual machine memory state, virtual CPU state and virtual device state, so that S2E can convert data between concrete and symbolic execution and keep separate state backups for different execution paths.
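Steps S1 to S4 above describe the loop of collecting symbolic expressions over the tainted input bytes, solving path constraints (optionally with a malformation constraint from the distortion data) to reach a designated path, emitting a test case and executing it. The following is an added example, not code from the patent or the S2E platform, that carries that loop through on a constructed 4-byte frame parser (magic, length, type, checksum). The parser, the `branch` hook that records the path condition and the small backtracking solver are all assumptions made for illustration; a real pipeline would collect the expressions from the S2E/KLEE engine and hand the conjunction to an SMT solver.

```python
"""Path-constraint-guided test case generation over a toy frame parser (constructed example)."""
import operator


class Sym:
    """Symbolic expression over input bytes: which bytes it depends on,
    how to evaluate it under a concrete assignment, and a printable form."""

    def __init__(self, deps, fn, text):
        self.deps, self.fn, self.text = frozenset(deps), fn, text

    def eval(self, env):
        return self.fn(env)

    @staticmethod
    def lift(x):
        return x if isinstance(x, Sym) else Sym((), lambda env: x, str(x))

    def _bin(self, other, op, sign):
        o = Sym.lift(other)
        return Sym(self.deps | o.deps,
                   lambda env: op(self.fn(env), o.fn(env)),
                   f"({self.text} {sign} {o.text})")

    def __add__(self, o): return self._bin(o, operator.add, "+")
    def __and__(self, o): return self._bin(o, operator.and_, "&")
    def __or__(self, o): return self._bin(o, operator.or_, "|")
    def __eq__(self, o): return self._bin(o, operator.eq, "==")
    def __le__(self, o): return self._bin(o, operator.le, "<=")
    def __invert__(self): return Sym(self.deps, lambda env: not self.fn(env), f"!{self.text}")
    __hash__ = None


def byte(i):
    """The i-th input byte as a symbolic (taint) variable."""
    return Sym((i,), lambda env: env[i], f"b{i}")


class Executor:
    """Runs the target on one concrete input while collecting the path condition (step S1)."""

    def __init__(self, data):
        self.env = dict(enumerate(data))
        self.path = []  # conditions as actually taken on this run

    def branch(self, cond):
        taken = bool(cond.eval(self.env))
        self.path.append(cond if taken else ~cond)
        return taken


def parse_frame(ex, b):
    """Constructed target: 4-byte frame [magic, length, type, checksum]."""
    if not ex.branch(b[0] == 0x7E):
        return "bad-magic"
    if not ex.branch(b[1] <= 4):
        return "bad-length"
    if not ex.branch((b[2] == 1) | (b[2] == 2)):
        return "bad-type"
    if not ex.branch(b[3] == ((b[0] + b[1] + b[2]) & 0xFF)):
        return "bad-checksum"
    return "ok"


def solve(constraints, nbytes):
    """Backtracking search over byte values (step S2). A constraint is checked as
    soon as every byte it depends on is assigned; enough for this toy domain."""
    env = {}

    def rec(i):
        if i == nbytes:
            return bytes(env[j] for j in range(nbytes))
        checks = [c for c in constraints if c.deps and max(c.deps) == i]
        for v in range(256):
            env[i] = v
            if all(c.eval(env) for c in checks):
                found = rec(i + 1)
                if found is not None:
                    return found
        env.pop(i, None)
        return None
    return rec(0)


def run(program, data):
    """Execute the target concretely (step S4); returns (result, path condition)."""
    ex = Executor(data)
    return program(ex, [byte(i) for i in range(len(data))]), ex.path


def generate_tests(program, seed):
    """Step S3: negate each branch of the seed's path in turn and solve for an input
    that keeps the prefix but flips that branch, giving one new path per case."""
    _, path = run(program, seed)
    cases = []
    for i, cond in enumerate(path):
        case = solve(path[:i] + [~cond], len(seed))
        if case is not None:
            cases.append(case)
    return cases


def targeted_case(program, seed, malformed):
    """Keep the seed's full path condition and add a malformation constraint taken
    from the distortion data (here a boundary value), then solve for the designated path."""
    _, path = run(program, seed)
    return solve(path + [malformed], len(seed))


if __name__ == "__main__":
    seed = bytes([0x7E, 2, 1, 0x81])  # constructed valid frame
    for case in generate_tests(parse_frame, seed):
        print(case.hex(), "->", run(parse_frame, case)[0])
    print(targeted_case(parse_frame, seed, byte(1) == 4).hex())
```

From one valid seed the generator produces exactly one test case per branch of the parser, each of which exercises a different error path, and the targeted call produces a still-valid frame sitting on the length boundary; the path condition is what keeps the solver from exploring the 2^32 inputs of the frame at random.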
Taking vulnerability mining in power system communication protocols as an example, the fuzz testing object is the communication protocol parsing module in power industrial control systems and terminals, and the aim is to test whether the target's implementation of the power system communication protocol contains vulnerabilities. The mining process comprises the following steps:
the power system communication protocol is abstracted into a protocol structure, as shown in Fig. 4. The protocol structure identification process mainly includes: using type matching to extract message sequences of the same type from different network traffic capture files (PCAP) in the local historical traffic, and treating those sequences as a message group; aligning the messages by multiple sequence comparison and separating invariant regions from variable regions to make a preliminary division of the message fields; and identifying the message regions further to obtain ASCII string regions, thereby producing a more accurate message format and test data with which the fuzz testing tool tests the target. Specifically, the tester selects the data template corresponding to the abstracted protocol structure description, defines the state model and data model of the software test through an XML-style script, configures the different distortion libraries and generation strategies to generate test cases automatically in batches, and executes them.
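The protocol-structure step above (group same-type messages, separate invariant from variable regions, then pick out ASCII string regions) can be shown on a handful of constructed messages. The code below is an added example, not the patent's or any tool's implementation: the payloads are made up, messages are grouped by length and a type byte at a fixed offset (an assumption standing in for the page's "type matching"), and the comparison is column-wise over equal-length messages rather than a full multiple sequence alignment.

```python
"""Infer a field template from a group of same-type protocol messages (constructed example)."""

# Constructed payloads, as if extracted from PCAP files: three messages of one type
# (header 0x68, length 0x0c, type 0x01, sequence byte, 7-char device name, checksum)
# and one message of another type.
PAYLOADS = [
    bytes([0x68, 0x0C, 0x01, 0x01]) + b"PUMP-A1" + bytes([0x7A]),
    bytes([0x68, 0x0C, 0x01, 0x02]) + b"VALVE7B" + bytes([0x0F]),
    bytes([0x68, 0x05, 0x02, 0x01, 0x9C]),
    bytes([0x68, 0x0C, 0x01, 0x03]) + b"FAN-C03" + bytes([0xE2]),
]

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII


def group_by_type(payloads, type_offset=2):
    """Type matching: messages with the same length and type byte form one group."""
    groups = {}
    for p in payloads:
        groups.setdefault((len(p), p[type_offset]), []).append(p)
    return groups


def column_classes(msgs):
    """Per byte position: 'const' if identical in every message (invariant region),
    'ascii' if it varies but is printable in every message, else 'var'."""
    n = len(msgs[0])
    assert all(len(m) == n for m in msgs), "column comparison needs equal-length messages"
    classes = []
    for i in range(n):
        col = [m[i] for m in msgs]
        if len(set(col)) == 1:
            classes.append("const")
        elif all(b in PRINTABLE for b in col):
            classes.append("ascii")
        else:
            classes.append("var")
    return classes


def runs(seq):
    """Maximal runs of equal values as (value, start, end) with end exclusive."""
    out, start = [], 0
    for i in range(1, len(seq) + 1):
        if i == len(seq) or seq[i] != seq[start]:
            out.append((seq[start], start, i))
            start = i
    return out


def infer_template(msgs, min_str=3):
    """Merge columns into fields; ASCII runs shorter than min_str are too short to be
    a string region and are treated as plain variable bytes."""
    classes = column_classes(msgs)
    for kind, s, e in runs(classes):
        if kind == "ascii" and e - s < min_str:
            classes[s:e] = ["var"] * (e - s)
    fields = []
    for kind, s, e in runs(classes):
        field = {"kind": kind, "start": s, "end": e}
        if kind == "const":
            field["value"] = bytes(msgs[0][s:e])
        fields.append(field)
    return fields


if __name__ == "__main__":
    for key, group in group_by_type(PAYLOADS).items():
        print(key, infer_template(group))
```

For the three-message group the result is a constant 3-byte header, a variable sequence byte, a 7-byte ASCII string region and a variable trailing byte, which is the kind of template the distortion library is then attached to (for instance over-long or non-ASCII data for the string region).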
In addition, during test case execution this embodiment provides detection algorithms for common vulnerability types such as memory release reuse (use-after-free), integer overflow and buffer overflow. The specific procedure for detecting a security vulnerability with a vulnerability detection algorithm is:
during test case execution, detect whether a pointer to released heap memory is reused, and if it is, judge that a security vulnerability exists, thereby detecting the possible vulnerability.
For example, the memory release reuse vulnerability is detected as follows: intercept the heap management API and monitor allocation and release of heap memory; track the propagation of pointers and match each pointer to the heap memory it maps to; and clear all pointers corresponding to a heap memory block to null when that block is released. If a pointer to released heap memory, that is a dangling pointer, is reused while the test case executes, the current test case can trigger the security vulnerability.
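The detection algorithm just described can be modelled as shadow state driven by intercepted events: allocations, pointer copies, releases and dereferences. The following is an added example, not the patent's or S2E's code, that replays a constructed event trace through such a tracker; the event format and the baseline tracker used for comparison are assumptions made for illustration. The point it makes is why the pointer-to-chunk mapping and the clearing of pointers on release matter: once the allocator hands the same address out again, a check that only asks "is this address inside a live chunk?" no longer sees the dangling use.

```python
"""Use-after-free detection over an intercepted heap event trace (constructed example)."""

FREED = object()  # mark stored in a pointer slot once the chunk it pointed to was released


class HeapTracker:
    """Shadow state from intercepted heap-API and pointer-propagation events."""

    def __init__(self):
        self.live = {}      # chunk base address -> size, for live allocations
        self.slots = {}     # pointer variable -> (chunk base, address) or FREED
        self.findings = []

    def chunk_of(self, addr):
        for base, size in self.live.items():
            if base <= addr < base + size:
                return base
        return None

    def on_malloc(self, var, base, size):
        self.live[base] = size
        self.slots[var] = (base, base)

    def on_copy(self, dst, src, delta=0):
        """dst = src + delta: the copy inherits src's chunk mapping, FREED mark included."""
        mapping = self.slots.get(src)
        if mapping is FREED or mapping is None:
            self.slots[dst] = mapping
        else:
            base, addr = mapping
            self.slots[dst] = (base, addr + delta)

    def on_free(self, var, step):
        mapping = self.slots.get(var)
        if mapping is FREED:
            self.findings.append(("double-free", var, step))
            return
        if mapping is None or mapping[0] not in self.live:
            self.findings.append(("invalid-free", var, step))
            return
        base = mapping[0]
        del self.live[base]
        # "clear every pointer to this chunk": any later use of one of them is a dangling use
        for v, m in list(self.slots.items()):
            if m is not FREED and m is not None and m[0] == base:
                self.slots[v] = FREED

    def on_deref(self, var, step):
        mapping = self.slots.get(var)
        if mapping is FREED:
            self.findings.append(("use-after-free", var, step))
        elif mapping is None or self.chunk_of(mapping[1]) != mapping[0]:
            self.findings.append(("invalid-access", var, step))


class AddressOnlyTracker(HeapTracker):
    """Baseline with no pointer clearing: a dereference is fine whenever the address
    lies inside some live chunk, so reuse after allocator recycling goes unnoticed."""

    def on_free(self, var, step):
        mapping = self.slots.get(var)
        if mapping is None or mapping[0] not in self.live:
            self.findings.append(("invalid-free", var, step))
            return
        del self.live[mapping[0]]

    def on_deref(self, var, step):
        mapping = self.slots.get(var)
        if mapping is None or self.chunk_of(mapping[1]) is None:
            self.findings.append(("invalid-access", var, step))


# Constructed trace: p is freed, the allocator recycles the same address for r,
# then the stale interior pointer q is used, and r is freed twice.
TRACE = [
    ("malloc", "p", 0x1000, 64),
    ("copy", "q", "p", 16),
    ("deref", "q"),
    ("free", "p"),
    ("malloc", "r", 0x1000, 64),
    ("deref", "q"),
    ("deref", "r"),
    ("free", "r"),
    ("free", "r"),
]


def replay(trace, tracker_cls=HeapTracker):
    t = tracker_cls()
    for step, event in enumerate(trace):
        kind, args = event[0], event[1:]
        if kind == "malloc":
            t.on_malloc(*args)
        elif kind == "copy":
            t.on_copy(*args)
        elif kind == "free":
            t.on_free(args[0], step)
        elif kind == "deref":
            t.on_deref(args[0], step)
    return t.findings


if __name__ == "__main__":
    print("pointer tracking:", replay(TRACE))
    print("address only:   ", replay(TRACE, AddressOnlyTracker))
```

With pointer tracking the trace yields a use-after-free at step 5 and a double free at step 8; the address-only baseline reports only a stale free and misses the dangling use entirely, which is the gap the patent's "clear all pointers on release" step closes.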
In this embodiment, symbolic execution converts the input variables of the target under test into symbolic expressions, the constraint conditions are then solved to designate the execution path of the code under test, and a path-constraint-based strategy guides test case generation; this avoids path explosion during symbolic execution, reduces the data that must be symbolized and improves code coverage.
Further, this embodiment provides an intelligent fuzz testing apparatus; referring to Fig. 5, the apparatus comprises:
the variable processing module 01, which converts the input variables of the target under test into symbolic expressions through symbolic execution; this module performs the method of step S1 in the embodiment above, which is not repeated here;
the path constraint module 02, which applies path constraints to the execution path of the target under test according to the symbolic expressions; this module performs the method of step S2 in the embodiment above, which is not repeated here;
the test case generation module 03, which generates test cases according to the constrained execution path; this module performs the method of step S3 in the embodiment above, which is not repeated here;
the comprehensive processing module 04, which executes the test cases and obtains their execution state and test data; this module performs the method of step S4 in the embodiment above, which is not repeated here.
It should be noted that the comprehensive processing module covers the execution of test cases in the QEMU test environment constructed by S2E in the intelligent fuzz testing system of the following embodiment, together with the test management and control subsystem that acquires the execution state and test data of the test cases.
In this embodiment, symbolic execution converts the input variables of the target under test into symbolic expressions, the constraint conditions are then solved to designate the execution path of the code under test, and a path-constraint-based strategy guides test case generation; this avoids path explosion during symbolic execution, reduces the data that must be symbolized and improves code coverage.
Further, this embodiment provides an intelligent fuzz testing system; referring to Fig. 6, the system comprises an integrated management subsystem 05, a test case knowledge base 06, a test case generation subsystem 07, a fuzz test engine 08, a test management and control subsystem 09, an exception verification subsystem 10 and a basic service platform 11.
Specifically, the integrated management subsystem 05 establishes fuzz test tasks for the target under test and comprises a test management module 12, a configuration management module 13, an operation management module 14, a user management module 15, a knowledge base management module 16 and a log management module 17:
the test management module 12 manages fuzz test tasks, establishes test tasks and allocates memory, storage or CPU system resources to them;
the configuration management module 13 configures the test case generation subsystem, designates the test case generation strategy of the fuzz test according to the characteristics of the target under test, and configures the fuzz test engine to carry out the test;
the operation management module 14 schedules fuzz test tasks, performs operations such as suspend, snapshot and restart on running fuzz test virtual machines, and receives, collects and displays the internal operating state and fine-grained operating information reported by the test management and control subsystem;
the user management module 15 registers, cancels and assigns administrator and ordinary user accounts;
the knowledge base management module 16 manages the storage of test data and templates, holding the distortion data and test case templates;
and the log management module 17 records and processes system operation information during task execution and displays it to the user.
Specifically, the test case knowledge base 06 is configured to provide distortion data and a test case template, reduce redundancy of test cases as much as possible, and improve code coverage, thereby improving the efficiency of the fuzzy test. The knowledge base mainly comprises a distortion database and a test case template base. The distortion database mainly comprises distortion data sets of common types of dirty variables such as character string types, integer data types, Boolean types, floating point types, directory indexes and the like. The test case template library comprises file templates of mainstream documents, pictures and videos, mainly comprises formats such as doc, ppt, xls, jpg, png and wmv, a data packet format template supporting a mainstream communication protocol mainly comprises common TCP/IP protocols such as UDP, TCP, HTTPS, FTP, SMTP/POP3 and DNS, can support customized template development test on a communication protocol with unknown format, supports fine-grained definition of Bit and Byte levels, supports common field types and similar check and calculation in the customized template, and adopts a calculation method.
Specifically, the test case generation subsystem 07 is configured to generate test cases according to the test case templates, and comprises the variable processing module 01, the path constraint module 02 and the test case generation module 03. The tester can select different templates according to the input data format or protocol of the test object, define the state model and data model of the software test through an XML-style script, and configure different generation strategies to automatically generate test cases in batches. Selective symbolic execution is used to record the propagation of the internal taint data flow and the program instruction control flow of the software under test, so that test case generation can be guided and intelligent fuzz testing can be carried out.
Specifically, the fuzz test engine 08 is configured to receive the test cases generated by the test case generation subsystem, analyze them, and execute the analyzed test cases on the S2E selective symbolic execution platform; the fuzz test engine mainly comprises a test case receiving module 18, a description analysis module 19, a test case sending module 20 and a test data acquisition module 21.
The test case receiving module 18 is configured to receive the relevant test cases;
the description analysis module 19 is used for analyzing the content of a test case and setting the related test parameters;
the test case sending module 20 is configured to send the analyzed test case to the QEMU test environment built in S2E for execution;
the test data acquisition module 21 is configured to provide, in the form of a plug-in, the function of recording execution paths, states, related memory accesses and code-block execution data when an abnormal state occurs.
Specifically, the test control subsystem 09 is configured to control the execution process of a test case, to collect and monitor the execution state of the device under test, and to implement fine-grained test control; the test control subsystem 09 comprises a software state monitoring module 22, a software state recording module 23 and an exception capturing module 24.
The software state monitoring module 22: monitors the running states of software modules, such as loading and unloading, by configuring S2E operating-system event monitor plug-ins such as WindowsMonitor, LinuxMonitor, the OSMonitor interface, RawMonitor, ModuleExecutionDetector and StateManager.
The software state recording module 23: records various types of data during software execution, such as path information, code block addresses and CPU register information, using S2E analyzer plug-ins such as TranslationBlockTracer and InstructionCounter.
The exception capturing module 24: acquires debug information during the test using the ModuleTracer and Interceptor plug-ins; the ExecutionTracer plug-in and a customised Annotation plug-in are used to capture exceptions.
Referring to fig. 7, the test program is executed using a plurality of selector plug-ins; at the same time, various types of data during software execution, such as path information, code block addresses and CPU register information, are recorded using a plurality of S2E analyzer plug-ins (a general-purpose analyzer and a Windows-specific analyzer), and the software state is monitored using a plurality of OS event monitor plug-ins.
Specifically, the exception verification subsystem 10 is used for analyzing the software exceptions in the test data, analyzing the exception triggering mechanism, and verifying the exploitability of the exceptions triggered in the fuzz test. The exception verification subsystem provides a supporting environment and tools that improve the capability and efficiency of exception analysis, and the exception verification subsystem 10 comprises an exception environment loading module 25, a static analysis module 26, a dynamic analysis module 27 and an exception debugging aid 28.
The exception environment loading module 25 is implemented on a QEMU virtual machine and works in two stages, covering both operating system exceptions and software exceptions: it boots the operating system in the QEMU virtual machine and restores the system image taken before the exception, then loads the software under test in that operating system and sends it the test case data that produced the exception, thereby reproducing the software exception. It can capture the instruction position of the exception trigger point, including the current program instruction context, call stack, register information and the like.
The static analysis module 26 is composed of static analysis tools provided by S2E, such as the Execution Profiler, Coverage Generator and Trace Printer. It implements the capture of the trace of the instruction sequence executed during the test and the analysis of information such as page faults, TLB misses and cache behaviour, provides an analysis report on the coverage of the relevant code blocks, and generates exception test cases.
The dynamic analysis module 27 comprises the ModuleTracer and Interceptor plug-ins of S2E and provides the capability to acquire debug code information during the test, including capturing the critical branches of the execution path and inserting analysis code, so as to assist exception debugging.
The exception debugging aid 28 consists of general-purpose debuggers such as OllyDbg, WinDbg, Immunity Debugger and GDB, which can analyze software or system exceptions on mainstream operating systems such as Windows and Linux; it also includes mainstream disassembly tools such as IDA to support static reverse engineering of the key positions of software exceptions.
The basic service platform 11 is used for creating a virtual machine cluster and executing fuzz test tasks using physical machine resources. The basic service platform provided by this embodiment uses server clustering to connect many servers and improve computing power, and server virtualization technology to create diverse, independent server environments on a single machine. The nodes in the cluster are not real physical machine nodes but virtual machine nodes; a cluster built from virtual machines is called a virtual cluster. Because a virtual cluster is only loosely coupled to the physical equipment, i.e. it is transparent to the physical nodes, it can be configured flexibly and quickly, physical resources can be used more efficiently and fully, and management and usage costs are reduced. Intensive fuzz testing can therefore be carried out while making more effective use of limited computing and storage resources; at the same time, because a clustered virtualization resource pool is used, the same host can serve as both client and server, and the hardware resources of the system can be expanded very conveniently.
The physical architecture of the basic service platform is shown in fig. 8. Each physical machine creates, edits, boots or stops virtual machines through the generic libvirt API; the console of each QEMU virtual machine can be viewed and controlled; the performance and utilization of each virtual machine can be checked, as can the real-time performance and utilization of each running virtual machine and of the master control end; and the KVM, Xen and QEMU functions can be used locally or remotely. libvirtd in fig. 8 is the daemon of libvirt, an open-source API, daemon and management tool for managing virtualization platforms, which can manage KVM, Xen, VMware ESX, QEMU and other virtualization technologies.
In addition, in this embodiment a web service management interface is developed so that the virtual machines of the cluster can be managed remotely from a browser: whether a virtual machine is shut down or running, it can conveniently be started, shut down or restarted and its remote desktop operated through the web browser, and batch management is very convenient.
The system uses cloud computing and virtualization cluster technology to achieve rapid testing, dynamic state recovery and remote resource management of the target software and system environment, thereby constructing a multi-engine, multi-granularity intelligent fuzz test virtualization cluster that fully meets the fuzz testing needs of IP attack equipment.
The embodiment also provides an electronic device comprising a memory and a processor that are communicatively connected to each other; the memory stores computer instructions, and the processor executes the computer instructions so as to carry out the intelligent fuzz testing method. The processor and the memory may be connected by a bus or by other means; fig. 9 illustrates the connection by a bus as an example.
The processor may be a Central Processing Unit (CPU). The processor may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory, which is a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the intelligent fuzz testing method in the embodiments of the present invention. The processor carries out the various functional applications and data processing by running the non-transitory software programs, instructions and modules stored in the memory, so as to implement the intelligent fuzz testing method of the above method embodiments.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and such remote memory may be coupled to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Corresponding to the above embodiments, the present embodiment also provides a computer-readable storage medium on which computer instructions are stored, the computer instructions being used to cause a computer to execute the intelligent fuzz testing method. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), a Solid State Drive (SSD) or the like; the storage medium may also comprise a combination of memories of the kinds described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An intelligent fuzz testing method, the method comprising:
converting an input variable of the target under test into a symbolic expression through symbolic execution;
performing path constraint on the symbolic expressions of the multi-path input variables;
generating a test case according to the constrained execution path;
and executing the test case, and acquiring the execution state and the test data of the test case.
2. The intelligent fuzz testing method of claim 1, wherein converting the input variable of the target under test into a symbolic expression through symbolic execution comprises:
recording the internal taint data flow and the program instruction control flow of the software of the target under test using the S2E platform, to obtain an input taint variable;
and obtaining a symbolic expression of the input taint variable on the execution path through symbolic execution.
3. The intelligent fuzz testing method of claim 1, wherein performing path constraint on the symbolic expressions of the multi-path input variables comprises:
generating a malformed constraint condition according to the symbolic expressions of the multi-path input variables;
and performing path constraint solving on the input taint variable according to the malformed constraint condition, to obtain a specified code path.
4. The intelligent fuzz testing method of claim 1, further comprising:
providing a test case template by using a test case knowledge base, and generating a test case based on the test case template, wherein the test case knowledge base comprises a distortion database and a test case template base;
the distortion database is used for providing distortion data so as to generate a malformed constraint condition;
the test case template library is used for providing test case templates so as to generate test cases.
5. The intelligent fuzz testing method of claim 1, further comprising:
detecting security vulnerabilities using a vulnerability detection algorithm during the execution of the test case, wherein the detection process comprises:
detecting whether a released heap memory pointer is reused during the execution of the test case;
and if the released heap memory pointer is reused, judging that a security vulnerability exists.
6. The intelligent fuzz testing method of claim 5, wherein before detecting whether the released heap memory pointers are reused, the method further comprises:
intercepting a heap management API, and monitoring allocation and release of a heap memory;
tracking the propagation of the pointer, and matching the mapping relation between the pointer and the heap memory;
and clearing all pointers corresponding to the heap memory to be null when the heap memory is released.
7. An intelligent fuzz testing apparatus, the apparatus comprising:
the variable processing module, used for converting an input variable of the target under test into a symbolic expression through symbolic execution;
the path constraint module, used for performing path constraint on the execution path of the target under test according to the symbolic expression;
the test case generation module, used for generating a test case according to the constrained execution path;
and the comprehensive processing module, used for executing the test case and acquiring the execution state and the test data of the test case.
8. An intelligent fuzz testing system, the system comprising:
the comprehensive management subsystem is used for establishing a fuzzy test task according to a target to be tested;
the test case knowledge base is used for providing distortion data and a test case template;
the test case generation subsystem is used for generating a test case according to the test case template, and comprises:
the variable processing module, used for converting an input variable of the target under test into a symbolic expression through symbolic execution;
the path constraint module, used for performing path constraint on the execution path of the target under test according to the symbolic expression;
the test case generation module, used for generating a test case according to the constrained execution path;
the comprehensive processing module, used for executing the test case and acquiring the execution state and the test data of the test case;
the fuzz test engine is used for analyzing the test cases and executing the analyzed test cases on the S2E selective symbolic execution platform;
the test control subsystem is used for controlling the execution process of the test case to acquire the execution state and the test data of the test case;
the exception verification subsystem is used for analyzing software exception in the test data and analyzing an exception triggering mechanism;
and the basic service platform is used for creating a virtual machine cluster and executing the fuzzy test task by using physical machine resources.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the intelligent fuzz testing method of any of claims 1-6.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the intelligent fuzz testing method of any of claims 1-6.
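Claims 5 and 6 describe the use-after-free check as steps: intercept the heap API, track pointer propagation into a pointer-to-heap map, null the mapped pointers on release, and flag any reuse of a released pointer. The following C example is added here and is not code from the patent; it models the S2E-side interception with plain wrapper functions (tf_malloc, tf_assign, tf_free and tf_check_access are names chosen for this example) so the logic runs on its own, and it also counts a second free of the same chunk as a reuse.

```c
#include <stddef.h>
#include <stdlib.h>

#define MAX_CHUNKS 64
#define MAX_REFS   256
/* Heap chunk seen through the intercepted allocation API. Freed chunks stay
   recorded and quarantined (never returned to malloc) so later accesses can be attributed. */
typedef struct { char *base; size_t size; int freed; } chunk_t;
/* Pointer-to-heap map entry: a pointer *location* (variable/field) and its chunk. */
typedef struct { void **slot; int chunk; } ref_t;

static chunk_t chunks[MAX_CHUNKS];
static ref_t refs[MAX_REFS];
static int n_chunks, n_refs;
int tf_uaf_count, tf_badfree_count; /* UAF accesses; free() of unknown/freed pointers */

/* Chunk containing p: a live chunk wins, otherwise the freed one. */
static int find_chunk(const void *p) {
    const char *c = (const char *)p;
    int hit = -1;
    for (int i = 0; i < n_chunks; i++)
        if (c >= chunks[i].base && c < chunks[i].base + chunks[i].size) {
            if (!chunks[i].freed) return i;
            hit = i;
        }
    return hit;
}

static void drop_ref(void **slot) {
    for (int i = 0; i < n_refs; i++)
        if (refs[i].slot == slot) { refs[i] = refs[--n_refs]; return; }
}

/* Intercepted allocation: hand out memory and record the chunk. */
void *tf_malloc(size_t size) {
    if (size == 0) size = 1;
    if (n_chunks == MAX_CHUNKS) return NULL;
    char *p = malloc(size);
    if (p) chunks[n_chunks++] = (chunk_t){ p, size, 0 };
    return p;
}

/* Pointer propagation: *slot = value, and map slot to the chunk it now targets. */
void tf_assign(void **slot, void *value) {
    *slot = value;
    drop_ref(slot);
    int c = value ? find_chunk(value) : -1;
    if (c >= 0 && !chunks[c].freed && n_refs < MAX_REFS)
        refs[n_refs++] = (ref_t){ slot, c };
}

/* Intercepted free: mark the chunk freed and null every tracked pointer to it. */
void tf_free(void *p) {
    int c = p ? find_chunk(p) : -1;
    if (c < 0 || chunks[c].freed || (char *)p != chunks[c].base) {
        tf_badfree_count++;   /* freed pointer reused as a free() argument */
        return;
    }
    chunks[c].freed = 1;
    for (int i = 0; i < n_refs; )
        if (refs[i].chunk == c) { *refs[i].slot = NULL; refs[i] = refs[--n_refs]; }
        else i++;
}

/* Check inserted before each dereference: 1 if p points into freed memory. */
int tf_check_access(const void *p) {
    int c = p ? find_chunk(p) : -1;
    if (c >= 0 && chunks[c].freed) { tf_uaf_count++; return 1; }
    return 0;
}

/* Constructed scenario. Returns a bitmask: 1 = tracked pointers were nulled on
   free, 2 = untracked raw copy flagged on use, 4 = second free flagged. */
int demo_scenario(void) {
    char *obj = NULL, *alias = NULL;
    tf_assign((void **)&obj, tf_malloc(32));
    tf_assign((void **)&alias, obj);  /* propagation the tracker sees */
    char *raw = obj;                  /* copy the tracker does not see */
    tf_free(obj);                     /* obj and alias become NULL here */
    int result = (obj == NULL && alias == NULL) ? 1 : 0;
    if (tf_check_access(raw)) result |= 2;
    tf_free(raw);
    if (tf_badfree_count == 1) result |= 4;
    return result;
}
```

The tracked alias is neutralised by nulling, while the raw copy that escaped propagation tracking is only caught by the access check, which is why the claim keeps both mechanisms.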
CN202011046778.8A 2020-09-28 2020-09-28 Intelligent fuzzy test method, device and system Pending CN112181833A (en)

Publications (1)

Publication Number Publication Date
CN112181833A true CN112181833A (en) 2021-01-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination