CN103425570A - Fuzz optimization method based on file format - Google Patents

Info

Publication number
CN103425570A
CN103425570A
Authority
CN
China
Prior art keywords
fuzz
file
method based
optimization method
sample
Prior art date
Legal status
Granted
Application number
CN2012101612190A
Other languages
Chinese (zh)
Other versions
CN103425570B (en)
Inventor
聂眉宁
王明华
杨轶
苏璞睿
Current Assignee
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date
2012-05-22
Filing date
2012-05-22
Publication date
2013-12-04
Application filed by Institute of Software of CAS
Priority to CN201210161219.0A
Publication of CN103425570A
Application granted
Publication of CN103425570B
Legal status: Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a Fuzz optimization method based on a file format. The method includes: 1, configuring the original sample files, the target program to be tested and the Fuzz thread parameters in the testing environment; 2, inserting a file format analysis module used for analysing the format of the sample files; 3, performing Fuzz operations on the analysed sample files and storing the results in a local storage unit for the target program to be tested to call; 4, under the set Fuzz threads, executing the target program according to the sample file parameters in the storage unit, and recording the abnormal information produced while the target program executes; 5, traversing all the sample files in the storage unit until every sample file has been tested, completing all tests. The selection of Fuzz positions is strongly correlated with the specific file format of the sample files, the production of Fuzz data is strongly targeted at the specific type of each field of the sample files, and the efficiency of discovering software vulnerabilities can be high.

Description

Fuzz optimization method based on file format
Technical field
The invention belongs to the field of software vulnerability discovery and specifically relates to a Fuzz optimization method based on file format.
Background technology
With social development and progress, computers are applied ever more widely in every field of society. At the same time, the harm caused by software vulnerabilities grows more serious by the day. Whether it is the loss caused by triggering a software vulnerability unintentionally, or malicious acts that deliberately exploit software vulnerabilities, such as illegal intrusion, system destruction and information theft, all of these have a severe impact on public safety and information privacy. It is therefore necessary to effectively discover and repair the vulnerabilities present in software.
At present, the most effective method for discovering software vulnerabilities is to Fuzz the input data of the software. Fuzz refers to the software testing method that tests target software with a large amount of randomly generated data. The input data of software includes file input, network input, user-terminal input and so on. The present invention relates only to file input. It is mainly directed at the problems of existing file Fuzz tools such as FileFuzz, which perform only random Fuzz on the sample file: the Fuzz process lacks guidance, the time complexity and space complexity are high, and vulnerability discovery is inefficient.
Current file Fuzz technology usually uses the following methods:
1. Select a specific string of length N and replace with it, in turn, all the content at offsets i to i+N-1 in the sample file, where 0 ≤ i ≤ (length of the sample file – N). The content of the specific string chosen by this method cannot be varied flexibly according to the different field types, and the method must replace every offset in the sample file in turn; it is itself an exhaustive method, and its time and space complexity are both very high.
2. Specify an offset and a length in the sample file, then perform random Fuzz on that specified region. This method can only perform random Fuzz and cannot formulate different Fuzz rules for different data types; moreover, the region to be Fuzzed bears no relation to the format of the sample file itself but is chosen arbitrarily by the user, so the method is highly blind.
In summary, the main defects of current file Fuzz are: whether in the choice of Fuzz positions or in the method of producing Fuzz data, there is very high blindness and a lack of guidance, which makes the time complexity and space complexity of vulnerability discovery too high and the efficiency low.
Summary of the invention
The invention provides a Fuzz optimization method based on file format. The method first parses the file structure of the sample file to obtain the data length and type information of each field in the sample file; then, for the offset, length and type of each field, it performs guided Fuzz, testing the field's boundary values first; finally, the files obtained by Fuzz are input to the target executable program, and the exceptions produced by the target executable program during its run are monitored and reported, to assist vulnerability discovery.
A Fuzz optimization method based on file format, the steps of which comprise:
1) configuring the original sample file, the target program to be tested and the Fuzz thread parameters in the testing environment;
2) inserting a file format analysis module, said analysis module being used for the format analysis of the original sample file;
3) performing the Fuzz operation on the sample file obtained by parsing and saving the results to a local storage unit for the target program to be tested to call;
4) under the set Fuzz threads, executing the target program according to the sample file parameters in said storage unit, and analysing and recording the abnormal information produced during the execution of the target program;
5) traversing all sample files in said storage unit until all sample files have taken part in testing, completing the whole test.
The file format analysis module exists in the form of an extension plug-in; said analysis module can be provided with different plug-ins for different file formats, and plug-ins can be added at any time during the test process.
In the sample file obtained by parsing, each field is represented by a quadruple (field name, offset, length, data type).
When the Fuzz operation is performed on the sample file obtained by parsing, a boundary-value-first Fuzz operation is adopted for each field.
For the abnormal information produced during the execution of the target program, the exception type of said exception and the instruction address that produced the exception need to be analysed: if the exception type is a debug exception and the instruction address that produced the exception is not located in a system module, the exception meets the requirements and the process is terminated; if the exception type is a non-debug exception, or the instruction address that produced the exception is located in a system module, the exception does not meet the requirements.
The target program ending its run, the target program timing out, or a qualifying exception being captured during the program's run will each end the current test, and the next sample is selected to continue testing.
The Fuzz threads can use multiple threads to generate samples and perform the Fuzz operation simultaneously.
The original sample file is a legitimate file that can be parsed normally by the target executable program to be tested.
The start-up mode and start-up parameters of the target program to be tested can be customised by the user.
An exception-triggering instruction address located in a system module means one located in a system function of ntdll.dll or kernel32.dll.
The advantages and positive effects of the present invention are as follows:
1. On the basis of parsing the sample file format, the present invention performs Fuzz for each field in the sample file, so the choice of Fuzz positions is highly targeted.
2. According to the type and boundary values of each field in the sample file, the present invention performs Fuzz with different rules, so the generation of Fuzz data is guided rather than random.
3. The file format analysis module in the present invention exists in the form of an extension plug-in; there are different plug-ins for different file formats, they can be added at any time, and the extensibility is very high, which enables efficient vulnerability discovery.
4. Selectively performing boundary-first, guided Fuzz on each field according to the file format reduces the blindness of Fuzz and increases the success rate of vulnerability discovery.
Description of the drawings
Fig. 1: flow chart of the Fuzz method based on file format analysis.
Fig. 2: flow chart of the file format analysis process.
Embodiment
The technical scheme of the present invention is described in detail below with reference to the drawings:
The original sample file in Fig. 2 refers to an input file whose format is legal; for example, to Fuzz AdobeReader.exe for detection, an ordinary pdf file needs to be selected as the sample file.
During the run of the target executable program, all exceptions produced by the program are captured, for example by calling the corresponding debugging API as in Fig. 1. The exceptions are filtered according to the exception type and the instruction address that produced the exception; if an exception meets the requirements, the exception information is reported to the user together with the file that served as the data input.
To explain further: many of the exceptions produced while the target executable program runs are not debug exceptions (such as the exception raised when a thread is created), and some debug exceptions are produced deliberately by the operating system and have nothing to do with the input data (such as those thrown by library functions after a process is created). Therefore, after capturing an exception, the present invention needs to judge the exception type and the instruction address that produced it. If the exception type is a debug exception and the instruction address that produced it is not in a system module (a module that does not belong to the target executable program and is supplied by the operating system), the exception is considered to meet the requirements.
As shown in Fig. 1, a Fuzz optimization method for file format comprises the steps:
1) inserting a file format analysis module, said analysis module being used for the format analysis of the original sample file;
2) performing the Fuzz operation on the parsed sample file and saving the results to a local storage unit for the target program to be tested to call;
3) under the set Fuzz threads, executing the target program according to the sample file parameters in said storage unit, and recording the abnormal information produced during the execution of the target program;
4) traversing all sample files in said storage unit until all sample files have taken part in testing, completing the whole test.
Specifically:
1. Select the original sample file to be Fuzzed and the target executable program to be tested, and configure information such as the number of Fuzz threads.
In this step, the selected original sample file must be a legitimate file that can be parsed normally by the target executable program, and the current user must have the privilege to debug the target executable program.
2. Identify the file format and call the corresponding file format analysis module to parse the format of the sample file.
In this step, each file format corresponds to one file format analysis module. The file format analysis module exists in the form of an extension plug-in. The function of the file format analysis module is to identify each field in the sample file; each field is represented in the form of a (field name, offset, length, data type) quadruple.
3. Perform Fuzz on each field in the sample file to produce different files, which are saved to disk.
In this step, each field identified in step 2 is used as a Fuzz position, and boundary-value-first Fuzz is performed according to the type of each field. For example, if the type of a field is DWORD, then when Fuzzing this field the lower bound 0x00000000 is taken first, then the upper bound 0xFFFFFFFF, and then random Fuzz is performed on the field.
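As an added illustration of steps 2 and 3 (and of the plug-in selection described for Fig. 2 below), the following Python is example code written for this page, not the patent's own implementation. It constructs a small fixed-layout "FZ" format, a parser that plays the role of a file-format-analysis plug-in and returns (field name, offset, length, data type) quadruples, and a mutator that tries each field's lower bound, then its upper bound, then random values. The format, the sample file and every function name are assumptions made for the example.

```python
# Added example (not the patent's code): field-aware, boundary-value-first
# mutation in the style of steps 2 and 3. The "FZ" format, its parser (standing
# in for a file-format-analysis plug-in) and the sample file are constructed here.
import random
import struct
from typing import Dict, Iterator, List, Tuple

# A field quadruple, as in the patent: (field name, offset, length, data type).
Field = Tuple[str, int, int, str]

# Lower/upper boundary values and little-endian struct codes per fixed-width
# type; boundaries are tried before any random data.
BOUNDS: Dict[str, Tuple[int, int]] = {
    "BYTE": (0x00, 0xFF),
    "WORD": (0x0000, 0xFFFF),
    "DWORD": (0x00000000, 0xFFFFFFFF),
}
PACK: Dict[str, str] = {"BYTE": "<B", "WORD": "<H", "DWORD": "<I"}


def parse_fz(data: bytes) -> List[Field]:
    """Plug-in for the constructed 'FZ' format: 2-byte magic, u16 version,
    u32 length, u8 flags, then the payload. Returns the field quadruples."""
    if len(data) < 9 or data[:2] != b"FZ":
        raise ValueError("not an FZ file")
    return [
        ("magic", 0, 2, "BYTES"),
        ("version", 2, 2, "WORD"),
        ("length", 4, 4, "DWORD"),
        ("flags", 8, 1, "BYTE"),
        ("payload", 9, len(data) - 9, "BYTES"),
    ]


# Plug-in registry keyed by magic bytes; another format is supported by
# registering its parser here (the patent's "plug-in added at any time").
PLUGINS = {b"FZ": parse_fz}


def identify_and_parse(data: bytes) -> List[Field]:
    """Fig. 2 flow: identify the format, load its plug-in and return the fields;
    an unsupported format ends the analysis with an error."""
    for magic, plugin in PLUGINS.items():
        if data.startswith(magic):
            return plugin(data)
    raise ValueError("unsupported file format: no plug-in registered")


def patch(data: bytes, offset: int, value: bytes) -> bytes:
    """Overwrite bytes at offset in place; the file length never changes."""
    return data[:offset] + value + data[offset + len(value):]


def fuzz_field(data: bytes, field: Field, n_random: int,
               rng: random.Random) -> Iterator[Tuple[str, bytes]]:
    """Boundary-value-first mutation of one field: lower bound, upper bound,
    then n_random random values, yielded as (label, mutated file) pairs."""
    name, off, length, ftype = field
    if ftype in BOUNDS:
        lo, hi = BOUNDS[ftype]
        yield f"{name}:lower", patch(data, off, struct.pack(PACK[ftype], lo))
        yield f"{name}:upper", patch(data, off, struct.pack(PACK[ftype], hi))
        for i in range(n_random):
            val = rng.randint(lo, hi)
            yield f"{name}:rand{i}", patch(data, off, struct.pack(PACK[ftype], val))
    else:
        # Raw byte fields: all-zero, all-0xFF, then random bytes of equal length.
        yield f"{name}:lower", patch(data, off, b"\x00" * length)
        yield f"{name}:upper", patch(data, off, b"\xff" * length)
        for i in range(n_random):
            rand = bytes(rng.getrandbits(8) for _ in range(length))
            yield f"{name}:rand{i}", patch(data, off, rand)


def generate_mutants(sample: bytes, n_random: int = 2,
                     seed: int = 0) -> List[Tuple[str, bytes]]:
    """Step 3: every parsed field is a Fuzz position; returns all mutants in
    the order they would be written to the local storage unit."""
    rng = random.Random(seed)
    mutants: List[Tuple[str, bytes]] = []
    for field in identify_and_parse(sample):
        mutants.extend(fuzz_field(sample, field, n_random, rng))
    return mutants


# Constructed sample: a valid FZ file with a five-byte payload.
SAMPLE = b"FZ" + struct.pack("<H", 1) + struct.pack("<I", 5) + b"\x02" + b"hello"

if __name__ == "__main__":
    for label, data in generate_mutants(SAMPLE):
        print(f"{label:14s} {data.hex()}")
```

Each mutant keeps the sample's length and touches exactly one field, so the number of files is a small multiple of the field count rather than, as with the sliding-window method from the background section, one per byte offset. Writing the mutants to the local storage unit of step 3 is a matter of saving each (label, bytes) pair under the label as file name.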
4. Start the target executable program to be tested with debug privilege and feed the file generated in step 3 as data input to the process of this executable program.
In this step, the user can also customise the start-up parameters that the target executable program needs. In addition, steps 3 and 4 may be carried out sequentially or in parallel: multiple threads can produce files in step 3, and after any one file is produced, the thread that produced it can immediately start the target executable program with that file as data input, without waiting until all files have been produced.
5. Capture, filter and report the exceptions produced by the target process.
In this step, all exceptions produced by the target program are captured, and the exception kind and the instruction address that triggered the exception are analysed. Some are not debug exceptions, such as the exception thrown when a thread is created; some are exceptions that the operating system produces intentionally and that have nothing to do with the input data, such as the debug exception thrown when a process is created. Therefore, in this step the present invention filters the exceptions produced by the target process. If the exception type produced by the target process is a debug exception and the instruction address that triggered it is not located in a system module such as ntdll.dll or kernel32.dll, the exception is considered to meet the requirements; the details of the exception (the address that triggered it, the exception kind, the value of each register when the exception occurred) are reported to the user together with the input file used in this test, and the target process is then terminated.
In addition, besides finding and reporting an exception, the program ending its run and the program run timing out also serve as conditions for ending the current test. The timeout value of the program run can be configured arbitrarily by the user.
6. Repeat steps 4 and 5 until all files produced in step 3 have been used.
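The exception filter of step 5 and the three ending conditions (qualifying exception, normal exit, timeout), applied to every generated file as in step 6, as added Python example code that is not part of the patent. The module map, the debugger event streams and the register values are constructed for the example; the system-module names are those the patent gives (ntdll.dll, kernel32.dll). On a real Windows target the events would come from a debugger loop, which this example does not implement.

```python
# Added example (not the patent's code): the exception filter of step 5 and the
# three conditions that end one test, applied to every file as in step 6. The
# module map and the debugger events are constructed; a real debugger loop is
# not implemented here.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Modules that do not belong to the target and are supplied by the OS (claim 10).
SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll"}

@dataclass(frozen=True)
class ModuleRange:
    """A loaded module: name, base address and size (constructed values)."""
    name: str
    base: int
    size: int

@dataclass(frozen=True)
class CapturedException:
    """One exception event as the debugger would report it."""
    kind: str                   # e.g. "access_violation", "breakpoint"
    is_debug: bool              # debug exception, or a non-debug event (thread creation)
    address: int                # instruction address that raised it
    registers: Dict[str, int] = field(default_factory=dict)

# A debugger event: (seconds since start, exception or the literal "exit").
Event = Tuple[float, Union[CapturedException, str]]

def module_for(address: int, modules: List[ModuleRange]) -> Optional[str]:
    """Name of the module containing address, or None if it is in no module."""
    for m in modules:
        if m.base <= address < m.base + m.size:
            return m.name
    return None

def is_qualifying(exc: CapturedException, modules: List[ModuleRange]) -> bool:
    """The patent's rule: a debug exception whose raising address is not in a
    system module. An address in no known module is 'not in a system module'."""
    return exc.is_debug and module_for(exc.address, modules) not in SYSTEM_MODULES

@dataclass
class TestOutcome:
    reason: str                    # "exception" | "exit" | "timeout"
    report: Optional[Dict] = None  # details reported to the user, if any

def run_one_test(input_name: str, events: List[Event],
                 modules: List[ModuleRange], timeout_s: float) -> TestOutcome:
    """Consume one run's events in time order and stop at the first ending
    condition; non-qualifying exceptions are filtered and the run continues."""
    for elapsed, ev in events:
        if elapsed > timeout_s:
            return TestOutcome("timeout")      # the user-configured timeout fired
        if ev == "exit":
            return TestOutcome("exit")         # target ended its run normally
        if isinstance(ev, CapturedException) and is_qualifying(ev, modules):
            return TestOutcome("exception", {  # report, then the process is ended
                "input": input_name,
                "address": hex(ev.address),
                "module": module_for(ev.address, modules),
                "kind": ev.kind,
                "registers": dict(ev.registers),
            })
    # Stream ended with no exit and no qualifying exception: the debugger would
    # keep waiting until the timeout fires.
    return TestOutcome("timeout")

def run_corpus(runs: Dict[str, List[Event]], modules: List[ModuleRange],
               timeout_s: float) -> List[Dict]:
    """Step 6: test every generated file in turn and collect the reports."""
    reports = []
    for name, events in runs.items():
        outcome = run_one_test(name, events, modules, timeout_s)
        if outcome.report is not None:
            reports.append(outcome.report)
    return reports

# Constructed module map: the target plus the two system modules.
MODULES = [
    ModuleRange("target.exe", 0x00400000, 0x00100000),
    ModuleRange("ntdll.dll", 0x77000000, 0x00180000),
    ModuleRange("kernel32.dll", 0x76000000, 0x00100000),
]

# Constructed event streams, one per mutated input file.
RUNS: Dict[str, List[Event]] = {
    # start-up noise (thread creation, an OS breakpoint in ntdll), then a real
    # access violation in the target's own code
    "length_upper.fz": [
        (0.1, CapturedException("thread_create", False, 0x77010000)),
        (0.2, CapturedException("breakpoint", True, 0x77020000)),
        (0.5, CapturedException("access_violation", True, 0x00401234,
                                {"eip": 0x00401234, "eax": 0xFFFFFFFF})),
    ],
    # only the start-up noise, then a clean exit
    "flags_lower.fz": [
        (0.1, CapturedException("thread_create", False, 0x77010000)),
        (0.3, "exit"),
    ],
    # fault inside kernel32 is filtered; the run then hangs past the timeout
    "version_upper.fz": [
        (0.2, CapturedException("access_violation", True, 0x76001000)),
        (6.0, "exit"),
    ],
    # debug exception at an address outside every known module
    "payload_rand0.fz": [
        (0.4, CapturedException("illegal_instruction", True, 0x00010000)),
    ],
}

if __name__ == "__main__":
    for r in run_corpus(RUNS, MODULES, timeout_s=5.0):
        print(r)
```

Only the two runs whose debug exception is raised outside ntdll.dll and kernel32.dll produce a report; the start-up breakpoint and the thread-creation event are dropped by the filter, and a run that never exits within the timeout is ended without a report, exactly the three ending conditions the text names.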
With the Fuzz method based on file format analysis proposed by the present invention, a person skilled in the art can select (or add) file format analysis modules as needed, realising a guided Fuzz process for files of a specific format and thereby carrying out efficient vulnerability discovery.
Fig. 2 is the flow chart of file format analysis: 1) read in the sample; 2) judge the file format, which requires finding the sample file format corresponding to the program to be tested; 3) if the format is supported, continue and load the plug-in; if not, end the file format analysis; 4) load the plug-in for the corresponding file format; 5) search in a loop to find the corresponding fields, and perform different fuzz operations according to the differences between fields.
Although specific embodiments and drawings of the present invention have been disclosed for the purpose of illustration, their purpose is to help in understanding the content of the present invention and implementing it accordingly; those skilled in the art will appreciate that various substitutions, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the present invention should not be limited to the content disclosed by the preferred embodiment and the drawings; the scope of protection of the present invention is defined by the claims.

Claims (10)

1. A Fuzz optimization method based on file format, the steps of which comprise:
1) configuring the original sample file, the target program to be tested and the Fuzz thread parameters in the testing environment;
2) inserting a file format analysis module, said analysis module being used for the format analysis of the original sample file;
3) performing the Fuzz operation on the sample file obtained by parsing and saving the results to a local storage unit for the target program to be tested to call;
4) under the set Fuzz threads, executing the target program according to the sample file parameters in said storage unit, and analysing and recording the abnormal information produced during the execution of the target program;
5) traversing all sample files in said storage unit until all sample files have taken part in testing, completing the whole test.
2. The Fuzz optimization method based on file format as claimed in claim 1, characterised in that the file format analysis module exists in the form of an extension plug-in, said analysis module can be provided with different plug-ins for different file formats, and plug-ins can be added at any time during the test process.
3. The Fuzz optimization method based on file format as claimed in claim 1, characterised in that each field in the sample file obtained by parsing is represented by a quadruple (field name, offset, length, data type).
4. The Fuzz optimization method based on file format as claimed in claim 3, characterised in that when the Fuzz operation is performed on the sample file obtained by parsing, a boundary-value-first Fuzz operation is adopted for each field.
5. The Fuzz optimization method based on file format as claimed in claim 1, characterised in that for the abnormal information produced during the execution of the target program, the exception type of said exception and the instruction address that produced it need to be analysed: if the exception type is a debug exception and the instruction address that produced it is not located in a system module, the exception meets the requirements and the process is terminated; if the exception type is a non-debug exception, or the instruction address that produced it is located in a system module, the exception does not meet the requirements.
6. The Fuzz optimization method based on file format as claimed in claim 5, characterised in that the target program ending its run, the target program run timing out, or a qualifying exception being captured during the program run will each end the current test and terminate the process, and the next sample file is selected to continue testing.
7. The Fuzz optimization method based on file format as claimed in claim 1, characterised in that the Fuzz threads can use multiple threads to generate samples and perform the Fuzz operation simultaneously.
8. The Fuzz optimization method based on file format as claimed in claim 1, characterised in that the original sample file is a legitimate file that can be parsed normally by the target executable program to be tested.
9. The Fuzz optimization method based on file format as claimed in claim 1, characterised in that the start-up mode and start-up parameters of the target program to be tested can be customised by the user.
10. The Fuzz optimization method based on file format as claimed in claim 5, characterised in that a system module refers to a module that does not belong to the target program to be tested and is supplied by the operating system, including ntdll.dll and kernel32.dll.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210161219.0A CN103425570B (en) 2012-05-22 2012-05-22 A kind of Fuzz optimization method based on file layout

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210161219.0A CN103425570B (en) 2012-05-22 2012-05-22 A kind of Fuzz optimization method based on file layout

Publications (2)

Publication Number Publication Date
CN103425570A true CN103425570A (en) 2013-12-04
CN103425570B CN103425570B (en) 2016-04-27

Family

ID=49650355

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210161219.0A Active CN103425570B (en) 2012-05-22 2012-05-22 A kind of Fuzz optimization method based on file layout

Country Status (1)

Country Link
CN (1) CN103425570B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105335657A (en) * 2015-12-07 2016-02-17 珠海市君天电子科技有限公司 Program bug detection method and device
CN105512025A (en) * 2014-12-31 2016-04-20 哈尔滨安天科技股份有限公司 Fuzz engine optimizing method and system based on simulation message
CN107644164A (en) * 2016-07-21 2018-01-30 中国电信股份有限公司 bug excavation method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714118B (en) * 2009-11-20 2011-06-22 北京邮电大学 Detector for binary-code buffer-zone overflow bugs, and detection method thereof

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105512025A (en) * 2014-12-31 2016-04-20 哈尔滨安天科技股份有限公司 Fuzz engine optimizing method and system based on simulation message
CN105512025B (en) * 2014-12-31 2019-01-15 哈尔滨安天科技股份有限公司 Fuzz engine optimization method and system based on simulation message
CN105335657A (en) * 2015-12-07 2016-02-17 珠海市君天电子科技有限公司 Program bug detection method and device
CN107644164A (en) * 2016-07-21 2018-01-30 中国电信股份有限公司 bug excavation method and device
CN107644164B (en) * 2016-07-21 2020-05-12 中国电信股份有限公司 Vulnerability mining method and device

Also Published As

Publication number Publication date
CN103425570B (en) 2016-04-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant