CN114610640A - Fuzz testing method and system for a trusted execution environment of the Internet of Things - Google Patents

Info

Publication number: CN114610640A
Application number: CN202210291113.6A
Authority: CN (China)
Prior art keywords: test sample, execution environment, trusted execution, kernel, entity
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 纪守领, 王琴应, 张旭鸿, 常博宇, 赵彬彬, 吕晨阳, 邓水光
Current and original assignee: Zhejiang University (ZJU)
Application filed by Zhejiang University (ZJU); priority to CN202210291113.6A; published as CN114610640A.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3668 Software testing
    • G06F 11/3672 Test management
    • G06F 11/3676 Test management for coverage analysis
    • G06F 11/3684 Test management for test design, e.g. generating new test cases
    • G06F 11/3688 Test management for test execution, e.g. scheduling of test suites
    • G06F 11/3696 Methods or tools to render software testable

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • Computer Hardware Design
  • Quality & Reliability
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Debugging And Monitoring

Abstract

The invention discloses a fuzz testing method and system for a trusted execution environment (TEE) of the Internet of Things (IoT). The method comprises: constructing a test template file from the kernel functions and entities used by the documentation of the target IoT TEE; collecting legal system call sequences accepted by the TEE kernel as a seed file; translating the test samples produced in the generation and mutation stages of the fuzzer into a payload; designing a client application and a trusted application that forward, translate and execute the payload; using a hardware emulator to write the data and to collect the execution state of the TEE kernel efficiently; and using the resulting feedback to guide the fuzzing. The method and system let the fuzzer perform efficient and extensible security testing of the target IoT TEE kernel.

Description

Fuzz testing method and system for a trusted execution environment of the Internet of Things
Technical Field
The invention belongs to the technical field of trusted execution environment fuzz testing, and in particular relates to a fuzz testing method and system for a trusted execution environment of the Internet of Things (IoT).
Background
IoT devices have become an indispensable component of the digital era and play an important role in national defence, industry, civilian life, medical care and other fields. As IoT applications multiply, IoT security receives more and more attention. The mainstream solution is the Trusted Execution Environment (TEE), which aims to provide a relatively trusted execution environment for the critical data and applications inside an IoT device, so that even if the rest of the system is compromised an intruder cannot directly obtain the critical information.
TEEs for low-resource IoT devices are gradually entering production and daily life; for example, LinkTEE, designed by Alibaba, is used in enterprise production and in smart security devices such as Cainiao Guoguo, Leapmotor vehicles, Cainiao smart vending machines and smart door locks. Although a TEE system can in theory provide a security guarantee for IoT devices, whether a real device fully implements the TEE functions and avoids the various potential risks remains an open question, and security verification through further testing is needed.
At present there is no security research on the TEEs of low-resource IoT devices; most work focuses on the TEEs of resource-rich devices such as mobile phones. Security research on resource-rich devices mainly relies on manual testing, static analysis or fuzz testing. Since manual testing and static analysis depend heavily on human effort and analyse slowly, fuzz testing, which feeds a large number of test cases to the running program under test to discover latent bugs, is a promising technique for TEE security analysis and offers high efficiency and high precision.
However, current fuzzers for resource-rich devices only support fuzzing the trusted applications inside the TEE; the security of the trusted kernel itself is not considered, and the existing emulation-based fuzzing methods cannot be applied directly to the security analysis of low-resource IoT TEEs. IoT devices have a wide variety of peripherals and many different kernels that interact directly with hardware resources, so an emulation approach must be adapted to each device, which is a large engineering effort with poor extensibility. Fuzzing techniques based on emulation or re-hosting are therefore not applicable.
In summary, how to implement efficient and extensible fuzz testing of IoT trusted execution environments, and thereby guarantee IoT security, is a problem that urgently needs to be solved.
Disclosure of Invention
In view of the above, the present invention provides a fuzz testing method and system for a trusted execution environment of the Internet of Things, so as to implement efficient and extensible security testing.
To achieve this object, an embodiment provides a fuzz testing method for an IoT trusted execution environment, comprising the following steps:
step 1, analysing the standard trusted execution environment document and reverse-engineering the IoT trusted execution environment document to construct a test sample template file;
step 2, establishing a seed file by analysing and running trusted application examples;
step 3, generating a new test sample from the test sample template file, or selecting an original test sample from the seed file and mutating it according to the test sample template file and the seed file to obtain a new test sample; translating the new test sample into a payload; and transmitting the payload through the hardware emulator to the client application running on the IoT device under test;
step 4, the client application forwards the received payload to the trusted application, which decodes the payload into a test sample and runs it, thereby testing the trusted execution environment kernel;
step 5, while the trusted application runs the test sample, obtaining the execution coverage information of the trusted execution environment kernel through the hardware emulator, and updating the seed file according to the coverage information;
step 6, repeating steps 3 to 5, saving every test sample that makes the trusted execution environment hang or crash, re-running the saved test samples against the trusted execution environment, and, when the trusted execution environment is again brought down, concluding that it has a vulnerability.
In one embodiment, step 1 comprises:
step 1-1, analysing the standard trusted execution environment document, extracting from it the standard function code blocks and entity parameter code blocks that define the trusted execution environment kernel, extracting kernel function information and entity information from those blocks respectively, and converting them into a formal first kernel function description language and a formal first entity description language, where an entity is a struct or a union;
step 1-2, obtaining, by reverse analysis of the IoT trusted execution environment document, the vendor-defined custom kernel function code blocks and custom entity code blocks, inferring custom function information and custom entity information from them, and converting these into a formal second kernel function description language and a formal second entity description language, where a custom entity is likewise a struct or a union;
step 1-3, combining the first kernel function description language, the second kernel function description language, the first entity description language and the second entity description language into the test sample template file for the IoT trusted execution environment.
In one embodiment, the kernel function information comprises the function name, the number of parameters, the parameter types and the return type; the custom kernel function information comprises the same four items;
the entity information comprises the entity name, the number of entity parameters (members) and their types; the custom entity information comprises the same three items.
In one embodiment, step 2 comprises:
step 2-1, analysing a trusted application example, extracting the kernel functions and entities (structs and unions) it uses, instrumenting the program, and outputting the sequence of kernel function and entity calls together with the actual parameter values during the run of the example;
step 2-2, running the trusted application example on the real hardware; when no hang or crash occurs, saving, according to the instrumentation of step 2-1, the kernel functions, the entity call sequence and the actual parameter values of the run to form the seed file.
In step 3 of an embodiment, generating a new test sample from the test sample template file, or selecting an original test sample from the seed file, comprises:
randomly selecting a group of function call sequences on the basis of the test sample template, randomly generating parameters according to the parameter types the template defines for each function, and filling them into the call sequence as a newly generated test sample;
or extracting a group of kernel function call sequences from the seed file with a scheduling algorithm, to serve as the original test sample to be mutated;
where the scheduling algorithm selects from the seed file on the basis of seed coverage and seed sequence length: seeds with higher coverage are preferred, and among seeds with equal coverage the longer kernel function call sequence is preferred.
In step 3 of an embodiment, mutating the original test sample selected from the seed file according to the test sample template file and the seed file to obtain a new test sample comprises at least one of:
mutation operation I: randomly selecting a kernel function in the original test sample and applying a parameter-type-aware mutation, guided by the test sample template file, to form a new test sample;
mutation operation II: randomly deleting one kernel function from the original test sample to form a new test sample;
mutation operation III: inserting a randomly chosen kernel function at a random position of the original test sample to form a new test sample; or
mutation operation IV: randomly selecting a seed sequence from the seed file and splicing it onto the original test sample to form a new test sample.
In step 3 of one embodiment, translating the new test sample into a payload comprises:
translating the new test sample into a byte string used as the payload, the translation consisting of: translating each kernel function name into its preset system call number, and translating the type information and the value information of each parameter of the system call into the corresponding character representation.
In step 5 of one embodiment, obtaining the execution coverage information of the trusted execution environment kernel comprises:
implementing event-based and address-based execution coverage filtering through the hardware emulator, and performing flow analysis of the trusted execution environment kernel, based on the Embedded Trace Macrocell (ETM) or on GDB debugging, to obtain its execution coverage information;
address-based coverage filtering means that the ETM- or GDB-based flow analysis collects coverage only for secure addresses of the trusted execution environment and collects none for non-secure addresses;
event-based coverage filtering means that the ETM- or GDB-based flow analysis is started, and coverage collection begins, when a group of test samples starts executing, and is ended, and coverage collection stops, after the group of test samples has finished executing;
and in step 5, updating the seed file according to the coverage information comprises: storing the test sample together with its execution coverage information into the seed file.
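The two coverage filters and the seed-file update rule of step 5, as an added example; this is not code from the patent or its authors. The hardware emulator is modelled as a list of (kind, value) trace records: 'start'/'stop' events bracketing one test sample, and 'pc' records carrying the executed block address. The address filter here keeps only the kernel image range rather than the whole secure world, because the filter modules are meant to reduce the TEE coverage to kernel coverage. The address range, the event names and the trace itself are constructed assumptions.

```python
"""Address- and event-based coverage filtering for TEE kernel traces.

Added example, not the patent's code. Records are (kind, value) tuples as
an emulator/trace decoder might hand them to the host. All addresses,
event names and the trace are constructed assumptions.
"""

# Assumed text range of the secure-world (TEE) kernel image. Hypothetical.
TEE_KERNEL_TEXT = (0x3F00_0000, 0x3F10_0000)


def in_range(addr, rng=TEE_KERNEL_TEXT):
    """Address-based filter: keep only addresses inside the TEE kernel."""
    lo, hi = rng
    return lo <= addr < hi


def sample_window(records):
    """Event-based filter: yield pc values only between 'start' and 'stop'."""
    active = False
    for kind, value in records:
        if kind == "start":
            active = True
        elif kind == "stop":
            active = False
        elif kind == "pc" and active:
            yield value


def kernel_coverage(records, rng=TEE_KERNEL_TEXT):
    """Both filters combined; the set of kernel blocks is the coverage signature."""
    return {a for a in sample_window(records) if in_range(a, rng)}


def update_seeds(seen, cov):
    """Seed-file rule: a sample is worth keeping if it reached unseen blocks.
    Returns (is_new, updated set of blocks seen so far)."""
    new = cov - seen
    return bool(new), seen | cov


# Constructed trace for one test sample.
TRACE = [
    ("pc", 0x0800_1000),   # normal-world CA code before the sample starts
    ("start", 1),
    ("pc", 0x3F80_0040),   # the TA itself: secure world, but not the kernel
    ("pc", 0x3F00_0100),   # kernel syscall entry
    ("pc", 0x3F00_0200),
    ("pc", 0x3F00_0100),   # block revisited: still one coverage point
    ("pc", 0x3F05_0000),
    ("stop", 1),
    ("pc", 0x3F00_0300),   # kernel work after 'stop' belongs to no sample
]

if __name__ == "__main__":
    cov = kernel_coverage(TRACE)
    print([hex(a) for a in sorted(cov)])
```

With the trace above only the three kernel blocks executed between the start and stop events count; the CA prologue, the TA's own code and the kernel block executed after the stop event are dropped, so a second run of the same sample adds no new coverage and would not be stored.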
To achieve the above object, an embodiment further provides a fuzz testing system for an IoT trusted execution environment, comprising a host, a hardware emulator and the IoT device under test;
the host comprises a fuzz testing engine, a feedback information processing module and a test result security analysis module; the fuzz testing engine generates test samples from the constructed test sample template file and seed file and converts them into payloads; the feedback information processing module updates the seed file according to the received execution coverage information of the trusted execution environment kernel; and the test result security analysis module re-runs the saved test samples, namely those that made the trusted execution environment hang or crash, against the trusted execution environment and, when the trusted execution environment is again brought down, concludes that it has a vulnerability;
the hardware emulator comprises an address-based filter module and an event-based filter module; the hardware emulator forwards the payload to the trusted execution environment kernel test module and forwards the execution coverage information of the trusted execution environment kernel to the feedback information processing module, while the two filter modules filter the execution coverage of the trusted execution environment down to the kernel coverage;
the IoT device under test comprises a trusted execution environment kernel test module, which decodes the received payload into a test sample, tests the trusted execution environment kernel with it and produces the execution coverage information of the kernel.
In one embodiment, the fuzz testing engine comprises a test template construction module, a seed file construction module, a test sample generation module, a test sample mutation module and a payload generation module;
the test template construction module constructs the test sample template file by analysing the standard trusted execution environment document and reverse-engineering the IoT trusted execution environment document;
the seed file construction module constructs the seed file by analysing and running trusted application examples;
the test sample generation module constructs an original test sample from the test sample template file or from the seed file;
the test sample mutation module mutates an original test sample constructed from the seed file, according to the test sample template file and the seed file, to obtain a new test sample;
the payload generation module translates original and new test samples into payloads.
Compared with the prior art, the invention has at least the following beneficial effects:
(1) the method constructs a test sample template file for the trusted execution environment, comprising a function template and an entity template, and uses legal system call sequences as the initial seed file, which improves the quality of the generated fuzz test samples;
(2) the invention uses a hardware emulator to transfer data efficiently. Compared with the re-hosting technique used in related work, it does not need to emulate the working environment of the IoT device and therefore has good extensibility and accuracy; compared with the interactive forwarding technique used in related work, it does not need to synchronise device state and therefore fuzzes efficiently;
(3) the invention takes the resource limits of IoT devices into account: rules are preset for test samples, and the system call sequence is translated into a payload and sent to the IoT device under test, so that the test scheduling engine is separated from the test sample execution module, filling the gap in testing IoT trusted execution environment kernels.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in their description are briefly introduced below; the drawings described here are only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the fuzz testing method for an IoT trusted execution environment provided by an embodiment;
Fig. 2 is a flowchart of test template generation provided by an embodiment;
Fig. 3 is a schematic diagram of the payload format produced by translation, provided by an embodiment;
Fig. 4 is a flowchart of trusted execution environment kernel testing provided by an embodiment;
Fig. 5 is a schematic structural diagram of the fuzz testing system for an IoT trusted execution environment.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. The detailed description and specific examples, while indicating the scope of the invention, are intended for illustration only and do not limit that scope.
To address the shortcomings of existing security analysis of IoT trusted execution environments, the embodiment provides a fuzz testing method and system for an IoT trusted execution environment that fuzzes the trusted execution environment on real hardware with good extensibility and high test efficiency. Specifically, a test sample template file (function template, struct template and union template) for the trusted execution environment is designed; a seed file for the trusted execution environment is collected and built from the existing usage of trusted programs; a fuzzing framework that separates scheduling from execution is designed, splitting sample generation from sample execution, which a traditional fuzzer keeps together; a translation method for system call sequences is designed that converts the samples generated by the fuzzer into payload byte strings; and a hardware emulator is used both to write the payload data and to collect feedback on the kernel state of the trusted execution environment. Together these realise efficient and extensible fuzz testing of IoT devices and efficient vulnerability discovery in the trusted execution environment.
Fig. 1 is a flowchart of the fuzz testing method for an IoT trusted execution environment according to an embodiment. As shown in Fig. 1, the method comprises the following steps:
step 1, constructing a test sample template file by analysing the standard trusted execution environment document and reverse-engineering the IoT trusted execution environment document.
In an embodiment, the test sample template file is built from the binary code contained in the standard trusted execution environment document and in the IoT trusted execution environment document, as follows:
step 1-1, constructing the first kernel function description language and the first entity description language by analysing the standard trusted execution environment document.
In the embodiment, the standard trusted execution environment document is obtained and analysed, and the standard function code blocks and entity parameter code blocks that define the trusted execution environment kernel are extracted from it, where an entity parameter code block is the parameter code block of an entity such as a struct or a union.
From each standard function code block, kernel function information such as the function name, the number of parameters, the parameter types and the return type of the standard kernel function of the IoT trusted execution environment is extracted and converted into the formal first kernel function description language.
From each entity parameter code block, entity information such as the name of the IoT trusted execution environment entity, the number of its parameters and their types is extracted and converted into the formal first entity description language. An entity here is a standard struct or union.
step 1-2, constructing the second kernel function description language and the second entity description language by reverse-engineering the IoT trusted execution environment document.
In the embodiment, the binary code of the IoT trusted execution environment is obtained and reverse-engineered to infer the vendor-defined custom kernel function code blocks and custom entity code blocks; both are binary code blocks, and a custom entity code block is the binary code block of an entity such as a struct or a union.
From a custom kernel function code block, the custom function information, comprising the kernel function name, the number of parameters, the parameter types and the return value, is inferred from the internal data-flow graph and the external call relations of the block, and converted into the formal second kernel function description language.
From a custom entity code block, the custom entity (struct or union) information, comprising the entity name, the number of its parameters and their types, is inferred from the initialisation code and the call code of the entity's binary, and converted into the formal second entity description language.
step 1-3, combining the first kernel function description language, the second kernel function description language, the first entity description language and the second entity description language into the test sample template file for the IoT trusted execution environment. Kernel functions are also called system call functions.
To further aid understanding, a specific embodiment of template construction is shown in Fig. 2, taking as an example an IoT trusted execution environment document designed by the semiconductor IP provider ARM.
step 2, establishing a seed file by analysing and running trusted application examples.
In an embodiment, the seed file is constructed by recording the function sequence and parameter information of trusted application examples that the kernel of the target IoT trusted execution environment executes successfully, specifically:
step 2-1, automatically identifying the source code of the trusted application examples supplied by the vendor, extracting the kernel functions and entities (structs and unions) from the source code, instrumenting the program, and outputting the call sequence and actual parameter values of the kernel functions and entities during the run of the example;
step 2-2, running the trusted application example on the real hardware; if it hangs or crashes, re-running it or choosing another trusted application example; when no hang or crash occurs, saving, according to the instrumentation of step 2-1, the kernel functions, the entity call sequence and the actual parameter values of the run to form the seed file.
And 3, generating a new test sample according to the test sample template file or selecting an original test sample from the seed file.
In the embodiment, a group of function calling sequences are randomly selected according to a test sample template, parameters are randomly generated based on the function parameter types defined in the test sample template and are filled in the function calling sequences to serve as new test samples, or the test sample template file obtained in the step 1 and the seed file obtained in the step 2 are stored in a host, and then a scheduling algorithm is adopted to extract a group of kernel function calling sequences from the seed file to serve as original test samples to be mutated. When the scheduling algorithm extracts a group of kernel function calling sequences from the seed file, the selection is carried out based on the seed coverage rate and the seed sequence length, and the method comprises the following steps: and preferentially selecting seeds with high coverage rate, and preferentially selecting kernel function calling sequences with long sequences under the condition of consistent coverage rate.
And 4, performing mutation operation on the original test sample extracted from the seed file according to the test sample template file and the seed file to obtain a new test sample.
The test sample template file is constructed according to the standard trusted execution environment document and the internet of things trusted execution environment document of the manufacturer, and has specificity, so that the original test sample extracted from the test sample template file is not required. However, the mutation operation needs to be performed on the original test sample constructed according to the seed file, specifically, the mutation operation is performed on the original test sample according to the test sample template file and the seed file, and the mutation operation can be performed in at least 1 of the following four ways to construct a new test sample:
Mutation operation 1: randomly select a kernel function from the original test sample and apply a parameter-type-aware mutation, based on the test sample template file, to form a new test sample;
Mutation operation 2: randomly delete one kernel function from the original test sample to form a new test sample;
Mutation operation 3: randomly insert a random kernel function into the original test sample to form a new test sample;
Mutation operation 4: randomly select a seed sequence from the seed file and splice it onto the original test sample to form a new test sample.
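As an added illustration (example code written for this page, not part of the patent or of any fuzzer the patent describes), the Python below models steps 3 and 4: a small test sample template, the seed scheduling rule (coverage first, then sequence length) and the four mutation operations. The function names are GlobalPlatform TEE Internal Core API names; the parameter type labels, the boundary values and the address layout are assumptions made for the example.

```python
import random
from dataclasses import dataclass
from typing import Dict, List

# Test sample template: kernel function name -> parameter types, in order.
# Constructed for this example; the function names are GlobalPlatform TEE
# Internal Core API names, the type labels are an assumption.
TEMPLATE: Dict[str, List[str]] = {
    "TEE_Malloc":  ["size", "hint"],
    "TEE_Free":    ["ptr"],
    "TEE_MemMove": ["ptr", "ptr", "size"],
    "TEE_MemFill": ["ptr", "byte", "size"],
}


@dataclass
class Call:
    name: str
    args: List[int]


Sample = List[Call]            # a kernel function call sequence


@dataclass
class Seed:
    sample: Sample
    coverage: int              # kernel coverage fed back by the hardware simulator


def gen_value(ptype: str, rng: random.Random) -> int:
    """Type-aware value generation: boundary values are chosen per parameter type."""
    if ptype == "size":
        return rng.choice([0, 1, 15, 16, 4096, 0xFFFFFFFF])
    if ptype == "ptr":
        # null, a plausible SRAM address, and an out-of-range address (assumed layout)
        return rng.choice([0, 0x20000000 + 4 * rng.randint(0, 1024), 0xFFFFFFF0])
    if ptype == "byte":
        return rng.randint(0, 255)
    return rng.getrandbits(32)   # "hint" and any other type: arbitrary 32-bit value


def new_call(name: str, rng: random.Random) -> Call:
    return Call(name, [gen_value(t, rng) for t in TEMPLATE[name]])


def gen_sample(rng: random.Random, max_len: int = 4) -> Sample:
    """Step 3, first path: random call sequence whose parameters follow the template types."""
    names = list(TEMPLATE)
    return [new_call(rng.choice(names), rng) for _ in range(rng.randint(1, max_len))]


def select_seed(seeds: List[Seed]) -> Seed:
    """Step 3, second path: scheduling by coverage first, then by sequence length."""
    return max(seeds, key=lambda s: (s.coverage, len(s.sample)))


def copy_sample(sample: Sample) -> Sample:
    return [Call(c.name, list(c.args)) for c in sample]


def mutate_param(sample: Sample, rng: random.Random) -> Sample:
    """Mutation 1: regenerate one argument of one call according to its template type."""
    new = copy_sample(sample)
    call = rng.choice(new)
    if call.args:
        i = rng.randrange(len(call.args))
        call.args[i] = gen_value(TEMPLATE[call.name][i], rng)
    return new


def mutate_delete(sample: Sample, rng: random.Random) -> Sample:
    """Mutation 2: delete one call; a one-call sample is left unchanged so it stays runnable."""
    new = copy_sample(sample)
    if len(new) > 1:
        del new[rng.randrange(len(new))]
    return new


def mutate_insert(sample: Sample, rng: random.Random) -> Sample:
    """Mutation 3: insert a random template call at a random position."""
    new = copy_sample(sample)
    new.insert(rng.randint(0, len(new)), new_call(rng.choice(list(TEMPLATE)), rng))
    return new


def mutate_splice(sample: Sample, seeds: List[Seed], rng: random.Random) -> Sample:
    """Mutation 4: splice a randomly chosen seed sequence onto the end of the sample."""
    return copy_sample(sample) + copy_sample(rng.choice(seeds).sample)


def mutate(sample: Sample, seeds: List[Seed], rng: random.Random) -> Sample:
    """Apply one of the four operations at random (the text requires at least one)."""
    op = rng.randrange(4)
    if op == 0:
        return mutate_param(sample, rng)
    if op == 1:
        return mutate_delete(sample, rng)
    if op == 2:
        return mutate_insert(sample, rng)
    return mutate_splice(sample, seeds, rng)
```

Every mutation copies the sample first, so the seed file entry the scheduler selected is never altered in place; the `coverage` field on `Seed` is the value step 8 writes back.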
Step 5: translate the new test sample into a payload.
In an embodiment, translating a test sample into a payload means translating the original test sample and the new test sample into byte strings that serve as payloads. The translation maps each kernel function name to a preset system call number and maps the type information and value information of each system function parameter to a corresponding character representation.
During translation, an empty string buffer is first prepared to hold the payload byte string; the following steps are then repeated until every kernel function in the test sample has been translated: take the next kernel function in the test sample, translate its system call number into an integer string and append it to the buffer; then, for all parameters of the system call function, translate the type information into integer strings and append them to the buffer; then, for each parameter of the system call function, translate its value into the corresponding integer string or special string. Once all kernel functions have been translated, the hardware simulator is invoked to transmit the payload string to the client application on the Internet of Things device under test. To further facilitate understanding by those skilled in the art, the constructed payload format is shown in fig. 3.
Step 6: transmit the payload through the hardware simulator to the client application running on the Internet of Things device under test; the client application forwards the received payload to the trusted application.
In an embodiment, the translated payload is transmitted through the hardware simulator to the client application running on the Internet of Things device under test. On receiving the payload, the client application creates a buffer to hold it, calls the interface function for interacting with the trusted application, and forwards the payload to the trusted application through that interface function.
Step 7: the trusted application decodes the payload into an executable test sample and runs it, thereby testing the trusted execution environment kernel.
In the embodiment, starting from a mainstream fuzzing framework designed for operating system kernels, a fuzzing framework with separate scheduling and execution is constructed for the Internet of Things trusted execution environment; through steps 3 to 7 this framework tests the trusted environment efficiently on real hardware. To further facilitate understanding by those skilled in the art, the trusted execution environment kernel test flow executed in steps 6 and 7 is shown in fig. 4.
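The encoding of step 5 and the decoding of step 7, as an added Python example that is not the patent's code. The patent gives the payload layout only in fig. 3, so the token separator (a space), the system call numbers, the type codes and the NULL special string are assumptions made for the example. The decoder is written the way the trusted application should treat the payload, as untrusted input: unknown call numbers, mismatched type information and truncated payloads are rejected rather than executed.

```python
from typing import List, Tuple

# Assumed preset tables shared by host and trusted application. The patent says
# the system call numbers are preset but does not list them; these are constructed.
SYSCALL_NO = {"TEE_Malloc": 1, "TEE_Free": 2, "TEE_MemMove": 3}
NAME_OF = {v: k for k, v in SYSCALL_NO.items()}
TYPE_CODE = {"size": 0, "hint": 1, "ptr": 2}
TYPE_OF = {v: k for k, v in TYPE_CODE.items()}
PARAM_TYPES = {
    "TEE_Malloc":  ["size", "hint"],
    "TEE_Free":    ["ptr"],
    "TEE_MemMove": ["ptr", "ptr", "size"],
}
NULL_TOKEN = "NULL"          # assumed "special string" for a null pointer value

# A call is (function name, argument values); None stands for a null pointer.
Call = Tuple[str, List[object]]


def encode_payload(sample: List[Call]) -> bytes:
    """Host side (step 5): fill a string buffer call by call, then emit the bytes.

    Per call: system call number, then one type code per parameter, then one
    value per parameter, all as decimal strings (or NULL for a null pointer)."""
    buf: List[str] = []
    for name, args in sample:
        types = PARAM_TYPES[name]
        if len(args) != len(types):
            raise ValueError(f"{name}: expected {len(types)} args, got {len(args)}")
        buf.append(str(SYSCALL_NO[name]))                # kernel function -> call number
        buf.extend(str(TYPE_CODE[t]) for t in types)     # parameter type information
        for t, v in zip(types, args):                    # parameter value information
            if t == "ptr" and v is None:
                buf.append(NULL_TOKEN)
            else:
                buf.append(str(int(v) & 0xFFFFFFFF))
    return " ".join(buf).encode("ascii")


def decode_payload(payload: bytes) -> List[Call]:
    """Trusted application side (step 7): rebuild the call sequence from the byte string.

    Raises ValueError on anything malformed, so a corrupted payload is never run."""
    toks = payload.decode("ascii").split()
    calls: List[Call] = []
    i = 0
    while i < len(toks):
        num = int(toks[i])
        i += 1
        name = NAME_OF.get(num)
        if name is None:
            raise ValueError(f"unknown system call number {num}")
        n = len(PARAM_TYPES[name])
        if len(toks) - i < 2 * n:
            raise ValueError(f"truncated payload for {name}")
        types = [TYPE_OF.get(int(t)) for t in toks[i:i + n]]
        i += n
        if types != PARAM_TYPES[name]:
            raise ValueError(f"type information does not match {name}")
        values = toks[i:i + n]
        i += n
        args = [None if (t == "ptr" and v == NULL_TOKEN) else int(v)
                for t, v in zip(types, values)]
        calls.append((name, args))
    return calls
```

The type codes travel with the payload even though both sides hold the same table; checking them against the table on the device side catches a host/device table mismatch before any kernel function is invoked.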
Step 8: while the trusted application runs the test sample, obtain the execution coverage information of the trusted execution environment kernel through the hardware simulator, and update the seed file according to that coverage information.
In the embodiment, on the fuzzing framework designed in steps 3 to 7, the fuzzing feedback (that is, the execution coverage information) is acquired through the hardware simulator, and the acquired feedback is used to guide the seed selection of the fuzzer, which improves fuzzing efficiency.
After the execution of each test sample finishes, the hardware simulator applies address-based and event-based execution coverage filtering and performs trace analysis of the trusted execution environment kernel, either through the embedded trace macrocell or through GDB debugging (the debugger released by the GNU project), to obtain the kernel's execution coverage information.
Specifically, address-based execution coverage filtering performs the trace analysis, based on the embedded trace macrocell or on GDB debugging, only for secure addresses of the trusted execution environment and collects coverage information there; no coverage is collected for non-secure addresses. Event-based execution coverage filtering starts the trace analysis, and with it coverage collection, when execution of a group of test samples begins, and stops the trace analysis and coverage collection after that group of test samples has finished executing.
When GDB debugging is used to obtain code coverage information, the target trusted execution environment system is first compiled with the corresponding compiler options (-fprofile-arcs -ftest-coverage) to obtain the program branch information. The target system is then debugged with GDB: before the run finishes, the dump binary memory command is called to acquire the memory information recorded at branch jumps, and this memory image is saved as a file on the host. After the test execution finishes, the memory image file is analysed together with the program branch information to obtain the code coverage and related information. When the embedded trace macrocell is used to obtain code coverage information, the hardware simulator traces the program's instruction and data information in real time while it runs, reconstructs the program's execution, derives the code coverage, and transmits it to the host. Based on the coverage information obtained, the host saves the test sample and its coverage to the seed file, updating the seed file and providing the data on which the scheduling algorithm relies.
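Address- and event-based coverage filtering of step 8 together with the seed file update, as an added Python example (not the patent's or the hardware simulator's code). It works on a trace already exported from the hardware simulator, represented here as constructed records; the secure address window is an assumed value, and `is_interesting` goes slightly beyond the text by showing how newly reached addresses are recognized when deciding which samples to keep.

```python
import json
from typing import Iterable, List, Set, Tuple

# Secure code window of the device under test: [start, end). Assumed values;
# on a TrustZone-M part the real boundary comes from the SAU/IDAU configuration.
SECURE_RANGE = (0x00000000, 0x00080000)

# One trace record is either a test-window event or an executed address.
TraceRecord = Tuple[str, object]   # ("event", "start" | "end") or ("addr", int)


def filter_coverage(trace: Iterable[TraceRecord],
                    secure: Tuple[int, int] = SECURE_RANGE) -> Set[int]:
    """Address- and event-based coverage filtering.

    Only addresses inside the secure window count (address filter), and only
    those seen between the 'start' and 'end' events of one test sample group
    (event filter). Everything else in the trace is discarded."""
    lo, hi = secure
    covered: Set[int] = set()
    active = False
    for kind, value in trace:
        if kind == "event":
            active = value == "start"        # "end" (or anything else) closes the window
        elif kind == "addr" and active and lo <= value < hi:
            covered.add(value)
    return covered


def is_interesting(seed_file: dict, covered: Set[int]) -> bool:
    """True if the sample reached a secure address that no saved seed has reached.

    Beyond the text: the usual way coverage feedback decides what is worth keeping."""
    known: Set[int] = set()
    for entry in seed_file.values():
        known.update(entry["addresses"])
    return not covered <= known


def update_seed_file(seed_file: dict, sample_id: str, sample: list,
                     covered: Set[int]) -> dict:
    """Store the sample and its coverage; the scheduler later reads 'coverage'."""
    seed_file[sample_id] = {
        "sample": sample,
        "coverage": len(covered),
        "addresses": sorted(covered),
    }
    return seed_file


def save_seed_file(seed_file: dict, path: str) -> None:
    """Persist the seed file on the host as JSON (format is an assumption)."""
    with open(path, "w") as f:
        json.dump(seed_file, f, indent=1)


# Constructed trace: one test group, with secure and non-secure addresses and
# activity outside the start/end window that must be ignored.
SAMPLE_TRACE: List[TraceRecord] = [
    ("addr", 0x00000100),          # before start: ignored
    ("event", "start"),
    ("addr", 0x00000200),          # secure: counted
    ("addr", 0x10000200),          # non-secure alias: filtered out
    ("addr", 0x00000204),          # secure: counted
    ("addr", 0x00000200),          # repeat: counted once
    ("event", "end"),
    ("addr", 0x00000300),          # after end: ignored
]
```

In the GDB path described in the text the same filter would be applied to the branch information recovered from the dumped counter memory rather than to raw trace addresses; the address and event rules do not change.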
Step 9: on the basis of steps 3 to 8, send a large number of test samples and observe the response of the trusted execution environment for security analysis.
In the embodiment, steps 3 to 8 are repeated: a large number of test samples are sent to the trusted execution environment and executed there, and it is observed whether any test sample leaves the trusted execution environment unresponsive or crashes it. Any such test sample is saved; otherwise testing continues until the set test time is reached.
After testing finishes, the saved group of test samples that left the trusted execution environment unresponsive or crashed it is used to test the trusted execution environment again, and the change in the trusted execution environment's memory is analysed. If the trusted execution environment's memory is corrupted, the trusted execution environment is considered to have a vulnerability; otherwise the test sample is considered not to expose one.
In one embodiment, a NuMaker-PFM-M2351 development board released by Nuvoton Technology Corp. is used with a J-Trace Pro as the hardware simulator to test mTower, an Internet of Things trusted execution environment proposed by Samsung Electronics; errors such as illegal memory address accesses caused by mTower kernel functions such as TEE_MemMove and TEE_Malloc were found.
Based on the same inventive concept, the embodiment also provides a fuzz testing system for the Internet of Things trusted execution environment. As shown in FIG. 5, the system comprises a host, a hardware simulator and an Internet of Things device under test. The host comprises a fuzz testing engine, a feedback information processing module and a test result security analysis module; the fuzz testing engine comprises a test template construction module, a seed file construction module, a test sample generation module, a test sample mutation module and a payload generation module; the hardware simulator comprises an address-based filter module and an event-based filter module; and the Internet of Things device under test comprises a trusted execution environment kernel test module.
The test template construction module constructs the test sample template file by analysing the standard trusted execution environment document and reverse-analysing the Internet of Things trusted execution environment document; the seed file construction module constructs the seed file by analysing and running a trusted application example; the test sample generation module constructs an original test sample from the test sample template file or the seed file; the test sample mutation module mutates the original test sample constructed from the seed file, according to the test sample template file and the seed file, to obtain a new test sample; the payload generation module translates the original test sample and the new test sample into payloads; the hardware simulator forwards the payload to the trusted execution environment kernel test module and forwards the execution coverage information of the trusted execution environment kernel to the feedback information processing module, where the address-based filter module and the event-based filter module filter the execution coverage of the trusted execution environment to obtain the trusted execution environment kernel coverage; the trusted execution environment kernel test module decodes the received payload into a test sample, then tests the trusted execution environment kernel with it and produces the execution coverage information of the trusted execution environment kernel; the feedback information processing module updates the seed file according to the received execution coverage information of the trusted execution environment kernel; and the test result security analysis module tests the trusted execution environment again with the saved test samples and observes the response of the trusted execution environment in order to perform static and dynamic security analysis.
It should be noted that the division into functional modules described above is only an example of how the fuzz testing apparatus for the Internet of Things trusted execution environment performs fuzz testing; the functions may be assigned to different functional modules as needed, that is, the internal structure of the terminal or server may be divided into different functional modules to complete all or part of the functions described above. Moreover, the fuzz testing apparatus for the Internet of Things trusted execution environment and the fuzz testing method for the Internet of Things trusted execution environment provided by the embodiments belong to the same concept; the apparatus is implemented as described in the method embodiment and is not described again here.
With the fuzz testing method and system for the Internet of Things trusted execution environment, the test sample template file is constructed through analysis of the standard trusted execution environment document and automatic reverse analysis of functions, and vulnerability discovery is achieved by combining this with fuzz testing, without the source code of the trusted environment being needed. The testing process is fully automatic, which reduces manual effort and supports security analysis of the trusted execution environments of all manufacturers. The method can readily be extended into a testing framework for the software systems of other Internet of Things devices by providing the configuration file of the corresponding device for the hardware simulator and modifying the test sample template file and the seed file.
The above embodiments are intended to illustrate the technical solutions and advantages of the present invention. It should be understood that they are only the most preferred embodiments of the present invention and are not intended to limit it; any modifications, additions, equivalents and the like made within the scope of the principles of the present invention should be included in its scope.

Claims (10)

1. A fuzz testing method for a trusted execution environment of the Internet of Things, characterized in that it comprises the following steps:
step 1, analysing a standard trusted execution environment document and reverse-analysing an Internet of Things trusted execution environment document to construct a test sample template file;
step 2, constructing a seed file by analysing and running a trusted application example;
step 3, generating a new test sample from the test sample template file, or selecting an original test sample from the seed file and mutating it according to the test sample template file and the seed file to obtain a new test sample; translating the new test sample into a payload; and transmitting the payload through a hardware simulator to a client application running on an Internet of Things device under test;
step 4, after the client application forwards the received payload to a trusted application, the trusted application decoding the payload into a test sample and running it to test the trusted execution environment kernel;
step 5, while the trusted application runs the test sample, obtaining execution coverage information of the trusted execution environment kernel through the hardware simulator and updating the seed file according to the coverage information;
step 6, repeating steps 3 to 5, saving any test sample that leaves the trusted execution environment unresponsive or crashes it, testing the trusted execution environment again with the saved test samples, and considering the trusted execution environment to have a vulnerability when it is damaged.
2. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 1, wherein step 1 comprises:
step 1-1, analysing the standard trusted execution environment document, extracting from it the standard function code blocks and entity parameter code blocks that define the trusted execution environment kernel, extracting kernel function information and entity information from the standard function code blocks and the entity parameter code blocks respectively, and converting them respectively into a formalized first kernel function description language and a formalized first entity description language, wherein an entity comprises structures and composite types;
step 1-2, obtaining, by reverse analysis, the manufacturer-customized kernel function code blocks and custom entity code blocks in the Internet of Things trusted execution environment document, deducing custom function information and custom entity information from them respectively, and converting these respectively into a formalized second kernel function description language and a formalized second entity description language, wherein a custom entity comprises structures and composite types;
step 1-3, combining the first kernel function description language, the second kernel function description language, the first entity description language and the second entity description language to form the test sample template file for the Internet of Things trusted execution environment.
3. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 2, wherein the kernel function information comprises a function name, a number of function parameters, the types of the function parameters and a return value type; the custom kernel function information comprises a function name, a number of parameters, parameter types and a return value type;
the entity information comprises an entity name, a number of entity parameters and entity parameter types; the custom entity information comprises an entity name, a number of entity parameters and entity parameter types.
4. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 1, wherein step 2 comprises:
step 2-1, analysing a trusted application example, extracting the kernel functions and entities from it, and instrumenting the program so that it outputs the kernel functions, the entity call sequence and the actual parameter values while the trusted application example runs, wherein an entity comprises structures and composite types;
step 2-2, running the trusted application example in the real hardware environment and, when no hang or crash occurs, saving the kernel functions, the entity call sequence and the actual parameter values output during the run by the instrumentation statements of step 2-1, to form the seed file.
5. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 1, wherein, in step 3, generating a new test sample from the test sample template file, or selecting an original test sample from the seed file, comprises:
randomly selecting a group of function call sequences based on the test sample template, randomly generating parameters based on the parameter types defined for the functions, and filling the parameters into the function call sequences to serve as the generated new test sample;
extracting a group of kernel function call sequences from the seed file with a scheduling algorithm to serve as the original test sample to be mutated;
wherein, when the scheduling algorithm extracts a group of kernel function call sequences from the seed file, the selection is based on seed coverage and seed sequence length: seeds with higher coverage are preferred, and among seeds with the same coverage the longer kernel function call sequence is preferred.
6. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 1, wherein, in step 3, mutating the original test sample selected from the seed file according to the test sample template file and the seed file to obtain a new test sample comprises:
mutation operation 1: randomly selecting a kernel function from the original test sample and applying a parameter-type-aware mutation, based on the test sample template file, to form a new test sample;
mutation operation 2: randomly deleting a kernel function from the original test sample to form a new test sample;
mutation operation 3: randomly inserting a random kernel function into the original test sample to form a new test sample; or
mutation operation 4: randomly selecting a seed sequence from the seed file and splicing it onto the original test sample to form a new test sample.
7. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 1, wherein, in step 3, translating the new test sample into a payload comprises:
translating the new test sample into a byte string that serves as the payload, the translation comprising: translating each kernel function name into a preset system call number, and translating the type information and value information of the system function parameters into corresponding character representations.
8. The fuzz testing method for the trusted execution environment of the Internet of Things according to claim 1, wherein, in step 5, obtaining the execution coverage information of the trusted execution environment kernel comprises:
applying event-based and address-based execution coverage filtering through the hardware simulator, and performing trace analysis of the trusted execution environment kernel based on an embedded trace macrocell or on GDB debugging to acquire the execution coverage information of the trusted execution environment kernel;
wherein address-based execution coverage filtering means performing the trace analysis based on the embedded trace macrocell or on GDB debugging only for secure addresses of the trusted execution environment to obtain coverage information, and obtaining no coverage for non-secure addresses;
and event-based execution coverage filtering means starting the trace analysis based on the embedded trace macrocell or on GDB debugging, and obtaining coverage information, when a group of test samples starts executing, and ending that trace analysis and stopping the collection of coverage information after the group of test samples has finished executing;
and, in step 5, updating the seed file according to the coverage information comprises: storing the test sample and its corresponding execution coverage information in the seed file to update the seed file.
9. A fuzz testing system for a trusted execution environment of the Internet of Things, characterized in that it comprises a host, a hardware simulator and an Internet of Things device under test;
the host comprises a fuzz testing engine, a feedback information processing module and a test result security analysis module, wherein the fuzz testing engine generates a test sample from a constructed test sample template file and a seed file and converts the test sample into a payload, and the feedback information processing module updates the seed file according to received execution coverage information of the trusted execution environment kernel; the test result security analysis module tests the trusted execution environment again with saved test samples and considers the trusted execution environment to have a vulnerability when it is damaged, the saved test samples being those that left the trusted execution environment unresponsive or crashed it;
the hardware simulator comprises an address-based filter module and an event-based filter module, wherein the hardware simulator forwards the payload to the trusted execution environment kernel test module and forwards the execution coverage information of the trusted execution environment kernel to the feedback information processing module, and the address-based filter module and the event-based filter module filter the execution coverage of the trusted execution environment to obtain the trusted execution environment kernel coverage;
the Internet of Things device under test comprises a trusted execution environment kernel test module, which decodes the received payload into a test sample, then tests the trusted execution environment kernel with it and produces the execution coverage information of the trusted execution environment kernel.
10. The fuzz testing system for the trusted execution environment of the Internet of Things according to claim 9, wherein the fuzz testing engine comprises a test template construction module, a seed file construction module, a test sample generation module, a test sample mutation module and a payload generation module;
the test template construction module constructs the test sample template file by analysing the standard trusted execution environment document and reverse-analysing the Internet of Things trusted execution environment document;
the seed file construction module constructs the seed file by analysing and running a trusted application example;
the test sample generation module constructs an original test sample from the test sample template file or the seed file;
the test sample mutation module mutates the original test sample constructed from the seed file, according to the test sample template file and the seed file, to obtain a new test sample;
the payload generation module translates the original test sample and the new test sample into payloads.
CN202210291113.6A 2022-03-23 2022-03-23 Fuzzy testing method and system for trusted execution environment of Internet of things Pending CN114610640A (en)


Publications (1)

Publication Number Publication Date
CN114610640A true CN114610640A (en) 2022-06-10

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115270139A (en) * 2022-09-20 2022-11-01 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) IoT equipment network service automatic vulnerability analysis method and system
CN115270139B (en) * 2022-09-20 2023-01-17 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) IoT equipment network service automatic vulnerability analysis method and system
CN115774677A (en) * 2022-12-20 2023-03-10 上海安般信息科技有限公司 Fuzzy test method and device based on multi-parameter input
CN115774677B (en) * 2022-12-20 2024-02-23 上海安般信息科技有限公司 Fuzzy test method and device based on multi-parameter input
CN117235686A (en) * 2023-10-30 2023-12-15 杭州海康威视数字技术股份有限公司 Data protection method, device and equipment
CN117235686B (en) * 2023-10-30 2024-01-30 杭州海康威视数字技术股份有限公司 Data protection method, device and equipment
CN117436533A (en) * 2023-12-20 2024-01-23 贵州大学 Species distribution monitoring method and device based on habitat data analysis
CN117436533B (en) * 2023-12-20 2024-02-13 贵州大学 Species distribution monitoring method and device based on habitat data analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination