CN116451244B - Directed grey-box fuzzing method and device guided by software vulnerability causes - Google Patents

Directed grey-box fuzzing method and device guided by software vulnerability causes

Info

Publication number
CN116451244B
Authority
CN
China
Prior art keywords
vulnerability
software
code
cause
Legal status
Active
Application number
CN202310686869.5A
Other languages
Chinese (zh)
Other versions
CN116451244A (en)
Inventor
李远金
程超
郭永康
程泽凯
高利文
胡陈勇
Current Assignee
Beijing Zhongke Zhuoxin Software Evaluation Technology Center
Original Assignee
Beijing Zhongke Zhuoxin Software Evaluation Technology Center
Application filed by Beijing Zhongke Zhuoxin Software Evaluation Technology Center
Priority to CN202310686869.5A
Publication of CN116451244A
Application granted
Publication of CN116451244B
Legal status: Active
Anticipated expiration


Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57  Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577  Assessing vulnerabilities and evaluating computer system security
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00  Error detection; Error correction; Monitoring
    • G06F 11/36  Preventing errors by testing or debugging software
    • G06F 11/3668  Software testing
    • G06F 11/3672  Test management
    • G06F 11/3688  Test management for test execution, e.g. scheduling of test suites
    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02  TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D  CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00  Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a directed grey-box fuzzing method and device guided by software vulnerability causes. The method comprises: constructing a vulnerability cause knowledge base module, a vulnerability region identification module, a test case selection module and a fuzzing module; constructing a software code vulnerability cause knowledge base by extracting the cause features of known software vulnerabilities; identifying the vulnerability regions of the software under test by matching those cause features against its code; and selecting directed grey-box fuzzing test cases according to the identified vulnerability regions and performing directed grey-box fuzzing. The method and device address the low accuracy and low efficiency of existing software vulnerability discovery: by combining static analysis of the software with dynamic fuzzing, vulnerability detection is accelerated and the effectiveness and accuracy of grey-box fuzzing are improved.

Description

Directed grey-box fuzzing method and device guided by software vulnerability causes
Technical Field
The invention relates to the technical field of software testing, and in particular to a directed grey-box fuzzing method and device guided by software vulnerability causes.
Background
Fuzzing is widely used in vulnerability discovery. It finds defects or vulnerabilities in software by constructing unexpected inputs for a target program, feeding those inputs to the program for execution, and monitoring the program for abnormal behaviour (such as crashes) after it receives them. Fuzzing is an important part of secure software development, and the security of software can be improved through it.
Fuzzing can be classified into white-box, grey-box and black-box fuzzing according to how much it depends on program source code and program analysis. White-box fuzzing has access to the program's source code, so the program's runtime state can be reasoned about by analysing the source and the collected test cases. Black-box fuzzing runs without any knowledge of the target program's internals. Grey-box fuzzing sits between the two: it takes the logical structure of the program code into account while observing the target program's behaviour during execution, and uses the feedback so obtained to improve the effectiveness of fuzzing. Fuzzing can be further classified, according to its program exploration strategy, into directed fuzzing and coverage-based fuzzing. Directed fuzzing aims to generate test cases that reach target code and target program paths, whereas coverage-based fuzzing aims to generate test cases that cover as much program code as possible.
The goal of directed grey-box fuzzing is for test case execution to reach a predetermined code region of the target software (a possibly defective portion of code), spending most of the test time budget on reaching that target rather than wasting resources on testing irrelevant parts. The most representative directed grey-box fuzzer, AFLGo (an extension of AFL, American Fuzzy Lop), computes a distance between an input and the predefined targets. The distance of an input is the average, over the basic blocks on its execution trace, of the basic-block distance to the target, where the basic-block distance is derived from the program call graph and the number of edges in the control flow graph. At run time AFLGo then prioritises seeds by this distance rather than by new path coverage, preferring seeds whose basic-block-level distance to the target is smaller. This distance computation is flawed: it favours short paths, whereas the long paths it deprioritises are often the ones more likely to reach a vulnerability. Moreover, for software that has not been tested before, the code region in which a vulnerability lies has not been identified beforehand, so directed grey-box fuzzing of it is inefficient and its results are of low accuracy.
Disclosure of Invention
To overcome the low vulnerability discovery accuracy of existing directed grey-box fuzzing techniques, the invention provides a directed grey-box fuzzing method and device guided by software vulnerability causes. They address the low accuracy and low efficiency of existing software vulnerability discovery by combining static analysis of the software with directed dynamic fuzzing, which accelerates vulnerability detection and improves the effectiveness and accuracy of grey-box fuzzing.
In a first aspect, the invention provides a directed grey-box fuzzing method guided by software vulnerability causes, comprising the following steps:
1) Constructing a software code vulnerability cause knowledge base;
2) Identifying the regions of the software under test in which vulnerabilities may occur, according to the vulnerability cause features;
3) Selecting directed grey-box fuzzing test cases according to the identified vulnerability regions of the software under test, and performing directed grey-box fuzzing.
In step 1), the software code vulnerability cause knowledge base is constructed as follows:
11) Obtain published software security vulnerability information.
The software security vulnerability information is collected from multiple sources on the network, including CVE (Common Vulnerabilities and Exposures), NVD (National Vulnerability Database), CWE (Common Weakness Enumeration), CNNVD (China National Vulnerability Database of Information Security), CNVD (China National Vulnerability Database), GitHub and the like. For each vulnerability it comprises the vulnerability type, the vulnerability POC (Proof of Concept) used to check whether the corresponding vulnerability exists, and the vulnerability code, where the vulnerability code is either a code fragment of the software containing the known vulnerability or the complete program (the vulnerable program).
12) Merge, de-duplicate and screen the software security vulnerability information, correcting any errors found.
13) Classify the software security vulnerabilities to obtain the corresponding vulnerability types.
According to the mechanism by which vulnerabilities arise, the vulnerability types of interest include, but are not limited to, buffer overflow, integer overflow, division by zero, array out-of-bounds access, format string, use-after-free, double free, null pointer dereference, improper input validation, assertion failure, out-of-memory and memory leak; buffer overflows can be further divided into heap overflow, stack overflow and data segment overflow.
14) Extract the vulnerability cause features.
First, perform static analysis on the vulnerability code of each vulnerability type to find the vulnerability point, i.e. the specific location in the vulnerability code that gives rise to the vulnerability. Most published vulnerability information already marks the vulnerability position (the location of the vulnerability point); unlabelled vulnerability code is processed with a static analysis tool such as Cppcheck, which outputs a report including the location and line number of the vulnerability point.
Then extract the features in the vulnerability code that affect the vulnerability cause. This is done by locating the vulnerability point, processing the code statement at that point, identifying the vulnerability type found by fuzzing, and extracting a vulnerability identifier as the cause feature, which is handled differently per vulnerability type:
(1) Vulnerabilities caused by function misuse. The specific arguments of the function in the vulnerability point statement are deleted or replaced, and the function name (the vulnerability identifier) is retained as the cause feature. For example, a buffer overflow occurs when strcpy() is used without comparing the size of the destination buffer with that of the source string; the vulnerability point statement is strcpy(dest, src), the arguments dest and src are removed, and strcpy() is extracted as the cause feature of that vulnerability code.
(2) Vulnerabilities caused by a zero divisor. The division expression in the vulnerability point statement is converted into a regular expression, which serves as the cause feature. For example, the statement int r = m / n crashes the program when n is zero; the regular expression int\s+(\w+)\s*=\s*(\w+)\s*/\s*(\w+) derived from it is the cause feature of that vulnerability code.
(3) Integer overflow vulnerabilities. The integer arithmetic in the vulnerability point statement is converted into a regular expression, which serves as the cause feature. For example, with int a = INT_MAX the statement int b = a + 1 overflows and the program misbehaves; the regular expression int\s+(\w+)\s*=\s*(\w+)\s*\+\s*(\w+) derived from int b = a + 1 is the cause feature of that vulnerability code.
(4) Array out-of-bounds vulnerabilities. The array operation statement is converted into a regular expression, which serves as the cause feature. For example, after int array[3] = {1, 2, 3}, the statement array[5] = 10 writes past the end of the array and crashes the program; the regular expression \b(\w+)\s*\[\s*(\w+)\s*\]\s*= derived from the element assignment array[5] = 10 is the cause feature of that vulnerability code.
(5) Assertion failure vulnerabilities. The specific arguments in the vulnerability point statement are deleted or replaced and the assertion operation is kept as the cause feature. For example, after int x = 5 an assertion whose condition does not hold for the actual value of x fails; assert() is extracted as the cause feature of that vulnerability code.
(6) Vulnerabilities caused by improper memory operations, including double free, use-after-free and memory leak. The specific arguments of the function in the vulnerability point statement are deleted and the name of the memory-management function (the vulnerability identifier) is retained as the cause feature. For example, the double free vulnerability point statement is free(ptr), which releases memory that has already been released and corrupts memory management; the argument ptr is removed and the function free() is the cause feature. The memory leak vulnerability point statement is int *ptr = malloc(sizeof(int)), where the dynamically allocated memory is never released; the function malloc() is extracted as the cause feature of that vulnerability code.
(7) Vulnerabilities caused by incorrect pointer use. The specific arguments of the function in the vulnerability point statement are deleted and the name of the function operating on the pointer is retained as the cause feature. For example, the null pointer vulnerability point statement is int *invalidPtr = NULL; free(invalidPtr), which releases a pointer that does not refer to a valid allocation; the argument invalidPtr is removed and free() is extracted as the cause feature of that vulnerability code. (Note that free(NULL) by itself is defined as a no-op by the C standard; the pattern is meant to flag releases through pointers that are null or otherwise invalid at the call site.)
15) The vulnerability cause knowledge base is structured as quadruples of vulnerability type, vulnerability code, vulnerability POC and vulnerability cause feature, and the specific information for each entry is stored in it.
In step 2), the vulnerability regions of the software under test are identified according to the vulnerability cause features as follows:
21) Determine the software type and the vulnerability types of the software under test.
First determine the type of the software under test and the vulnerability types to focus on, since the probability of each vulnerability type differs between software types: for web browsers, memory leak vulnerabilities and the like need attention; for operating system kernels, buffer overflow, null pointer dereference and integer overflow vulnerabilities and the like need attention.
22) Search the vulnerability cause knowledge base for the vulnerability code information of the corresponding vulnerability types, obtain the corresponding vulnerability cause features from the knowledge base according to that information, match the features against the code of the software under test, and find the regions of that code in which a vulnerability may exist.
Specifically, the vulnerability code information of the vulnerability types of interest is found in the knowledge base and analysed type by type; the cause features from the knowledge base are then matched against the code under test using string matching, regular expression matching and similar methods, yielding the regions of the code under test in which a vulnerability may exist. For example, if the cause feature of a buffer overflow vulnerability code is the strcpy() function, string matching is used to find the line numbers at which strcpy() is called in the code under test; those lines are the regions in which a vulnerability may exist.
In step 3), software test cases are selected according to the vulnerability regions of the software under test, and directed grey-box fuzzing of the software is performed.
The step comprises:
31) Determine the initial seeds of the directed grey-box fuzzing, the initial seeds being its initial test cases;
32) Generate the control flow graph of the software under test, obtain the key basic blocks, i.e. the basic blocks that contain a vulnerability region, and instrument the key basic blocks;
33) For the program execution path triggered by a test case, obtain the number of key basic blocks among the basic blocks on that path;
34) From the number of key basic blocks obtained, compute the weight of the directed grey-box fuzzing test case;
35) Take the test case with the largest weight as the seed for the next round of directed grey-box fuzzing and return to step 33);
36) Stop when the user manually terminates the run or the preset test time is reached; the directed grey-box fuzzing of the software under test guided by software vulnerability causes is thereby accomplished.
In implementation, the vulnerability POCs stored in the knowledge base for the vulnerability codes whose cause features identified the vulnerability regions of the software under test in the previous step are first taken as the initial seeds (initial test cases) of the directed grey-box fuzzing; if all of those POCs are empty, a number of files of the input type accepted by the software under test are crawled from the network and used as the initial seeds. Then the control flow graph of the software under test is generated: each node of the graph is a basic block, i.e. a sequence of code executed in order, and each directed edge represents one control flow transfer in the program; the basic blocks containing the identified vulnerability regions are the key basic blocks and are instrumented. Each test case is then assigned a weight, where the larger the weight, the higher the probability of discovering a vulnerability. Let s denote an input test case, I the set of all directed grey-box fuzzing test cases, and N_s the number of key basic blocks passed through on the program execution path of test case s. The weight w_s of the directed grey-box fuzzing test case s is computed from N_s together with N_{s'}, the number of key basic blocks passed through on the execution path of each other test case s' in I (s' ≠ s).
Then the test case with the largest weight is selected as the seed for the next round: the larger the weight, the more likely the test case is to trigger a vulnerability, and mutated test cases are generated from it so that the test cases are guided towards covering the potential vulnerability regions.
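The seed scheduling of steps 32) to 35), as an added example that is not part of the patent: a control flow graph is given as basic blocks with line ranges, the blocks containing the lines flagged by cause-feature matching become key basic blocks, N_s is counted from each test case's execution trace, and the case with the largest weight is chosen as the next seed. The CFG, the flagged lines and the traces are constructed for illustration, and the concrete weighting formula (N_s normalised by the sum of N over all cases in I) is this example's assumption, since the text only states that w_s is computed from N_s and the N_{s'} of the other cases.

```python
"""Key-basic-block weighting and seed selection for directed grey-box fuzzing (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class BasicBlock:
    """A node of the control flow graph: straight-line code spanning first_line..last_line."""
    bb_id: str
    first_line: int
    last_line: int
    successors: Tuple[str, ...]


def key_basic_blocks(cfg: Iterable[BasicBlock], vuln_lines: Set[int]) -> Set[str]:
    """Step 32: a basic block is key when its line range contains a flagged vulnerability line."""
    return {bb.bb_id for bb in cfg
            if any(bb.first_line <= ln <= bb.last_line for ln in vuln_lines)}


def count_key_blocks(trace: List[str], key_bbs: Set[str]) -> int:
    """Step 33: N_s, the number of distinct key basic blocks on the execution path of a test case.
    Counting distinct blocks rather than hits is this example's choice, so that looping over a
    key block does not inflate the weight."""
    return len(set(trace) & key_bbs)


def seed_weights(traces: Dict[str, List[str]], key_bbs: Set[str]) -> Dict[str, float]:
    """Step 34: w_s for every test case s in I.  The formula used here, N_s divided by the sum
    of N over all test cases, is an assumption of this example and not the patent's formula."""
    n = {s: count_key_blocks(t, key_bbs) for s, t in traces.items()}
    total = sum(n.values())
    if total == 0:                     # no test case has reached a vulnerability region yet
        return {s: 0.0 for s in traces}
    return {s: n_s / total for s, n_s in n.items()}


def select_next_seed(traces: Dict[str, List[str]], key_bbs: Set[str]) -> Optional[str]:
    """Step 35: the test case with the largest weight becomes the next seed.  Returns None when
    no test case reached a key basic block, so the caller can fall back to coverage feedback."""
    weights = seed_weights(traces, key_bbs)
    best = max(weights, key=lambda s: (weights[s], s))   # deterministic tie-break on the name
    return best if weights[best] > 0.0 else None


# Constructed CFG of a small program: basic blocks with hypothetical source line ranges.
CFG = [
    BasicBlock("bb0", 1, 3, ("bb1", "bb2")),
    BasicBlock("bb1", 4, 6, ("bb4",)),
    BasicBlock("bb2", 8, 10, ("bb3", "bb4")),
    BasicBlock("bb3", 13, 16, ("bb3", "bb4")),
    BasicBlock("bb4", 18, 21, ()),
]
# Lines flagged as vulnerability regions by cause-feature matching (constructed: a division on
# line 9 and a free() on line 14).
VULN_LINES = {9, 14}
# Constructed execution traces, one per test case, as the instrumented blocks would report them.
TRACES = {
    "seed_a": ["bb0", "bb1", "bb4"],
    "seed_b": ["bb0", "bb2", "bb4"],
    "seed_c": ["bb0", "bb2", "bb3", "bb3", "bb4"],
}

if __name__ == "__main__":
    key = key_basic_blocks(CFG, VULN_LINES)
    for s, w in seed_weights(TRACES, key).items():
        print(f"{s}: N_s={count_key_blocks(TRACES[s], key)} w_s={w:.3f}")
    print("next seed:", select_next_seed(TRACES, key))
```

With these inputs bb2 and bb3 are the key blocks, seed_c covers both of them and is selected; seed_a, which never reaches a vulnerability region, receives weight 0 and would only be kept for its path coverage.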
In a second aspect, an embodiment of the invention provides a directed grey-box fuzzing device guided by a software vulnerability knowledge base, comprising a vulnerability cause knowledge base construction module, a vulnerability region identification module, a test case selection module and a fuzzing module, wherein:
The vulnerability cause knowledge base construction module builds the vulnerability cause knowledge base from published vulnerability information by extracting vulnerability causes; the knowledge base is structured as quadruples of vulnerability type, vulnerability code, vulnerability POC and vulnerability cause feature, and is used to identify vulnerability regions in the code under test.
The vulnerability region identification module matches the vulnerability cause features in the knowledge base against the software under test and identifies the regions of the code under test in which a vulnerability may exist.
The test case selection module selects the test cases covering the potential vulnerability regions; its selection strategy is based on the number of key basic blocks covered.
The fuzzing module performs directed grey-box fuzzing of the software under test with the selected test cases.
In a third aspect, an embodiment of the invention provides an electronic device comprising a processor, a memory, a bus, and a computer program stored on the memory and executable on the processor;
the processor and the memory communicate with each other through the bus;
and the processor, when executing the computer program, implements the directed grey-box fuzzing device described above.
In a fourth aspect, embodiments of the invention provide a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the method described above.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides a directed fuzzing method and device guided by software vulnerability causes in the field of software security testing. The method obtains published vulnerability information, extracts the features in the vulnerability code that affect the vulnerability cause, and processes the collected information to construct a software code vulnerability cause knowledge base; it then matches the vulnerability cause features against the code of the software under test using string matching and similar methods to find the regions in which vulnerabilities may exist; finally it selects test cases according to those vulnerability regions and performs fuzzing. Because the regions of the software in which vulnerabilities may exist are analysed in advance, directed grey-box fuzzing finds the software's vulnerabilities faster, and the effectiveness of directed fuzzing is improved.
Drawings
FIG. 1 is a block flow diagram of the directed grey-box fuzzing method guided by software vulnerability causes according to an embodiment of the invention.
FIG. 2 is a flowchart of the construction of the vulnerability cause knowledge base in the directed grey-box fuzzing method guided by software vulnerability causes according to an embodiment of the invention.
FIG. 3 is a block diagram of the directed grey-box fuzzing device guided by software vulnerability causes according to an embodiment of the invention.
FIG. 4 is a schematic structural diagram of an electronic device for directed grey-box fuzzing guided by software vulnerability causes according to an embodiment of the invention.
Detailed Description
The invention is further described below by way of examples with reference to the accompanying drawings, which in no way limit its scope.
The invention provides a directed fuzzing method and device guided by software vulnerability causes.
Fig. 1 shows a directed grey-box fuzzing method guided by software vulnerability causes, comprising the following steps S11 to S13:
S11. Constructing the software code vulnerability cause knowledge base
As shown in Fig. 2, published software security vulnerability information is first obtained. Vulnerability information from CVE (Common Vulnerabilities and Exposures), NVD (National Vulnerability Database), CWE (Common Weakness Enumeration), CNNVD (China National Vulnerability Database of Information Security), CNVD (China National Vulnerability Database), GitHub and the like is collected from multiple sources on the network by a web crawler; it comprises the vulnerability type, the vulnerability POC (Proof of Concept) and the vulnerability code, the latter being a code fragment containing a known vulnerability or a complete vulnerable program. The vulnerability information is then merged, de-duplicated and screened, and any errors found are corrected.
The vulnerabilities are then classified by type. The vulnerability types include, but are not limited to, buffer overflow, integer overflow, division by zero, array out-of-bounds access, format string, use-after-free, double free, null pointer dereference, improper input validation, assertion failure, out-of-memory and memory leak, and can be further divided into finer types; for example, buffer overflows can be divided into heap overflow, stack overflow and data segment overflow. At the same time, the vulnerable code from the NIST Juliet Test Suite, a large collection of C/C++ programs containing known vulnerabilities, is added to the software code vulnerability knowledge base.
Finally the vulnerability cause features are extracted. Static analysis is performed on the vulnerability code to find the vulnerability point and identify the specific location in the code that gives rise to the vulnerability. Most published vulnerability information already marks the vulnerability position (the location of the vulnerability point); unlabelled vulnerability code is processed with a static analysis tool such as Cppcheck, which outputs a report including the location and line number of the vulnerability point.
Then the features in the vulnerability code that affect the vulnerability cause are extracted. This is done by locating the vulnerability point, processing the code statement at that point, identifying the vulnerability type found by fuzzing, and extracting a vulnerability identifier as the cause feature, which is handled differently per vulnerability type:
(1) Vulnerabilities caused by function misuse. The specific arguments of the function in the vulnerability point statement are deleted or replaced, and the function name is retained as the cause feature. For example, a buffer overflow occurs when strcpy() is used without comparing the size of the destination buffer with that of the source string; the vulnerability point statement is strcpy(dest, src), the arguments dest and src are removed, and strcpy() is extracted as the cause feature of that vulnerability code.
(2) Vulnerabilities caused by a zero divisor. The division expression in the vulnerability point statement is converted into a regular expression, which serves as the cause feature. For example, the statement int r = m / n crashes the program when the denominator n is zero; the regular expression int\s+(\w+)\s*=\s*(\w+)\s*/\s*(\w+) derived from it is the cause feature of that vulnerability code.
(3) Integer overflow vulnerabilities. The integer arithmetic in the vulnerability point statement is converted into a regular expression, which serves as the cause feature. For example, with int a = INT_MAX the statement int b = a + 1 overflows and the program misbehaves; the regular expression int\s+(\w+)\s*=\s*(\w+)\s*\+\s*(\w+) derived from int b = a + 1 is the cause feature of that vulnerability code.
(4) Array out-of-bounds vulnerabilities. The regular expression of the array operation statement serves as the cause feature. For example, after int array[3] = {1, 2, 3}, the statement array[5] = 10 writes past the end of the array and crashes the program; the regular expression \b(\w+)\s*\[\s*(\w+)\s*\]\s*= derived from the element assignment array[5] = 10 is the cause feature of that vulnerability code.
(5) Assertion failure vulnerabilities. The specific arguments in the vulnerability point statement are deleted or replaced and the assertion operation is kept as the cause feature. For example, after int x = 5 an assertion whose condition does not hold for the actual value of x fails; assert() is extracted as the cause feature of that vulnerability code.
(6) Vulnerabilities caused by improper memory operations, including double free, use-after-free and memory leak. The specific arguments of the function in the vulnerability point statement are deleted and the name of the memory-management function is retained as the cause feature. For example, the double free vulnerability point statement is free(ptr), which releases memory that has already been released and corrupts memory management; the argument ptr is removed and the function free() is the cause feature. The memory leak vulnerability point statement is int *ptr = malloc(sizeof(int)), where the dynamically allocated memory is never released; the function malloc() is extracted as the cause feature of that vulnerability code.
(7) Vulnerabilities caused by incorrect pointer use. The specific arguments of the function in the vulnerability point statement are deleted and the name of the function operating on the pointer is retained as the cause feature. For example, the null pointer vulnerability point statement is int *invalidPtr = NULL; free(invalidPtr), which releases a pointer that does not refer to a valid allocation; the argument invalidPtr is removed and free() is extracted as the cause feature of that vulnerability code. (Note that free(NULL) by itself is defined as a no-op by the C standard; the pattern is meant to flag releases through pointers that are null or otherwise invalid at the call site.)
The vulnerability cause knowledge base is structured as quadruples of vulnerability type, vulnerability code, vulnerability POC and vulnerability cause feature, and the specific information is stored in the knowledge base, as shown in the following table:
S12, identifying the vulnerability regions of the software code under test according to the vulnerability-cause features.
21) Determining the software type and the vulnerability types of the software under test
First, the type of the software under test and the vulnerability types of concern are determined, because the probability of each vulnerability type differs between software types. For web browsers such as Mozilla Firefox, attention is paid to memory leak vulnerabilities and the like; for operating system kernels such as the iOS kernel, attention is paid to buffer overflow vulnerabilities, null-pointer dereference vulnerabilities, integer overflow vulnerabilities and the like;
22) Searching the software vulnerability-cause knowledge base for the vulnerability code information of the corresponding vulnerability types; obtaining the corresponding vulnerability-cause features from the software code vulnerability-cause knowledge base according to the vulnerability code information, and matching them against the software code under test to find the regions of the code under test where a vulnerability may exist.
Specifically, the vulnerability code information of the vulnerability types of concern is found in the software vulnerability knowledge base and analyzed class by class, and the vulnerability-cause features are then matched against the code under test. For example, if the vulnerability-cause feature of a certain buffer overflow vulnerability code is the strcpy() function, the line numbers at which strcpy() occurs are searched for in the code under test; these lines are the regions where the vulnerability may exist. Specifically, each line is searched with a string matching method, and the line number of each matching line in the code is output.
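As an added illustration (not code from the patent), the quadruple knowledge base of S11 and the string/regex matching of step 22 can be sketched in Python; the C program under test, the knowledge base entries, the strcpy POC and the divide-by-zero pattern are all constructed for this example.

```python
"""Added example (not from the patent): a vulnerability-cause knowledge base in the
quadruple form described above, and string/regex matching of its cause features
against C source to report candidate vulnerability regions by line number."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CauseEntry:
    vuln_type: str   # vulnerability type
    vuln_code: str   # statement at the vulnerability point
    poc: str         # vulnerability POC used as the initial seed; "" if none is known
    feature: str     # vulnerability-cause feature: a function name or a regular expression
    is_regex: bool   # True when `feature` is a regular expression


# Constructed knowledge base. Entries follow the page's extraction rules: a bare
# function name for the misuse / memory / pointer types, a regex for the arithmetic
# and array types. The strcpy POC is a constructed over-long input.
KNOWLEDGE_BASE = [
    CauseEntry("buffer overflow", "strcpy(buf, input);", "A" * 300, "strcpy", False),
    CauseEntry("double free", "free(ptr); free(ptr);", "", "free", False),
    CauseEntry("memory leak", "int *ptr = malloc(sizeof(int));", "", "malloc", False),
    CauseEntry("integer overflow", "int b = a + 1;", "",
               r"int\s+(\w+)\s*=\s*(\w+)\s*\+\s*(\w+)", True),
    CauseEntry("array out-of-bounds", "array[5] = 10;", "",
               r"\b(\w+)\s*\[\s*(\w+)\s*\]\s*=", True),
    # The divide-by-zero pattern is constructed; the page gives the rule, not the regex.
    CauseEntry("divide by zero", "int c = a / b;", "", r"\b(\w+)\s*/\s*(\w+)", True),
]


def _compile(entry: CauseEntry) -> re.Pattern:
    """A function-name feature is matched as a call: the name followed by '('."""
    if entry.is_regex:
        return re.compile(entry.feature)
    return re.compile(r"\b" + re.escape(entry.feature) + r"\s*\(")


def select_by_vuln_types(kb: list[CauseEntry], wanted: set[str]) -> list[CauseEntry]:
    """Steps 21/22: keep only the vulnerability types of concern for this software type."""
    return [e for e in kb if e.vuln_type in wanted]


def find_candidate_regions(source: str, kb: list[CauseEntry] = KNOWLEDGE_BASE):
    """Step 22: return (line_no, vuln_type, feature) for every source line that matches
    a cause feature. These are candidate regions for the fuzzer to target, not confirmed
    bugs: a harmless declaration that fits the pattern is reported as well."""
    compiled = [(e, _compile(e)) for e in kb]
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for entry, pattern in compiled:
            if pattern.search(code):
                hits.append((line_no, entry.vuln_type, entry.feature))
    return hits


# Constructed C program under test; it contains the page's example statements.
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

int main(int argc, char **argv) {
    char buf[16];
    int array[3] = {1, 2, 3};
    int a = INT_MAX;
    int b = a + 1;              // integer overflow
    int *ptr = malloc(sizeof(int));
    strcpy(buf, argv[1]);       // unbounded copy
    array[5] = 10;
    free(ptr);
    free(ptr);
    return 0;
}
"""

if __name__ == "__main__":
    for line_no, vuln_type, feature in find_candidate_regions(SAMPLE_SOURCE):
        print(f"line {line_no:>2}: {vuln_type:<20} matched feature {feature}")
```

Line 8 (the array declaration) is reported alongside the real out-of-bounds write on line 13, which is why the matched lines are treated as regions to steer the fuzzer toward rather than as findings.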
S13, selecting test cases according to the vulnerability regions of the software under test, and performing directed gray-box fuzzing of the software.
31) Determining the initial seeds of the directed gray-box fuzzing, the initial seeds being the initial test cases of the directed gray-box fuzzing;
32) Generating the control flow graph of the software under test, obtaining the key basic blocks that contain the vulnerability regions, and instrumenting the key basic blocks;
33) Obtaining the number of key basic blocks among all the basic blocks on the program execution path triggered by a test case;
34) Calculating the weight of the directed gray-box fuzz test case from the number of key basic blocks obtained;
35) Taking the test case with the largest weight as the seed of the next round of directed gray-box fuzzing, and returning to step 33);
36) When the user stops the test manually or the preset test time is reached, the operation ends; this realizes directed gray-box fuzzing of the software under test guided by software vulnerability causes.
First, the corresponding vulnerability POC in the vulnerability-cause knowledge base is taken as the initial seed (initial test case) of the directed gray-box fuzzing; if the vulnerability POC is empty, a certain number of files of the software's input type are crawled as the initial seeds (initial test cases) according to the input type of the software under test;
Then, tools such as angr and IDA Pro are used to generate the control flow graph of the software under test. A node of the control flow graph is a section of code that executes sequentially, and each directed edge represents one control flow transfer in the program; each node of the control flow graph is called a basic block, and a basic block that contains a vulnerability region is called a key basic block. The key basic blocks are instrumented with LLVM tools, and test cases are selected based on the key basic block coverage (the number of key basic blocks passed on the execution path of the test case). Specifically, the number of key basic blocks among all the basic blocks on the program path triggered by a test case is obtained and a corresponding weight is assigned to the test case; the larger the weight, the larger the probability of discovering a vulnerability. Let s denote an input test case, I the set of all test cases in the test case queue, and a further symbol the number of key basic blocks passed on the program execution path of test case s; the weight of the test case is then calculated by the following formula:
where the quantities in the formula are, respectively, the weight of the directed gray-box fuzz test case; a test case in I other than s; and the number of key basic blocks passed on the execution path of that test case.
Then, a test case with a large weight is selected as the seed of the next round; the larger the weight, the more likely the test case is to trigger the vulnerability, and mutated test cases are generated from it to guide the test toward covering the potential vulnerability regions.
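An added Python sketch (not the patent's implementation) of steps 33 to 35: a toy instrumented target with constructed block names stands in for the LLVM-instrumented binary and its control flow graph, the mutation operators are deterministic stand-ins, and because the weight formula is not reproduced in this text, the weight is assumed to be the key-block count divided by the total count over the queue.

```python
"""Added example (not from the patent): seed selection for directed gray-box fuzzing
by key-basic-block coverage (steps 33-35), driven against a toy instrumented target."""
from typing import Callable

# Key basic blocks: CFG nodes that contain a line flagged by the cause-feature match.
# Block names are constructed for the toy target below.
KEY_BLOCKS = frozenset({"copy_long", "add_ints", "index_array"})


def run_instrumented_target(data: bytes) -> list[str]:
    """Toy stand-in for an LLVM-instrumented binary: returns the basic blocks executed.
    In practice this trace comes from the instrumentation inserted in step 32."""
    trace = ["entry"]
    if len(data) > 16:
        trace.append("copy_long")     # key block: holds strcpy(buf, input)
    else:
        trace.append("copy_short")
    if data[:1] == b"+":
        trace.append("add_ints")      # key block: holds int b = a + 1
    elif data[:1] == b"[":
        trace.append("index_array")   # key block: holds array[5] = 10
    trace.append("exit")
    return trace


Runner = Callable[[bytes], list[str]]


def key_block_count(trace: list[str]) -> int:
    """Step 33: number of key basic blocks on the executed path (each counted once)."""
    return len(KEY_BLOCKS.intersection(trace))


def weights(queue: list[bytes], run: Runner = run_instrumented_target) -> list[float]:
    """Step 34. The patent's exact formula is not reproduced in the text, so this
    assumes the weight is the case's key-block count divided by the total count over
    the whole queue; it keeps the stated property that more key blocks = larger weight."""
    counts = [key_block_count(run(s)) for s in queue]
    total = sum(counts)
    if total == 0:                      # no case reaches a key block yet: uniform
        return [1.0 / len(queue)] * len(queue)
    return [c / total for c in counts]


def select_next_seed(queue: list[bytes], run: Runner = run_instrumented_target) -> bytes:
    """Step 35: the test case with the largest weight seeds the next round
    (the earliest case wins ties, so a seed is kept over a mutant that gains nothing)."""
    w = weights(queue, run)
    return queue[max(range(len(queue)), key=w.__getitem__)]


def mutate(seed: bytes) -> list[bytes]:
    """Deterministic stand-in for the fuzzer's mutation operators (constructed)."""
    return [b"+" + seed, b"[" + seed, seed + b"A" * 16, seed[:8]]


def fuzz(initial_seed: bytes, rounds: int,
         run: Runner = run_instrumented_target) -> list[tuple[bytes, int]]:
    """Steps 33-35 repeated until the preset budget is spent (step 36). The initial
    seed is the knowledge base's POC when one exists. Returns the seed chosen in each
    round together with the number of key basic blocks on its path."""
    history = []
    seed = initial_seed
    for _ in range(rounds):
        queue = [seed] + mutate(seed)
        seed = select_next_seed(queue, run)
        history.append((seed, key_block_count(run(seed))))
    return history


if __name__ == "__main__":
    for rnd, (seed, n) in enumerate(fuzz(b"A" * 20, 3), start=1):
        print(f"round {rnd}: seed={seed[:12]!r}... key blocks on path={n}")
```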
Fig. 3 is a block diagram of a directed gray-box fuzzing device based on software vulnerability code according to an embodiment of the present invention; the device includes a vulnerability-cause knowledge base module 21, a vulnerability region identification module 22, a test case selection module 23 and a fuzzing module 24. Wherein:
The vulnerability-cause knowledge base module constructs the vulnerability-cause knowledge base from the published vulnerability information and the extracted vulnerability causes; the knowledge base is structured as a quadruple of vulnerability type, vulnerability code, vulnerability POC and vulnerability-cause feature, and is used for inferring the vulnerability regions of the code under test.
The vulnerability region identification module matches the vulnerability-cause features in the vulnerability-cause knowledge base against the software under test, and is used for identifying the regions of the code under test where a vulnerability exists.
The test case selection module is used for selecting the test cases that cover the potential vulnerability regions. Its selection strategy is based on the key basic block coverage: the number of key basic blocks among all the basic blocks on the program path triggered by a test case is obtained and a corresponding weight is assigned to the test case; the larger the weight, the larger the probability of discovering a vulnerability.
The fuzzing module is used for performing directed fuzzing of the software under test with the selected test cases.
The invention discloses a directed fuzzing method and device guided by software vulnerability causes, and relates to the field of software security testing. The method comprises the following steps: acquiring published vulnerability knowledge information and processing it to construct a software code vulnerability knowledge base; extracting the features that affect the vulnerability cause from the vulnerability code, matching the vulnerability-cause features in the vulnerability-cause knowledge base against the code of the software under test by methods such as string matching, and identifying the regions where a vulnerability may exist; and finally selecting test cases according to the vulnerability regions of the software under test and performing fuzzing. The method can analyze the regions of the software where vulnerabilities may exist, so that directed gray-box fuzzing finds the software's vulnerabilities more quickly, and the effectiveness of directed fuzzing of the software is improved.
Fig. 3 shows that an embodiment of the present invention provides an electronic device, comprising: a processor 31, a memory 32, a bus 33,
and a computer program stored on the memory and executable on the processor;
the processor and the memory communicate with each other through the bus;
when executing the computer program, the processor implements a method as described above, for example comprising: acquiring published vulnerability knowledge information, extracting the features that affect the vulnerability cause from the vulnerability code, processing the collected information, labelling the vulnerability-cause features, and constructing a software code vulnerability-cause knowledge base; then matching the vulnerability-cause features against the code of the software under test by methods such as string matching, and identifying the regions where a vulnerability may exist; and finally selecting test cases according to the vulnerability regions of the software under test and performing fuzzing.
Embodiments of the present invention provide a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as described above, for example comprising: acquiring published vulnerability knowledge information, extracting the features that affect the vulnerability cause from the vulnerability code, processing the collected information, labelling the vulnerability-cause features, and constructing a software code vulnerability-cause knowledge base; then matching the vulnerability-cause features against the code of the software under test by methods such as string matching, and identifying the regions where a vulnerability may exist; and finally selecting test cases according to the vulnerability regions of the software under test and performing directed fuzzing.
It should be noted that the purpose of the disclosed embodiments is to aid further understanding of the present invention, but those skilled in the art will appreciate that: various alternatives and modifications are possible without departing from the scope of the invention and the appended claims. Therefore, the invention should not be limited to the disclosed embodiments, but rather the scope of the invention is defined by the appended claims.

Claims (8)

1. A software vulnerability cause guided directed gray-box fuzzing method, characterized by comprising the following steps:
1) Extracting software vulnerability-cause features and constructing a software code vulnerability-cause knowledge base, comprising the following steps:
11) Acquiring published software security vulnerability information;
12) Merging, de-duplicating, screening and correcting the software security vulnerability information;
13) Classifying the software security vulnerabilities to obtain the corresponding vulnerability types;
14) Extracting vulnerability-cause features for the different vulnerability types, comprising the following steps:
141) Finding the software vulnerability point, i.e. identifying the position in the vulnerability code that causes the vulnerability, namely the position of the vulnerability point;
142) Locating the position of the software vulnerability point, processing the corresponding code statement, and extracting vulnerability identifiers for the different vulnerability types as the vulnerability-cause features, covering: vulnerabilities caused by function misuse; vulnerabilities caused by a zero divisor; integer overflow vulnerabilities; array out-of-bounds vulnerabilities; assertion failure vulnerabilities; vulnerabilities caused by improper memory operations; vulnerabilities caused by pointer misuse;
15) The vulnerability-cause knowledge base is structured as a quadruple of vulnerability type, vulnerability code, vulnerability POC and vulnerability-cause feature, and the software code vulnerability-cause knowledge base is generated from the corresponding data;
2) Identifying the vulnerability regions of the software under test according to the vulnerability-cause features, comprising the following steps:
21) Determining the software type and the corresponding vulnerability types of the software under test;
22) Obtaining the vulnerability code information of the corresponding vulnerability types from the software code vulnerability-cause knowledge base; obtaining the corresponding vulnerability-cause features from the software code vulnerability-cause knowledge base according to the vulnerability code information, matching the vulnerability-cause features against the software code under test, and finding the vulnerability regions in the software code under test; specifically, a string matching method or a regular expression matching method is used to find the regions of the software code under test where a vulnerability may exist;
3) Selecting directed gray-box fuzz test cases according to the vulnerability regions of the software under test, and performing directed gray-box fuzzing, comprising the following steps:
31) Determining the initial seeds of the directed gray-box fuzzing, the initial seeds being the initial test cases of the directed gray-box fuzzing;
32) Generating the control flow graph of the software under test, obtaining the key basic blocks that contain the vulnerability regions, and instrumenting the key basic blocks;
33) Obtaining the number of key basic blocks among all the basic blocks on the program execution path triggered by a test case;
34) Calculating the weight of the directed gray-box fuzz test case from the number of key basic blocks obtained;
the weight of the directed gray-box fuzz test case is calculated according to the following formula:
where s denotes an input test case, I denotes the set of all directed gray-box fuzz test cases, and the remaining symbols denote, respectively, the number of key basic blocks passed on the program execution path of test case s; the weight of the directed gray-box fuzz test case; a test case in I other than s; and the number of key basic blocks passed on the execution path of that test case.
2. The software vulnerability cause guided directed gray-box fuzzing method according to claim 1, wherein in step 11) the vulnerability information includes the vulnerability type, the vulnerability POC and the vulnerability code; the vulnerability code includes a code segment of the software, or a complete program of the software, that contains a known vulnerability.
3. The method of claim 1, wherein the vulnerability types include, but are not limited to, buffer overflow, integer overflow, divide-by-zero, array out-of-bounds, format string, use-after-free, double free, null-pointer dereference, improper input validation, assertion failure, memory overflow and memory leak vulnerability types.
4. The software vulnerability cause guided directed gray-box fuzzing method of claim 3, further comprising subdividing the vulnerability types; the subdivided types of the buffer overflow vulnerability include heap overflow vulnerabilities, stack overflow vulnerabilities and data segment overflow vulnerabilities.
5. The software vulnerability cause guided directed gray-box fuzzing method according to claim 1, wherein the position of the software vulnerability point is obtained by processing the software code with the static analysis tool Cppcheck to obtain the position and line number information of the software vulnerability point.
6. The software vulnerability cause guided directed gray-box fuzzing method as set forth in claim 1, wherein in step 142) vulnerability identifiers are extracted for the different vulnerability types as the vulnerability-cause features, comprising the following cases:
the case of vulnerabilities caused by function misuse: for the buffer overflow, format string and improper input validation vulnerability types, the names of the functions in the vulnerability-point code statement are taken as the vulnerability-cause features;
the case of vulnerabilities caused by a zero divisor: the code statement whose divisor is zero is converted into a regular expression, and the regular expression is taken as the vulnerability-cause feature;
the case of integer overflow vulnerabilities: the code statement that calculates the integer is converted into a regular expression, and the regular expression is taken as the vulnerability-cause feature;
the case of vulnerabilities caused by array out-of-bounds access: the regular expression of the array operation statement is taken as the vulnerability-cause feature;
the case of vulnerabilities caused by assertion failure: the parameters in the vulnerability-point code statement are deleted, and the assertion operation is taken as the vulnerability-cause feature;
the case of vulnerabilities caused by improper memory operations: for the double-free, use-after-free and memory leak vulnerability types, the function parameters of the vulnerability-point code statement are deleted, and the names of the memory operation functions are taken as the vulnerability-cause features;
the case of vulnerabilities caused by pointer misuse: for the null-pointer dereference vulnerability type, the function parameters of the vulnerability-point code statement are replaced, and the name of the function operating on the pointer is taken as the vulnerability-cause feature.
7. A directed gray-box fuzzing device implementing the software vulnerability cause guided directed gray-box fuzzing method of claim 1, comprising: a vulnerability-cause knowledge base construction module, a vulnerability region identification module, a test case selection module and a fuzzing module; wherein:
the vulnerability-cause knowledge base module constructs the knowledge base from the published vulnerability information and the extracted vulnerability causes, the vulnerability-cause knowledge base being structured as a quadruple of vulnerability type, vulnerability code, vulnerability POC and vulnerability-cause feature; the constructed vulnerability-cause knowledge base is used for identifying the vulnerability regions of the code under test;
the vulnerability region identification module matches the vulnerability-cause features in the vulnerability-cause knowledge base against the software under test and is used for identifying the regions of the code under test where a vulnerability exists;
the test case selection module is used for selecting the test cases that cover the potential vulnerability regions, and assigns a corresponding weight to each test case according to the number of key basic blocks among all the basic blocks on the program path triggered by the test case;
and the fuzzing module is used for performing directed gray-box fuzzing of the software under test according to the selected test cases.
8. An electronic device, comprising: a processor, a memory, a bus, and a computer program stored on the memory and executable on the processor;
the processor and the memory communicate with each other through the bus;
the directed gray-box fuzzing device of claim 7 is implemented when the processor executes the computer program.
CN202310686869.5A 2023-06-12 2023-06-12 Directional dust box fuzzy test method and device based on software vulnerability cause guidance Active CN116451244B (en)

Publications (2)

Publication Number Publication Date
CN116451244A CN116451244A (en) 2023-07-18
CN116451244B true CN116451244B (en) 2023-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant