CN116541294A - Fuzzy test system and method based on symbol execution - Google Patents

Fuzz testing system and method based on symbolic execution

Info

Publication number
CN116541294A
Authority
CN
China
Prior art keywords
test
module
new
fuzzy
path
Prior art date
Legal status
Granted
Application number
CN202310563313.7A
Other languages
Chinese (zh)
Other versions
CN116541294B (en)
Inventor
汪毅
王骁
陈江楠
Current Assignee
Shanghai Anban Information Technology Co ltd
Original Assignee
Shanghai Anban Information Technology Co ltd
Priority date
Filing date
Publication date
Events
    • Application filed by Shanghai Anban Information Technology Co ltd
    • Priority to CN202310563313.7A
    • Publication of CN116541294A
    • Application granted
    • Publication of CN116541294B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • G06F11/36 Preventing errors by testing or debugging software (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring)
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G06F11/3696 Methods or tools to render software testable
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT])


Abstract

The invention provides a fuzz testing system and a fuzz testing method based on symbolic execution. An initialization module loads the target binary. A fuzz testing module automatically mutates test cases, feeds the mutated test cases to the target binary for execution to carry out fuzzing, and emits a "no new branch found" signal when the branch coverage state shows that no new branch has been found within a preset time. An iteration module obtains the branch coverage state and, on receiving the "no new branch found" signal, emits a signal to invoke the symbolic execution engine. A hybrid execution module receives that signal, executes the target binary symbolically, generates new test cases, and sends them to the fuzz testing module through the iteration module so as to reactivate fuzzing. By switching to symbolic execution when fuzzing stalls, the invention improves test efficiency.

Description

Fuzz testing system and method based on symbolic execution
Technical Field
Embodiments of the invention relate to the technical field of fuzz testing, and in particular to a fuzz testing system and a fuzz testing method based on symbolic execution.
Background
When existing fuzz testing techniques are used for software vulnerability discovery, the different paths that handle general inputs can be found quickly; that is, a fuzzer can produce inputs with many different values that trigger meaningful program behaviour. However, generating the specific inputs needed to pass complex checks in an application is very challenging for a fuzzer.
Therefore, in order to overcome these deficiencies of current software vulnerability discovery, it is necessary to design a fuzz testing system and method based on symbolic execution that solves the above problem.
Disclosure of Invention
The invention provides a fuzz testing system and a fuzz testing method based on symbolic execution that switch to symbolic execution when fuzzing stalls, thereby improving test efficiency.
An embodiment of the invention provides a fuzz testing system based on symbolic execution, comprising the following components:
an initialization module for loading the target binary;
a fuzz testing module that interacts with the initialization module, automatically mutates test cases, feeds the mutated test cases to the target binary to carry out fuzzing, and outputs a fuzzing result including the branch coverage state, emitting a "no new branch found" signal when the branch coverage state shows that no new branch has been found within the preset time;
an iteration module that interacts with the fuzz testing module to obtain the branch coverage state, and emits a signal to invoke a symbolic execution engine when it receives the "no new branch found" signal;
a hybrid execution module that interacts with the iteration module to obtain the signal to invoke the symbolic execution engine and, on receiving that signal, executes the target binary symbolically, identifies the path constraints that produce path branches, and generates new test cases satisfying different constraints from those path constraints; the new test cases are sent to the fuzz testing module through the iteration module to reactivate fuzzing.
Preferably, the concrete value state and the symbolic value state of the new test case are maintained simultaneously while the target binary is executed symbolically.
Preferably, identifying the path constraints that produce path branches includes collecting the conditional statements that produce path branches along the execution path of the new test case, organizing them into symbolic constraints, and deriving changes to the test case by constraint solving.
Preferably, the iteration module is further configured to record path exploration progress so as to synchronize code addresses between the fuzz testing module and the hybrid execution module.
Preferably, the initialization module is further configured to load an initial seed test case.
Preferably, when fuzzing the target binary, the fuzz testing module adds valid test cases to a seed set, generates new test cases from the test cases in the seed set using a genetic mutation algorithm, and fuzzes with them; valid test cases are those that crash the target under test or reach a new code branch.
Preferably, fuzzing the target binary by the fuzz testing module includes converting the target binary into an intermediate representation (IR) and translating the IR into machine code executable on the host architecture.
Preferably, generating new test cases satisfying different constraints from the path constraints includes, when a decision condition that determines a change in control flow is encountered on the test-case execution path, generating a new test case if reversing that condition finds a new state transition.
Preferably, generating new test cases satisfying different constraints from the path constraints further includes executing the test case on which fuzzing is stuck, collecting the path constraints along its execution path, reversing the condition decisions in the path constraints in order from the deepest to the shallowest point of the execution path to obtain a new path constraint, and solving the new path constraint to obtain the new test case; here the path constraint is the symbolic value held by the hybrid execution module and the new test case is its concrete value.
An embodiment of the invention also provides a fuzz testing method based on symbolic execution, comprising the following steps:
loading a target binary;
obtaining the target binary, fuzzing it with the fuzz testing module, and outputting a fuzzing result including the branch coverage state, emitting a "no new branch found" signal when the branch coverage state shows that no new branch has been found within a preset time;
obtaining the branch coverage state, and emitting a signal to invoke a symbolic execution engine when the iteration module receives the "no new branch found" signal;
obtaining the signal to invoke the symbolic execution engine, executing the target binary symbolically when that signal is received, identifying the path constraints that produce path branches, and generating new test cases satisfying different constraints from the path constraints, the new test cases being used to reactivate fuzzing.
Compared with the prior art, the technical solution of the embodiment of the invention has the following beneficial effects:
the fuzz testing system and method based on symbolic execution of the embodiment comprise an initialization module for loading the target binary; a fuzz testing module that interacts with the initialization module to obtain the target binary, fuzzes it, and outputs a fuzzing result including the branch coverage state, emitting a "no new branch found" signal when no new branch has been found within a preset time; an iteration module that interacts with the fuzz testing module to obtain the branch coverage state and emits a signal to invoke a symbolic execution engine when it receives the "no new branch found" signal; and a hybrid execution module that interacts with the iteration module to obtain that signal, executes the target binary symbolically, identifies the path constraints that produce path branches, generates new test cases satisfying different constraints from those path constraints, and sends them to the fuzz testing module through the iteration module to reactivate fuzzing. Because symbolic execution is invoked only when fuzzing has found no new branch within the preset time, and because the fuzzing priority is ordered according to the control-flow transitions discovered, inputs that drive execution down different paths are generated in future generations according to that priority, making test-case mutation more efficient;
further, symbolic execution guides the direction of mutation, which helps the fuzzer cross control-flow transition nodes whose conditions are hard to satisfy and reach new code blocks; fuzzing and symbolic execution are switched flexibly according to the real-time fuzzing results, so the code-block analysis of the target binary under ordinary inputs is completed at low computational cost;
further, the iteration module also records path exploration progress so as to synchronize code addresses between the fuzz testing module and the hybrid execution module, ensuring a smooth hand-over of tracing between the two test modes and avoiding analysis failures caused by mismatched execution addresses between symbolic execution and fuzzing;
furthermore, the initialization module also loads an initial seed test case, which effectively shortens the initialization phase of fuzzing.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the prior art, a brief description of the drawings is provided below, wherein it is apparent that the drawings in the following description are some, but not all, embodiments of the present invention. Other figures may be derived from these figures without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a schematic diagram of a fuzz testing system based on symbolic execution according to an embodiment of the present invention;
FIG. 2 is a test flow diagram of a fuzz testing system based on symbolic execution according to an embodiment of the present invention;
FIG. 3 is a flowchart of a fuzz testing method based on symbolic execution according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The technical scheme of the invention is described in detail below by specific examples. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Based on the problems in the prior art, an embodiment of the invention provides a fuzz testing system and a fuzz testing method based on symbolic execution that switch to symbolic execution when fuzzing stalls, thereby improving test efficiency.
Fig. 1 is a schematic structural diagram of a fuzz testing system based on symbolic execution according to an embodiment of the present invention, and fig. 2 is a test flow chart of the fuzz testing system based on symbolic execution according to an embodiment of the present invention.
Referring to figs. 1 and 2, an embodiment of the present invention provides a fuzz testing system based on symbolic execution, comprising:
an initialization module 11 for loading a target binary;
a fuzz testing module 12 that interacts with the initialization module 11, automatically mutates test cases, feeds the mutated test cases to the target binary to carry out fuzzing, and outputs a fuzzing result including the branch coverage state, emitting a "no new branch found" signal when the branch coverage state shows that no new branch has been found within the preset time;
an iteration module 13 that interacts with the fuzz testing module 12 to obtain the branch coverage state, and emits a signal to invoke a symbolic execution engine when it receives the "no new branch found" signal;
a hybrid execution module 14 that interacts with the iteration module 13 to obtain the signal to invoke the symbolic execution engine and, on receiving that signal, executes the target binary symbolically, identifies the path constraints that produce path branches, and generates new test cases satisfying different constraints from those path constraints; the new test cases are sent to the fuzz testing module 12 through the iteration module 13 to reactivate fuzzing.
Specifically, the initialization module 11 calls the I/O controller to load the target binary, transfers the target binary to the virtual machine of the fuzz testing module 12, generates an initial seed test case, uses that seed as the starting point of fuzzing, and guides subsequent seed mutation according to the test results.
In a specific implementation, the concrete value state and the symbolic value state of the new test case are maintained simultaneously while the target binary is executed symbolically.
The symbolic value state expresses the test case in terms of variables, and the concrete value state is one specific value from the solution set of the corresponding symbolic constraints. For illustration:
consider code that reads a number and reports whether it is a two-digit number (the number is less than 100 and greater than 9) and whether it is close to 100 (the number is greater than 50). The code operates on a variable n, which is first subjected to the decision condition `if (9 < n && n < 100)` and then to the decision condition `if (n > 50)`. When the program outputs "the number is two-digit and close to 100", the symbolic value state of the test case is "n < 100 and n > 50" and the concrete value states are 51, 52, 53, ..., 98, 99. As path constraints accumulate, the more symbolic value states a test case acquires through symbolic execution, the smaller the corresponding range of concrete value states becomes.
In a specific implementation, identifying the path constraints that produce path branches includes executing the test case on which fuzzing is stuck, collecting the path constraints along its execution path, inverting the condition decisions in the path constraints in order from the deepest to the shallowest point of the execution path to obtain a new path constraint, and solving the new path constraint to obtain the new test case; here the path constraint is the symbolic value held by the hybrid execution module and the new test case is its concrete value. That is, symbolic execution collects the path constraints along the execution path of the previously supplied test case, inverts individual collected constraints to obtain new path constraints, and uses constraint solving to obtain a test case different from the previous one, i.e. a new test case, thereby identifying an input that executes an unexplored path.
In a specific implementation, the iteration module is further configured to record path exploration progress so as to synchronize code addresses between the fuzz testing module and the hybrid execution module.
Specifically, GDB (the GNU Project Debugger) is used to trace the execution path of the fuzz test cases and monitor changes in fuzzing coverage.
In a specific implementation, the initialization module is further used to load an initial seed test case; loading an initial seed effectively shortens the initialization phase of fuzzing.
In a specific implementation, when fuzzing the target binary, the fuzz testing module adds valid test cases to a seed set, generates new test cases from the test cases in the seed set using a genetic mutation algorithm, and fuzzes with them; valid test cases are those that crash the target under test or reach a new code branch.
In implementations, fuzzing the target binary by the fuzz testing module includes converting the target binary into an intermediate representation (IR) and translating the IR into machine code executable on the host architecture. The fuzzer AFL (American Fuzzy Lop) is used; it takes the target binary as input and runs it dynamically under QEMU emulation. QEMU's dynamic code generator TCG (Tiny Code Generator) is used for instrumentation and coverage monitoring.
In a specific implementation, generating new test cases satisfying different constraints from the path constraints includes, when a decision condition that determines a change in control flow is encountered on the test-case execution path, generating a new test case if reversing that condition finds a new state transition. A state transition here means a change in control flow: during fuzzing, a test case already covers a certain code statement, and that statement satisfies a certain set of path constraints, i.e. a certain number of condition decisions. Fuzzing raises code coverage by mutating test cases, which is what produces state transitions. Using the path constraints collected for the test case by symbolic execution, a path constraint is reversed (in the numeric example above, the original n < 100 becomes n >= 100), constraint solving yields a new value of n, i.e. a new test case, and that test case is checked for whether it reaches a code branch not executed before; if it does, a control-flow state transition has been produced.
In a specific implementation, generating new test cases satisfying different constraints from the path constraints further includes executing the test case on which fuzzing is stuck, collecting the path constraints along its execution path, reversing the condition decisions in the path constraints in order from the deepest to the shallowest point of the execution path to obtain a new path constraint, and solving the new path constraint to obtain the new test case; here the path constraint is the symbolic value held by the hybrid execution module and the new test case is its concrete value. The path constraints are collected while the test case executes and new constraints are appended continuously as execution proceeds, so the individual conditions within the path constraint are ordered by the code execution sequence.
Specifically, the symbolic execution engine angr is used to trace the path of the test case on which the fuzzer is stuck.
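The concrete/symbolic state pair described above and the deep-to-shallow constraint reversal described here, as an added example that is not part of the patent: a toy concolic executor over the patent's own two-digit program. It assumes a single byte-sized input and replaces the SMT solver with an exhaustive search over 0..255 (both assumptions of this example, not of the patent; a real hybrid execution module would call a solver such as the one in angr).

```python
"""Toy concolic executor for the patent's two-digit example (added illustration).

Assumptions not taken from the patent: the program input is one byte-sized
integer, and an exhaustive search over 0..255 stands in for the SMT solver
that a hybrid execution module would normally call.
"""
import operator
from typing import Callable, Dict, List, Optional, Tuple

# Comparison operators used by the program under test.
OPS: Dict[str, Callable[[int, int], bool]] = {
    ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
}
# Operator to display when a branch predicate evaluated to False (n > 9 false => n <= 9).
NEG = {">": "<=", "<": ">=", ">=": "<", "<=": ">"}

# One path constraint: (op, k, taken) records that (n op k) evaluated to `taken`.
Constraint = Tuple[str, int, bool]

DOMAIN = range(0, 256)  # assumption: a single byte of input


class ConcolicInt:
    """Carries the concrete value state and the symbolic value state together."""

    def __init__(self, concrete: int) -> None:
        self.concrete = concrete
        self.path: List[Constraint] = []

    def cmp(self, op: str, k: int) -> bool:
        taken = OPS[op](self.concrete, k)
        self.path.append((op, k, taken))  # collect the constraint along the path
        return taken


def target(n: ConcolicInt) -> str:
    """The patent's example: if (9 < n && n < 100), then if (n > 50)."""
    if n.cmp(">", 9) and n.cmp("<", 100):
        if n.cmp(">", 50):
            return "two-digit and close to 100"
        return "two-digit"
    return "not a two-digit number"


def run(value: int) -> Tuple[str, List[Constraint]]:
    """Execute concretely on `value` while recording the path constraints."""
    n = ConcolicInt(value)
    return target(n), list(n.path)


def symbolic_state(path: List[Constraint]) -> str:
    """Render the symbolic value state, e.g. 'n > 9 and n < 100 and n > 50'."""
    return " and ".join(f"n {op if taken else NEG[op]} {k}" for op, k, taken in path)


def satisfies(value: int, path: List[Constraint]) -> bool:
    return all(OPS[op](value, k) == taken for op, k, taken in path)


def concrete_states(path: List[Constraint]) -> List[int]:
    """Every concrete value consistent with the symbolic state (51..99 for the example)."""
    return [v for v in DOMAIN if satisfies(v, path)]


def solve(path: List[Constraint]) -> Optional[int]:
    """Stand-in for constraint solving: smallest value in DOMAIN meeting every constraint."""
    for v in DOMAIN:
        if satisfies(v, path):
            return v
    return None


def negate_deep_to_shallow(path: List[Constraint]) -> List[List[Constraint]]:
    """Flip one branch decision at a time, deepest first, keeping the prefix leading to it."""
    variants = []
    for i in range(len(path) - 1, -1, -1):
        op, k, taken = path[i]
        variants.append(path[:i] + [(op, k, not taken)])
    return variants


def generate_new_cases(stuck_input: int) -> List[int]:
    """What the hybrid execution module does with a test case the fuzzer is stuck on."""
    _, path = run(stuck_input)
    new_cases: List[int] = []
    for variant in negate_deep_to_shallow(path):
        v = solve(variant)
        if v is not None and v not in new_cases:
            new_cases.append(v)
    return new_cases


def hybrid_campaign(seed: int) -> Dict[str, int]:
    """Program outputs (standing in for code branches) reached by the seed plus the new cases."""
    covered: Dict[str, int] = {}
    for v in [seed] + generate_new_cases(seed):
        out, _ = run(v)
        covered.setdefault(out, v)
    return covered


if __name__ == "__main__":
    out, path = run(55)
    print(out, "|", symbolic_state(path), "| concrete states:", concrete_states(path))
    print("new cases from stuck input 55:", generate_new_cases(55))
    print("coverage after one symbolic step:", hybrid_campaign(55))
```

Starting from the single seed 55 (which the fuzzer is assumed to be stuck on), one round of constraint reversal yields inputs for both remaining outputs, which is the hand-over from fuzzer to symbolic engine that the iteration module triggers.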
Fig. 3 illustrates the fuzz testing method based on symbolic execution according to an embodiment of the present invention. Referring to fig. 3, an embodiment of the present invention provides a fuzz testing method based on symbolic execution, comprising:
step S301: loading a target binary;
step S302: obtaining the target binary, fuzzing it with the fuzz testing module, and outputting a fuzzing result including the branch coverage state, emitting a "no new branch found" signal when the branch coverage state shows that no new branch has been found within a preset time;
step S303: obtaining the branch coverage state, and emitting a signal to invoke a symbolic execution engine when the iteration module receives the "no new branch found" signal;
step S304: obtaining the signal to invoke the symbolic execution engine, executing the target binary symbolically when that signal is received, identifying the path constraints that produce path branches, and generating new test cases satisfying different constraints from the path constraints, the new test cases being used to reactivate fuzzing.
In summary, the fuzz testing system and method based on symbolic execution of the embodiment comprise an initialization module for loading the target binary; a fuzz testing module that interacts with the initialization module to obtain the target binary, fuzzes it, and outputs a fuzzing result including the branch coverage state, emitting a "no new branch found" signal when no new branch has been found within a preset time; an iteration module that interacts with the fuzz testing module to obtain the branch coverage state and emits a signal to invoke a symbolic execution engine when it receives the "no new branch found" signal; and a hybrid execution module that interacts with the iteration module to obtain that signal, executes the target binary symbolically, identifies the path constraints that produce path branches, generates new test cases satisfying different constraints from those path constraints, and sends them to the fuzz testing module through the iteration module to reactivate fuzzing. Because symbolic execution is invoked only when fuzzing has found no new branch within the preset time, and because the fuzzing priority is ordered according to the control-flow transitions discovered, inputs that drive execution down different paths are generated in future generations according to that priority, making test-case mutation more efficient;
further, symbolic execution guides the direction of mutation, which helps the fuzzer cross control-flow transition nodes whose conditions are hard to satisfy and reach new code blocks; fuzzing and symbolic execution are switched flexibly according to the real-time fuzzing results, so the code-block analysis of the target binary under ordinary inputs is completed at low computational cost;
further, the iteration module also records path exploration progress so as to synchronize code addresses between the fuzz testing module and the hybrid execution module, ensuring a smooth hand-over of tracing between the two test modes and avoiding analysis failures caused by mismatched execution addresses between symbolic execution and fuzzing;
furthermore, the initialization module also loads an initial seed test case, which effectively shortens the initialization phase of fuzzing.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (10)

1. A fuzzy test system based on symbolic execution, comprising:
an initialization module, used for loading a target binary file;
a fuzzy test module, which interacts with the initialization module, automatically mutates test cases, inputs the test cases obtained by mutation into the target binary file for fuzzy testing, and outputs a fuzzy test result, wherein the fuzzy test result comprises a branch coverage condition, and a signal that no new branch can be found is output when the branch coverage condition is that no new branch has been found beyond a preset time;
an iteration module, which interacts with the fuzzy test module to acquire the branch coverage condition and outputs a signal to call a symbolic execution engine when it receives the signal that no new branch can be found;
a hybrid execution module, which interacts with the iteration module to acquire the signal to call the symbolic execution engine, performs symbolic execution on the target binary file when that signal is acquired, identifies the path constraint conditions that generate path branches, and generates new test cases satisfying different constraint conditions according to the path constraint conditions, wherein the new test cases are sent to the fuzzy test module through the iteration module to reactivate the fuzzy test.
2. The symbolic execution-based fuzzy test system of claim 1, wherein a concrete value state and a symbolic value state of the new test case are maintained simultaneously while the target binary file is symbolically executed.
3. The symbolic execution-based fuzzy test system of claim 1, wherein identifying the path constraint conditions that generate path branches comprises gathering the conditional predicate statements that generate path branches along the execution path of the new test case, organizing them into symbolic constraints, and using constraint solving to infer changes to the test case.
4. The symbolic execution-based fuzzy test system of claim 1, wherein the iteration module is further configured to record path exploration progress so as to synchronize code addresses between the fuzzy test module and the hybrid execution module.
5. The symbolic execution-based fuzzy test system of claim 1, wherein the initialization module is further configured to load an initial seed test case.
6. The symbolic execution-based fuzzy test system of claim 1, wherein the fuzzy test module performing fuzzy testing on the target binary file comprises adding valid test cases to a seed subset and generating new test cases from the test cases of the seed subset using a genetic mutation algorithm, the valid test cases comprising test cases that trigger a crash of the target under test and test cases that find new code branches.
7. The symbolic execution-based fuzzy test system of claim 1, wherein the fuzzy test module performing fuzzy testing on the target binary file comprises translating the target binary file into an IR intermediate language and translating the IR intermediate language into machine language executable by the architecture.
8. The symbolic execution-based fuzzy test system of claim 1, wherein generating new test cases satisfying different constraint conditions according to the path constraint conditions comprises, when a decision condition that determines a change in control flow is encountered on the execution path of a test case, generating a new test case if reversing that condition finds a new state transition.
9. The symbolic execution-based fuzzy test system of claim 8, wherein generating new test cases satisfying different constraint conditions according to the path constraint conditions further comprises executing the test case on which the fuzzy test is stuck, collecting the path constraint conditions along the execution path of that test case, reversing the condition judgments in the path constraint conditions in order from deep to shallow along the execution path to obtain new path constraint conditions, and solving the new path constraint conditions to obtain the new test cases, wherein the path constraint conditions are symbolic values of the hybrid execution module and the new test cases are concrete values of the hybrid execution module.
10. A fuzzy test method based on symbolic execution, comprising:
loading a target binary file;
acquiring the target binary file, performing fuzzy testing on the target binary file by the fuzzy test module, and outputting a fuzzy test result, wherein the fuzzy test result comprises a branch coverage condition, and a signal that no new branch can be found is output when the branch coverage condition is that no new branch has been found beyond a preset time;
acquiring the branch coverage condition, and outputting a signal to call a symbolic execution engine when the iteration module receives the signal that no new branch can be found;
and acquiring the signal to call the symbolic execution engine, performing symbolic execution on the target binary file when that signal is acquired, identifying the path constraint conditions that generate path branches, and generating new test cases satisfying different constraint conditions according to the path constraint conditions, wherein the new test cases are used to reactivate the fuzzy test.
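The loop described by claims 1, 8 and 9, as an added worked example that is not part of the patent or of any implementation by its assignee: a mutation fuzzer runs against a constructed three-field target until branch coverage has stalled for a preset number of executions, then a toy concolic step replays the stuck test case, records its path constraints as byte-equality predicates, reverses them from deepest to shallowest and solves each into a new test case that is queued back to the fuzzer. The target, its FIELDS, the constraint language and STALL_LIMIT are all constructed assumptions.

```python
import random
# Constructed target: three nested equality checks; random byte mutation rarely guesses the 4-byte field.
FIELDS = [(0, b"FUZZ"), (4, b"\x01"), (5, b"\xde\xad")]
CRASH_BRANCH = len(FIELDS)   # reaching the innermost branch stands in for the target crash
STALL_LIMIT = 2000           # the claims' "preset time": executions without a new branch

def run(buf, trace):
    """Run the target on concrete bytes; return the covered branch ids and append each
    comparison's symbolic predicate (offset, length, constant, taken) to `trace` (claim 2)."""
    covered = {0}
    for branch, (off, const) in enumerate(FIELDS, 1):
        taken = buf[off:off + len(const)] == const
        trace.append((off, len(const), const, taken))
        if not taken:
            break
        covered.add(branch)
    return covered

def concolic_new_cases(stuck):
    """Replay the stuck case, collect its path constraints, reverse each condition from deepest
    to shallowest and solve it (claims 8, 9). Toy solver: fields never overlap, so only that field changes."""
    trace = []
    run(stuck, trace)
    cases = []
    for off, n, const, taken in reversed(trace):
        new = bytearray(stuck)
        new[off:off + n] = bytes(b ^ 0xFF for b in const) if taken else const
        cases.append(bytes(new))
    return cases

def mutate(buf, rng):  # claim 6's genetic mutation reduced to one random byte replacement
    buf = bytearray(buf)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def hybrid_fuzz(rng_seed=0):
    """Fuzz until coverage stalls, then queue the symbolic engine's new cases (claim 1)."""
    rng = random.Random(rng_seed)
    seeds, coverage, queue, stall = [b"\x00" * 8], {0}, [], 0
    while CRASH_BRANCH not in coverage:
        cand = queue.pop(0) if queue else mutate(rng.choice(seeds), rng)
        new_cov = run(cand, [])
        stall = 0 if new_cov - coverage else stall + 1
        if new_cov - coverage:          # valid test case: new branch found, keep it as a seed
            coverage |= new_cov
            seeds.append(cand)
        if stall > STALL_LIMIT:         # "new branch cannot be found" -> call symbolic engine
            queue.extend(concolic_new_cases(seeds[-1]))
            stall = 0
    return coverage
```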
CN202310563313.7A 2023-05-18 2023-05-18 Fuzzy test system and method based on symbol execution Active CN116541294B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310563313.7A CN116541294B (en) 2023-05-18 2023-05-18 Fuzzy test system and method based on symbol execution

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310563313.7A CN116541294B (en) 2023-05-18 2023-05-18 Fuzzy test system and method based on symbol execution

Publications (2)

Publication Number Publication Date
CN116541294A true CN116541294A (en) 2023-08-04
CN116541294B CN116541294B (en) 2023-11-17

Family

ID=87452142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310563313.7A Active CN116541294B (en) 2023-05-18 2023-05-18 Fuzzy test system and method based on symbol execution

Country Status (1)

Country Link
CN (1) CN116541294B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104375942A (en) * 2014-12-11 2015-02-25 无锡江南计算技术研究所 Binary oriented hybrid fuzzing method
CN108052825A (en) * 2017-12-29 2018-05-18 哈尔滨工业大学 Vulnerability localization system combining fuzz testing of binary executables with symbolic execution
CN108845944A (en) * 2018-06-28 2018-11-20 中国人民解放军国防科技大学 Method for improving software fuzz testing efficiency by combining symbolic execution
CN109739755A (en) * 2018-12-27 2019-05-10 北京理工大学 A fuzz testing system based on program tracing and hybrid execution
US20190384697A1 (en) * 2018-06-18 2019-12-19 Fujitsu Limited Branch coverage guided symbolic execution for hybrid fuzz testing of software binaries
CN111797405A (en) * 2020-07-01 2020-10-20 北京华昱卓程软件有限公司 Sequence-oriented hybrid fuzzy test method and device
CN115017516A (en) * 2022-06-02 2022-09-06 电子科技大学 Fuzzy test method based on symbolic execution

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
李天凯: "Research and Implementation of Fuzz Testing Based on Symbolic Execution", China Excellent Master's and Doctoral Theses Full-text Database (Master's), Engineering Science and Technology II *
李政宇: "Research on Key Techniques of Fuzz Testing of Binary Programs Based on Hybrid Execution", China Excellent Master's and Doctoral Theses Full-text Database (Master's), Engineering Science and Technology II *
黄超: "Research and Implementation of an Improved Fuzz Testing Method Based on Symbolic Execution", China Excellent Master's and Doctoral Theses Full-text Database (Master's), Engineering Science and Technology II *

Also Published As

Publication number Publication date
CN116541294B (en) 2023-11-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Fuzzy Testing System and Method Based on Symbol Execution

Granted publication date: 20231117

Pledgee: The Bank of Shanghai branch Caohejing Limited by Share Ltd.

Pledgor: Shanghai Anban Information Technology Co.,Ltd.

Registration number: Y2024980025283