Author: 鍾翔
Author (English): Chung, Hsiang
Thesis title (Chinese): 具目標認知符號執行模糊測試框架
Thesis title (English): A Target-Aware Symbolic Execution Framework for Fuzz Testing
Advisor: 黃世昆
Advisor (English): Huang, Shih-Kun
Committee members: 許富皓, 吳育松
Degree: Master's
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Student ID: 0156038
Publication year: 2014 (ROC year 103)
Graduation academic year: 2013/14 (ROC academic year 102)
Language: English
Pages: 45
Keywords (Chinese): 模糊測試 (fuzz testing), 符號執行 (symbolic execution)
Keywords (English): fuzz testing, fuzzer, symbolic execution, S2E, Crax, CraxFuzzer
Abstract (Chinese, translated):
Vulnerabilities that arise from poor software design, such as buffer overflows, integer overflows, uncontrolled format strings and command injections, are frequently exploited by attackers to break into users' personal computers or servers. Applications on Windows and Linux, and the operating systems themselves, regularly ship security updates precisely to patch such problems.
To reduce software vulnerabilities, many testing methods have been proposed, the most commonly used being fuzz testing. Traditional fuzz testing, however, can only discover a problem once the program reaches an exceptional state (such as a crash); when coverage is insufficient it fails to find the vulnerabilities in the program under test and overlooks possible security threats.
This thesis proposes a software testing framework based on symbolic execution using S2E. When the program executes normally up to one of a set of user-defined sensitive functions, such as malloc, strcpy and printf, the framework automatically determines whether the current execution path could pose a security threat at that location; if so, it further generates a proof-of-concept exploit together with the corresponding mathematical constraints.
We apply this method to reproduce, successfully and efficiently, a number of vulnerabilities publicly listed on the CVE site, helping developers quickly locate the problem and improving the efficiency of software quality maintenance.
Abstract (English):
Vulnerabilities caused by implementation bugs, such as buffer overflows, integer overflows, uncontrolled format strings, and command injections, are often exploited by attackers to intrude into users' personal computers or servers. To reduce software bugs, many testing techniques have been proposed; the most frequently used is fuzz testing. However, traditional fuzzers can only find a bug when a program exception, typically a crash, is raised, so some security threats may pass these tests because of insufficient code coverage.
In this thesis, we introduce a software testing framework based on symbolic execution, built on S2E, a whole-system symbolic execution engine. When the program under test executes one of a set of pre-defined sensitive functions, such as malloc, strcpy or printf, the framework initiates a triage process that automatically determines whether a related security vulnerability could occur at that call on the current path. If so, a proof-of-concept exploit and its corresponding mathematical constraints are generated.
We successfully and efficiently reproduce several CVE vulnerabilities, which lets developers locate bugs faster and improves the efficiency of software quality maintenance.
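The triage step the abstract describes (stop at a sensitive call, conjoin the path constraints on the input with a vulnerability predicate, and solve for a proof-of-concept input) can be sketched in a few dozen lines. The Python below is an added illustration, not code from the thesis or from S2E: it replaces the binary running under S2E with a hand-written toy program whose length check is wrong for its 16-byte buffer, records constraints only on the input bytes that actually influence the path to the memcpy (the "hot bytes"), and solves by enumeration over those bytes instead of calling an SMT solver. BUF_SIZE, the record layout (type byte, length byte, payload) and every function name here are assumptions of this example.

```python
"""Toy target-aware triage (constructed example, not the thesis framework):
run a seed to a sensitive call, collect the path constraints on the input
bytes that reach it, then ask whether those constraints plus a vulnerability
predicate are jointly satisfiable. If they are, emit a proof-of-concept input.
The real framework does this on binaries inside S2E with an SMT solver; this
mirrors the idea in pure Python over a hand-written toy program."""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Optional

BUF_SIZE = 16  # destination buffer size in the toy program (assumed)


@dataclass
class Constraint:
    var: int                     # index of the input byte ("hot byte") constrained
    pred: Callable[[int], bool]  # predicate over that byte's value
    text: str                    # readable form, reported alongside the PoC


@dataclass
class Trace:
    constraints: List[Constraint] = field(default_factory=list)
    target: Optional[Dict] = None  # filled in when a sensitive call is reached


def toy_program(data: bytes, trace: Trace) -> str:
    """Model of a program under test. in[0] is a record type, in[1] a length.
    The length check is wrong for a 16-byte buffer: it allows up to 63."""
    kind = data[0]
    if kind != 2:
        trace.constraints.append(Constraint(0, lambda v: v != 2, "in[0] != 2"))
        return "skipped"
    trace.constraints.append(Constraint(0, lambda v: v == 2, "in[0] == 2"))
    n = data[1]
    if n == 0:
        trace.constraints.append(Constraint(1, lambda v: v == 0, "in[1] == 0"))
        return "empty"
    trace.constraints.append(Constraint(1, lambda v: v != 0, "in[1] != 0"))
    if n >= 64:
        trace.constraints.append(Constraint(1, lambda v: v >= 64, "in[1] >= 64"))
        return "rejected"
    trace.constraints.append(Constraint(1, lambda v: v < 64, "in[1] < 64"))
    # Sensitive call: memcpy(buf[BUF_SIZE], data + 2, n). Recorded, not performed.
    trace.target = {"func": "memcpy", "dst_size": BUF_SIZE, "len_var": 1}
    return "copied"


def triage(trace: Trace) -> Optional[Dict]:
    """At the target, conjoin the path constraints with the vulnerability
    predicate (copy length > destination size) and solve by enumeration over
    the hot bytes only; every other input byte keeps its seed value."""
    if not trace.target or trace.target["func"] != "memcpy":
        return None
    t = trace.target
    vuln = Constraint(t["len_var"], lambda v: v > t["dst_size"],
                      f"in[{t['len_var']}] > {t['dst_size']}")
    cs = trace.constraints + [vuln]
    hot = sorted({c.var for c in cs})
    for values in product(range(256), repeat=len(hot)):
        env = dict(zip(hot, values))
        if all(c.pred(env[c.var]) for c in cs):
            return {"hot_bytes": env, "constraints": [c.text for c in cs]}
    return None  # path constraints and vulnerability predicate are contradictory


def run_seed(seed: bytes) -> Optional[Dict]:
    """Concrete run of one seed followed by triage at the reached target."""
    trace = Trace()
    toy_program(seed, trace)
    return triage(trace)


def make_poc(seed: bytes, result: Dict) -> bytes:
    """Rewrite only the hot bytes of the seed and pad the payload so the copy
    has enough source bytes to read (record layout is the toy's: type, length,
    payload)."""
    poc = bytearray(seed)
    for idx, val in result["hot_bytes"].items():
        poc[idx] = val
    needed = 2 + poc[1]
    poc.extend(b"A" * max(0, needed - len(poc)))
    return bytes(poc)


if __name__ == "__main__":
    seed = b"\x02\x05hello"  # constructed seed that reaches the memcpy
    report = run_seed(seed)
    print(report)
    if report:
        print(make_poc(seed, report))
```

With the constructed seed b"\x02\x05hello" the run reaches the memcpy under the path constraints in[0] == 2, in[1] != 0, in[1] < 64; adding in[1] > 16 is satisfiable, and make_poc turns the seed into an input that follows the same path with a 17-byte copy into the 16-byte buffer. A seed that never reaches the target (in[0] != 2) or is rejected by the bound (in[1] >= 64) produces no report, which is the point of target awareness: the vulnerability question is asked only at the call site, on a path already known to reach it, rather than waiting for a crash.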
Table of contents:
Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
Table of Tables
Table of Figures
CHAPTER 1 INTRODUCTION
CHAPTER 2 OVERVIEW
 A. Symbolic Execution
 B. Symbolic Execution Optimization
 C. S2E
 D. Vulnerable Situations
 E. DLL Injection
CHAPTER 3 METHOD
 A. Test Case Acquisition
 B. Target Searching
 C. Proof-of-Concept Generation
 D. Verification
 E. Example: XMail-1.21
 F. Implementation
CHAPTER 4 EVALUATION
 A. Experiment Setup
 B. Hot Bytes Identification
 C. Adaptive-Input Technique Evaluation
 D. Null-Constraint Technique Evaluation
 E. Fuzzing Results
 F. Case Studies
CHAPTER 5 CONCLUSION
References