
Detailed record

Author (Chinese): 羅紹文
Author (English): Luo, Shao-Wen
Title (Chinese): 符號化變異之模糊測試排程法
Title (English): Scheduling Fuzz Testing with Symbolic Mutation
Advisors (Chinese): 黃世昆, 蔡錫鈞
Advisors (English): Huang, Shih-Kun; Tsai, Shi-Chun
Committee members (Chinese): 宋定懿, 黃世昆, 蔡錫鈞
Committee members (English): Sung, Ting-Yi; Huang, Shih-Kun; Tsai, Shi-Chun
Degree: Master's
University: 國立交通大學 (National Chiao Tung University)
Department: 資訊科學與工程研究所 (Institute of Computer Science and Engineering)
Student ID: 0156153
Year of publication (ROC calendar): 104
Graduating academic year: 103
Language: Chinese
Pages: 37
Keywords (Chinese): 模糊測試, 符號化變異, 排程
Keywords (English): Fuzz Testing, Symbolic Mutation, Scheduling
Abstract (Chinese, translated): Errors caused by software implementation flaws, such as faulty variable access or integer overflow, can become security weaknesses. Such problems are usually searched for with static analysis or dynamic testing. However, because testing is incomplete, related software weaknesses keep surfacing, and large programs in particular may hide many unknown security vulnerabilities. This is a research topic in program security, and it is receiving growing attention.
To find more software weaknesses, fuzz testing is a commonly used method. Traditional fuzz testing sets no specific target; it only mutates test data at random in the hope of making the program fail. We propose taking specific sensitive functions as the target and symbolizing the program's test data so that symbolic testing can be performed. If the test data propagates far enough to taint the chosen target, we can collect the constraints on the corresponding execution path and on the data passed into the target function, and then use a scheduling algorithm to choose which path constraints to add, in order to generate test data that makes the program under test fail and terminate abnormally. When the program terminates abnormally, a weakness in the program has very likely been found. We evaluated four software packages and could automatically generate, within a short time, test data that makes the program terminate abnormally; obtaining such test data through traditional fuzz testing would take more than 500,000 seconds.
Abstract (English): Software implementation flaws, such as buffer overflows and integer overflows, may further lead to software vulnerabilities. We often take advantage of static analysis or dynamic testing to find these issues. However, because of incomplete testing coverage, software vulnerabilities are still being uncovered, especially in large software systems. Therefore, secure programs have been receiving more and more attention in recent years.
To improve the process of finding software vulnerabilities, fuzz testing is a commonly used approach. Because traditional fuzz testing has no specific target for input-data mutation, it is an unpredictable process with indefinite testing time. We propose hooking sensitive functions as the mutation target and using symbolic execution to automate the fuzzing process.
If the sensitive functions can be reached with symbolic input, we can collect all the constraints and schedule the selection of constraints to generate test cases that lead the program to the crash point. We have evaluated four software systems and produced crash inputs within 30 minutes, compared with traditional fuzzing, which takes more than 500,000 seconds.
Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1-1 Problem Description
1-2 Motivation
1-3 Research Goals
1-4 Thesis Outline
Chapter 2 Background
2-1 Software Quality Testing
2-1-1 Symbolic Execution
2-1-2 Concolic Execution
2-1-3 Single-Path Concolic Execution
2-1-4 S2E
2-2 Program Security Weaknesses
2-2-1 Buffer Overflow
2-2-2 Integer Vulnerabilities
2-2-3 Uncontrolled Format String
2-2-4 OS Command Injection
2-3 Related Work
2-3-1 SAGE (Scalable Automated Guided Execution)
2-3-2 TaintScope
2-3-3 BFF (Basic Fuzzing Framework)
2-3-4 FuzzSim
2-3-5 COVERSET
2-3-6 DIODE
Chapter 3 Method and Implementation
3-1 System Architecture
3-2 Obtaining Initial Test Inputs
3-3 Locating Target Functions
3-4 Scheduling Constraints
3-5 Generating New Test Inputs
3-6 Verification
3-7 Example
3-8 Automation
3-9 Implementation
Chapter 4 Experimental Results and Analysis
4-1 Experimental Environment
4-2 Experimental Results
4-3 Analysis
Chapter 5 Conclusions and Future Work
5-1 Conclusions
5-2 Future Work
References