
Research for buffer overflow vulnerabilities based on multi-dimensional Fuzzing technology

Cited by: 6
Abstract: Buffer overflow (BOF) has long been one of the most serious vulnerabilities threatening computer security, and it is extremely important to detect such vulnerabilities and fix them promptly before hackers discover and exploit them. Based on multi-dimensional Fuzzing, this paper designs and implements MFBOF (multi-dimensional Fuzzing of buffer overflow), a model for mining buffer overflow vulnerabilities. The model applies knowledge of the input sample's structure, combines static binary analysis with dynamic input/output testing, and uses an adaptive simulated annealing genetic algorithm to generate test cases. Mining vulnerabilities in Libpng is used as a case study to demonstrate the model's effectiveness. Finally, the paper identifies where the model needs optimization and outlines directions for further research.
Source: Application Research of Computers (《计算机应用研究》), CSCD, Peking University Core Journal, 2011, No. 9, pp. 3539-3541 (3 pages)
Funding: National Natural Science Foundation of China (60972161)
Keywords: multi-dimensional Fuzzing; buffer overflow; vulnerability mining
