Abstract
Research on software vulnerabilities is an important branch of information security. The main method of vulnerability discovery is to feed carefully constructed test data into a program in order to trigger a vulnerability, so generating the test data is the key to the technique and to successful vulnerability discovery. Based on an analysis of why vulnerabilities exist and the conditions that trigger them, we present a more efficient test data generation method. In this method, the trigger points of vulnerabilities are located through unsafe functions, the trigger paths are determined by a mixed depth-and-breadth traversal, and the trigger conditions are established with symbolic execution; finally, the test data are generated from these conditions. Test data generated in this way are more targeted and also raise code coverage, which improves the efficiency and accuracy of vulnerability discovery. Experimental results show that the method has good efficiency and accuracy.
Source
Computer Applications and Software (《计算机应用与软件》)
CSCD
Peking University Core Journal (北大核心)
2014, Issue 2, pp. 303-306 (4 pages)
Keywords
Test data generation
Unsafe functions
Mixed traversal
Symbolic execution technology
Vulnerability discovery