Abstract
Software security is now of critical importance, and the main threat to it comes from the software itself, in the form of software vulnerabilities. These include language-level vulnerabilities, logic vulnerabilities and others. Fuzz testing is one of the more widely used techniques for detecting vulnerabilities: it generates test cases automatically from the input and needs little intervention from the tester. However, a large number of redundant tests is a drawback that this method finds hard to eliminate. To address this shortcoming and generate effective test cases, the paper implements a vulnerability detection system based on symbolic execution. Symbolic input is the prerequisite of the system, and program instrumentation is used to obtain the relationships between the symbolic variables. New test inputs are obtained by solving the constraints at branch statements. Experiments show that the system detects vulnerabilities fairly intelligently and greatly improves the performance of vulnerability detection.
Source
《信息技术》 (Information Technology)
2016, Issue 5, pp. 171-174, 182 (5 pages in total)
Keywords
vulnerability
redundancy
symbolic execution
instrumentation
path constraint
automation