Abstract
Hybrid fuzzing has a fuzz testing module and a symbolic execution module cooperate so that their strengths complement each other, and test case synchronization is the key to that cooperation. However, in existing hybrid fuzzing schemes, test case synchronization is implemented mainly by exchanging and integrating test cases, which is rather simplistic and ignores the runtime information produced while the symbolic execution module explores program states. To address this problem, this paper proposes a test case synchronization method based on program keypoints (Sol-QSYM for short), which analyzes and mines the execution process of the symbolic execution module, locates and identifies code-coverage-oriented program keypoints, and then uses them to guide the test case scheduling and mutation of the fuzzer, achieving finer-grained test case synchronization. First, during symbolic execution the method identifies the set of variables corresponding to branches that the fuzzing module has difficulty reaching and extracts them as the program's keypoints. Second, to make full use of the symbolic solving results, the method further combines and matches the keypoint information obtained from a single solving round, so that the symbolic execution module can additionally generate more test cases that the fuzzing module can import. Finally, in the fuzzing module, the seed selection step gives priority to test cases that carry keypoint information, guiding the test towards specific regions of the program, and the mutation step concentrates on the keypoint positions so as to produce test cases that cover new code branches. A prototype system was implemented on top of the hybrid fuzzing tool QSYM and evaluated on 12 real-world programs. The results show that, compared with QSYM, Sol-QSYM raises the test case import success rate by 12.73% and code coverage by 9.07%, and finds more program crashes. These results indicate that the improved test case synchronization method substantially increases how well hybrid fuzzing exploits the program state exploration results of the symbolic execution module.
The hybrid fuzzing technique leverages symbolic execution techniques and fuzz testing techniques to achieve complementary goals. The synchronization of test cases is the key to collaboration between the modules. However, test case synchronization is implemented with an exchange-and-integration approach in existing hybrid fuzzing techniques, which ignores the runtime information available while the symbolic execution module is exploring the program state. To solve the above problem, a test case synchronization method for hybrid fuzzing based on keypoints, namely Sol-QSYM, is proposed. Sol-QSYM aims to analyze the execution process of symbolic execution, locate and identify the code-coverage-oriented program keypoints, and then guide the test case scheduling and mutation process of fuzz testing to achieve finer-grained test case synchronization. First, a set of variables corresponding to the hard-to-reach branches of the fuzz testing module is identified during symbolic execution and extracted as the keypoints of the program. Second, to fully utilize the results of symbolic solving, the keypoints from a single solution are further combined to help the symbolic execution module additionally generate more test cases that can be imported by the fuzz testing module. Finally, in the fuzz testing module, test cases containing keypoints are preferentially selected in the seed selection step to guide the testing process in exploring specific areas of the program, and the keypoint locations are emphasized in the mutation step to guide the generation of test cases that cover new code branches. A prototype system was implemented based on the hybrid vulnerability mining tool QSYM, and 12 real programs were selected for experimental evaluation. The experimental results show that, compared to QSYM, Sol-QSYM improved the import rate of test cases by 12.73% and the code coverage rate by 9.07%. Meanwhile, it found more program crashes. All these results indicate that the enhanced test case synchronization method can improve the utilization of program state exploration results from symbolic execution in hybrid vulnerability mining.
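A toy model of the three keypoint steps the abstract describes (combining solver results into extra test cases, keypoint-first seed selection, and mutation concentrated on keypoint offsets), written as an added example for this page; it is not code from the paper or from QSYM/Sol-QSYM, and the keypoint representation, function names and sample data are assumptions.

```python
"""Added example (not the paper's code): keypoint-based test case synchronization.
A keypoint is modelled as {input_offset: byte_value}, the assignment a solver
produced to flip one branch the fuzzer could not reach. All data below is
constructed for illustration."""
from itertools import combinations
import random


def combine_keypoints(keypoints, base):
    """Step 2: combine individually solved keypoints so that one solving round
    yields additional importable test cases. Groups whose keypoints assign
    different values to the same offset contradict each other and are skipped.
    Returns a list of (testcase_bytes, merged_keypoint) pairs."""
    out = []
    for r in range(1, len(keypoints) + 1):
        for group in combinations(keypoints, r):
            merged, consistent = {}, True
            for kp in group:
                for off, val in kp.items():
                    if merged.get(off, val) != val:   # conflicting assignment
                        consistent = False
                        break
                    merged[off] = val
                if not consistent:
                    break
            if consistent:
                buf = bytearray(base)
                for off, val in merged.items():       # apply solver values
                    buf[off] = val
                out.append((bytes(buf), merged))
    return out


def pick_seed(queue):
    """Step 3a: seed selection prefers entries carrying keypoint information.
    queue is a list of (seed_bytes, keypoint_dict); an empty dict means none."""
    with_keypoints = [entry for entry in queue if entry[1]]
    return (with_keypoints or queue)[0]


def mutate_at_keypoints(seed, keypoints, rand_seed=0):
    """Step 3b: mutation focused on keypoint offsets only; the remaining bytes,
    which the solver did not tie to the target branch, are left untouched."""
    rng = random.Random(rand_seed)            # deterministic for repeatability
    buf = bytearray(seed)
    for off in keypoints:
        buf[off] = rng.randrange(256)
    return bytes(buf)


if __name__ == "__main__":
    solved = [{0: 0x41}, {1: 0x42}, {0: 0x43}]  # constructed solver outputs
    for data, kp in combine_keypoints(solved, b"\x00" * 8):
        print(data, kp)
```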
Authors
ZHAO Lei (赵磊), HUI Tao (辉涛), JIANG Keyang (蒋可洋), CAO Pengcheng (曹彭程)
Key Lab. of Aerospace Info. Security and Trusted Computing, Ministry of Education, Wuhan Univ., Wuhan 430000, China; School of Cyber Sci. and Eng., Wuhan Univ., Wuhan 430000, China
Source
Advanced Engineering Sciences (《工程科学与技术》), 2022, No. 3, pp. 55-63 (9 pages)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
Funding
National Natural Science Foundation of China (62172305, U1836112)
Hubei Provincial Key Research and Development Program (2020BAA003)