Key Data Location Method for Fuzz Testing Based on Path Label and Data Mutation
Cite this article: JIAO Long-long, LUO Sen-lin, LIU Wang-tong, PAN Li-min. Key Data Location Method for Fuzz Testing Based on Path Label and Data Mutation[J]. Journal of Beijing Institute of Technology, 2020, 40(9): 1009-1017. DOI: 10.15918/j.tbit1001-0645.2018.086
Authors: JIAO Long-long, LUO Sen-lin, LIU Wang-tong, PAN Li-min
Affiliation: School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China
Abstract: Existing key data location methods for binary program fuzz testing consume substantial resources and have relatively high false positive rates. To address these problems, a key data location method for fuzz testing that combines path labels and data mutation is proposed. The method locates dangerous operations in the binary program by static analysis; uses dynamic instrumentation to trace program execution and obtain the path labels and parameters of the dangerous operations; and locates the key data by analyzing the similarities and differences between the trace results before and after input data mutation. Experimental results show that the method locates key data effectively at low resource consumption, with a false positive rate below 0.3%, a recall above 70% and a precision above 60%; it can be used to improve the vulnerability discovery capability of binary program fuzz testing and has strong practical value.

Keywords: key data; program execution path; data mutation; fuzz testing; binary program
Received: 2018-07-02

Key Data Location Method for Fuzz Testing Based on Path Label and Data Mutation
JIAO Long-long,LUO Sen-lin,LIU Wang-tong,PAN Li-min. Key Data Location Method for Fuzz Testing Based on Path Label and Data Mutation[J]. Journal of Beijing Institute of Technology(Natural Science Edition), 2020, 40(9): 1009-1017. DOI: 10.15918/j.tbit1001-0645.2018.086
Authors:JIAO Long-long  LUO Sen-lin  LIU Wang-tong  PAN Li-min
Affiliation:School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China
Abstract: Aiming at the problems of high resource consumption and high false positive rates in current key data location methods for binary program fuzz testing, a new key data location method for fuzz testing based on path labels and data mutation is proposed. First, static analysis is used to locate the dangerous operations in the binary program. Then dynamic instrumentation is used to track the program's execution and obtain the path labels and parameters of the dangerous operations. Finally, the position of the key data is located by analyzing the tracking data before and after input data mutation. Experimental results show that this method can locate the key data in the input effectively under low resource consumption: the false positive rate is less than 0.3%, the recall is greater than 70%, and the precision is greater than 60%. The method can be used to improve the vulnerability detection ability of fuzz testing and has strong practical value.
Keywords:key data  program execution path  data mutation  fuzz testing  binary program