
Research on Lightweight Taint-Directed Fuzzing

Published: 2018-01-22 23:29

Keywords: dynamic taint propagation; black-box fuzzing; vulnerability analysis; constraint verification; Bernoulli trials. Source: University of Science and Technology of China, master's thesis, 2017. Document type: degree thesis.


[Abstract]: Fuzzing is an important method for discovering vulnerabilities in binaries. In recent years the academic community has tried to combine fuzzing with taint propagation, protocol reverse engineering, genetic algorithms and other techniques to make it more targeted, and taint-directed fuzzing is one such composite technique that has been widely adopted and recognized. However, because vulnerability mechanisms are complex and fuzzing itself lacks a complete theoretical foundation, researchers have usually only validated the feasibility of the technique, that is, whether it can successfully discover vulnerabilities; fundamental theoretical questions such as its range of applicability and the size of its performance gain have not been studied further. In addition, the technique cannot impose semantic-level restrictions on the inputs it associates with a sink, so whether it can be given stronger goal-directed capability while keeping its lightweight character is also worth investigating. This thesis focuses on taint-directed fuzzing: it develops the basic tools the research requires, and concentrates on the technique's fundamental theoretical questions and on how to improve it without giving up its lightweight character. The main research contents and results are as follows.

(1) A binary dynamic analysis engine and a parallel fuzzing platform were designed and implemented. Several design choices secure the engine's generality and extensibility, chiefly offline replay based on Pin and BAP, a normalized trace format described with Piqi, and targeting the BIL intermediate language. For the parallel fuzzing platform, a RAM disk is used to move the hard-disk bottleneck out of the critical path, which greatly raises the platform's overall throughput; optimization of the test machines' internal and external environment and vmtools-based scripted management improve stability and ease of administration. These tools provide an efficient, highly controllable base platform for the subsequent research.

(2) The applicability limits and the performance gain of taint-directed fuzzing were studied by combining vulnerability case studies with mathematical analysis. For the applicability limits, manual analysis of 14 CVE vulnerabilities was combined with fine-grained debugging results from the tools above to build a taint metadata propagation model that explains the technique's main limitations. For the performance gain, fuzzing is abstracted as a Bernoulli trial scheme under the assumption that a sample's bit length is unchanged by mutation; probability theory then yields a formula for the technique's efficiency gain over traditional fuzzing, and the lower bound of that formula is used to summarize how the gain varies with the key parameters. Experiments show that the values computed from the formula are close to the measured ones, so the formula is a useful reference. This work supplements the basic theory of the technique systematically and mathematically.

(3) An improved method based on constraint verification was proposed and analyzed. The method is inspired by dynamic symbolic execution but replaces constraint solving with constraint verification so that the original technique stays lightweight: it collects constraints, generates a constraint verifier from them, and inserts that verifier into the original workflow as a constraint filter layer, improving efficiency by skipping the actual execution of "over-malformed" mutated samples. The effect of the improvement and its best configuration differ across vulnerability types; the thesis gives the best configuration for integer overflow vulnerabilities. The method also has high potential for parallelism and obtains larger efficiency gains in multi-threaded and multi-process settings. Experiments show that, for integer overflow vulnerabilities, the improved method is 2 to 4 times more efficient than the original technique.
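The following is an added worked example of the Bernoulli abstraction described in contribution (2); it is not code or a formula from the thesis. The model is my own simplification and is an assumption: every mutation rewrites exactly one byte of a fixed-length sample with a uniformly random value, the bug fires only when the mutated byte is one of the `tainted` offsets that reach the sink and its new value falls into a triggering range (probability `q`), so every trial is an independent Bernoulli trial and the number of trials to the first trigger is geometric. Blind fuzzing draws the byte from all `n_bytes`, taint-directed fuzzing only from the tainted offsets, which is why the predicted gain `n_bytes / tainted_bytes` does not depend on `q`. The Monte Carlo part plays the role of the thesis's "calculated value versus actual value" comparison. All names and parameters are hypothetical.

```python
import random


def per_trial_success(n_bytes, tainted_bytes, q, directed):
    """Probability that one single-byte mutation triggers the bug (assumed model).

    Blind fuzzing picks the byte uniformly from all n_bytes, so it hits a
    tainted byte with probability tainted_bytes / n_bytes; taint-directed
    fuzzing picks only among the tainted bytes.  q is the probability that the
    new value of a tainted byte lands in the triggering range.
    """
    if not (0 < tainted_bytes <= n_bytes) or not (0 < q <= 1):
        raise ValueError("invalid model parameters")
    return q if directed else tainted_bytes / n_bytes * q


def expected_trials(p):
    """Expected number of trials to the first success of a Bernoulli process."""
    return 1.0 / p


def predicted_gain(n_bytes, tainted_bytes):
    """E[blind trials] / E[directed trials]; q cancels out in this model."""
    return n_bytes / tainted_bytes


def simulate_trials(n_bytes, tainted, trigger_values, directed, rng):
    """Run the byte-level process once; return mutations needed until a trigger.

    tainted: set of byte offsets whose taint reaches the sink.
    trigger_values: set of byte values that fire the bug at such an offset.
    """
    candidates = sorted(tainted) if directed else range(n_bytes)
    trials = 0
    while True:
        trials += 1
        offset = rng.choice(candidates)      # which byte the mutator rewrites
        value = rng.randrange(256)           # the new, uniformly random value
        if offset in tainted and value in trigger_values:
            return trials


def mean_trials(n_bytes, tainted, trigger_values, directed, runs, seed=0):
    """Average trials-to-trigger over `runs` independent fuzzing campaigns."""
    rng = random.Random(seed)
    total = sum(simulate_trials(n_bytes, tainted, trigger_values, directed, rng)
                for _ in range(runs))
    return total / runs


def simulated_gain(n_bytes, tainted, trigger_values, runs, seed=0):
    """Measured counterpart of predicted_gain()."""
    blind = mean_trials(n_bytes, tainted, trigger_values, False, runs, seed)
    directed = mean_trials(n_bytes, tainted, trigger_values, True, runs, seed)
    return blind / directed


if __name__ == "__main__":
    # Constructed scenario: 16-byte sample, a 4-byte length field at offsets 4..7
    # reaches the sink, and any high byte >= 0x40 triggers the bug (q = 0.75).
    N, TAINTED = 16, {4, 5, 6, 7}
    TRIGGER = set(range(0x40, 0x100))
    q = len(TRIGGER) / 256
    for directed in (False, True):
        p = per_trial_success(N, len(TAINTED), q, directed)
        print("%-8s predicted %.2f trials, measured %.2f"
              % ("directed" if directed else "blind", expected_trials(p),
                 mean_trials(N, TAINTED, TRIGGER, directed, 2000)))
    print("predicted gain %.2f, measured gain %.2f"
          % (predicted_gain(N, len(TAINTED)),
             simulated_gain(N, TAINTED, TRIGGER, 2000)))
```

The gain is bounded by how small the tainted fraction of the input is; when taint analysis over-approximates (more bytes marked tainted than actually reach the sink) the ratio `n_bytes / tainted_bytes` shrinks toward 1, which is the kind of parameter dependence the thesis summarizes from its lower bound.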
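The next block is an added example of the constraint filter layer from contribution (3), written for this page and not taken from the thesis. Everything in it is constructed: a toy target whose 32-bit allocation size `count * elem_size` wraps (an instrumented build would report this, which the `Crash` exception stands in for), the set of byte offsets a taint-tracking pass is assumed to have associated with that sink, and the path constraints assumed to have been recorded from the seed's execution. The verifier generated from those constraints only checks a mutant against the recorded predicates; it never calls a solver, which is the lightweight substitution the abstract describes. Mutants that fail the check are the "over-malformed" samples the target would reject before reaching the sink, so skipping their execution loses nothing. Both runs use the same RNG seed and therefore see the same mutant sequence, so the difference is purely in how many executions the filter saved.

```python
import random
import struct

# --- Constructed toy target (assumption: stands in for the instrumented binary) ---
# Header layout: magic(u16 LE) | version(u8) | elem_size(u8) | count(u32 LE)
HEADER = struct.Struct("<HBBI")
MAGIC = 0x4D47
MAX_VERSION = 2
VALID_ELEM_SIZES = {1, 2, 4, 8}
U32_MAX = 0xFFFFFFFF


class Crash(Exception):
    """Raised where an instrumented build would report the integer overflow."""


def target(sample: bytes) -> str:
    """Parse the header: 'reject' on malformed input, 'ok' otherwise.
    The allocation size count * elem_size is computed in 32 bits and wraps."""
    if len(sample) < HEADER.size:
        return "reject"
    magic, version, elem_size, count = HEADER.unpack_from(sample)
    if magic != MAGIC or version > MAX_VERSION:
        return "reject"
    if elem_size not in VALID_ELEM_SIZES:        # switch on element size
        return "reject"
    wide = count * elem_size                      # sink: size computation
    if (wide & U32_MAX) != wide:                  # 32-bit wrap = overflow
        raise Crash("count=%#x elem_size=%d wraps to %#x"
                    % (count, elem_size, wide & U32_MAX))
    return "ok"


def crashes(sample: bytes) -> bool:
    """True if executing the target on `sample` reports the overflow."""
    try:
        target(sample)
    except Crash:
        return True
    return False


# --- Inputs an analysis engine would supply (assumed, hand-written here) ---
# Byte offsets whose taint reaches the multiplication sink: elem_size and count.
TAINTED_OFFSETS = [3, 4, 5, 6, 7]

# Path constraints observed on the seed's execution: (struct format, offset, predicate).
CONSTRAINTS = [
    ("<H", 0, lambda v: v == MAGIC),
    ("<B", 2, lambda v: v <= MAX_VERSION),
    ("<B", 3, lambda v: v in VALID_ELEM_SIZES),
]


def make_verifier(constraints):
    """Generate the constraint filter: True iff every recorded predicate holds.
    Verification only evaluates predicates on concrete bytes; no solver involved."""
    def verify(sample: bytes) -> bool:
        for fmt, offset, pred in constraints:
            if len(sample) < offset + struct.calcsize(fmt):
                return False
            (value,) = struct.unpack_from(fmt, sample, offset)
            if not pred(value):
                return False
        return True
    return verify


def mutate(seed: bytes, offsets, rng) -> bytes:
    """Taint-directed mutation: overwrite one tainted byte with a random value."""
    buf = bytearray(seed)
    buf[rng.choice(offsets)] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed, offsets, verifier, rng, max_trials=100_000):
    """Return (trials, executed, skipped, crashing_sample).  With a verifier,
    mutants violating a recorded constraint are skipped instead of executed."""
    executed = skipped = 0
    for trial in range(1, max_trials + 1):
        mutant = mutate(seed, offsets, rng)
        if verifier is not None and not verifier(mutant):
            skipped += 1
            continue
        executed += 1
        if crashes(mutant):
            return trial, executed, skipped, mutant
    return max_trials, executed, skipped, None


SEED = HEADER.pack(MAGIC, 1, 4, 16) + b"\x00" * 64   # constructed seed, parses as 'ok'


def compare(seed_value=1):
    """Run the loop without and with the filter on the same mutant sequence."""
    plain = fuzz(SEED, TAINTED_OFFSETS, None, random.Random(seed_value))
    filtered = fuzz(SEED, TAINTED_OFFSETS, make_verifier(CONSTRAINTS),
                    random.Random(seed_value))
    return plain, filtered


if __name__ == "__main__":
    plain, filtered = compare()
    print("without filter: trials=%d executed=%d" % (plain[0], plain[1]))
    print("with filter:    trials=%d executed=%d skipped=%d" % filtered[:3])
```

The saving here is exactly the share of mutants that hit the constrained `elem_size` byte with an invalid value; the thesis's point that the best configuration depends on the vulnerability type corresponds to choosing which recorded constraints are worth checking for a given sink, since a constraint that a taint-directed mutator can never violate costs verification time without skipping anything.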
[Degree-granting institution]: University of Science and Technology of China
[Degree level]: Master
[Year conferred]: 2017
[Classification number]: TP311.53



Link to this page: http://sikaile.net/shoufeilunwen/xixikjs/1456028.html

