Research on Lightweight Taint-Directed Fuzzing Techniques
Published: 2018-01-22 23:29
Keywords: dynamic taint propagation; black-box fuzzing; vulnerability analysis; constraint verification; Bernoulli trial. Source: University of Science and Technology of China, 2017 master's thesis. Thesis type: degree thesis
[Abstract]: Fuzzing is an important method for discovering vulnerabilities in binaries. In recent years academia has tried to combine fuzzing with taint propagation, protocol reverse engineering, genetic algorithms and other techniques to make it more targeted. Taint-directed fuzzing is one such composite technique, and it has been widely adopted and recognized. However, because vulnerability mechanisms are complex and fuzzing itself lacks a complete theoretical foundation, researchers have usually only verified the feasibility of the technique, that is, whether it can successfully find vulnerabilities; fundamental theoretical questions such as the technique's applicability and its performance gain have not been studied further. In addition, the technique cannot constrain its associated inputs at the semantic level, so whether it can be given stronger target-directed capability while keeping its lightweight character is also a direction worth studying. This thesis centres on taint-directed fuzzing: it develops the basic tools the research needs, and concentrates on the technique's fundamental theoretical questions and on how to improve it while preserving its lightweight character. The main research content and results are as follows:

(1) A binary dynamic analysis engine and a parallel fuzzing platform were designed and implemented. In the dynamic analysis engine, several design choices ensure generality and high extensibility, chiefly offline replay based on Pin and BAP, a normalized trace format described with Piqi, and targeting the BIL intermediate language. In the parallel fuzzing platform, RAM-disk technology is used to move the disk bottleneck, greatly increasing the platform's overall throughput. At the same time, optimization of the test machines' internal and external environment and vmtools-based scripted management improve the platform's stability and ease of management. These tools provide an efficient and highly controllable base platform for the subsequent research.

(2) The applicability limits and the performance gain of taint-directed fuzzing were studied through vulnerability cases and mathematical analysis. For the applicability limits, manual analysis of 14 CVE vulnerabilities was combined with fine-grained debugging results from the tools above to build a taint metadata propagation model that explains the technique's main limitations. For the performance gain, by assuming that the bit length of a sample is unchanged by mutation, fuzzing is abstracted as a Bernoulli scheme; using probability theory, a formula for the technique's efficiency gain over traditional fuzzing is derived, and from the formula's lower bound the trend of the gain as key parameters vary is summarized. Experimental results show that the value computed from the formula is close to the measured value and is a useful reference. This work supplements the fundamental theory of the technique systematically and mathematically.

(3) An improved method based on constraint verification was proposed and analyzed. The improvement is inspired by dynamic symbolic execution, but uses constraint verification instead of constraint solving so as to preserve the lightweight character of the original technique: it collects constraints, generates a constraint verifier from them, and inserts the verifier into the original workflow as a constraint filter layer, improving efficiency by skipping the actual execution of "over-malformed" mutated samples. The improvement's effect and optimal configuration differ across vulnerability types; this thesis gives the optimal configuration of the improved method for integer overflow vulnerabilities. The improved method also has high parallelism potential and obtains larger efficiency gains in multi-threaded and multi-process environments. Experimental results show that, for integer overflow vulnerabilities, the improved method is 2 to 4 times more efficient than the original technique.
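The Bernoulli abstraction in point (2) can be made concrete with a small model. The following is an added illustration, not the thesis's own formula or code: it assumes that one mutation flips a single uniformly chosen bit, that a trial "succeeds" when the flipped bit is one of the k vulnerability-relevant bits, and that all k of those bits lie inside the tainted region of t bits (when they do not, the gain collapses, which is the under-tainting limitation that the thesis's metadata propagation model addresses). Under those assumptions each mutation is a Bernoulli trial, the number of trials to first success is geometric, and the expected speed-up of taint-directed over blind fuzzing is the ratio of the two expectations. A seeded simulation checks the analytic value; the numbers n = 4096, t = 64 and k = 1 are constructed for the example.

```python
import random


def success_probability(target_bits, candidate_bits):
    """Probability that one single-bit flip over `candidate_bits` positions
    lands on one of the `target_bits` vulnerability-relevant positions."""
    if not 0 < target_bits <= candidate_bits:
        raise ValueError("target bits must be a non-empty subset of candidates")
    return target_bits / candidate_bits


def expected_trials(p):
    """Expected number of Bernoulli trials until the first success (geometric)."""
    return 1.0 / p


def speedup(total_bits, tainted_bits, target_bits):
    """Ratio of expected trials for blind fuzzing (mutating any of the
    `total_bits`) to taint-directed fuzzing (mutating only the `tainted_bits`).
    Assumes every target bit is inside the tainted region."""
    p_blind = success_probability(target_bits, total_bits)
    p_taint = success_probability(target_bits, tainted_bits)
    return expected_trials(p_blind) / expected_trials(p_taint)


def simulate_mean_trials(candidate_bits, target_bits, runs, seed=1):
    """Empirical mean of trials-to-first-success for `runs` independent
    fuzzing campaigns, each flipping one random bit per trial."""
    rng = random.Random(seed)
    targets = set(range(target_bits))  # constructed: targets are the low positions
    total = 0
    for _ in range(runs):
        trials = 0
        while True:
            trials += 1
            if rng.randrange(candidate_bits) in targets:
                break
        total += trials
    return total / runs


if __name__ == "__main__":
    n, t, k = 4096, 64, 1  # constructed sample sizes
    print("analytic speed-up n/t:", speedup(n, t, k))
    print("blind, simulated mean trials:", simulate_mean_trials(256, 1, 2000))
    print("taint-directed, simulated mean trials:", simulate_mean_trials(64, 1, 2000))
```

Under the single-bit-flip assumption the speed-up simplifies to n/t and does not depend on k, which is why the tainted fraction of the input is the key parameter; a richer mutation model changes the formula but not the Bernoulli structure of the argument.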
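The constraint filter of point (3) can likewise be sketched in code. This is an added example, not the thesis's implementation: it assumes a constructed toy file format (magic, version, width, height, payload length, payload), a hypothetical set of constraints taken from the target parser's early validation checks (in the thesis these are collected from the taint trace), and a single-bit-flip mutator restricted to tainted byte positions. Mutated samples that violate the early-path constraints would be rejected by the parser before reaching any interesting sink, so executing them is wasted work; the filter drops them without running the target, which is the efficiency the thesis reports. Constraints are only verified, never solved, so the filter stays cheap.

```python
import random
import struct

# Constructed toy format (assumption, not from the thesis):
# magic(4) | version(u8) | width(u16) | height(u16) | payload_len(u32) | payload
HEADER = struct.Struct("<4sBHHI")


def seed_sample():
    """A well-formed seed input for the toy format (constructed)."""
    payload = b"\x00" * 16
    return HEADER.pack(b"IMG1", 1, 4, 4, len(payload)) + payload


def satisfies_constraints(sample):
    """Hypothetical early-path constraints: the checks a parser performs
    before it reaches the allocation sink. A sample failing any of them
    is 'over-malformed' and need not be executed."""
    if len(sample) < HEADER.size:
        return False
    magic, version, _width, _height, plen = HEADER.unpack_from(sample)
    return (magic == b"IMG1"
            and version in (1, 2)
            and plen == len(sample) - HEADER.size)


def mutate(sample, rng, positions):
    """Flip one random bit in one of the given (tainted) byte positions,
    keeping the sample length unchanged as the thesis's model assumes."""
    buf = bytearray(sample)
    pos = rng.choice(positions)
    buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def filtered_corpus(seed, tainted_positions, count, rng_seed=0):
    """Generate `count` mutants and return (accepted, skipped): accepted
    mutants pass the constraint filter and would be queued for execution,
    skipped ones are discarded without running the target."""
    rng = random.Random(rng_seed)
    accepted, skipped = [], 0
    for _ in range(count):
        mutant = mutate(seed, rng, tainted_positions)
        if satisfies_constraints(mutant):
            accepted.append(mutant)
        else:
            skipped += 1
    return accepted, skipped


if __name__ == "__main__":
    seed = seed_sample()
    # width/height bytes (5..8) feed a size computation; magic/version/length
    # bytes (0..4, 9..12) are guarded by the early checks.
    accepted, skipped = filtered_corpus(seed, list(range(13)), 200)
    print(f"queued {len(accepted)} mutants, skipped {skipped} over-malformed ones")
```

The design point is that the filter encodes only preconditions of the path to the sink; a constraint that is too strong would discard mutants the parser would still accept, so the thesis's observation that the best configuration depends on the vulnerability type is visible here as the choice of which checks to include.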
[Degree-granting institution]: University of Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP311.53