
Research on Key Techniques in Dynamic Software Defect Testing

Posted on: 2017-04-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W G Wang
Full Text: PDF
GTID: 1108330485961071
Subject: Computer software and theory
Abstract/Summary:
As information technology develops, information security becomes increasingly important. Software defects have become a root cause of many threats to information security, and dynamic software defect testing is an important means of triggering and eliminating them. However, because they lack guidance from defect knowledge, most current defect testing techniques are not efficient enough and usually produce many false negatives.

In this dissertation we analyze current dynamic defect testing techniques in depth and focus on improving the defect detection effectiveness and efficiency of concolic testing and directed fuzzing. The contributions of this dissertation can be summarized as follows:

1. Concolic testing is an effective defect detection method based on symbolic execution. The initial input is a key factor affecting its defect detection performance, yet current concolic testing tools usually start their workflow from one randomly selected well-formed concrete input. To address this, we propose an evaluation method that selects better initial inputs for concolic testing. The method first uses partially control-flow-sensitive taint analysis to identify error-prone operations and the dangerous paths related to those operations, then scores each initial input candidate by its coverage of the identified dangerous paths. Initial inputs with a higher probability of triggering defects during concolic testing thus receive higher scores. The experiments show that, with carefully selected initial inputs, concolic testing detects more defects.

2. Concolic testing tools usually select among the newly generated test cases to decide which paths to explore first. However, experimental results show that there is no consistent correlation between the number of blocks explored and the number of defects detected. To improve defect detection efficiency, we propose a critical-operation-oriented path selection method: it analyzes the different paths, estimates their probability of triggering defects, and prioritizes exploration of the paths that are more prone to defects. The experiments show that this path selection method accelerates defect detection.

3. As an improvement on traditional random fuzzing, directed fuzzing uses dynamic taint analysis to locate the regions of a seed input that can influence security-sensitive program points, and focuses mutation on those regions to generate error-revealing test cases. Seed inputs are of great importance to directed fuzzing because they essentially determine the number of security-sensitive program points that can be tested. We present a seed selection method, complemented by a seed generation method, for directed fuzzing. Using static analysis, dynamic monitoring and symbolic execution, our approach provides directed fuzzing with seeds that cover more security-sensitive program points in a cost-effective way, and thereby makes directed fuzzing detect more defects.

4. We design and implement a concolic testing tool, CrashFinder, and a directed fuzzing tool, SeededFuzz. We apply the two systems to dozens of widely used Linux applications and detect a number of defects in them, including in readelf and convert.
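Contributions 1 and 3 both rest on the same idea: run a candidate input under dynamic taint tracking, record which security-sensitive program points it reaches with an input-derived operand, and rank candidates by that coverage. The following is an added illustration written for this page, not code from CrashFinder, SeededFuzz, or the dissertation. It models a tiny record parser with two sensitive points (a copy whose length comes from the input, and a table index that comes from the input), tracks byte-level taint through it, scores each constructed seed by the sensitive points it covers, and then picks an initial input (contribution 1) and a minimal seed set (contribution 3) from those scores. The parser, its record format, the buffer and table sizes, and the candidate seeds are all assumptions made for the example.

```python
"""Seed scoring by security-sensitive-point coverage under dynamic taint tracking.

Added example (not the dissertation's tooling). A toy record parser is
instrumented with byte-level taint tracking: a sensitive program point
counts as covered only when it is reached with an operand derived from
the input. Seeds are scored by how many such points they cover.
"""
from dataclasses import dataclass, field

BUF_SIZE = 16      # destination buffer size in the toy parser (assumption)
TABLE_SIZE = 4     # lookup table size in the toy parser (assumption)


@dataclass
class Trace:
    """What one execution under taint tracking produced."""
    path: list = field(default_factory=list)       # (branch label, taken) in order
    sensitive: dict = field(default_factory=dict)  # point -> input offsets that reach it


class TaintedInput:
    """Byte-level taint: every value read from the input carries its source offsets."""
    def __init__(self, data: bytes, trace: Trace):
        self.data, self.trace = data, trace

    def read(self, off: int):
        # Out-of-range reads yield 0 with no taint, like a parser that stops at EOF.
        if off >= len(self.data):
            return 0, frozenset()
        return self.data[off], frozenset({off})

    def branch(self, label: str, taken: bool) -> bool:
        self.trace.path.append((label, taken))
        return taken

    def sensitive(self, point: str, taint: frozenset) -> None:
        # Only a tainted operand makes the point worth fuzzing.
        if taint:
            self.trace.sensitive[point] = self.trace.sensitive.get(point, frozenset()) | taint


def toy_parser(inp: TaintedInput) -> None:
    """Constructed record format: [type][length][payload...]."""
    rtype, _ = inp.read(0)
    length, t_len = inp.read(1)
    if inp.branch("type==1", rtype == 1):
        # Copy `length` payload bytes into a BUF_SIZE buffer: overflow candidate
        # when `length` is input-controlled. Clamped here so the toy never crashes.
        inp.sensitive("copy_len", t_len)
        buf = bytearray(BUF_SIZE)
        for i in range(min(length, BUF_SIZE)):
            buf[i], _ = inp.read(2 + i)
    elif inp.branch("type==2", rtype == 2):
        idx, t_idx = inp.read(2)
        # Table lookup with an input-derived index: out-of-bounds candidate.
        inp.sensitive("table_idx", t_idx)
        _ = [0, 1, 2, 3][idx % TABLE_SIZE]
    elif inp.branch("type==3", rtype == 3):
        inp.branch("len>0", length > 0)   # reads length but never uses it unsafely


def run(seed: bytes) -> Trace:
    trace = Trace()
    toy_parser(TaintedInput(seed, trace))
    return trace


def score(seed: bytes) -> int:
    """Number of distinct sensitive points reached with tainted operands."""
    return len(run(seed).sensitive)


def best_initial_input(candidates):
    """Highest-scoring candidate; ties broken toward the shorter input."""
    return max(candidates, key=lambda s: (score(s), -len(s)))


def select_seed_set(candidates):
    """Greedy set cover: keep the seed that reveals the most new sensitive points."""
    chosen, covered, remaining = [], set(), list(candidates)
    while remaining:
        gains = {s: set(run(s).sensitive) - covered for s in remaining}
        s = max(remaining, key=lambda c: (len(gains[c]), -len(c)))
        if not gains[s]:
            break
        chosen.append(s)
        covered |= gains[s]
        remaining.remove(s)
    return chosen


# Constructed candidate seeds: a well-formed record of each type plus junk.
CANDIDATES = [
    b"\x03\x05hello",   # type 3: no sensitive point reached
    b"\x01\x04abcd",    # type 1: tainted copy length
    b"\x02\x00\x02",    # type 2: tainted table index
    b"\x09junk",        # unknown type: falls through every branch
]

if __name__ == "__main__":
    for s in CANDIDATES:
        print(s, score(s), run(s).path)
    print("best initial input:", best_initial_input(CANDIDATES))
    print("seed set:", select_seed_set(CANDIDATES))
```

The type-3 seed exercises the most branches but scores zero, which is the point the dissertation makes about block coverage not tracking defect detection. The greedy selection stops once no remaining seed adds a new sensitive point, so junk seeds are dropped rather than padding the corpus.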
Keywords/Search Tags:Defect Detection, Symbolic Execution, Concolic Testing, Directed Fuzzing, Test Case Generation