
Research And Implementation Of Vulnerability Detection System Based On Symbolic Execution

Posted on: 2013-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: S G Jiang
Full Text: PDF
GTID: 2248330395485142
Subject: Computer Science and Technology
Abstract/Summary:
With the growing popularity of the Internet, it has been applied in many fields. But as the Internet has developed, more and more attacks have appeared, and the Internet has become increasingly dangerous. Multi-layered measures have been used to ensure security, but these measures cannot eliminate the threats caused by vulnerabilities in web applications. The most basic way to solve this problem is to find the vulnerabilities and repair them.

Black-box testing based on fuzzing detects vulnerabilities by simulating an attacker's behavior, so its test results are very accurate. But web applications are becoming more and more complex, and their input data is usually validated by the application, while black-box testing often cannot automatically construct valid input data. On the one hand, this limits the system's detection depth; on the other hand, the simulated attack instances are not precise enough, which reduces the system's detection effectiveness.

To address these problems, this paper studies symbolic execution and fuzzing, and implements a complete web detection system based on symbolic execution (JSCAN). JSCAN can automatically generate accurate input data and overcomes this drawback of previous web detection systems. The main contributions of this paper are as follows. We survey the state of symbolic execution and fuzz testing and propose a fuzzing model based on symbolic execution. We study the basic principles of symbolic execution in depth and, taking the characteristics of web application input data into account, design an approach based on symbolic execution that automatically generates accurate input data. This method symbolically executes program fragments, extracts and solves the static and dynamic constraints of a path, and finally generates accurate input data. It combines the input constraints with the characteristics of the test words and then solves the resulting constraints, so it can automatically generate precise attack parameters. We apply this method to black-box fuzzing and implement a complete web detection system. Finally, we evaluate the approach in terms of web crawling, time consumption and vulnerability detection. Given a detection target, the system can automatically generate the crawl input data and simulated attack parameters, automatically test the target system and generate a complete test report.
Keywords/Search Tags: Web vulnerability, Web security, Fuzzing, Symbolic execution