| 一种改进的智能Fuzzing平台设计方案 |
| |
| 引用本文: | 聂森,李骁,王轶骏,薛质.一种改进的智能Fuzzing平台设计方案[J].信息安全与通信保密,2013(12):134-139. |
| |
| 作者姓名: | 聂森 李骁 王轶骏 薛质 |
| |
| 作者单位: | 上海交通大学信息安全工程学院,上海200240 |
| |
| 基金项目: | 国家自然科学基金项目资助(批准号:61272101). |
| |
| 摘 要: | 随着软件安全问题的日趋严重,智能Fuzzing技术被广泛应用于漏洞挖掘、软件安全领域.基于符号执行和污点分析技术的各种智能Fuzzing平台相继诞生.该文首先以漏洞安全问题以及软件测试方法学为背景,介绍了智能Fuzzing技术中用到的理论,包括符号执行、污点分析等;然后介绍了现有成型智能Fuzzing平台,包括SAGE、KLEE、BitBlaze等,并且提出它们现存的主要问题;最后通过总结智能Fuzzing平台的可改进之处,提出了一种更有效的智能Fuzzing平台的设计方案,该方案基于全系统的符号执行技术,利用云计算平台进行调度,可以有效应用于商业级软件的Fuzzing工作.
|
| 关 键 词: | 智能Fuzzing技术 漏洞挖掘 符号执行 污点分析 |
An Improved Design for Smart Fuzzing Platform |
| |
| NIE Sen,LI Xiao,WANG Yi-jun,XUE Zhi.An Improved Design for Smart Fuzzing Platform[J].China Information Security,2013(12):134-139. |
| |
| Authors: | NIE Sen LI Xiao WANG Yi-jun XUE Zhi |
| |
| Affiliation: | ( School of Information Security, Shanghai Jiaotong University, Shanghai 200240, China) |
| |
| Abstract: | As the problem of software vulnerabilities becomes increasingly serious, smart Fuzzing technology is widely applied in the field of vulnerability mining and software security. Frameworks for smart Fuzzing based on symbolic execution and taint analysis are developed. Under the concept of vulnerability problem and software test methodology, this paper describes theories in smart Fuzzing technology and some released smart Fuzzing frameworks, including the bottlenecks. Finally, this paper proposes a blueprint of smart Fuzzing framework based on whole system symbolic execution and cloud computing infrastructure. It can be used as a practical platform toward the COTS software fuzzing. |
| |
| Keywords: | smart Fuzzing technology vulnerability mining symbolic execution taint analysis |
| 本文献已被 维普 等数据库收录! |
|
