结合静态分析与动态符号执行的软件漏洞检测方法

动态符号执行是近年来新兴的一种软件漏洞检测方法,它可以为目标程序的不同执行路径自动生成测试用例,从而获得较高的测试代码覆盖率。然而,程序的执行路径很多,且大部分路径都是漏洞无关的,通常那些包含危险函数调用的路径更有可能通向漏洞。提出一种基于静态分析的有导动态符号执行方法,并实现了一个工具原型SAGDSE。该方法通过静态分析识别目标程序中调用危险函数的指令地址,在动态符号执行过程中遇到这些指令地址时收集危险路径约束,再通过约束求解生成走危险路径的测试用例,这些测试用例将更可能触发程序漏洞。实验结果表明了该方法的有效性。

A software vulnerability detection method based on static analysis and dynamic symbolic execution

Dynamic symbolic execution is a software vulnerability detection method emerging in recent years, which can automatically generate test cases for different execution paths of the target program, so it can obtain high test code coverage. However, there are so many execution paths of a program, and most of them are unrelated to vulnerabilities, and those paths containing dangerous function calls are more likely to lead to vulnerabilities. We propose a guided dynamic symbolic execution method based on static analysis, and implement a tool prototype named SAGDSE. This method firstly identifies the program instructions that call dangerous functions via static analysis, and then collects the constraints of dangerous paths during the dynamic symbolic execution process when encountering these instructions. Finally it generates test cases that go through these dangerous paths by solving the constraints. These test cases are more likely to trigger program vulnerabilities. Experimental results verify the effectiveness of the proposed method.