Testcase Synchronization Method for Hybrid Fuzzing Based on Keypoints
Cite this article: ZHAO Lei, HUI Tao, JIANG Keyang, CAO Pengcheng. Testcase Synchronization Method for Hybrid Fuzzing Based on Keypoints [J]. Journal of Sichuan University (Engineering Science Edition), 2022, 54(3): 55-63.
Authors: ZHAO Lei, HUI Tao, JIANG Keyang, CAO Pengcheng
Affiliation: School of Cyber Science and Engineering, Wuhan University (all four authors)
Funding: National Natural Science Foundation of China (62172305, U1836112); Key Research and Development Program of Hubei Province (2020BAA003)
Abstract (translated from the Chinese): Hybrid fuzzing combines fuzzing and symbolic execution so that each compensates for the other's weaknesses, and testcase synchronization is the key to that cooperation. In existing hybrid fuzzing schemes, however, testcases are synchronized mainly by plain exchange and merging; this discards the runtime information gathered while exploring program states and leaves the symbolic execution process under-exploited. To address this, this paper proposes a testcase synchronization method based on program keypoints: it mines the execution process of symbolic execution, locates and identifies coverage-oriented program keypoints, and uses them to guide seed scheduling and mutation in the fuzzer, achieving finer-grained testcase synchronization. First, during symbolic execution the method identifies the set of variables associated with branches that the fuzzer struggles to reach and extracts them as the program's keypoints. Second, to make full use of the solver's output, the keypoint information obtained from individual solves is further combined and matched, so that the symbolic execution module can generate additional testcases that the fuzzer is able to import. Finally, in the fuzzing module, seed selection prioritises testcases that carry keypoint information, steering exploration toward specific regions of the program, and mutation concentrates on the keypoint positions so as to produce testcases that cover new branches. A prototype, Sol-QSYM, was implemented on top of the hybrid fuzzer QSYM and evaluated on 12 real-world programs. The results show that Sol-QSYM raises the successful testcase import rate by 12.73%, improves code coverage by 9.07% over QSYM, and finds more program crashes. These results indicate that the improved synchronization method substantially increases how much of the program-state exploration performed by symbolic execution a hybrid fuzzer can actually use.

Keywords: fuzzing; symbolic execution; testcase synchronization; hybrid fuzzing
Received: 2021-09-27
Revised: 2022-03-31

Abstract (authors' English version): Hybrid fuzzing lets symbolic execution and fuzzing cooperate so that each compensates for the other's weaknesses, and the synchronization of testcases is the key to that cooperation. In existing hybrid fuzzers, however, testcase synchronization is implemented as plain exchange and merging, which ignores the runtime information produced during program state exploration and does not take full advantage of the symbolic execution process. To address this, a keypoint-based testcase synchronization method for hybrid fuzzing is proposed. It analyses and mines the execution process of symbolic execution, locates and identifies coverage-oriented program keypoints, and then uses them to guide testcase scheduling and mutation in the fuzzer, achieving finer-grained testcase synchronization. First, the set of variables corresponding to branches that the fuzzing module finds hard to reach is identified during symbolic execution and extracted as the program's keypoints. Second, to make full use of the solver's results, the keypoints obtained from single solves are further combined so that the symbolic execution module can generate additional testcases that the fuzzing module is able to import. Finally, in the fuzzing module, testcases that carry keypoints are preferentially selected in the seed-selection step to steer exploration toward specific regions of the program, and keypoint positions are emphasised in the mutation step to guide the generation of testcases that cover new code branches. A prototype system, Sol-QSYM, was implemented on top of the hybrid fuzzer QSYM, and 12 real-world programs were selected for experimental evaluation.
The experiments show that Sol-QSYM improves the successful testcase import rate by 12.73% and code coverage by 9.07% compared with QSYM, and finds more program crashes than QSYM and AFL. These results indicate that the enhanced testcase synchronization method improves how well hybrid fuzzing exploits the program-state exploration results of symbolic execution.
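The three steps the abstracts describe (keypoint extraction from solved hard branches, recombination of single-solve keypoints into extra importable testcases, and keypoint-prioritised scheduling plus keypoint-focused mutation on the fuzzer side) are easier to follow on a concrete loop. The Python below is an added toy model written for this page; it is not code from Sol-QSYM, QSYM or the authors. The target program, its branch table, the keypoint record, the +/-1 mutation window and the list of interesting byte values are all constructed assumptions, and the "solver" reads the branch conditions from a table instead of running symbolic execution.

```python
"""Toy keypoint-based testcase synchronization between a symbolic execution
(SE) module and a fuzzer. Added example: not Sol-QSYM or QSYM code. The
target, branch table, keypoint format, +/-1 window and interesting values
are constructed for illustration only."""
import itertools
from dataclasses import dataclass

INPUT_LEN = 10

# Constructed target: two "hard" branches compare fixed input bytes with
# constants. BRANCH_CONDS states them declaratively so the toy solver can
# read them instead of building SMT constraints.
BRANCH_CONDS = {
    "hdr":   ((0,), b"\x7f"),
    "magic": ((4, 5, 6, 7), b"MAGI"),
}

def target(data: bytes):
    """Run the constructed target; return (set of branch ids hit, crashed?)."""
    cov = set()
    if len(data) < INPUT_LEN:
        return cov, False
    if data[0] == 0x7F:
        cov.add("hdr")
        cov.add("type%d" % (data[1] & 3))   # cheap switch right behind a hard check
    if data[4:8] == b"MAGI":
        cov.add("magic")
    if "hdr" in cov and "magic" in cov:
        cov.add("both")
        if data[8] > 200:                   # constructed bug behind both checks
            cov.add("deep")
            return cov, True
    return cov, False

@dataclass(frozen=True)
class Keypoint:
    """Input bytes pinned by one solved path constraint, plus the branch it guards."""
    offsets: tuple
    values: bytes
    branch: str

@dataclass
class Seed:
    data: bytes
    keypoints: frozenset = frozenset()      # keypoints this testcase carries

def solve_hard_branches(covered: set):
    """Stand-in for the SE module: for each hard branch the fuzzer has not
    covered, 'solve' it by reading BRANCH_CONDS and return the pinned bytes
    (the variable set of that hard-to-reach branch) as a keypoint."""
    return [Keypoint(offs, vals, br)
            for br, (offs, vals) in BRANCH_CONDS.items() if br not in covered]

def apply_keypoints(data: bytes, kps) -> bytes:
    buf = bytearray(data)
    for kp in kps:
        for off, val in zip(kp.offsets, kp.values):
            buf[off] = val
    return bytes(buf)

def combine_keypoints(seed: bytes, kps):
    """Recombine single-solve keypoints: every subset whose byte offsets do not
    conflict becomes one extra candidate, so n solves give more than n testcases."""
    out = []
    for r in range(1, len(kps) + 1):
        for combo in itertools.combinations(kps, r):
            used = [o for kp in combo for o in kp.offsets]
            if len(used) != len(set(used)):
                continue                     # two constraints on the same byte
            out.append(Seed(apply_keypoints(seed, combo), frozenset(combo)))
    return out

def import_testcases(queue, candidates, covered: set) -> int:
    """Fuzzer-side import: accept a candidate only if it reaches code the fuzzer
    has not seen yet. imported / offered is the 'successful import rate'."""
    imported = 0
    for cand in candidates:
        cov, _ = target(cand.data)
        if cov - covered:
            covered |= cov
            queue.append(cand)
            imported += 1
    return imported

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFE, 0xFF)

def mutation_offsets(seed: Seed, focus: bool):
    """focus=True: mutate only keypoint bytes and their +/-1 neighbours (window
    size is this toy's assumption); focus=False: mutate every byte."""
    if focus and seed.keypoints:
        return sorted({o + d for kp in seed.keypoints for o in kp.offsets
                       for d in (-1, 0, 1) if 0 <= o + d < len(seed.data)})
    return list(range(len(seed.data)))

def fuzz(queue, focus: bool):
    """One deterministic fuzzing pass: seeds carrying keypoints are scheduled
    first; each chosen byte is set to every interesting value."""
    covered, crashes, execs = set(), [], 0
    for seed in sorted(queue, key=lambda s: len(s.keypoints), reverse=True):
        for off in mutation_offsets(seed, focus):
            for val in INTERESTING:
                buf = bytearray(seed.data)
                buf[off] = val
                cov, crashed = target(bytes(buf))
                execs += 1
                covered |= cov
                if crashed:
                    crashes.append(bytes(buf))
    return covered, crashes, execs

def synchronize(seed_data: bytes, focus: bool) -> dict:
    """One round of the hybrid loop: fuzzer coverage -> SE keypoints ->
    combined candidates -> import -> keypoint-guided fuzzing."""
    queue = [Seed(seed_data)]
    covered, _ = target(seed_data)
    candidates = combine_keypoints(seed_data, solve_hard_branches(covered))
    imported = import_testcases(queue, candidates, covered)
    cov, crashes, execs = fuzz(queue, focus)
    return {"offered": len(candidates), "imported": imported,
            "coverage": cov, "crashes": len(crashes), "execs": execs}
```

Running `synchronize(b"\x00" * INPUT_LEN, focus)` for both settings shows the effect the paper is after in miniature: the two single solves are recombined into three candidates and all three are imported (the combined one is the only way to reach the code behind both checks), and the keypoint-focused pass reaches the same eight branches and the same crashes as the mutate-everything pass in 156 executions instead of 240, because mutation effort is spent next to the bytes that the solver showed control the hard branches.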