Abstract:
Fuzzing is a security testing technique that plays an increasingly important role, especially in detecting vulnerabilities. Fuzzing has developed rapidly in recent years, and a large number of new results have emerged, so it is necessary to summarize and analyze them in order to follow the research frontier. Based on the 4 top security conferences on network and system security (IEEE S&P, USENIX Security, CCS, NDSS), we summarized the basic workflow of fuzzing, which consists of preprocessing, input building, input selection, evaluation, and post-fuzzing. We discussed the tasks and challenges of each stage and the corresponding research results. We focused our analysis on coverage-guided fuzzing, represented by the American Fuzzy Lop (AFL) tool and its improvements. Applying fuzzing in different domains raises vastly different challenges. By sorting and analyzing the related literature, we summarized the unique requirements of fuzzing in specific areas and the corresponding solutions. We concentrated on the Internet of Things and kernel security because of their rapid development and importance. In recent years, progress in anti-fuzzing techniques and in machine learning has brought both challenges and opportunities to the development of fuzzing. These opportunities and challenges point to directions for further research.
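As an added illustration (not code from the survey or from AFL itself), the following Python sketch walks through the five workflow stages named above on a constructed toy target with a planted bug; the target, the seed corpus and the use of only AFL's deterministic byte-value stage (no random "havoc" stage) are assumptions made for the demo.

```python
def target(data: bytes, cov: set) -> None:
    """Constructed toy program under test (hypothetical). It records each branch
    it takes in `cov` (AFL's edge bitmap, in spirit) and raises on one deep path."""
    cov.add("entry")
    for i, b in enumerate(b"FUZZ"):  # byte-wise header check: one edge per byte
        if len(data) <= i or data[i] != b:
            return
        cov.add(f"magic{i}")
    if len(data) > 4 and data[4] == ord("!"):
        cov.add("bang")
        if len(data) > 5 and data[5] >= 0x80:
            cov.add("high")
            raise RuntimeError("planted bug reached")  # stands in for a crash

def run(data: bytes):
    """Evaluation stage: execute the target once, return (coverage, crashed)."""
    cov = set()
    try:
        target(data, cov)
    except RuntimeError:
        return cov, True
    return cov, False

def fuzz(seeds):
    """Coverage-guided loop; returns (queue, crashes) after the deterministic stage."""
    queue = list(seeds)                 # preprocessing: the seed corpus
    crashes = {}                        # path signature -> first crashing input
    seen = set().union(*(run(s)[0] for s in seeds))  # global coverage so far
    i = 0
    while i < len(queue):               # input selection: FIFO over inputs that added coverage
        base = queue[i]
        i += 1
        for pos in range(len(base)):    # input building: every byte value at every
            for v in range(256):        # position (AFL-style deterministic stage)
                cand = base[:pos] + bytes([v]) + base[pos + 1:]
                cov, crashed = run(cand)
                if crashed:             # post-fuzzing: deduplicate crashes by path
                    crashes.setdefault(frozenset(cov), cand)
                elif not cov <= seen:   # new edge reached -> keep for further mutation
                    seen |= cov
                    queue.append(cand)
    return queue, crashes

def minimize(data: bytes) -> bytes:
    """Post-fuzzing: strip trailing bytes while the crash still reproduces."""
    while len(data) > 1 and run(data[:-1])[1]:
        data = data[:-1]
    return data
```

Calling `fuzz([b"AAAAAAAA"])` with the constructed seed queues one coverage-increasing input per header byte before reaching the planted bug, and `minimize` reduces the first crashing input to the shortest suffix-trimmed reproducer.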