CN114490314A - Coverage-guided virtual network equipment fuzzing method and device - Google Patents


Info

Publication number: CN114490314A
Authority: CN (China)
Legal status: Granted
Application number: CN202111512416.8A
Other languages: Chinese (zh)
Other versions: CN114490314B (en)
Inventors: 张禹, 邹燕燕, 钟楠宇, 简鲲鹏, 许家欢, 刘宝旭, 霍玮
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3676 Test management for coverage analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters


Abstract

The invention discloses a coverage-guided virtual network device fuzzing method and device, and relates to fuzzing technology for virtual network devices. Aimed at virtual network devices, a customized virtualization layer compares whether the CR3 register equals the PGD value of the target process, thereby obtaining runtime information of the user-mode network service; this runtime information then guides the mutation of samples and monitors whether the target process crashes, so that non-intrusive coverage-feedback fuzzing is performed on the virtual network device.

Description

Coverage-guided virtual network equipment fuzzing method and device
Technical Field
The invention relates to fuzzing technology for virtual network devices, and in particular to a coverage-guided virtual network device fuzzing method and device.
Background
The technologies involved in the invention are network function virtualization, the operating system kernel, user-mode processes and fuzz testing.
Network function virtualization (NFV) virtualizes network functions (such as routers, switches and firewalls) that traditionally ran on dedicated hardware; a function can be packaged as a complete virtual machine called a virtual network device. With the development of SDN and virtualization technology, traditional physical network devices have evolved into virtual network devices, which run on a server as independent virtual machines under a virtual machine monitor (hypervisor). The functions of a virtual network device are consistent with those of the physical network device, and the software implementation is largely reused. Through network function virtualization, more and more mainstream network equipment manufacturers (such as Cisco, Juniper and Huawei) provide virtual network devices, mostly based on the Linux operating system. As with physical network devices, the manufacturer provides a customized command-line interface (CLI) for network configuration operations, which differs from a shell; even on a virtual network device developed on Linux, shell commands cannot be executed and applications cannot be run inside the device.
The Linux operating system, including operating systems developed on Linux, can be divided by privilege level at run time into the operating system kernel and user-mode processes. The kernel runs at the high privilege level ring 0 and user-mode processes run at the low privilege level ring 3. Different user-mode processes use independent virtual address spaces and are isolated from each other while running. The kernel is responsible for scheduling the different user-mode processes, and their control information is stored in a process control block; in Linux the process control block consists of a series of structures such as task_struct and mm_struct, and the PGD (page global directory) held in the process control block is loaded into the CR3 register while the process runs and changes when processes are switched. In a virtual network device developed on Linux, different network services are provided by different user-mode processes: for example, SNMP is provided by the snmpd process, DHCP by the dhcpd process, SSH by the sshd process, and so on.
Fuzz testing of a virtual network device means fuzz testing of its network service processes. In operating systems developed on Linux, a network service process usually provides its service as a user-mode daemon. Because the shell is restricted, mainstream fuzzing work is done in a non-intrusive manner. Non-intrusive means that the original programs in the virtual network device are not modified and no third-party programs are placed in the device for execution, i.e., the original operating logic of the virtual network device is not interfered with. The current fuzzing method for network service processes is black-box fuzzing over network communication: a packet sender generates and mutates malformed packets and tests the target process in a 'request-response' manner. This test method has the following limitations:
1. the random mutation of black-box testing can waste a great deal of time on useless test cases, because there is no strategy guiding the mutation;
2. for lack of process runtime information, such as which code was executed, the effect of black-box fuzzing is difficult to evaluate quantitatively;
3. test logic that depends only on the 'request-response' mode has difficulty accurately monitoring abnormal behaviour (such as a process crash) and can produce a large number of false alarms.
Coverage-guided fuzzing, the current mainstream fuzzing method, addresses the above limitations well. Coverage-guided fuzzing is a grey-box technique: on top of traditional black-box fuzzing it introduces execution information from the running process to distinguish test cases, and iterates deeper mutation on the test cases that produce new execution information (such as new code blocks or new edges), so that deeper fuzzing is achieved; concretely, it reaches deeper code coverage than black-box fuzzing in the same time and therefore finds more bugs. Coverage-guided fuzzing is now widely applied to desktop open-source and closed-source software, while coverage-guided fuzzing of network devices has been little researched. As noted above, the network device environment grants very limited internal privileges, so intrusively placing a helper program to obtain runtime information cannot be applied to network devices as a general method. At the same time, compared with physical network devices, a virtual network device has an additional, controllable virtualization layer at run time, so the execution information of a running process can be obtained through a customized design of that layer, and grey-box fuzzing with coverage feedback of the network device can be realized. The practical problems solved include:
1. How to locate the user-mode target process in the virtual network device, i.e., how to judge from the viewpoint of the virtual machine monitor whether the target process is executing.
For a complete operating system, including a virtualized virtual network device, the virtual machine monitor can obtain all execution information and memory contents of the running virtual machine, but from its viewpoint this information lacks semantics: for a block of memory, for example, the virtual machine monitor does not know which process it belongs to or what function it serves. This is the so-called 'semantic gap' problem. In the scenario of the present invention the virtual machine monitor can obtain the instruction execution information of all processes in the virtual network device, but the fuzzing concerns only one target process, so the instruction execution information must be separated to obtain that of the specific process.
2. How to drive coverage of the network service in the virtual network device to guide the fuzzing.
The network service process to be tested usually exists in the device as a daemon; unlike traditional desktop software, which is restarted for every test, restarting the target process every time a network request is sent would bring a large performance loss. In addition, the test flow must be redesigned because a process is introduced to perform information-guided mutation.
Disclosure of Invention
In order to solve the problems that existing fuzzing methods cannot obtain process runtime information while testing network devices and cannot perform coverage-guided fuzzing, the invention provides a coverage-guided virtual network device fuzzing method and a coverage-guided virtual network device fuzzing device. The whole process, including locating the target process and the actual testing, is transparent to the virtual network device, i.e., the operation of the virtual network device during testing does not differ from normal operation.
On the one hand, the invention provides a coverage-guided virtual network device fuzzing method, which comprises the following steps:
correctly configuring a target process in the virtual network device, sending request packets to the target process, recording N switches of the CR3 register value, and obtaining a list L that contains the PGD value of the target process, where the list L is ordered by the number of occurrences of the recorded CR3 register values in descending order;
saving a snapshot of the virtual network device;
disabling the target process in the virtual network device, recording N switches of the CR3 register value, and obtaining a list L1 that does not contain the PGD value of the target process, where the list L1 is ordered by the number of occurrences of the recorded values in descending order;
traversing the lists L and L1 and selecting the first value that appears in the list L but not in the list L1 as the PGD value of the target process;
comparing whether the currently running CR3 register value equals the PGD value of the target process, thereby judging whether the code currently running in the virtual network device belongs to the target process;
taking packets collected from the network or from communication with the target process as fuzzing seeds, placing them in a priority queue, and entering the test loop; in each test cycle, taking a packet from the priority queue, mutating it, and constructing a request to send to the target process in the virtual network device;
and obtaining the execution information of the target process through an instrumentation flow to perform the fuzzing; if the code responsible for recording a process crash is executed during one round of testing, judging that the request caused the target process to crash, and after that round is finished, recording the packet and test content related to the crash, reloading the snapshot of the virtual network device, and continuing with subsequent test cycles.
Preferably, N is 500 or more.
Preferably, reads and writes of the CR3 register are handled by a handling function, which is modified so that the original and target values of the CR3 register are obtained, as a process switch, before each change of the CR3 register value.
Preferably, the PGD value of the target process is determined by counting the number of times the CR3 register value switches and the change in CR3 register values after the target process is shut down.
Preferably, during the fuzzing, instrumentation is applied to not-yet-executed instructions on their first execution, and the instrumentation flow comprises the following steps:
during the fuzzing of the virtual network device, if the target value of a CR3 register change is the PGD value of the target process obtained when the process was located, setting a TARGET_PROCESS global variable to True, and while translating the instructions of the virtual network device, judging by the value of TARGET_PROCESS whether an instruction is in the context of the target process;
judging, by the address of the instruction, whether an instruction in the target process context is in user mode or kernel mode;
if the address of the instruction is a user-mode address, adding code for coverage statistics during translation, which updates a bitmap in shared memory when the instruction is executed;
if the address of the instruction is a kernel-mode address, judging whether it is the address that handles the abnormal signal in the kernel, and if so, adding monitoring code that records when the instruction is executed.
On the other hand, the invention also provides a coverage-guided virtual network device fuzzing device, which comprises:
a target process identifier acquisition module, used for recording PGD values, triggering the target process while the PGD values are recorded, and analysing the recorded PGD values to determine the PGD value of the target process;
a fuzzing controller, used for driving the whole fuzzing process, including synchronizing and updating the execution information of the running process, maintaining the priority queue, monitoring abnormal information of the target process and restoring the device snapshot;
a packet sender, used for mutating the packets in the priority queue and constructing and sending requests according to the different target processes;
a virtual machine monitor, which is a customized QEMU, used for judging through CR3 register value changes whether the target process is scheduled to run, then obtaining the execution information of the target process through an instrumentation flow, and recording the packet and test content related to a target process crash; wherein
the target process identifier acquisition module sends request packets to the target process, records N switches of the CR3 register value, and obtains a list L that contains the PGD value of the target process, where the list L is ordered by the number of occurrences of the recorded CR3 register values in descending order; saves a snapshot of the virtual network device; disables the target process in the virtual network device, records N switches of the CR3 register value, and obtains a list L1 that does not contain the PGD value of the target process, where the list L1 is ordered by the number of occurrences of the recorded values in descending order; and traverses the lists L and L1, selecting the first value that appears in the list L but not in the list L1 as the PGD value of the target process;
the fuzzing controller loads the PGD value of the target process and the network configuration of the virtual network device, transmits the PGD value of the target process to the virtual machine monitor, and loads the saved snapshot;
the virtual machine monitor compares whether the currently running CR3 register value equals the PGD value of the target process and determines whether the code currently running in the virtual network device belongs to the target process, i.e., locates the target process in the virtual network device;
the fuzzing controller initializes the packet sender with the network configuration of the virtual network device, takes packets collected from the network or from communication with the target process as fuzzing seeds, places them in a priority queue and enters the test loop; in each test cycle, the packet sender takes a packet from the priority queue, mutates it, and constructs a request to send to the target process in the virtual network device;
the virtual machine monitor obtains the execution information of the target process through the instrumentation flow to perform the fuzzing; if the code responsible for recording a process crash is executed during one round of testing, the request is judged to have caused the target process to crash; after that round is finished, the virtual machine monitor and the fuzzing controller synchronize the abnormal information, and the fuzzing controller records the packet and test content related to the crash, reloads the snapshot of the virtual network device and continues with subsequent test cycles.
Preferably, the virtual machine monitor uses TCG to convert the instructions in the virtual network device into the intermediate language used by the virtual machine monitor; the conversion is performed in units of basic blocks, and the virtual machine monitor implements different conversion methods for the different instructions in a basic block.
Preferably, the fuzzing controller transfers the PGD value of the target process to the virtual machine monitor through the QMP protocol.
Preferably, in the test loop the fuzzing controller notifies the virtual machine monitor to start recording the execution information of the target process and notifies the packet sender to construct a request to send to the target process, and when the packet sender receives a response or a set time limit is reached, the virtual machine monitor stops recording the execution information of the target process.
Preferably, the execution information of the target process during request processing is transmitted to the fuzzing controller in the form of a bitmap through shared memory; the fuzzing controller judges from the execution information whether the request triggered new execution information, calculates the corresponding priority and puts it into the priority queue.
Preferably, during the fuzzing, instrumentation is applied to not-yet-executed instructions on their first execution, and the instrumentation flow comprises the following steps:
during the fuzzing of the virtual network device, detecting changes of the CR3 register through the virtual machine monitor; if the target value of a CR3 register change is the PGD value of the target process obtained when the process was located, setting a TARGET_PROCESS global variable to True, and while translating the instructions of the virtual network device, judging by the value of TARGET_PROCESS whether an instruction is in the context of the target process;
judging, by the address of the instruction, whether an instruction in the target process context is in user mode or kernel mode;
if the address of the instruction is a user-mode address, adding code for coverage statistics during the translation by the virtual machine monitor, which updates a bitmap in shared memory when the instruction is executed;
if the address of the instruction is a kernel-mode address, judging whether it is the address that handles the abnormal signal in the kernel, and if so, adding monitoring code that records through the virtual machine monitor when the instruction is executed.
The invention achieves the following technical effects:
1. The method is completely transparent to the virtual network device: because the execution information of the target process is obtained from the virtual machine monitor, the virtual network device need not be modified and no third-party application is executed inside it, so it is a non-intrusive fuzzing method that the complete virtual device does not perceive.
2. The method is oriented to virtual network devices developed on Linux, which are common among the major manufacturers, and can test the different network service processes of a given virtual network device.
3. The method solves the problem that coverage-guided fuzzing currently cannot be applied to network devices; it can perform higher-quality fuzzing and discover more security vulnerabilities.
4. Fuzzing virtual network devices uses the computing resources of a server and so saves the hardware cost of the physical network devices that the tests would otherwise require, while several groups of tests can run at the same time on those computing resources.
Drawings
Fig. 1 is a flowchart of acquiring the CR3 register value corresponding to the target process in a running virtual network device in an embodiment of the invention.
Fig. 2 is a block diagram of coverage-feedback fuzzing of a virtual network device in an embodiment of the invention.
Fig. 3 is a flow diagram of the coverage statistics and anomaly monitoring instrumentation of the target process in an embodiment of the invention.
Detailed Description
In order to make the aforementioned and other features and advantages of the invention more comprehensible, embodiments accompanied by figures are described in detail below.
The embodiment of the invention discloses a coverage-guided virtual network device fuzzing method in which a user-mode target process is located by customizing QEMU, and its execution is obtained and monitored, so that coverage-guided grey-box fuzzing is carried out without intruding on or modifying the virtual network device.
The test object of the embodiment is a virtual network device, which can run on a server or a personal computer as an independent virtual machine; specifically, the host uses QEMU as the virtual machine monitor to start the virtual network device and perform the related configuration operations.
For a given network service in the virtual network device, the embodiment first locates the target process corresponding to that service, that is, it obtains the PGD (page global directory) value in the process control block of the target process. Each process has a different PGD value, so the PGD value can serve as a process identifier: from the viewpoint of the virtualization layer, the process can be recognized by examining the CR3 register value (which holds the PGD value of the currently running process), and the execution information of the running target process can then be obtained. Fig. 1 is the flowchart for acquiring the PGD value corresponding to the target process in the running virtual network device, which corresponds to the target process location stage of the invention: the PGD value of the target process is determined by counting how often each PGD value occurs and by the difference in PGD values brought about by deactivating the target process. While the virtual network device runs, the customized QEMU uses TCG to convert the instructions of the virtual network device into the intermediate language used by QEMU; the conversion is performed in units of basic blocks, and QEMU converts the different instructions in a basic block by different methods. Reads and writes of the CR3 register are handled by a special handling function, and by modifying that function the original and target values of the CR3 register can be obtained, as a process switch, before each change of the CR3 register value. The PGD value of the target process is determined as follows:
S11. Correctly configure the target service in the virtual network device and ensure that the target process runs correctly, so that the target process has a corresponding PGD value.
S12. A change of the CR3 register value is equivalent to a process switch. According to the process scheduling strategy of the Linux kernel, a process that is called frequently has a higher priority and is switched to more often, so the target process is woken up by sending packets to it without interruption while the target process identifier acquisition module records N changes of the CR3 register value (N can be greater than 500 as required), which yields a list of PGD values together with the number of times each PGD value appeared as the target value.
S13. Sort the PGD values by number of occurrences to obtain a PGD value list L that contains the target process. Since the target process is woken up frequently, its CR3 register value should appear as the target value more often, i.e., it should be near the front of the list L.
S14. Save a snapshot of the virtual network device for the subsequent fuzzing.
S15. Disable the target process in the virtual network device and ensure that it is shut down, so that the PGD value corresponding to the target process becomes invalid.
S16. The target process identifier acquisition module records N changes of the CR3 register value; the recorded PGD values do not contain the PGD value of the target process.
S17. Sort the PGD values obtained in step S16 by number of occurrences to obtain a list L1 that does not contain the PGD value of the target process.
S18. Traverse the lists L and L1; the first value that is present in the list L but absent from the list L1 is taken as the PGD value of the target process, and this PGD value is used to locate the target process subsequently.
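The S11-S18 procedure as an added worked example in C, not code from the patent or from the customized QEMU it describes: a recorder that the patched CR3 write handler would feed, the two frequency-ordered lists L and L1, and the first-in-L-but-not-in-L1 selection. The CR3 traces, the PGD values and the limit of 64 distinct values are constructed for the example, and N is 16 instead of the 500 or more the page recommends.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PGDS 64   /* distinct PGD values kept per list (constructed limit) */

typedef struct {
    uint64_t pgd;    /* value loaded into CR3 on a process switch */
    unsigned count;  /* number of recorded switches that loaded it */
} pgd_entry;

/* Recorder fed by the patched CR3 write handler (the page's modified handling
 * function): keeps only real switches (old != new) and stops after N of them. */
typedef struct { uint64_t *trace; size_t len, cap; } cr3_recorder;

static void on_cr3_write(cr3_recorder *r, uint64_t old_cr3, uint64_t new_cr3)
{
    if (old_cr3 != new_cr3 && r->len < r->cap)
        r->trace[r->len++] = new_cr3;
}

/* Descending by count; ties broken by value so the order is deterministic. */
static int by_count_desc(const void *a, const void *b)
{
    const pgd_entry *x = a, *y = b;
    if (x->count != y->count)
        return x->count < y->count ? 1 : -1;
    return (x->pgd > y->pgd) - (x->pgd < y->pgd);
}

/* Steps S13/S17: count each recorded target value and sort by frequency. */
static size_t build_pgd_list(const uint64_t *trace, size_t n, pgd_entry *out, size_t cap)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < len && out[j].pgd != trace[i])
            j++;
        if (j < len)
            out[j].count++;
        else if (len < cap)
            out[len++] = (pgd_entry){ trace[i], 1 };
    }
    qsort(out, len, sizeof *out, by_count_desc);
    return len;
}

static int in_list(const pgd_entry *l, size_t n, uint64_t pgd)
{
    for (size_t i = 0; i < n; i++)
        if (l[i].pgd == pgd) return 1;
    return 0;
}

/* Step S18: the first entry of L (target running) that is absent from L1
 * (target disabled). Returns 0 when the two traces do not separate any value. */
static uint64_t identify_target_pgd(const uint64_t *trace_on, size_t n_on,
                                    const uint64_t *trace_off, size_t n_off)
{
    pgd_entry l[MAX_PGDS], l1[MAX_PGDS];
    size_t nl  = build_pgd_list(trace_on,  n_on,  l,  MAX_PGDS);
    size_t nl1 = build_pgd_list(trace_off, n_off, l1, MAX_PGDS);
    for (size_t i = 0; i < nl; i++)
        if (!in_list(l1, nl1, l[i].pgd))
            return l[i].pgd;
    return 0;
}

/* Constructed CR3 traces (N = 16 here; the page uses N >= 500). 0x1a2000 is the
 * target, 0x2000 and 0x3c000 other processes, 0x4b000 a one-off transient. */
static const uint64_t trace_with_target[] = {
    0x1a2000, 0x2000, 0x1a2000, 0x3c000, 0x1a2000, 0x2000, 0x1a2000, 0x2000,
    0x1a2000, 0x4b000, 0x1a2000, 0x2000, 0x1a2000, 0x2000, 0x1a2000, 0x2000,
};
static const uint64_t trace_without_target[] = {
    0x2000, 0x3c000, 0x2000, 0x2000, 0x3c000, 0x2000, 0x2000, 0x3c000,
    0x2000, 0x2000, 0x3c000, 0x2000,
};

/* Runs the S13-S18 comparison on the constructed traces. */
static uint64_t demo_identify(void)
{
    return identify_target_pgd(trace_with_target, 16, trace_without_target, 12);
}

int main(void)
{
    /* Feed the recorder the way the patched handler would, then identify. */
    uint64_t buf[4]; cr3_recorder rec = { buf, 0, 4 };
    on_cr3_write(&rec, 0x2000, 0x2000);     /* same value: not a switch */
    on_cr3_write(&rec, 0x2000, 0x1a2000);
    printf("recorded %zu switch(es); target PGD = 0x%llx\n", rec.len,
           (unsigned long long)demo_identify());
    return 0;
}
```

Because L is ordered by frequency, the one-off transient 0x4b000 (also absent from L1) ranks below the repeatedly woken target and is not chosen.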
The coverage-feedback fuzzing phase, shown in fig. 2, is carried out mainly by three modules: the fuzzing controller, the packet sender and the customized QEMU. The fuzzing controller drives the whole fuzzing process, including synchronizing and updating process execution information, maintaining the priority queue, monitoring abnormal information of the target process, restoring the device snapshot, and so on. The packet sender mutates packets and constructs and sends requests according to the different target processes. The customized QEMU is a virtual machine monitor customized to the test requirements: it can judge from CR3 register value changes whether the target process is scheduled to run, and then inserts coverage statistics code into the TCG-translated execution code of the target process, so that the execution information of the target process is recorded at run time. The execution information is stored in shared memory in the form of a bitmap and shared with the fuzzing controller. If the target process crashes during testing, the customized QEMU records the crash information and synchronizes with the fuzzing controller, and the related packets and test content are recorded.
The coverage-feedback fuzzing of the virtual network device is performed over network communication, according to the following steps (corresponding to the steps in fig. 2):
S21. The fuzzing controller loads the located PGD value of the target process and the network configuration of the virtual network device.
S22. The fuzzing controller transmits the PGD value used to locate the target process to the customized QEMU through the QMP protocol and loads the saved snapshot, completing the initialization of the test environment.
S23. The customized virtual machine monitor compares whether the currently running CR3 register value equals the PGD value of the target process and judges whether the code currently running in the virtual network device belongs to the target process, i.e., it locates the target process in the virtual network device.
S24. The fuzzing controller initializes the packet sender with the network configuration of the virtual network device, places the initial packets (collected from the network or from communication with the target process) in a priority queue as fuzzing seeds, and enters the test loop. The priority queue is the input of the packet sender, and mutation is performed on the packets stored in it, which realizes coverage-guided fuzzing. In each test cycle the fuzzing controller notifies the customized QEMU to start recording the execution information of the target process and at the same time notifies the packet sender to take a seed from the priority queue, mutate it and construct a request to send to the target process; when the packet sender receives a response or a set time limit is reached, the virtual machine monitor stops recording the execution information of the target process.
S25. The execution information of the target process during request processing is transmitted to the fuzzing controller through the shared memory in the form of a bitmap. From the execution information of the request, the fuzzing controller judges whether the request triggered new execution information, calculates the corresponding priority and puts it into the priority queue.
S26. The coverage acquired by the customized QEMU comes from a user-mode process in the virtual network device, but that alone cannot monitor abnormal information. To realize monitoring, the customized QEMU instruments part of the kernel code executed in the virtual network device. If, during one test cycle, the specific kernel code responsible for recording a process crash is executed, the request (i.e., one request of the test cycle in step S24) is considered to have caused the target process to crash; after the run finishes, the customized QEMU synchronizes the abnormal information with the fuzzing controller, which records the related information (request content, time, test number, etc.) and reloads the snapshot of the virtual network device for the subsequent tests.
The instrumentation flow corresponding to step S26 is applied only to the instructions of the target process and a small amount of kernel code; the specific flow is shown in fig. 3. While the virtual network device runs, QEMU detects changes of the CR3 register, and if the target value of a CR3 register change is the PGD value of the target process obtained in the process location stage, it sets the TARGET_PROCESS global variable to True, so that during translation of the instructions of the virtual network device, whether an instruction is in the context of the target process can be determined from the value of TARGET_PROCESS. An instruction in the target process context is judged to be in user mode or kernel mode according to its address. If the address is a user-mode address, coverage statistics code is added during the translation by the customized QEMU, which updates the bitmap in shared memory when the instruction is executed. If the address is a kernel-mode address, it is checked whether it is the address that handles the abnormal signal in the kernel, and if so, monitoring code is added that records through the customized QEMU when the instruction is executed.
Although the present invention has been described with reference to the above embodiments, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A coverage-guided virtual network device fuzzing method, characterized by comprising the following steps:
correctly configuring a target process in the virtual network device, sending request packets to the target process, recording N switches of the CR3 register value, and obtaining a list L containing the PGD value of the target process, the list L being arranged in descending order of the recorded occurrence counts of the CR3 register values;
saving a snapshot of the virtual network device;
disabling the target process in the virtual network device, recording N switches of the CR3 register value, and obtaining a list L1 that does not contain the PGD value of the target process, the list L1 being arranged in descending order of the recorded occurrence counts of the values;
traversing the lists L and L1, and selecting the first value that appears in the list L but does not appear in the list L1 as the PGD value of the target process;
comparing whether the currently running CR3 register value is equal to the PGD value of the target process, and judging whether the code currently running in the virtual network device belongs to the target process;
taking packets collected from the network or from communication with the target process as fuzzing seeds, placing them in a priority queue, and carrying out a test loop; in each test cycle, obtaining a packet from the priority queue, mutating it, and constructing a request to send to the target process in the virtual network device;
and obtaining the execution information of the target process through an instrumentation flow to perform the fuzz test, judging that the request caused the target process to crash if the code responsible for recording a process crash is executed during one round of testing, recording the packet and test contents related to the target process crash after that round ends, reloading the snapshot of the virtual network device, and continuing the subsequent test loop.
2. The method of claim 1, wherein reads and writes of the CR3 register are handled by a handling function that is modified so as to obtain the original and target values of the CR3 register as a process switch, before each change of the CR3 register value.
3. The method of claim 1, wherein the PGD value of the target process is determined by counting the switches of the CR3 register value and the change in the CR3 register values after the target process is shut down.
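The two-trace comparison of claims 1 and 3 (list L recorded with the target running, list L1 recorded after the target is disabled, the PGD being the first entry of L absent from L1) is small enough to show end to end. The following is an added example written for this page, not code from the patent; the traces are constructed sample data and the PGD values in them are made up.

```python
from collections import Counter

# Constructed sample traces (not from the patent): each entry is the new value
# loaded into CR3 at one context switch, as reported by the modified CR3 write
# handler of claim 2 (the old value is not needed for the ranking).
TARGET_PGD = 0x3C2F000   # constructed: page table of the target daemon

def _expand(pairs):
    """Turn (pgd, count) pairs into a flat switch trace; order is irrelevant."""
    return [pgd for pgd, count in pairs for _ in range(count)]

# Trace 1: target running and being sent requests (claim 1, list L).
TRACE_WITH_TARGET = _expand([
    (0x1A0000, 6),    # kernel/idle task, switched to most often
    (TARGET_PGD, 5),
    (0x2B0000, 4),    # an unrelated long-lived daemon
    (0x4D0000, 2),    # a transient process that only ran during trace 1
    (0x5E0000, 1),
])
# Trace 2: target disabled after the snapshot was saved (claim 1, list L1).
TRACE_WITHOUT_TARGET = _expand([
    (0x1A0000, 7),
    (0x2B0000, 5),
    (0x6F0000, 3),    # a transient process that only ran during trace 2
    (0x5E0000, 2),
])

def ranked_pgd_values(cr3_switches):
    """Distinct CR3 target values in descending order of occurrence count
    (the lists L and L1 of claim 1); ties are broken by value for determinism."""
    counts = Counter(cr3_switches)
    return [v for v, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

def locate_target_pgd(trace_with_target, trace_without_target):
    """Claim 1: the first value of L that does not appear in L1."""
    ranked_l = ranked_pgd_values(trace_with_target)
    seen_in_l1 = set(ranked_pgd_values(trace_without_target))
    for pgd in ranked_l:
        if pgd not in seen_in_l1:
            return pgd
    return None   # traces too short, or the target was never scheduled

if __name__ == "__main__":
    print("L  =", [hex(v) for v in ranked_pgd_values(TRACE_WITH_TARGET)])
    print("L1 =", [hex(v) for v in ranked_pgd_values(TRACE_WITHOUT_TARGET)])
    print("target PGD:", hex(locate_target_pgd(TRACE_WITH_TARGET, TRACE_WITHOUT_TARGET)))
```

The transient value 0x4D0000 also appears only in L, but is ranked below the target and so is not chosen; the method relies on N being large enough that the target, which is being fed requests, is switched to more often than any transient process. The S23 check (the code executing under the chosen CR3 value should be the target's) is the natural way to confirm the result before fuzzing starts.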
4. The method of claim 1, wherein the instrumentation flow is applied, during the fuzz testing process, on the first run of instructions that have not yet been executed, the instrumentation flow comprising the following steps:
during the fuzz test of the virtual network device, if the new value written to the CR3 register is the PGD value of the target process obtained during process positioning, setting a TARGET_PROCESS global variable to True, and, during translation of the instructions of the virtual network device, judging from the value of TARGET_PROCESS whether an instruction is in the context of the target process;
classifying an instruction in the target process context as user mode or kernel mode according to the address of the instruction;
if the address of the instruction is a user-mode address, adding coverage-statistics code during translation, and updating a bitmap in shared memory when the instruction executes;
if the address of the instruction is a kernel-mode address, judging whether it is the address of the abnormal-signal handling code in the kernel, and if so, adding monitoring code and recording when the instruction executes.
5. A coverage-guided virtual network device fuzz testing apparatus, comprising:
a target process identification acquisition module, used for recording PGD values, triggering the target process while the PGD values are recorded, and analyzing the recorded PGD values so as to determine the PGD value of the target process;
a fuzz test controller, used for driving the whole fuzz testing process, including synchronizing and updating the execution information while a process runs, maintaining a priority queue, monitoring abnormal information of the target process and restoring a device snapshot;
a packet sender, used for mutating the packets in the priority queue, constructing requests according to the different target processes and sending the requests;
a virtual machine monitor, implemented as a customized QEMU, used for judging from changes of the CR3 register value whether the target process is scheduled to run, then obtaining the execution information of the target process through an instrumentation flow, and recording the packet and test contents related to a target process crash; wherein,
the target process identification acquisition module sends request packets to the target process, records N switches of the CR3 register value, and obtains a list L containing the PGD value of the target process, the list L being arranged in descending order of the recorded occurrence counts of the CR3 register values; saves a snapshot of the virtual network device; disables the target process in the virtual network device, then records N switches of the CR3 register value and obtains a list L1 that does not contain the PGD value of the target process, the list L1 being arranged in descending order of the recorded occurrence counts of the values; and traverses the lists L and L1, selecting the first value that appears in the list L but does not appear in the list L1 as the PGD value of the target process;
the fuzz test controller loads the PGD value of the target process and the network configuration of the virtual network device, passes the PGD value of the target process to the virtual machine monitor, and loads the saved snapshot;
the virtual machine monitor compares whether the currently running CR3 register value is equal to the PGD value of the target process, and determines whether the code currently running in the virtual network device belongs to the target process;
the fuzz test controller initializes the packet sender with the network configuration of the virtual network device, takes packets collected from the network or from communication with the target process as fuzzing seeds, places them in a priority queue and carries out a test loop; in each test cycle, the packet sender obtains a packet from the priority queue, mutates it, and constructs a request to send to the target process in the virtual network device;
the virtual machine monitor obtains the execution information of the target process through an instrumentation flow to perform the fuzz test; if the code responsible for recording a process crash is executed during one round of testing, the request is judged to have caused the target process to crash; after that round ends, the virtual machine monitor and the fuzz test controller synchronize the abnormal information, and the fuzz test controller records the packet and test contents related to the target process crash, reloads the snapshot of the virtual network device and continues the subsequent test loop.
6. The apparatus of claim 5, wherein the virtual machine monitor uses TCG to translate the instructions of the virtual network device into the intermediate language used by the virtual machine monitor, translation being performed in basic block units.
7. The apparatus of claim 5, wherein the fuzz test controller passes the PGD value of the target process to the virtual machine monitor through the QMP protocol.
8. The apparatus of claim 5, wherein, in the test loop, the fuzz test controller notifies the virtual machine monitor to start recording the execution information of the target process and notifies the packet sender to construct a request to send to the target process, and when the packet sender receives a response or the set time limit is reached, the virtual machine monitor stops recording the execution information of the target process.
9. The apparatus of claim 5, wherein the execution information of the target process while it handles the request is passed through shared memory and transferred to the fuzz test controller in the form of a bitmap; and the fuzz test controller judges from the execution information whether the request triggered new execution information, calculates a corresponding priority and places the request in the priority queue.
10. The apparatus of claim 5, wherein the instrumentation flow is applied, during the fuzz testing process, on the first run of instructions that have not yet been executed, the instrumentation flow comprising the following steps:
during the fuzz test of the virtual network device, detecting changes of the CR3 register through the virtual machine monitor; if the new value written to the CR3 register is the PGD value of the target process obtained during process positioning, setting a TARGET_PROCESS global variable to True, and, during translation of the instructions of the virtual network device, judging from the value of TARGET_PROCESS whether an instruction is in the context of the target process;
classifying an instruction in the target process context as user mode or kernel mode according to the address of the instruction;
if the address of the instruction is a user-mode address, adding coverage-statistics code during translation by the virtual machine monitor, and updating a bitmap in shared memory when the instruction executes;
if the address of the instruction is a kernel-mode address, judging whether it is the address of the abnormal-signal handling code in the kernel, and if so, adding monitoring code and recording through the virtual machine monitor when the instruction executes.
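The instrumentation decision of fig. 3 (claims 4 and 10) and the controller-side loop around it (steps S24 to S26, claims 8 and 9) fit together in one test cycle: the monitor tracks CR3, counts edges only for user-mode blocks of the target, raises a flag when the kernel's crash-recording address is reached, and the controller compares the bitmap against everything seen so far, assigns a priority and notes crashes. The model below is an added example, not the patent's QEMU modifications; it merges translation-time and run-time behaviour into one `on_block` call, uses an AFL-style edge bitmap, and assumes a 64-bit guest whose kernel text lies above `KERNEL_BOUNDARY`. `CRASH_HOOK_ADDR`, the PGD values and `simulate_guest` are placeholders and constructed stand-ins.

```python
import heapq
import itertools

MAP_SIZE = 1 << 16                 # AFL-style edge bitmap size (assumption)
# Assumption: a 64-bit guest with the usual split, so kernel text lives above
# this boundary; the patent only says the mode is decided "from the address".
KERNEL_BOUNDARY = 0xFFFF800000000000
# Placeholder, not from the patent: address of the kernel routine that records
# a fatal signal for a process. A real build resolves it from the guest
# kernel's symbol table.
CRASH_HOOK_ADDR = 0xFFFFFFFF81060000
TARGET_PGD = 0x3C2F000   # constructed
OTHER_PGD = 0x2B0000     # constructed: some other guest process

class InstrumentedVM:
    """Models the customized QEMU of S23/S26 and claim 10: a CR3 watch,
    edge-coverage instrumentation for user-mode blocks of the target, and a
    monitor hook on one kernel address."""
    def __init__(self, target_pgd):
        self.target_pgd = target_pgd
        self.target_process = False        # the TARGET_PROCESS global
        self.recording = False             # toggled by the controller (claim 8)
        self.bitmap = bytearray(MAP_SIZE)  # shared-memory bitmap (claim 9)
        self.prev_loc = 0
        self.crashed = False

    def on_cr3_write(self, new_value):
        self.target_process = (new_value == self.target_pgd)
        self.prev_loc = 0                  # edges do not span context switches

    def on_block(self, addr):
        """Return which instrumentation a basic block at addr receives."""
        if not (self.target_process and self.recording):
            return "none"
        if addr < KERNEL_BOUNDARY:         # user mode: coverage statistics
            cur = (addr >> 4) & (MAP_SIZE - 1)
            idx = cur ^ self.prev_loc
            self.bitmap[idx] = min(255, self.bitmap[idx] + 1)
            self.prev_loc = cur >> 1
            return "coverage"
        if addr == CRASH_HOOK_ADDR:        # kernel mode: crash monitor
            self.crashed = True
            return "monitor"
        return "none"

class FuzzController:
    """Models S24/S25: priority queue of packets, new-coverage detection over
    the bitmap, crash bookkeeping and snapshot reload."""
    def __init__(self):
        self.seen = bytearray(MAP_SIZE)    # edges observed in any earlier cycle
        self.queue = []                    # (-priority, seq, packet)
        self.seq = itertools.count()
        self.test_no = 0
        self.crashes = []
        self.snapshot_reloads = 0

    def add_seed(self, packet, priority=0):
        heapq.heappush(self.queue, (-priority, next(self.seq), packet))

    def run_cycle(self, vm, packet, send_request):
        self.test_no += 1
        vm.bitmap[:] = bytes(MAP_SIZE)
        vm.crashed = False
        vm.recording = True                # "start recording"
        send_request(vm, packet)           # returns on response or time limit
        vm.recording = False               # "stop recording"
        new_edges = 0
        for i, hits in enumerate(vm.bitmap):
            if hits and not self.seen[i]:
                self.seen[i] = 1
                new_edges += 1
        if new_edges:                      # new execution information: requeue
            self.add_seed(packet, priority=new_edges)
        if vm.crashed:
            self.crashes.append({"test_no": self.test_no, "packet": packet})
            self.snapshot_reloads += 1     # reload the snapshot before the next cycle
        return {"new_edges": new_edges, "crashed": vm.crashed}

def simulate_guest(vm, packet):
    """Constructed stand-in for the guest plus packet sender: the scheduler runs
    another process, switches to the target, which executes blocks chosen by
    the packet bytes, and a packet starting with b"CRASH" ends in the kernel's
    fatal-signal path."""
    vm.on_cr3_write(OTHER_PGD)
    vm.on_block(0x401000)                  # not recorded: wrong CR3
    vm.on_cr3_write(TARGET_PGD)
    vm.on_block(0x401000)                  # request parser entry
    for byte in packet[:8]:
        vm.on_block(0x402000 + byte * 0x40)   # one handler block per byte value
    if packet.startswith(b"CRASH"):
        vm.on_block(CRASH_HOOK_ADDR)
    vm.on_cr3_write(OTHER_PGD)

def demo():
    vm, ctl = InstrumentedVM(TARGET_PGD), FuzzController()
    ctl.add_seed(b"GET / HTTP/1.0")
    first = ctl.run_cycle(vm, b"GET / HTTP/1.0", simulate_guest)
    again = ctl.run_cycle(vm, b"GET / HTTP/1.0", simulate_guest)
    crash = ctl.run_cycle(vm, b"CRASH / HTTP/1.0", simulate_guest)
    return first, again, crash, ctl
```

Running `demo()` shows the three outcomes the patent distinguishes: the seed yields new edges and is requeued with that count as its priority, the identical replay yields none, and the crashing input sets the crash flag, is recorded with its test number, and triggers a snapshot reload. One caveat for a real guest: with kernel page-table isolation enabled, the kernel-mode half of the target runs under a separate kernel PGD, so the CR3 equality check of S23 would also have to accept that value for the kernel-address branch to fire; the patent does not discuss this.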
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111512416.8A CN114490314B (en) 2021-12-08 Coverage rate guided virtual network equipment fuzzy test method and coverage rate guided virtual network equipment fuzzy test device

Publications (2)

Publication Number Publication Date
CN114490314A true CN114490314A (en) 2022-05-13
CN114490314B CN114490314B (en) 2024-07-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant