CN116069672B - Seed variation method and test method for kernel directional fuzzy test of operating system - Google Patents


Publication number
CN116069672B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310288727.3A
Other languages
Chinese (zh)
Other versions
CN116069672A (en)
Inventor
施荣华
彭瑞康
施鹤远
胡超
梁锴
陈世俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central South University
Original Assignee
Central South University
Application filed by Central South University
Priority to CN202310288727.3A
Publication of CN116069672A
Application granted
Publication of CN116069672B
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention discloses a seed mutation method for directed fuzz testing of an operating system kernel, comprising: acquiring data information of the target operating system; constructing a function call graph and a control flow graph; obtaining an inter-procedural control flow graph; obtaining a distance metric of the kernel code relative to the target position; evaluating the existing seeds and obtaining the seeds that meet the set conditions; performing quality scoring and energy allocation on the obtained seeds to obtain test case seeds with different energies; and performing adaptive mutation on the test case seeds to complete the seed mutation. The invention also discloses a testing method that includes this seed mutation method. The method ensures that high-quality seeds are mutated and executed preferentially, making seed mutation highly reliable, efficient and effective, and it also reduces the resource cost of the subsequent testing process, shortens the test time and raises test efficiency.

Description

Seed variation method and test method for kernel directional fuzzy test of operating system
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a seed mutation method and a testing method for directed fuzz testing of an operating system kernel.
Background
With the development of economy and technology and the improvement of living standards, computer operating systems are widely used in production and daily life and bring great convenience to both. Ensuring that the operating system runs stably and reliably has therefore become one of the key research topics.
The kernel is the core of an operating system. It is the first layer of software extension on top of the hardware and provides the most basic functions of the operating system, on which all of its other work depends. Ensuring the security of the operating system kernel is therefore essential to maintaining the security of a computer.
Fuzz testing (fuzzing) is currently a mainstream software testing method. It generates test cases automatically or semi-automatically, feeds them into the target system, and captures vulnerabilities by monitoring abnormal behavior of the system while the test cases run. Applying fuzz testing to kernel security has already achieved good results.
In fuzz testing of an operating system kernel, a system call sequence is used as the seed, random parameters and sequences are generated for the operating system to execute, and the operation of the operating system is monitored at the same time by a defect detection tool inside the kernel, so as to find abnormal states of the operating system at run time.
In the field of kernel fuzz testing, most current technical schemes perform vulnerability discovery guided by coverage. The basic flow is as follows:
First, the fuzz testing tool generates valid system call seeds from manually coded rules and puts them into the seed pool as the initial input. Test case seeds are then selected according to seed coverage information and mutated, and the test cases generated by mutation are executed in the kernel under test. The data flow and control flow information produced by execution guides the choice of mutation strategy. If a new position is covered while the test case executes, the test case is stored in the seed pool for later use. If the program enters an abnormal state while the test case executes, a kernel operation security violation report is received and the test ends; if no abnormal state occurs, the test case is invalid, it should be discarded, and the test ends.
During kernel fuzz testing, the fuzz testing tool selects seeds on the basis of kernel code coverage. However, the amount of kernel code is huge, and for certain specific needs (such as fuzz testing a designated position after a patch has been applied) a coverage-guided approach often spends a large amount of resources on test cases that cannot reach the target site, so that the running time becomes too long and the efficiency and effectiveness of the testing work end up clearly out of balance.
Disclosure of Invention
The first object of the invention is to provide a seed mutation method for directed fuzz testing of an operating system kernel that is highly reliable, efficient and effective.
The second object of the invention is to provide a testing method that includes this seed mutation method for directed fuzz testing of an operating system kernel.
The seed mutation method for directed fuzz testing of an operating system kernel provided by the invention comprises the following steps:
S1, acquiring data information of the target operating system;
S2, performing static analysis on the kernel source code of the target operating system according to the data information obtained in step S1, and constructing a function call graph and a control flow graph with functions and basic blocks as their respective granularity;
S3, integrating the function call graph and the control flow graph constructed in step S2 to obtain an inter-procedural control flow graph;
S4, performing kernel distance calculation on the target position to be tested and the inter-procedural control flow graph to obtain a distance metric of the kernel code relative to the target position;
S5, evaluating the seeds of the existing kernel seed library according to the distance metric of the kernel code relative to the target position obtained in step S4, and selecting the seeds that meet the set conditions;
S6, according to the distance metric obtained in step S4, performing quality scoring and energy allocation on the seeds obtained in step S5, based on a function-granularity score and a basic-block-granularity score, to obtain test case seeds with different energies;
S7, performing adaptive mutation on the test case seeds obtained in step S6 according to their coverage information, completing the seed mutation for directed fuzz testing of the operating system kernel.
Step S2 specifically comprises the following steps:
static analysis is performed on the kernel source code of the target operating system according to the data information acquired in step S1, and a function call graph and a control flow graph are constructed; on the function call graph, if a function [Figure SMS_1] calls a function [Figure SMS_2], the call relationship is expressed as [Figure SMS_3]; for a function [Figure SMS_4], if on its control flow graph a basic block [Figure SMS_5] points to [Figure SMS_6], the control flow relationship is expressed as [Figure SMS_7]; the generated function call graph has functions as its granularity, and the generated control flow graph has basic blocks as its granularity.
Step S4 specifically comprises the following steps:
A. mapping the kernel source code positions of the target operating system to graph nodes of the inter-procedural control flow graph, and determining the kernel code position corresponding to each node in the function call graph and to each basic block node in the intra-function control flow graph; the set of target positions to be tested is denoted T, and is represented on the inter-procedural control flow graph as a target function set [Figure SMS_8] and a target basic block set [Figure SMS_9]; each target position [Figure SMS_10] is represented as a target function [Figure SMS_11] in the function call graph and a target basic block [Figure SMS_12] in the function's control flow graph;
B. calculating the function-granularity distance according to the function call graph;
C. calculating the basic-block-granularity distance according to the control flow graph.
Step B specifically comprises the following steps:
for the target position [Figure SMS_13], there are several paths that reach the reachable target function; the more times a called function occurs, the smaller the distance to that function is considered to be; the corresponding first influence factor [Figure SMS_14] is therefore:
[Figure SMS_15]
where [Figure SMS_16] is the first set parameter;
for the reachable target function [Figure SMS_17], the more of the reachable target function's basic blocks include the target function, the more paths call the target function; the corresponding second influence factor [Figure SMS_18] is therefore:
[Figure SMS_19]
where [Figure SMS_20] is the second set parameter;
the distance [Figure SMS_23] between the reachable target function [Figure SMS_21] and the target function [Figure SMS_22] is expressed as:
[Figure SMS_24]
the distance from a kernel function [Figure SMS_25] to the target function set [Figure SMS_26] is defined as the harmonic mean of the distances from the kernel function to all target functions in the target function set [Figure SMS_27], and is expressed as:
[Figure SMS_28]
where [Figure SMS_29] is the set of target functions that take the function [Figure SMS_30] as their starting point, and is expressed as:
[Figure SMS_31]
Step C specifically comprises the following steps:
for any two basic blocks in the same function [Figure SMS_33], where [Figure SMS_34] points to [Figure SMS_35], the basic block distance [Figure SMS_36] is defined as the length of the shortest path from [Figure SMS_39] to [Figure SMS_32] in the control flow graph [Figure SMS_38] of the function [Figure SMS_37];
[Figure SMS_40] is defined as the set of functions called by the basic block [Figure SMS_43] in the control flow graph [Figure SMS_42] of the function [Figure SMS_41]; at the same time, [Figure SMS_44] in the reachable target function [Figure SMS_45] is defined as [Figure SMS_47] and is expressed as:
[Figure SMS_46]
where [Figure SMS_48] denotes the predecessor nodes of all functions in the target function set;
in the inter-procedural control flow graph, the basic block set for reaching the target function set [Figure SMS_49] is defined as [Figure SMS_50] and is expressed as:
[Figure SMS_51]
where F is the set of all functions in the function call graph;
finally, the distance [Figure SMS_54] of a basic block [Figure SMS_52] in the inter-procedural control flow graph relative to the target basic block [Figure SMS_53] is calculated with the following formula:
[Figure SMS_55]
where c is a set weight parameter.
The quality scoring of step S6 specifically comprises the following steps:
the seed set of the kernel seed library is denoted P; the set of basic blocks covered by P is [Figure SMS_56]; the set of functions covered by P is [Figure SMS_57];
the distance [Figure SMS_59] of seed p relative to the target basic block set [Figure SMS_58] is calculated with the following formula:
[Figure SMS_60]
where [Figure SMS_61] is the set of basic blocks covered by test seed p, and [Figure SMS_62] is the number of basic blocks in the set [Figure SMS_63];
the seed basic-block-granularity score [Figure SMS_64] is calculated with the following formula:
[Figure SMS_65]
where [Figure SMS_66] is the minimum of the basic-block-granularity scores of all seeds in the kernel seed library, and [Figure SMS_67] is the maximum of the basic-block-granularity scores of all seeds in the kernel seed library;
the distance [Figure SMS_69] of seed p relative to the target function set [Figure SMS_68] is calculated with the following formula:
[Figure SMS_70]
where [Figure SMS_71] is the set of functions covered by seed p; [Figure SMS_72] is the set of functions covered by all reachable seeds on the function call graph; [Figure SMS_73] is the set of functions that can reach the target function [Figure SMS_74] on the function call graph;
the seed function-granularity score [Figure SMS_75] is calculated with the following formula:
[Figure SMS_76]
where [Figure SMS_77] is the set of function-granularity distances of all seeds in the current seed library; [Figure SMS_78] is the minimum function-granularity distance of the seeds in the current seed library; [Figure SMS_79] is the maximum function-granularity distance of the seeds in the current seed library;
from the seed basic-block-granularity score [Figure SMS_80] and the seed function-granularity score [Figure SMS_81], the final seed quality score [Figure SMS_82] is calculated as [Figure SMS_83]; the higher a seed's quality score, the closer the seed is to the target to be tested, and the more energy it is allocated.
Step S7 specifically comprises the following steps:
a. for each test case seed s, its energy [Figure SMS_84] is judged:
if [Figure SMS_85] is greater than the set mutation threshold [Figure SMS_86], fine-grained mutation is performed on the current test case seed s;
if [Figure SMS_87] is not greater than the set mutation threshold [Figure SMS_88], coarse-grained mutation is performed on the current test case seed s;
b. correcting the mutation probability of each test case seed:
for test case seeds undergoing fine-grained mutation, a further judgment is made:
if the coverage information of the current seed can reach the target site, the fine-grained mutation probability of the current seed is increased;
if the coverage information of the current seed cannot reach the target site, the fine-grained mutation probability of the current seed is maintained;
for test case seeds undergoing coarse-grained mutation, a further judgment is made:
if the coverage information of the current seed can reach the target site, the coarse-grained mutation probability of the current seed is maintained;
if the coverage information of the current seed cannot reach the target site, the coarse-grained mutation probability of the current seed is increased;
c. performing the corresponding mutation on each test case seed according to the corrected mutation probability, completing the seed mutation for directed fuzz testing of the operating system kernel.
Step b specifically comprises the following steps:
for test case seeds undergoing fine-grained mutation, a further judgment is made:
if the coverage information of the current seed can reach the target site, the fine-grained mutation probability of the current seed is increased, the increased fine-grained mutation probability being:
[Figure SMS_89]
if the coverage information of the current seed cannot reach the target site, the fine-grained mutation probability of the current seed is maintained as:
[Figure SMS_90]
for test case seeds undergoing coarse-grained mutation, a further judgment is made:
if the coverage information of the current seed can reach the target site, the coarse-grained mutation probability of the current seed is maintained as:
[Figure SMS_91]
if the coverage information of the current seed cannot reach the target site, the coarse-grained mutation probability of the current seed is increased, the increased coarse-grained mutation probability being:
[Figure SMS_92]
where [Figure SMS_93] is the set constant ratio for fine-grained mutation, and [Figure SMS_94] is a set constant ratio.
The invention also discloses a testing method that includes the above seed mutation method for directed fuzz testing of an operating system kernel, further comprising the following steps:
S8, taking the non-mutated test case seeds and the mutated test case seeds as test cases;
S9, executing the test cases obtained in step S8 in the kernel under test of the target operating system, while monitoring the execution state;
S10, completing the test according to the execution state obtained in step S9.
Step S10 specifically comprises the following steps:
(1) If the current test case covers a new kernel position during execution, the test case is put into the seed pool for subsequent testing;
if the current test case does not cover a new kernel position during execution, a further judgment is made:
(2) If the current test case exhibits the set abnormal behavior during execution, the kernel operation security violation report of the current test case is acquired and the test ends;
if the current test case does not exhibit the set abnormal behavior during execution, the test case is discarded directly and the test ends.
The seed mutation method and testing method for directed fuzz testing of an operating system kernel provided by the invention introduce a distance metric of the kernel code relative to the target position to be tested, calculate a seed quality score from that metric, use the score to obtain the high-quality seeds closest to the target position, allocate energy according to seed quality, and apply mutation of suitable granularity to each seed according to the differences in allocated energy, so that seeds are mutated adaptively and a reasonable number of test cases is obtained. The method therefore ensures that high-quality seeds are mutated and executed preferentially, making seed mutation highly reliable, efficient and effective, and it also reduces the resource cost of the subsequent testing process, shortens the test time and raises test efficiency.
Drawings
FIG. 1 is a schematic flow chart of the mutation method of the present invention.
FIG. 2 is a schematic flow chart of the testing method of the present invention.
Detailed Description
FIG. 1 is a schematic flow chart of the mutation method of the present invention. The seed mutation method for directed fuzz testing of an operating system kernel provided by the invention comprises the following steps:
S1, acquiring data information of the target operating system;
S2, performing static analysis on the kernel source code of the target operating system according to the data information obtained in step S1, and constructing a function call graph and a control flow graph with functions and basic blocks as their respective granularity; specifically:
static analysis is performed on the kernel source code of the target operating system according to the data information acquired in step S1, and a function call graph and a control flow graph are constructed; on the function call graph, if a function [Figure SMS_95] calls a function [Figure SMS_96], the call relationship is expressed as [Figure SMS_97]; for a function [Figure SMS_98], if on its control flow graph a basic block [Figure SMS_99] points to [Figure SMS_100], the control flow relationship is expressed as [Figure SMS_101]; the generated function call graph has functions as its granularity, and the generated control flow graph has basic blocks as its granularity;
S3, integrating the function call graph and the control flow graph constructed in step S2 to obtain an inter-procedural control flow graph;
S4, performing kernel distance calculation on the target position to be tested and the inter-procedural control flow graph to obtain a distance metric of the kernel code relative to the target position; specifically:
A. mapping the kernel source code positions of the target operating system to graph nodes of the inter-procedural control flow graph, and determining the kernel code position corresponding to each node in the function call graph and to each basic block node in the intra-function control flow graph; the set of target positions to be tested is denoted T, and is represented on the inter-procedural control flow graph as a target function set [Figure SMS_102] and a target basic block set [Figure SMS_103]; each target position [Figure SMS_104] is represented as a target function [Figure SMS_105] in the function call graph and a target basic block [Figure SMS_106] in the function's control flow graph;
B. calculating the function-granularity distance according to the function call graph; specifically:
for the target position [Figure SMS_107], there are several paths that reach the reachable target function; the more times a called function occurs, the smaller the distance to that function is considered to be; the corresponding first influence factor [Figure SMS_108] is therefore:
[Figure SMS_109]
where [Figure SMS_110] is the first set parameter;
for the reachable target function [Figure SMS_111], the more of the reachable target function's basic blocks include the target function, the more paths call the target function; the corresponding second influence factor [Figure SMS_112] is therefore:
[Figure SMS_113]
where [Figure SMS_114] is the second set parameter;
the distance [Figure SMS_117] between the reachable target function [Figure SMS_115] and the target function [Figure SMS_116] is expressed as:
[Figure SMS_118]
the distance from a kernel function [Figure SMS_120] to the target function set [Figure SMS_121] is defined as the harmonic mean of the distances from the kernel function to all target functions in the target function set [Figure SMS_123], and is expressed as:
[Figure SMS_124]
where [Figure SMS_126] is the set of target functions that take the function [Figure SMS_128] as their starting point, and is expressed as:
[Figure SMS_129]
this definition means that if [Figure SMS_119] can reach some target function [Figure SMS_122], then the target function [Figure SMS_125] must be in the set [Figure SMS_127];
C. calculating the basic-block-granularity distance according to the control flow graph; specifically:
for any two basic blocks in the same function [Figure SMS_131], where [Figure SMS_132] points to [Figure SMS_133], the basic block distance [Figure SMS_134] is defined as the length of the shortest path from [Figure SMS_137] to [Figure SMS_130] in the control flow graph [Figure SMS_136] of the function [Figure SMS_135];
[Figure SMS_139] is defined as the set of functions called by the basic block [Figure SMS_142] in the control flow graph [Figure SMS_141] of the function [Figure SMS_140]; at the same time, [Figure SMS_144] in the reachable target function [Figure SMS_145] is defined as [Figure SMS_146] and is expressed as:
[Figure SMS_138]
where [Figure SMS_143] denotes the predecessor nodes of all functions in the target function set;
in the inter-procedural control flow graph, the basic block set for reaching the target function set [Figure SMS_147] is defined as [Figure SMS_148] and is expressed as:
[Figure SMS_149]
where F is the set of all functions in the function call graph; this definition means that, for any basic block bb_m in the inter-procedural control flow graph, if its set of called functions contains a function that can reach a target function on the function call graph, the basic block is in Trans_b;
finally, the distance [Figure SMS_152] of a basic block [Figure SMS_150] in the inter-procedural control flow graph relative to the target basic block [Figure SMS_151] is calculated with the following formula:
[Figure SMS_153]
where c controls the influence of the function-granularity distance on the basic-block-granularity distance;
S5, evaluating the seeds of the existing kernel seed library according to the distance metric of the kernel code relative to the target position obtained in step S4, and selecting the seeds that meet the set conditions;
S6, according to the distance metric obtained in step S4, performing quality scoring and energy allocation on the seeds obtained in step S5, based on a function-granularity score and a basic-block-granularity score, to obtain test case seeds with different energies; the quality scoring specifically comprises the following steps:
the seed set of the kernel seed library is denoted P; the set of basic blocks covered by P is [Figure SMS_154]; the set of functions covered by P is [Figure SMS_155];
the distance [Figure SMS_157] of seed p relative to the target basic block set [Figure SMS_156] is calculated with the following formula:
[Figure SMS_158]
where [Figure SMS_159] is the set of basic blocks covered by test seed p, and [Figure SMS_160] is the number of basic blocks in the set [Figure SMS_161];
the seed basic-block-granularity score [Figure SMS_162] is calculated with the following formula:
[Figure SMS_163]
where [Figure SMS_164] is the minimum of the basic-block-granularity scores of all seeds in the kernel seed library, and [Figure SMS_165] is the maximum of the basic-block-granularity scores of all seeds in the kernel seed library;
the distance [Figure SMS_167] of seed p relative to the target function set [Figure SMS_166] is calculated with the following formula:
[Figure SMS_168]
where [Figure SMS_169] is the set of functions covered by seed p; [Figure SMS_170] is the set of functions covered by all reachable seeds on the function call graph; [Figure SMS_171] is the set of functions that can reach the target function [Figure SMS_172] on the function call graph;
the seed function-granularity score [Figure SMS_173] is calculated with the following formula:
[Figure SMS_174]
where [Figure SMS_175] is the set of function-granularity distances of all seeds in the current seed library; [Figure SMS_176] is the minimum function-granularity distance of the seeds in the current seed library; [Figure SMS_177] is the maximum function-granularity distance of the seeds in the current seed library;
from the seed basic-block-granularity score [Figure SMS_178] and the seed function-granularity score [Figure SMS_179], the final seed quality score [Figure SMS_180] is calculated as [Figure SMS_181]; the higher a seed's quality score, the closer the seed is to the target to be tested, and the more energy it is allocated;
S7, performing adaptive mutation on the test case seeds according to the coverage information of the test case seeds obtained in step S6, completing the seed mutation for the operating system kernel directed fuzz test; specifically comprising the following steps:
a. for each test case seed s, judging its energy [Figure SMS_182]:
if [Figure SMS_183] is greater than the set mutation threshold [Figure SMS_184], fine-grained mutation is performed on the current test case seed s;
if [Figure SMS_185] is not greater than the set mutation threshold [Figure SMS_186], coarse-grained mutation is performed on the current test case seed s;
b. correcting the mutation probability of each test case seed:
for the test case seeds undergoing fine-grained mutation, judging again:
if the coverage information of the current seed can reach the target site, the fine-grained mutation probability of the current seed is increased; preferably, the increased fine-grained mutation probability is [Figure SMS_187];
if the coverage information of the current seed cannot reach the target site, the fine-grained mutation probability of the current seed is maintained; preferably, the maintained fine-grained mutation probability is [Figure SMS_188];
for the test case seeds undergoing coarse-grained mutation, judging again:
if the coverage information of the current seed can reach the target site, the coarse-grained mutation probability of the current seed is maintained; preferably, the maintained coarse-grained mutation probability is [Figure SMS_189];
if the coverage information of the current seed cannot reach the target site, the coarse-grained mutation probability of the current seed is increased; preferably, the increased coarse-grained mutation probability is [Figure SMS_190];
where [Figure SMS_191] is the set constant ratio for fine-grained mutation, and [Figure SMS_192] is a set constant ratio;
c. performing the corresponding mutation on each test case seed according to the corrected mutation probability, completing the seed mutation for the operating system kernel directed fuzz test.
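The function-granularity scoring of step S6 and the adaptive mutation decision of step S7, sketched as an added example that is not code from the patent. The formula images are missing from this page, so the min-max score, the use of the score as the seed's energy, the multiplicative `ratio` update, the reading of "reaches the target site" as "covers a target function", and all names and sample data are assumptions; the influence factors and the basic block score are left out.

```python
from collections import deque

# Constructed call graph (caller -> callees); all function names are made up.
CALL_GRAPH = {
    "sys_open": ["do_open", "audit_log"],
    "do_open": ["path_lookup", "vfs_open"],
    "path_lookup": ["vfs_open"],
    "vfs_open": ["target_fn"],
    "sys_read": ["vfs_read"],
    "vfs_read": ["audit_log"],
    "audit_log": [],
    "target_fn": [],
}
TARGETS = {"target_fn"}
# Constructed seed library: seed -> functions covered when it was executed.
SEEDS = {
    "seed_a": {"sys_open", "do_open", "vfs_open", "target_fn"},
    "seed_b": {"do_open", "path_lookup", "vfs_open"},
    "seed_c": {"sys_read", "vfs_read", "audit_log"},
    "seed_d": {"sys_open", "audit_log"},
}

def hops(graph, src, dst):
    """Shortest call-chain length from src to dst (BFS); None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, dist + 1))
    return None

def function_distance(graph, fn, targets):
    """Harmonic mean of fn's distances to the targets it can reach."""
    dists = [d for d in (hops(graph, fn, t) for t in targets) if d is not None]
    if not dists:
        return None            # fn cannot reach any target
    if 0 in dists:
        return 0.0             # fn is itself a target
    return len(dists) / sum(1.0 / d for d in dists)

def seed_distance(graph, covered, targets):
    """Mean function distance over the covered functions that reach a target."""
    dists = [function_distance(graph, f, targets) for f in covered]
    dists = [d for d in dists if d is not None]
    return sum(dists) / len(dists) if dists else None

def score_seeds(graph, seeds, targets):
    """Min-max normalise seed distances so that closer seeds score higher."""
    dist = {s: seed_distance(graph, cov, targets) for s, cov in seeds.items()}
    known = [d for d in dist.values() if d is not None]
    if not known:
        return {s: 0.0 for s in seeds}
    lo, hi = min(known), max(known)
    span = hi - lo
    # Seeds that never get near a target (distance None) get the lowest score.
    return {s: 0.0 if d is None else (1.0 if span == 0 else (hi - d) / span)
            for s, d in dist.items()}

def plan_mutation(energy, reaches_target, threshold=0.5,
                  p_fine=0.5, p_coarse=0.5, ratio=1.5):
    """Step a picks the granularity; step b corrects its probability."""
    if energy > threshold:
        prob = min(1.0, p_fine * ratio) if reaches_target else p_fine
        return "fine", prob
    prob = p_coarse if reaches_target else min(1.0, p_coarse * ratio)
    return "coarse", prob

def plan_all(graph=CALL_GRAPH, seeds=SEEDS, targets=TARGETS):
    """Assumption: energy equals the score; 'reaches' means covers a target."""
    scores = score_seeds(graph, seeds, targets)
    return {s: plan_mutation(scores[s], bool(seeds[s] & targets)) for s in seeds}

if __name__ == "__main__":
    for seed, (mode, prob) in sorted(plan_all().items()):
        print(f"{seed}: {mode}-grained mutation, probability {prob:.2f}")
```

On the constructed data, `seed_a` (covers the target) gets a boosted fine-grained probability, `seed_b` (close but not yet at the target) keeps its fine-grained probability, and the far seeds get a boosted coarse-grained probability.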
Table 1 shows a comparison of the number of defects found when testing the target site in an embodiment of the present invention. As the experimental results of this embodiment show, the number of defects found by the directed kernel fuzz testing method in 8 hours is better than that of general kernel fuzz testing. The average number of defects found by general kernel fuzz testing is 2.33, and the average number of defects found by directed kernel fuzz testing is 4.67.
Table 1. Comparison of the number of related defects found when testing the target site
Figure SMS_193
As can be seen from Table 1, with the experiments likewise run for 8 hours, directed kernel fuzz testing found on average 2.34 more defects than general kernel fuzz testing. The optimization of the present invention can therefore indeed screen out seeds that reach the target site more quickly and with better quality.
FIG. 2 is a flow chart of the test method of the present invention. The test method provided by the invention, which includes the above seed mutation method for the operating system kernel directed fuzz test, comprises the following steps:
S1, acquiring data information of a target operating system;
S2, performing static analysis on the kernel source code of the target operating system according to the data information obtained in step S1, and constructing a function call graph and a control flow graph at function and basic block granularity;
S3, integrating the function call graph and the control flow graph constructed in step S2 to obtain an inter-procedural control flow graph;
S4, performing kernel distance calculation on the target position to be tested and the inter-procedural control flow graph to obtain a distance metric of the kernel code relative to the target position;
S5, evaluating the seeds of the existing kernel seed library according to the distance metric of the kernel code relative to the target position obtained in step S4, and selecting the seeds that meet the set conditions;
S6, according to the distance metric obtained in step S4, performing quality scoring and energy allocation on the seeds obtained in step S5 based on the function granularity score and the basic block granularity score, to obtain test case seeds with different energies;
S7, performing adaptive mutation on the test case seeds according to the coverage information of the test case seeds obtained in step S6, completing the seed mutation for the operating system kernel directed fuzz test;
S8, taking the unmutated test case seeds and the mutated test case seeds as test cases;
S9, putting the test cases obtained in step S8 into the kernel under test of the target operating system for execution, while monitoring the execution state;
S10, completing the test according to the execution state obtained in step S9; specifically comprising the following steps:
(1) if the current test case covers a new kernel position during execution, the test case is put into the seed pool for subsequent testing;
if the current test case does not cover a new kernel position during execution, the subsequent judgment is carried out:
(2) if the current test case exhibits abnormal behavior during execution, the kernel runtime security violation report of the current test case is obtained, and the test ends;
if the current test case does not exhibit abnormal behavior during execution, the test case is discarded directly, and the test ends.

Claims (3)

1. A seed mutation method for operating system kernel directed fuzz testing, characterized by comprising the following steps:
S1, acquiring data information of a target operating system;
S2, performing static analysis on the kernel source code of the target operating system according to the data information obtained in step S1, and constructing a function call graph and a control flow graph at function and basic block granularity; specifically comprising the following steps:
performing static analysis on the kernel source code of the target operating system according to the data information acquired in step S1, and constructing a function call graph and a control flow graph; wherein, on the function call graph, if a function [Figure QLYQS_1] calls a function [Figure QLYQS_2], the call relationship is expressed as [Figure QLYQS_3]; for a function [Figure QLYQS_4], if on the control flow graph there exists a basic block [Figure QLYQS_5] pointing to [Figure QLYQS_6], the control flow relationship is expressed as [Figure QLYQS_7]; meanwhile, the generated function call graph has the function as its granularity, and the generated control flow graph has the basic block as its granularity;
S3, integrating the function call graph and the control flow graph constructed in step S2 to obtain an inter-procedural control flow graph;
S4, performing kernel distance calculation on the target position to be tested and the inter-procedural control flow graph to obtain a distance metric of the kernel code relative to the target position; specifically comprising the following steps:
A. mapping the kernel source code positions of the target operating system to the graph structure nodes of the inter-procedural control flow graph, and determining the kernel code position corresponding to each node in the function call graph and each basic block node in the intra-function control flow graph; letting the set of target positions to be tested be T, which is represented on the inter-procedural control flow graph as a target function set [Figure QLYQS_8] and a target basic block set [Figure QLYQS_9]; each target position [Figure QLYQS_10] is represented as a target function [Figure QLYQS_11] in the function call graph and a target basic block [Figure QLYQS_12] in the function control flow graph;
B. calculating the function granularity distance according to the function call graph; specifically comprising the following steps:
for the target position [Figure QLYQS_13], there are several paths to reach the reachable target function; the more times the called function occurs, the smaller the distance to that function is considered to be; therefore, the corresponding first influence factor [Figure QLYQS_14] is [Figure QLYQS_15], where [Figure QLYQS_16] is the first set parameter;
for the reachable target function [Figure QLYQS_17], the more basic blocks of the target function are included in the reachable target function, the more paths call the target function; therefore, the corresponding second influence factor [Figure QLYQS_18] is [Figure QLYQS_19], where [Figure QLYQS_20] is the second set parameter;
the distance [Figure QLYQS_23] between the reachable target function [Figure QLYQS_21] and the target function [Figure QLYQS_22] is expressed as [Figure QLYQS_24];
the function granularity distance from a kernel function [Figure QLYQS_25] to the target function set [Figure QLYQS_26] is defined as the harmonic mean of the distances from the kernel function to all target functions in the target function set [Figure QLYQS_27], and is expressed as: [Figure QLYQS_28], where [Figure QLYQS_29] is the set of target functions reachable starting from the function [Figure QLYQS_30], and is denoted as [Figure QLYQS_31];
C. calculating the basic block granularity distance according to the control flow graph; specifically comprising the following steps:
for any two basic blocks in the same function [Figure QLYQS_32], with [Figure QLYQS_34] pointing to [Figure QLYQS_35], the basic block distance [Figure QLYQS_36] is defined as the distance of the shortest path from [Figure QLYQS_39] to [Figure QLYQS_33] in the control flow graph [Figure QLYQS_38] of the function [Figure QLYQS_37];
[Figure QLYQS_40] is defined as the set of functions called by the basic block [Figure QLYQS_45] in the control flow graph [Figure QLYQS_44] of the function [Figure QLYQS_42]; at the same time, [Figure QLYQS_46] in the reachable target function [Figure QLYQS_47] is defined as [Figure QLYQS_48], and is expressed as [Figure QLYQS_41], where [Figure QLYQS_43] denotes the predecessor nodes of all functions in the target function set;
the basic block set of the reachable target function set [Figure QLYQS_49] in the inter-procedural control flow graph is defined as [Figure QLYQS_50], and is expressed as [Figure QLYQS_51], where F is the set of all functions in the function call graph;
finally, the distance [Figure QLYQS_54] of a basic block [Figure QLYQS_52] in the inter-procedural control flow graph relative to the target basic block [Figure QLYQS_53] is calculated using the following formula: [Figure QLYQS_55], where c is a set weight parameter;
S5, evaluating the seeds of the existing kernel seed library according to the distance metric of the kernel code relative to the target position obtained in step S4, and selecting the seeds that meet the set conditions;
S6, according to the distance metric obtained in step S4, performing quality scoring and energy allocation on the seeds obtained in step S5 based on the function granularity score and the basic block granularity score, to obtain test case seeds with different energies; specifically comprising the following steps:
letting the seed set of the kernel seed library be P, the set of basic blocks covered by P be [Figure QLYQS_56], and the set of functions covered by P be [Figure QLYQS_57];
the distance [Figure QLYQS_59] of a seed p relative to the target basic block set [Figure QLYQS_58] is calculated using the following formula: [Figure QLYQS_60], where [Figure QLYQS_61] is the set of basic blocks covered by the test seed p, and [Figure QLYQS_62] is the number of basic blocks in the set [Figure QLYQS_63];
the seed basic block granularity score [Figure QLYQS_64] is calculated using the following formula: [Figure QLYQS_65], where [Figure QLYQS_66] is the minimum value of the basic block granularity scores of all seeds in the kernel seed library, and [Figure QLYQS_67] is the maximum value of the basic block granularity scores of all seeds in the kernel seed library;
the distance [Figure QLYQS_69] of a seed p relative to the target function set [Figure QLYQS_68] is calculated using the following formula: [Figure QLYQS_70], where [Figure QLYQS_71] is the set of functions covered by the seed p; [Figure QLYQS_72] is the set of functions covered by all reachable seeds on the function call graph; [Figure QLYQS_73] is the set of functions that can reach the target function [Figure QLYQS_74] on the function call graph;
the seed function granularity score [Figure QLYQS_75] is calculated using the following formula: [Figure QLYQS_76], where [Figure QLYQS_77] is the set of function granularity distances of all seeds in the current seed library; [Figure QLYQS_78] is the minimum value of the seed function granularity distance in the current seed library; [Figure QLYQS_79] is the maximum value of the seed function granularity distance in the current seed library;
according to the seed basic block granularity score [Figure QLYQS_80] and the seed function granularity score [Figure QLYQS_81], the final quality score [Figure QLYQS_82] of the seed is calculated as [Figure QLYQS_83]; the higher the quality score of a seed, the closer the seed is to the target to be tested, and the more energy it is allocated;
S7, performing adaptive mutation on the test case seeds according to the coverage information of the test case seeds obtained in step S6, completing the seed mutation for the operating system kernel directed fuzz test; specifically comprising the following steps:
a. for each test case seed s, judging its energy [Figure QLYQS_84]:
if [Figure QLYQS_85] is greater than the set mutation threshold [Figure QLYQS_86], fine-grained mutation is performed on the current test case seed s;
if [Figure QLYQS_87] is not greater than the set mutation threshold [Figure QLYQS_88], coarse-grained mutation is performed on the current test case seed s;
b. correcting the mutation probability of each test case seed:
for the test case seeds undergoing fine-grained mutation, judging again:
if the coverage information of the current seed can reach the target site, the fine-grained mutation probability of the current seed is increased;
if the coverage information of the current seed cannot reach the target site, the fine-grained mutation probability of the current seed is maintained;
for the test case seeds undergoing coarse-grained mutation, judging again:
if the coverage information of the current seed can reach the target site, the coarse-grained mutation probability of the current seed is maintained;
if the coverage information of the current seed cannot reach the target site, the coarse-grained mutation probability of the current seed is increased;
the specific implementation comprises the following steps:
for the test case seeds undergoing fine-grained mutation, judging again:
if the coverage information of the current seed can reach the target site, the fine-grained mutation probability of the current seed is increased, the increased fine-grained mutation probability being [Figure QLYQS_89];
if the coverage information of the current seed cannot reach the target site, the fine-grained mutation probability of the current seed is maintained as [Figure QLYQS_90];
for the test case seeds undergoing coarse-grained mutation, judging again:
if the coverage information of the current seed can reach the target site, the coarse-grained mutation probability of the current seed is maintained as [Figure QLYQS_91];
if the coverage information of the current seed cannot reach the target site, the coarse-grained mutation probability of the current seed is increased, the increased coarse-grained mutation probability being [Figure QLYQS_92];
where [Figure QLYQS_93] is the set constant ratio for fine-grained mutation, and [Figure QLYQS_94] is a set constant ratio;
c. performing the corresponding mutation on each test case seed according to the corrected mutation probability, completing the seed mutation for the operating system kernel directed fuzz test.
2. A test method comprising the seed mutation method for operating system kernel directed fuzz testing of claim 1, further comprising the following steps:
S8, taking the unmutated test case seeds and the mutated test case seeds as test cases;
S9, putting the test cases obtained in step S8 into the kernel under test of the target operating system for execution, while monitoring the execution state;
S10, completing the test according to the execution state obtained in step S9.
3. The test method according to claim 2, wherein step S10 comprises the following steps:
(1) if the current test case covers a new kernel position during execution, the test case is put into the seed pool for subsequent testing;
if the current test case does not cover a new kernel position during execution, the subsequent judgment is carried out:
(2) if the current test case exhibits the set abnormal behavior during execution, the kernel runtime security violation report of the current test case is obtained, and the test ends;
if the current test case does not exhibit the set abnormal behavior during execution, the test case is discarded directly, and the test ends.
CN202310288727.3A 2023-03-23 2023-03-23 Seed variation method and test method for kernel directional fuzzy test of operating system Active CN116069672B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310288727.3A CN116069672B (en) 2023-03-23 2023-03-23 Seed variation method and test method for kernel directional fuzzy test of operating system

Publications (2)

Publication Number Publication Date
CN116069672A CN116069672A (en) 2023-05-05
CN116069672B CN116069672B (en) 2023-07-04

Family

ID=86171731

Country Status (1)

Country Link
CN (1) CN116069672B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117033248B (en) * 2023-10-08 2024-01-26 Ocean University of China Web fuzzy test method based on program state feedback and control flow diagram
CN118260209A (en) * 2024-05-24 2024-06-28 Moore Threads Intelligent Technology (Beijing) Co., Ltd. Code testing method and device, electronic equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7530107B1 (en) * 2007-12-19 2009-05-05 International Business Machines Corporation Systems, methods and computer program products for string analysis with security labels for vulnerability detection
US10380350B1 (en) * 2019-01-15 2019-08-13 Cyberark Software Ltd. Efficient and comprehensive source code fuzzing
CN112506564A (en) * 2021-02-04 2021-03-16 National University of Defense Technology of the Chinese People's Liberation Army Method, system and medium for establishing control flow graph
CN112559367A (en) * 2020-12-23 2021-03-26 Nanjing University Kernel fuzzy test case generation method based on system call dependency graph
CN113076545A (en) * 2021-04-20 2021-07-06 Hunan University Deep learning-based kernel fuzzy test sequence generation method
KR102289574B1 (en) * 2020-05-14 2021-08-13 Korea Advanced Institute of Science and Technology Method and apparatus for grey-box fuzzing with distance-based fitness function
CN114077742A (en) * 2021-11-02 2022-02-22 Tsinghua University Intelligent software vulnerability mining method and device
CN114428733A (en) * 2022-01-19 2022-05-03 Nanjing University Kernel data competition detection method based on static program analysis and fuzzy test
CN114662519A (en) * 2022-05-24 2022-06-24 Wuhan Langxiu Technology Co., Ltd. QR code blind deblurring method based on position detection graph gradient and strength prior
CN115828260A (en) * 2022-11-18 2023-03-21 Shanghai Jiao Tong University Multi-machine collaborative vulnerability detection system based on vulnerability clustering and distance space division

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112286823A (en) * 2020-11-18 2021-01-29 Hillstone Networks Co., Ltd. Method and device for testing kernel of operating system
US11366748B1 (en) * 2020-11-30 2022-06-21 Irdeto B.V. Fuzzy testing a software system
KR102578430B1 (en) * 2021-08-13 2023-09-15 Korea Advanced Institute of Science and Technology Type-aware windows kernel fuzzing method based on static binary analysis
CN114840437B (en) * 2022-05-24 2023-04-07 Central South University Operating system kernel fuzzy test seed evaluation distribution method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
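Directed grey-box fuzz testing technique combined with hybrid symbolic execution; Dai Wei; Lu Yuliang; Zhu Kailong; Computer Engineering (08); full text *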

Also Published As

Publication number Publication date
CN116069672A (en) 2023-05-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant