模糊测试技术研究综述

摘要/Abstract

摘要： 随着人们对软件系统安全问题关注度的不断提升，模糊测试作为一种用于安全漏洞检测的安全测试技术，具有自动化程度高、误报率低等优点，其应用越来越广泛，地位也越来越重要。经过近些年的不断改进，模糊测试无论在技术发展上还是在应用创新上，都取得了诸多成就。首先，对模糊测试的相关概念和基本理论进行简要说明，总结了模糊测试在各领域的应用情况，针对不同领域的漏洞挖掘需求，分析得出相应的模糊测试解决方案。其次，重点总结了近几年来模糊测试的重要发展成果，包括测试工具、框架、系统及方法的改进与创新，并分析总结了各发展成果所采用的创新方法，提出的理论以及各工具、系统的优点与不足。最后，分别从协议逆向工程应用、云平台建设、新兴技术结合、模糊测试对抗技术研究及模糊测试工具集成的角度，为模糊测试下一步的研究提供了方向参考。

关键词: 模糊测试, 漏洞挖掘, 软件测试, 协议测试

Abstract: As people pay more and more attention to software system security issues, fuzzy testing, as a security testing technology for security vulnerability detection, has become more and more widely used and more and more important due to its high degree of automation and low false alarm rate. After continuous improvement in recent years, fuzzy testing has achieved many achievements in both technical development and application innovation. Firstly, we briefly explain the related concepts and basic theories of fuzzing, summarize the application of fuzzy testing in various fields, and analyze the corresponding fuzzy testing solutions according to the needs of vulnerability mining in different fields. Then ,we focus on the important development results of fuzzy testing in recent years, including the improvement and innovation of testing tools, frameworks, systems, and methods. We also analyze and summarize the innovative methods and theories adopted by each development results, as well as the advantages and disadvantages of each tools and systems. Finally, from the perspectives of protocol reverse engineering application, cloud platform construction, emerging technology integration, fuzzy testing countermeasure technology research, and fuzzing tool integration, we provide direction reference for the further research of fuzzy testing.

Key words: fuzzy testing, vulnerability mining, software test, protocol test

牛胜杰, 李鹏, 张玉杰, . 模糊测试技术研究综述[J]. 计算机工程与科学, 2022, 44(12): 2173-2186.

NIU Sheng-jie, LI Peng, ZHANG Yu-jie, . Survey on fuzzy testing technologies[J]. Computer Engineering & Science, 2022, 44(12): 2173-2186.

参考文献［63］

［1］	Miller B P,Fredriksen L,So B.An empirical study of the reliability of UNIX utilities［J］.Communications of the ACM,1990,33(12):32-44.
［2］	Miller B P.Fuzz Revisited:A re-examination of the reliability of UNIX utilities and services［J/OL］.［2001-12-09］.ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.ps.Z.
［3］	Kaksonen R,Laakso M,Takanen A.System security assessment through specification mutations and fault injection［C］∥Proc of International Conference on Communications and Multimedia Security Issues of the New Century, 2001：27.
［4］	Aitel D.The advantages of block-based protocol analysis for security testing［Z］.USA:Immunity Inc,2002.
［5］	Gao Jun, Xu Zhi-da, Li Jian. Research on fuzzing test for compound cocument［J］.Computer & Digital Engineering,2008,36(12):116-119.(in Chinese)
［6］	Ganesh V,Leek T,Rinard M.Taint-based directed whitebox fuzzing［C］∥Proc of the 31st IEEE International Conference on Software Engineering,2009:474-484.
［7］	Wang T,Tao W,Gu G,et al.TaintScope:A checksum-aware directed fuzzing tool for automatic software vulnerability detection［C］∥Proc of the IEEE Symposium on Security and Privacy,2010:497-512.
［8］	Zhu X Y,Wu Z Y,Atwood J W.A new fuzzing method using multi data samples combination［J］.Journal of Computers,2011,6(5):881-888.
［9］	Fratantonio Y,Bianchi A,Robertson W,et al.TriggerScope:Towards detecting logic bombs in Android applications［C］ ∥Proc of the IEEE Symposium on Security and Privacy,2016:377-396.
［10］	Zhang Y,Yang M,Yang Z,et al.Permission use analysis for vetting undesirable behaviors in Android apps［J］.IEEE Transactions on Information Forensics and Security,2014,9(11):1828-1842.
［11］	Fu H,Hu P,Zheng Z,et al.Towards automatic detection of nonfunctional sensitive transmissions in mobile applications［J］.IEEE Transactions on Mobile Computing,2021,20(10):3066-3080.
［12］	Wang X,Yang Y,Zhu S.Automated hybrid analysis of android malware through augmenting fuzzing with forced execution［J］.IEEE Transactions on Mobile Computing,2019,18(12):2768-2782.
［13］	Wang Kai, Liu Qi-xu, Zhang Yu-qing. Android inter- application communication vulnerability mining technique based on fuzzing［J］.Journal of University of Chinese Aca- demy of Sciences,2014,31(6):827-835.(in Chinese)
［14］	Zhang Mi,Yang Li,Zhang Jun-wei.FuzzerAPP：The robustness test of application component communication in Android［J］.Journal of Computer Research and Development,2017,54(2):338-347.(in Chinese)
［15］	Zhao Sai,Liu Hao,Wang Yu-feng,et al.Fuzz testing of Android inter-component communication［J］.Computer Science,2020,47(S2):303-309.(in Chinese)
［16］	He Yuan,Zhang Yu-qing,Zhang Guang-hua.Android driver vulnerability discovery based on black-box genetic algorithm［J］.Chinese Journal of Computers,2017,40(5):1031-1043.(in Chinese)
［17］	Din F,Zamli K.Fuzzy adaptive teaching learning-based optimization strategy for GUI functional test cases generation［C］∥Proc of the 7th International Conference on Software and Computer Applications,2018:92-96.
［18］	Zhang Xing,Feng Chao,Lei Jing,et al.Real time idle state decection method in fuzzing test in GUI program［J］.Journal of Software,2018,29(5):1288-1302.(in Chinese)
［19］	Zalewski M. American fuzzy lop ［CP/OL］.［2021-08-14］. https://lcamtuf.coredump.cx/afl/.
［20］	Huo Wei,Dai Ge,Shi Ji,et al.Browser fuzzing technology based on pattern-generation［J］.Journal of Software,2018,29(5):1275-1287.(in Chinese)
［21］	Li Wei-ming, Zhang Ai-fang,Liu Jian-cai,et al.An automa- tic network protocol fuzz testing and vulnerability discover- ing method［J］.Chinese Journal of Computers,2011,34(2):242-255.(in Chinese)
［22］	Ma R,Ren S M,Ma K,et al.Semi-valid fuzz testing case generation for stateful network protocol［J］.Tsinghua Science and Technology,2017,22(5):458-468.
［23］	Walz A, Sikora A.Exploiting dissent:Towards fuzzing-based differential black-box testing of TLS implementations［J］.IEEE Transactions on Dependable and Secure Comput- ing,2020,17(2):278-291.
［24］	Ma R,Wang D,Hu C,et al.Test data generation for stateful network protocol fuzzing using a rule-based state machine［J］.Tsinghua Science and Technology,2016,21(3):352-360.
［25］	Tacliad F,Nguyen T,Gondree M.DoS exploitation of allen-bradley's legacy protocol through fuzz testing［C］∥Proc of the 3rd Annual Industrial Control System Security Workshop,2017:24-31.
［26］	Zhang Ya-feng,Hong Zheng,Wu Li-fa,et al.Protocol state based fuzzing method for industrial control protocol［J］.Computer Science,2017,44(5):132-140.(in Chinese)
［27］	Kim S, Jo W, Shon T.A novel vulnerability analysis approach to generate fuzzing test case in industrial control systems［C］ ∥Proc of the IEEE Information Technology,Networking,Electronic and Automation Control Conference,2016:566-570.
［28］	Li H F,Wang S L,Zhang B, et al.Network protocol security testing based on fuzz［C］∥Proc of the 4th International Conference on Computer Science and Network Technology,2015:955-958.
［29］	Wang W,Sun H,Zeng Q.SeededFuzz:Selecting and generat- ing seeds for directed fuzzing［C］∥Proc of the 10th International Symposium on Theoretical Aspects of Software Engineering,2016:49-56.
［30］	Li Jia-li,Chen Yong-le,Li Zhi,et al.Mining RTSP protocol vulnerabilities based on traversal of protocol state graph［J］.Computer Science,2018,45(9):171-176.(in Chinese)
［31］	Zhang Wei-yao,Zhang Lei,Mao Jian-ling,et al.An automated method of unknown protocol fuzzing test［J］.Chinese Journal of Computers,2020,43(4):653-667.(in Chinese)
［32］	Peng C, Rajan A.Automated test generation for OpenCL kernels using fuzzing and constraint solving［C］∥Proc of the 13th Annual Workshop on General Purpose Processing using Graphics,2020:61-70.
［33］	Wang Ying,Wang Bing-qing,Guan Yong,et al.Differential fuzz testing of robot operating system［J］.Journal of Software,2021,32(6):1867-1881.(in Chinese)
［34］	Sha Le-tian, Xiao Fu,Yang Hong-ke,et al.Vulnerability discovery method for virtualization in IaaS based on self- adapting fuzzing test［J］.Journal of Software,2018,29(5):1303-1317.(in Chinese)
［35］	Gao J,Xu Y,Jiang Y,et al.EM-Fuzz:Augmented firmware fuzzing via memory checking［J］.IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems,2020,39(11):3420-3432.
［36］	Shukla A, Saidi S J,Schmid S,et al.Toward consistent SDNs:A case for network state fuzzing［J］.IEEE Transactions on Network and Service Management,2020,17(2):668-681.
［37］	Zhang Q,Wang J,Gulzar M A,et al.BigFuzz:Efficient fuzz testing for data analytics using framework abstraction［C］∥Proc of the 35th IEEE/ACM International Conference on Automated Software Engineering,2020:722-733.
［38］	Li Wei-ming,Yu Jun-qing,Ai Shao-bo.PyFuzzer:Automatic in-memory fuzz testing method［J］.Journal on Communications,2013,34(S2):64-68.(in Chinese)
［39］	Wang Ying,Gu Li-ze,Yang Yi-xian,et al.EWFT:Execution whitebox fuzzing for executables［J］.Chinese Journal of Electronics,2014,42(10):2016-2023.(in Chinese)
［40］	Wen C,Wang H,Li Y,et al.MEMLOCK:Memory usage guided fuzzing［C］∥Proc of the 42nd IEEE/ACM International Conference on Software Engineering,2020:765-777.
［41］	Fu Y,Ren M,Ma F,et al.EVMFuzzer:Detect EVM vulnerabilities via fuzz testing［C］∥Proc of the 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering,2019:1110-1114.
［42］	Kargén U,Shahmehri N.Turning programs against each other:High coverage fuzz-testing using binary-code mutation and dynamic slicing［C］∥Proc of the 10th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering,2015:782-792.
［43］	Le De-guang,Gong Sheng-rong,Wu Shao-gang,et al.Research on RTF array overflow vulnerability detection ［J］.Journal on Communications,2017,38(5):96-107.(in Chinese)
［44］	Lemieux C,Sen K.FairFuzz:A targeted mutation strategy for increasing greybox fuzz testing coverage［C］∥Proc of the 33rd ACM/IEEE International Conference on Automated Software Engineering,2018:475-485.
［45］	Jiang H, Chen X, He T, et al. Fuzzy clustering of crowdsourced test reports for apps［J］.ACM Transactions on Internet Technology,2018,18(2):1-28.
［46］	Huang Hua-feng,Wang Jia-jie,Yang Yi,et al.Automatic software vulnerability discovery and exploit under the limited resource conditions［J］.Journal of Computer Research and Development,2019,56(11):2299-2314.(in Chinese)
［47］	Yang Mei-fang,Huo Wei,Zou Yan-yan,et al.Programmable fuzzing technology［J］.Journal of Software,2018,29(5):1258-1274.(in Chinese)
［48］	Xie X F,Ma L,Juefei-Xu F,et al.DeepHunter:A coverage-guided fuzz testing framework for deep neural networks［C］∥Proc of the 28th ACM SIGSOFT International Sympo- sium on Software Testing and Analysis,2019:146-157.
［49］	Zhou C,Wang M,Liang J,et al.Zeror:Speed up fuzzing with coverage-sensitive tracing and scheduling［C］∥Proc of the 35th IEEE/ACM International Conference on Automated Software Engineering,2020:858-870.
［50］	Li Y, Ji S, Lyu C, et al. V-Fuzz:Vulnerability prediction- assisted evolutionary fuzzing for binary programs［J］.IEEE Transactions on Cybernetics,2020,52(5):3745-3765.
［51］	Chen K, Zhang Y,Liu P.Dynamically discovering likely memory layout to perform accurate fuzzing［J］.IEEE Transactions on Reliability,2016,65(3):1180-1194.
［52］	Eddington M.Peach fuzzing platform ［CP/OL］.［2021-08-14］. https:∥community.peachfuzzer.com/WhatIsPeach.html.
［53］	Xie Xiao-fei,Li Xiao-hong,Chen Xiang,et al.Hybrid testing based on symbolic execution and fuzzing［J］.Journal of Software,2019,30(10):3071-3089.(in Chinese)
［54］	Chen K,Feng D,Su P,et al.Black-box testing based on colorful taint analysis［J］.Science China Information Sciences,2012,55(1):171-183.
［55］	Li Ming-lei,Huang Hui,Lu Yu-liang,et al.SymFuzz:Vulnerability detection technology under complex path conditions［J］.Computer Science,2021,48(5):25-31.(in Chinese)
［56］	Godefroid P,Peleg H,Singh R.Lean&Fuzz：Machine learning for input fuzzing［C］∥Proc of the 32nd IEEE/ACM International Conference on Automated Software Engineering,2017:50-59.
［57］	Dolan-Gavitt B,Hulin P,Kirda E,et al.LAVA:Large-scale automated vulnerability addition［C］∥Proc of the IEEE Symposium on Security and Privacy,2016:110-121.
［58］	Zou Yan-yan,Zou Wei,Yin Jia-wei,et al.Research on mutator strategy-aware parallel fuzzing［J］.Journal of Information Security,2020,5(5):1-16.(in Chinese)
［59］	Zhang Yi-chen,Zhao Lei,Jin Yin-shan.Sensitive region prediction based on neural network in fuzzy test algorithm research［J］.Journal of Information Security,2020,5(1):10-19.(in Chinese)
［60］	Tu Ling,Ma Yue,Cheng Cheng,et al.Hybrid protocol deformation based Web security fuzzy testing and utility evaluation approach［J］.Computer Science,2017,44(5):141-145.(in Chinese)
［61］	Liu Yuan,Yang Yong-hui,Zhang Chun-rui,et al.A novel method for fuzzing test cases generating based on genetic algorithm［J］.Acta Electronics Sinica,2017,45(3):552-556.(in Chinese)
［62］	Cheng Cheng,Zhou Yan-hui.Findding XSS vulnerability based on fuzzing test and genetic algorithm［J］.Computer Science,2016,43(Z6):328-331.(in Chinese)
［63］	Lin Chuang, Su Wen-bo,Meng Kun,et al.Cloud computing security:Architecture,mechanism and modeling［J］.Chinese Journal of Computers,2013,36(9):1765-1784.(in Chinese)
	附中文参考文献：
［5］	高峻，徐志大，李健. 针对复合文档的Fuzzing测试技术［J］. 计算机与数字工程,2008,36(12):116-119.
［13］	王凯，刘奇旭，张玉清.基于Fuzzing的Android应用通信过程漏洞挖掘技术［J］.中国科学院大学学报,2014,31(6):827-835.
［14］	张密，杨力，张俊伟.FuzzerAPP:Android 应用程序组件通信鲁棒性测试［J］.计算机研究与发展,2017,54(2):338-347.
［15］	赵赛，刘昊，王雨峰，等.Android组件间通信的模糊测试方法［J］.计算机科学,2020,47(S2):303-309.
［16］	何远，张玉清，张光华.基于黑盒遗传算法的Android驱动漏洞挖掘［J］.计算机学报,2017,40(5):1031-1043.
［18］	张兴，冯超，雷菁，等.一种面向模糊测试的GUI程序空转状态实时检测方法［J］.软件学报,2018,29(5):1288-1302.
［20］	霍玮，戴戈，史记，等.基于模式生成的浏览器模糊测试技术［J］.软件学报,2018,29(5):1275-1287.
［21］	李伟明，张爱芳，刘建财，等.网络协议的自动化模糊测试漏洞挖掘方法［J］.计算机学报,2011,34(2):242-255.
［26］	张亚丰，洪征，吴礼发，等.基于状态的工控协议Fuzzing测试技术［J］.计算机科学,2017,44(5):132-140.
［30］	李佳莉，陈永乐，李志，等.基于协议状态图遍历的RTSP协议漏洞挖掘［J］.计算机科学,2018,45(9):171-176.
［31］	张蔚瑶，张磊，毛建瓴，等.未知协议的逆向分析与自动化测试［J］.计算机学报,2020,43(4):653-667.
［33］	王颖，王冰青，关永，等.面向ROS的差分模糊测试方法［J］.软件学报,2021,32(6):1867-1881.
［34］	沙乐天，肖甫，杨红柯，等.基于自适应模糊测试的IaaS层漏洞挖掘方法［J］.软件学报,2018,29(5):1303-1317.
［38］	李伟明，于俊清，艾少波.PyFuzzer:自动化高效内存模糊测试方法［J］.通信学报,2013,34(S2):64-68.
［39］	王颖，谷利泽，杨义先，等.EWFT：基于程序执行过程的白盒测试工具［J］.电子学报,2014,42(10):2016-2023.
［43］	乐德广，龚声蓉，吴少刚，等.RTF数组溢出漏洞挖掘技术研究［J］.通信学报,2017,38(5):96-107.
［46］	黄桦烽，王嘉捷，杨轶，等.有限资源条件下的软件漏洞自动挖掘与利用［J］.计算机研究与发展,2019,56(11):2299-2314.
［47］	杨梅芳，霍玮，邹燕燕，等.可编程模糊测试技术［J］.软件学报,2018,29(5):1258-1274.
［53］	谢肖飞，李晓红，陈翔，等.基于符号执行与模糊测试的混合测试方法［J］.软件学报,2019,30(10):3071-3089.
［55］	李明磊，黄晖，陆余良，等.SymFuzz:一种复杂路径条件下的漏洞检测技术［J］.计算机科学,2021,48(5):25-31.
［58］	邹燕燕，邹维，尹嘉伟，等.变异策略感知的并行模糊测试研究［J］.信息安全学报,2020,5(5):1-16.
［59］	张羿辰，赵磊，金银山.模糊测试中基于神经网络的敏感区域预测算法研究［J］.信息安全学报,2020,5(1):10-19.
［60］	涂玲，马跃，程诚，等.基于协议混合变形的Web安全模糊测试与效用评估方法［J］.计算机科学,2017,44(5):141-145.
［61］	刘渊，杨永辉，张春瑞，等.一种基于遗传算法的Fuzzing测试用例生成新方法［J］.电子学报,2017,45(3):552-556.
［62］	程诚，周彦晖.基于模糊测试和遗传算法的XSS漏洞挖掘［J］.计算机科学,2016,43(Z6):328-331.
［63］	林闯, 苏文博, 孟坤, 等. 云计算安全:架构、机制与模型评价［J］. 计算机学报, 2013, 36(9): 1765-1784.

[1]	顾涛涛, 卢帅兵, 李响, 况晓辉, 赵刚. 并行模糊测试综述[J]. 计算机工程与科学, 2022, 44(06): 1046-1055.
[2]	张卫祥，齐玉华，魏波，张敏，窦朝晖. 基于蚁群算法的测试用例优先排序[J]. 计算机工程与科学, 2020, 42(02): 241-249.
[3]	宋丛溪，王辛，张文喆. Angr动态软件测试应用分析与优化[J]. 计算机工程与科学, 2018, 40(增刊S1): 163-168.
[4]	占徐政. 一种针对高维输入域的适应性随机测试改进性算法[J]. 计算机工程与科学, 2018, 40(11): 1936-1943.
[5]	赵一丁，缑西梅，底恒. 项目驱动教学法在软件测试课程中的过程控制[J]. 计算机工程与科学, 2016, 38(增刊): 112-116.
[6]	赵一丁1,樊银亭1,郑秋生1,楚纪正2,罗菁1. 工业软件现场测试中的拆分及其测试数据设计[J]. J4, 2016, 38(05): 921-931.
[7]	赵翀，高鹏. 软件测试课程工程实践教学模式的探索与实施[J]. J4, 2014, 36(A1): 51-55.
[8]	鞠小林1, 2,姜淑娟1,陈翔2,曹鹤玲1,王兴亚1. 一种基于多变量Logistic模型的缺陷定位方法[J]. J4, 2014, 36(10): 1952-1960.
[9]	吴洁明，李硕征. CNONIX标准符合性测试研究[J]. J4, 2014, 36(05): 884-890.
[10]	王蓁蓁. 基于测试结果调整语句出错概率方法[J]. J4, 2014, 36(05): 891-899.
[11]	李毅1，徐萍1，万寒2. 基于QEMU实现的处理器类故障模拟与注入方法研究[J]. J4, 2014, 36(01): 19-27.
[12]	时贵英. 改进PSO算法在软件测试数据生成中的应用[J]. J4, 2012, 34(1): 86-89.
[13]	牟永敏，姜宇，张志华. 软件自动化测试中热点路径的研究[J]. J4, 2011, 33(6): 79-83.
[14]	施寅生，王峰，齐璇. 一种新颖的Web服务安全性测试方法[J]. J4, 2010, 32(9): 81-83.
[15]	周志远, 张大方, 缪力. 基于Java内存模型的并发程序模型检测[J]. J4, 2010, 32(3): 111-114.