微信服务号

微信订阅号

2025年5月11日 11:21 星期日
首页 > 过刊浏览>2023年第34卷第4期 >1594-1612. DOI:10.13328/j.cnki.jos.006691
PDF HTML阅读 XML下载 导出引用 引用提醒
一种结合动态链接库信息的崩溃输入分类方法
作者:
作者简介:

王文祥(1998-),男,硕士生,主要研究领域为软件工程,代码静态分析;许可(1990-),女,博士,讲师,主要研究领域为数据挖掘,非结构化数据分析;高庆(1989-),男,博士,助理研究员,主要研究领域为软件分析,漏洞检测;张世琨(1969-),男,博士,研究员,博士生导师,CCF高级会员,主要研究领域为软件工程,网络安全,知识计算.

中图分类号:

TP311

基金项目:

国家自然科学基金(12001102); 中央高校基本科研业务费专项资金(19QD22)


Crash Input Classification Method Combined with Dynamic Link Library Information
Author:
  • 摘要
    • | |
  • 访问统计
    • |
  • 参考文献 [29]
    • |
  • 相似文献 [20]
    • | | |
  • 文章评论
    摘要:

    软件崩溃是一种严重的软件缺陷, 可导致软件终止运行. 因此, 对软件崩溃的测试在软件迭代的过程中极为重要. 近年来, 模糊测试技术(如AFL)由于可以自动化生成大量的测试输入来触发软件崩溃, 被广泛用于软件测试中. 然而, 通过该技术产生的导致软件崩溃的测试输入中, 大部分崩溃的触发原因都是重复的, 因此软件开发人员需要对测试输入进行分类, 带来了许多冗余工作. 目前, 测试输入分类已经有很多自动化方法, 主要包括基于程序修复的分类算法和基于软件崩溃信息的分类算法. 前者通过对程序在语义上进行分析, 在运行时通过在程序中替换修复模板后重新运行测试输入, 进而对输入分类. 因为此方法需要人为地对于软件崩溃编写修复模板, 所以其分类的效率与修复模板的质量存在很大联系; 且由于需要先修复崩溃、再对崩溃做分类, 影响了软件崩溃的修复效率. 采用后者的思想, 提出了一种轻量而高效的利用软件崩溃信息的测试输入分类算法CICELY. 其在软件崩溃点堆栈信息分类的算法基础上, 在分析软件崩溃点堆栈时引入了动态链接库信息, 通过区分系统动态链接库与用户动态链接库, 结合用户代码位置信息, 得到用户关注的函数集合, 以在分类时以用户函数为基准对崩溃进行界定. 最后, 分别将CICELY与几种基于程序修复的分类算法和基于软件崩溃信息的流行分类工具进行了比较, 实验测试的数据集共计19个项目、42组测试集. 在与基于软件崩溃信息的分类工具Honggfuzz, CERT BFF在相同数据集上比较时, CICELY在分类结果的组数上比上述二者减少了2112.89%和135.05%, 说明CICELY在同类算法上的实验效果有较大提升, 具有更高的精确性. 在与基于程序修复的分类算法“语义崩溃分类”用其论文中提供的测试数据集进行比较时, CICELY比“语义崩溃分类”的分组结果差4.42%; 在由对应了多个崩溃的测试输入所组成的测试集上实验时, CICELY比“语义崩溃分类”分组的重复度高了3%. 但是语义崩溃分类只能对于空指针解引用和缓冲区溢出这两种崩溃输入导致的崩溃进行分类, CICELY不受这样的限制.

    Abstract:

    Software crash is a kind of serious software flaw, which can lead to software crashes. Therefore, testing for software crashes is extremely important in the process of software iteration. In recent years, since a large number of test inputs can be automatically generated to trigger software crashes, fuzzing techniques (such as AFL) are widely used in software testing. Nevertheless, most of root causes of crashes that are generated by this technique are same. In this case, software developers have to classify the test inputs one by one, which brings a lot of redundant work. At present, there are many automated methods for testing input classification, mainly including classification algorithms based on program repair and classification algorithms based on software crash information. The former analyzes the program semantics, and re-runs the test input after replacing the repair templates in the program at runtime, and then classifies the inputs. Since this method requires the preparation of repair templates to be completed artificially, the efficiency of its classification is closely related to the quality of the repair templates. At the same time, the repair efficiency of the software has been greatly affected due to the need to repair the crash and classify the crash. Since certain advantages of the latter, this study proposes a lightweight and efficient test inputs classification algorithm, which uses software crash information. Based on the algorithm of software crash point stack information classification, this study introduces dynamic link library information in analyzing CICELY. By distinguishing system dynamic link library from user dynamic link library and combining with location information of user codes, this study gets the set of functions that are focused by programmers to define the crash based on the user function in the classification. In the end, this study also compares CICELY with some existing classification tools based on program repair and software crash information. The experimental test data sets total 19 projects, and 42 test sets. When comparing with other classification tools, Honggfuzz and CERT BFF, whose main classification algorithms are based on software crash information on the same data set, the numbers of classification results of the two are 2112.89% and 135.05% worse than that of CICELY, proving that the experimental effect of CICELY is greatly improved and has higher accuracy compared with similar algorithms. Compared with the classification algorithm "Semantic Crash Bucketing" based on program repair using the test data set provided in their article, CICELY is worse than it by 4.42%. When using the test set consisting of test inputs corresponding to multiple crashes, CICELY got 3% higher repeatability than it. However, Semantic Crash Bucketing can only classify crashes caused by two kinds of crash inputs, null pointer dereference and buffer overflow, while CICELY is not subject to such restrictions.

    参考文献
    [1] Kim J, Wrote; Ye LL, Trans. Fatal Bugs:Disasters and Revelations from Software Defects. Beijing:Post & Telecom Press, 2014(in Chinese).
    [2] Klees G, Ruef A, Cooper B, et al. Evaluating fuzz testing. In:Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security. 2018. 2123-2138.
    [3] CERT bff. 2021. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=507974
    [4] Google/Honggfuzz:Security Oriented Software Fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw based). 2021. https://github.com/google/Honggfuzz
    [5] Van Tonder R, Kotheimer J, Le Goues C. Semantic crash bucketing. In:Proc. of the 33rd IEEE/ACM Int'l Conf. on Automated Software Engineering (ASE). IEEE, 2018. 612-622.
    [6] American fuzzy lop. 2021. https://lcamtuf.coredump.cx/afl/
    [7] Böhme M, Pham VT, Nguyen MD, et al. Directed greybox fuzzing. In:Proc. of the 2017 ACM SIGSAC Conf. on Computer and Communications Security. 2017. 2329-2344.[doi:10.1109/TSE.2019.2941681]
    [8] Pham VT, Böhme M, Santosa AE, et al. Smart greybox fuzzing. IEEE Trans. on Software Engineering, 2021, 47(9):1980-1997.
    [9] Dhaliwal T, Khomh F, Zou Y. Classifying field crash reports for fixing bugs:A case study of mozilla firefox. In:Proc. of the 201127th IEEE Int'l Conf. on Software Maintenance (ICSM). IEEE, 2011. 333-342.
    [10] Kim S, Zimmermann T, Nagappan N. Crash graphs:An aggregated view of multiple crashes to improve crash triage. In:Proc. of the 2011 IEEE/IFIP 41st Int'l Conf. on Dependable Systems & Networks (DSN). IEEE, 2011. 486-493.
    [11] Dang Y, Wu R, Zhang H, et al. Rebucket:A method for clustering duplicate crash reports based on call stack similarity. In:Proc. of the 201234th Int'l Conf. on Software Engineering (ICSE). IEEE, 2012. 1084-1093.
    [12] Golagha M, Lehnhoff C, Pretschner A, et al. Failure clustering without coverage. In:Proc. of the 28th ACM SIGSOFT Int'l Symp. on Software Testing and Analysis. 2019. 134-145.
    [13] Chen Y, Groce A, Zhang C, et al. Taming compiler fuzzers. In:Proc. of the 34th ACM SIGPLAN Conf. on Programming Language Design and Implementation. 2013. 197-208.
    [14] Pham VT, Khurana S, Roy S, et al. Bucketing failing tests via symbolic analysis. In:Proc. of the Int'l Conf. on Fundamental Approaches to Software Engineering. Springer, 2017. 43-59.
    [15] Castelluccio M, Sansone C, Verdoliva L, et al. Automatically analyzing groups of crashes for finding correlations. In:Proc. of the 201711th Joint Meeting on Foundations of Software Engineering. 2017. 717-726.
    [16] Qian R, Yu Y, Park W, et al. Debugging crashes using continuous contrast set mining. In:Proc. of the 42nd ACM/IEEE Int'l Conf. on Software Engineering:Software Engineering in Practice. 2020. 61-70.
    [17] Khomh F, Chan B, Zou Y, et al. An entropy evaluation approach for triaging field crashes:A case study of mozilla firefox. In:Proc. of the 201118th Working Conf. on Reverse Engineering. IEEE, 2011. 261-270.
    [18] Kim D, Wang X, Kim S, et al. Which crashes should i fix first? Predicting top crashes at an early stage to prioritize debugging efforts. IEEE Trans. on Software Engineering, 2011, 37(3):430-447.[doi:10.1109/TSE.2011.20]
    [19] Wu RX, Wen M, Cheung SC, et al. ChangeLocator:Locate crash-inducing changes based on crash reports. Empir. Softw. Eng., 2018, 23(5):2866-2900.
    [20] Guo ZQ, Li YH, Ma WWY, et al. Boosting crash-inducing change localization with rank- performance-based feature subset selection. Empirical Software Engineering, 2020, 25(3):1905-1950.
    [21] SQLite home page. 2021. https://www.sqlite.org/index.html
    [22] Pwndbg. 2021. https://github.com/pwndbg/pwndbg
    [23] Public vulnerabilities discovered using bff-tools-vulwiki. 2021. https://vuls.cert.org/confluence/display/tools/Public+Vulnerabilities+Discovered+Using+BFF
    [24] OSS-fuzz-google's continuous fuzzing service for open source software. 2021. https://google.github.io/oss-fuzz/
    [25] Woo M, Cha SK, Gottlieb S, et al. Scheduling black-box mutational fuzzing. In:Proc. of the 2013 ACM SIGSAC Conf. on Computer & Communications Security. 2013. 511-522.
    [26] SquaresLab/Semanticcrashbucketing. 2021. https://github.com/squaresLab/SemanticCrashBucketing
    [27] Valgrind documentation. Valgrind Documentation, 2021. https://www.valgrind.org/docs/manual/valgrind_manual.pdf
    附中文参考文献
    [1] 金钟河, 著, 叶蕾蕾, 译. 致命Bug:软件缺陷的灾难与启示. 北京:人民邮电出版社, 2016.
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

王文祥,高庆,许可,张世琨.一种结合动态链接库信息的崩溃输入分类方法.软件学报,2023,34(4):1594-1612

复制
相关视频

分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2021-08-17
  • 最后修改日期:2021-12-07
  • 在线发布日期: 2023-04-04
  • 出版日期: 2023-04-06
文章二维码
友情链接:中国科学院软件研究所中国计算机学会中国科学院国家自然科学基金委员会CCF数字图书馆Int'l J of Softw Info计算机系统应用
您是第19922949位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号