Vulnerability detection: what is symbolic execution? (software vulnerability scanning tools)

User contribution 226 2022-09-11



Symbolic execution

Symbolic execution (King 1976) is another vulnerability discovery technique that is considered very promising. By symbolizing the program inputs, symbolic execution maintains a set of constraints for each execution path. After the execution, constraint solvers are used to solve the constraints and determine which inputs cause that execution. Technically, symbolic execution could cover any execution path in a program and has shown good results in tests of small programs, but it also has many limitations. First, the path explosion problem: as the scale of the program grows, the number of execution states explodes, which exceeds the solving ability of constraint solvers. Selective symbolic execution has been proposed as a compromise. Second, environment interactions: in symbolic execution, when the target program's execution interacts with components outside the symbolic execution environment, such as system calls, signal handling, etc., consistency problems may arise. Previous work has proved that symbolic execution is still difficult to scale up to large applications (Böhme et al. 2017).

Many classes of errors, such as functional correctness bugs, are difficult to find without executing a piece of code. The importance of such testing — combined with the difficulty and poor performance of random and manual approaches — has led to much recent work in using symbolic execution to automatically generate test inputs. At a high level, these tools use variations on the following idea: instead of running code on manually or randomly constructed input, they run it on symbolic input initially allowed to be "anything." They substitute program inputs with symbolic values and replace the corresponding concrete program operations with ones that manipulate symbolic values. When program execution branches based on a symbolic value, the system (conceptually) follows both branches, on each path maintaining a set of constraints called the path condition, which must hold on execution of that path. When a path terminates or hits a bug, a test case can be generated by solving the current path condition for concrete values. Assuming deterministic code, feeding this concrete input to a raw, unmodified version of the checked code will make it follow the same path and hit the same bug.

Results are promising. However, while researchers have shown such tools can sometimes get good coverage and find bugs on a small number of programs, it has been an open question whether the approach has any hope of consistently achieving high coverage on real applications. Two common concerns are (1) the exponential number of paths through code and (2) the challenges in handling code that interacts with its surrounding environment, such as the operating system, the network, or the user (colloquially: "the environment problem"). Neither concern has been much helped by the fact that most past work, including ours, has usually reported results on a limited set of hand-picked benchmarks and typically has not included any coverage numbers.
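The path-condition mechanism described above, as an added Python example that is not from this page or from the papers it draws on: a tiny symbolic executor that forks at every branch on a symbolic value, records the path condition, solves it to produce a concrete test input, and then replays that input on the unmodified code. The constructed `target` function, the input names, and the bounded-domain brute-force `solve` (a stand-in for a real constraint solver such as STP or Z3) are assumptions; the worklist growing with every branch is the path explosion the text warns about in miniature.

```python
import itertools
FORCED, PATH = [], []  # branch outcomes forced for the current run; path condition recorded so far

class Sym:
    """Symbolic integer expression: printable text plus an evaluator over a concrete input env."""
    def __init__(self, text, fn):
        self.text, self.fn = text, fn
    def _bin(self, op, other, f):
        o = other if isinstance(other, Sym) else Sym(str(other), lambda env, v=other: v)
        return Sym(f"({self.text} {op} {o.text})", lambda env: f(self.fn(env), o.fn(env)))
    def __add__(self, o): return self._bin("+", o, lambda a, b: a + b)
    def __mul__(self, o): return self._bin("*", o, lambda a, b: a * b)
    def __lt__(self, o): return self._bin("<", o, lambda a, b: a < b)
    def __eq__(self, o): return self._bin("==", o, lambda a, b: a == b)
    def __bool__(self):  # the program branches on a symbolic value: record it, take the forced way
        want = FORCED[len(PATH)] if len(PATH) < len(FORCED) else True
        PATH.append((self, want))
        return want

def solve(pc, names, domain):
    """Stand-in for a real constraint solver (constructed): brute-force a small input domain."""
    for vals in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(bool(c.fn(env)) == want for c, want in pc):
            return env
    return None

def explore(program, names, domain):
    """Enumerate feasible paths by re-running with forced branch prefixes; return (result, input, path)."""
    global FORCED, PATH
    worklist, tests = [[]], []
    while worklist:
        FORCED, PATH = worklist.pop(), []
        result = program(*[Sym(n, lambda env, n=n: env[n]) for n in names])
        if (env := solve(PATH, names, domain)) is not None:  # path condition -> concrete test case
            tests.append((result, env, [(c.text, want) for c, want in PATH]))
        for i in range(len(FORCED), len(PATH)):  # fork: flip each branch this run decided freely
            flipped = PATH[:i] + [(PATH[i][0], not PATH[i][1])]
            if solve(flipped, names, domain) is not None:  # only keep feasible forks
                worklist.append([want for _, want in flipped])
    return tests

def target(x, y):
    """Constructed program under test: the bug is reachable through only one of its three paths."""
    n = x * 2
    if n < y:
        if y == 7:
            return "bug"
        return "safe-A"
    return "safe-B"
```

Calling `explore(target, ["x", "y"], range(0, 10))` yields one test case per feasible path, and `target(**env)` on the generated concrete input reaches the same outcome as the symbolic run did.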

