Java本机接口的启发式模糊测试生成器

Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies Pub Date : 2019-08-26 DOI:10.1145/3340495.3342749

Jinjing Zhao, Yan Wen, Xiang Li, Ling Pang, Xiaohui Kuang, Dongxia Wang

{"title":"Java本机接口的启发式模糊测试生成器","authors":"Jinjing Zhao, Yan Wen, Xiang Li, Ling Pang, Xiaohui Kuang, Dongxia Wang","doi":"10.1145/3340495.3342749","DOIUrl":null,"url":null,"abstract":"It is well known that once a Java application uses native C/C++ methods through the Java Native Interface (JNI), any security guarantees provided by Java might be invalidated by the native methods. So any vulnerability in this trusted native code can compromise the security of the Java program. Fuzzing test is an approach to software testing whereby the system being tested is bombarded with inputs generated by another program. When using fuzzer to test JNI programs, how to accurately reach the JNI functions and run through them to find the sensitive system APIs is the pre-condition of the test. In this paper, we present a heuristic fuzz generator method on JNI vulnerability detection based on the branch predication information of program. The result in the experiment shows our method can use less fuzzing times to reach more sensitive windows APIs in Java native code.","PeriodicalId":237309,"journal":{"name":"Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies","volume":"47 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-08-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"A heuristic fuzz test generator for Java native interface\",\"authors\":\"Jinjing Zhao, Yan Wen, Xiang Li, Ling Pang, Xiaohui Kuang, Dongxia Wang\",\"doi\":\"10.1145/3340495.3342749\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"It is well known that once a Java application uses native C/C++ methods through the Java Native Interface (JNI), any security guarantees provided by Java might be invalidated by the native methods. So any vulnerability in this trusted native code can compromise the security of the Java program. Fuzzing test is an approach to software testing whereby the system being tested is bombarded with inputs generated by another program. When using fuzzer to test JNI programs, how to accurately reach the JNI functions and run through them to find the sensitive system APIs is the pre-condition of the test. In this paper, we present a heuristic fuzz generator method on JNI vulnerability detection based on the branch predication information of program. The result in the experiment shows our method can use less fuzzing times to reach more sensitive windows APIs in Java native code.\",\"PeriodicalId\":237309,\"journal\":{\"name\":\"Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies\",\"volume\":\"47 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-08-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3340495.3342749\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3340495.3342749","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

众所周知，一旦Java应用程序通过Java本机接口(Java native Interface, JNI)使用本机C/ c++方法，Java提供的任何安全保证都可能被本机方法失效。因此，这个受信任的本机代码中的任何漏洞都可能危及Java程序的安全性。模糊测试是一种软件测试方法，通过这种方法，被测试的系统被另一个程序生成的输入轰炸。在使用fuzzer对JNI程序进行测试时，如何准确到达JNI功能并通过它们找到敏感的系统api是测试的前提条件。本文提出了一种基于程序分支预测信息的JNI漏洞检测的启发式模糊生成器方法。实验结果表明，我们的方法可以使用更少的模糊时间来达到Java本机代码中更敏感的windows api。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

A heuristic fuzz test generator for Java native interface

It is well known that once a Java application uses native C/C++ methods through the Java Native Interface (JNI), any security guarantees provided by Java might be invalidated by the native methods. So any vulnerability in this trusted native code can compromise the security of the Java program. Fuzzing test is an approach to software testing whereby the system being tested is bombarded with inputs generated by another program. When using fuzzer to test JNI programs, how to accurately reach the JNI functions and run through them to find the sensitive system APIs is the pre-condition of the test. In this paper, we present a heuristic fuzz generator method on JNI vulnerability detection based on the branch predication information of program. The result in the experiment shows our method can use less fuzzing times to reach more sensitive windows APIs in Java native code.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies

自引率

0.00%

发文量