{"title":"回收测试用例以检测安全漏洞","authors":"João Antunes, N. Neves","doi":"10.1109/ISSRE.2012.3","DOIUrl":null,"url":null,"abstract":"The design of new protocols and features, e.g., in the context of organizations such as the IETF, produces a flow of novel standards and amendments that lead to ever changing implementations. These implementations can be difficult to test for security vulnerabilities because existing tools often lag behind. In the paper, we propose a new methodology that addresses this issue by recycling test cases from several sources, even if aimed at distinct protocols. It resorts to protocol reverse engineering techniques to build parsers that are capable of extracting the relevant payloads from the test cases, and then applies them to new test cases tailored to the particular features that need to be checked. An evaluation with 10 commercial and open-source testing tools and a large set of FTP vulnerabilities shows that our approach is able to get better or equal vulnerability coverage than the original tools. In a more detailed experiment with two fuzzers, our solution showed an improvement of 19% on vulnerability coverage when compared with the two combined fuzzers, being capable of finding 25 additional vulnerabilities.","PeriodicalId":172003,"journal":{"name":"2012 IEEE 23rd International Symposium on Software Reliability Engineering","volume":"80 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-11-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"Recycling Test Cases to Detect Security Vulnerabilities\",\"authors\":\"João Antunes, N. Neves\",\"doi\":\"10.1109/ISSRE.2012.3\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The design of new protocols and features, e.g., in the context of organizations such as the IETF, produces a flow of novel standards and amendments that lead to ever changing implementations. These implementations can be difficult to test for security vulnerabilities because existing tools often lag behind. In the paper, we propose a new methodology that addresses this issue by recycling test cases from several sources, even if aimed at distinct protocols. It resorts to protocol reverse engineering techniques to build parsers that are capable of extracting the relevant payloads from the test cases, and then applies them to new test cases tailored to the particular features that need to be checked. An evaluation with 10 commercial and open-source testing tools and a large set of FTP vulnerabilities shows that our approach is able to get better or equal vulnerability coverage than the original tools. In a more detailed experiment with two fuzzers, our solution showed an improvement of 19% on vulnerability coverage when compared with the two combined fuzzers, being capable of finding 25 additional vulnerabilities.\",\"PeriodicalId\":172003,\"journal\":{\"name\":\"2012 IEEE 23rd International Symposium on Software Reliability Engineering\",\"volume\":\"80 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-11-27\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 IEEE 23rd International Symposium on Software Reliability Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISSRE.2012.3\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 IEEE 23rd International Symposium on Software Reliability Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSRE.2012.3","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Recycling Test Cases to Detect Security Vulnerabilities
The design of new protocols and features, e.g., in the context of organizations such as the IETF, produces a flow of novel standards and amendments that lead to ever changing implementations. These implementations can be difficult to test for security vulnerabilities because existing tools often lag behind. In the paper, we propose a new methodology that addresses this issue by recycling test cases from several sources, even if aimed at distinct protocols. It resorts to protocol reverse engineering techniques to build parsers that are capable of extracting the relevant payloads from the test cases, and then applies them to new test cases tailored to the particular features that need to be checked. An evaluation with 10 commercial and open-source testing tools and a large set of FTP vulnerabilities shows that our approach is able to get better or equal vulnerability coverage than the original tools. In a more detailed experiment with two fuzzers, our solution showed an improvement of 19% on vulnerability coverage when compared with the two combined fuzzers, being capable of finding 25 additional vulnerabilities.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
