Abstract
Software fuzzing is widely used in automated software vulnerability mining. To improve its efficiency, techniques such as symbolic execution and taint tracking have been applied to fuzzing. Because there are no uniform, standardized test samples, researchers can only evaluate on existing software; the samples therefore differ from one study to the next, and the advantages and disadvantages of different techniques cannot be measured accurately. In this paper, we propose a source-based technology for automatically generating software vulnerabilities: by analysing the structural characteristics of the source code, it finds potential vulnerability insertion points and, combined with known vulnerability types, automatically inserts vulnerabilities into the source code. We selected open source projects such as coreutils as test targets and inserted multiple vulnerabilities into their source code. By providing a standardized sample of vulnerable programs, we create a basis for judgement.
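The workflow the abstract describes has two halves: locating structural positions in the source where a known vulnerability type fits, and using the resulting ground truth to judge a fuzzer. The following is an added example, not code from the paper or the ASVG tool: it approximates the structural analysis with line-based pattern matching over C source (a real implementation would use a parser), emits a ground-truth manifest, and scores sanitizer crash reports against that manifest. The sample C program, the `ASVG-nnn` identifiers and the sanitizer output are all constructed for illustration.

```python
"""
Added example, not the paper's own code: a structural scan of C source for
candidate vulnerability insertion points (the paper's "insertion point" idea,
approximated here with line-based pattern matching instead of a real parser),
turned into a ground-truth manifest, and a scorer that checks sanitizer crash
reports against that manifest. The sample source, manifest ids and reports are
all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fixed-size local arrays, e.g. "char name[64];" (destination buffers).
ARRAY_DECL = re.compile(r'\b(?:unsigned\s+char|char|uint8_t)\s+(\w+)\s*\[\s*(\d+)\s*\]')
# Bounded copies into a known buffer: the bound at such a point is where a
# stack-buffer-overflow sample of known type could be placed.
BOUNDED_COPY = re.compile(r'\b(strncpy|strncat|memcpy|snprintf)\s*\(\s*(\w+)\s*,')
# Multiplicative size arithmetic feeding malloc: an integer-overflow candidate.
MALLOC_SIZE = re.compile(r'\bmalloc\s*\(([^;]*?\*[^;]*)\)')

@dataclass
class InsertionPoint:
    line: int
    kind: str            # vulnerability type that fits this point
    target: str          # buffer name or size expression involved
    size: Optional[int]  # declared buffer size, if any

def find_insertion_points(source: str) -> list:
    """Scan the source line by line and record candidate insertion points."""
    buffers = {}
    points = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, size in ARRAY_DECL.findall(text):
            buffers[name] = int(size)
        m = BOUNDED_COPY.search(text)
        if m and m.group(2) in buffers:
            points.append(InsertionPoint(lineno, "stack-buffer-overflow",
                                         m.group(2), buffers[m.group(2)]))
        m = MALLOC_SIZE.search(text)
        if m:
            points.append(InsertionPoint(lineno, "integer-overflow",
                                         m.group(1).strip(), None))
    return points

def build_manifest(points, source_file):
    """Ground truth for the generated sample: one record per inserted bug."""
    return [{"id": f"ASVG-{i:03d}", "file": source_file, "line": p.line,
             "kind": p.kind, "target": p.target}
            for i, p in enumerate(points, start=1)]

ASAN_HEADER = re.compile(r'ERROR: AddressSanitizer: ([\w-]+)')
# Frames like "#1 0x4011d5 in parse_name sample.c:5:5"; the file part stops at
# the first colon so an optional column number is ignored.
ASAN_FRAME = re.compile(r'#\d+\s+0x[0-9a-f]+\s+in\s+\w+\s+([^\s:]+):(\d+)')
# UBSan lines like "sample.c:10:21: runtime error: unsigned integer overflow: ..."
UBSAN_LINE = re.compile(r'^([^\s:]+):(\d+):\d+: runtime error: .*integer overflow', re.M)

def parse_report(report):
    """Return (kind, set of (file, line)) for an ASan or UBSan report."""
    m = ASAN_HEADER.search(report)
    if m:
        return m.group(1), {(f, int(l)) for f, l in ASAN_FRAME.findall(report)}
    m = UBSAN_LINE.search(report)
    if m:
        return "integer-overflow", {(m.group(1), int(m.group(2)))}
    return None, set()

def score_reports(manifest, reports):
    """Which manifest entries did the fuzzer hit? Returns (found ids, recall)."""
    found = set()
    for report in reports:
        kind, locations = parse_report(report)
        for entry in manifest:
            if entry["kind"] == kind and (entry["file"], entry["line"]) in locations:
                found.add(entry["id"])
    recall = len(found) / len(manifest) if manifest else 0.0
    return sorted(found), recall

# Constructed sample target (not from coreutils); line numbers matter below.
SAMPLE_C = """\
#include <string.h>
#include <stdlib.h>
int parse_name(const char *src) {
    char name[64];
    strncpy(name, src, sizeof name - 1);
    name[63] = '\\0';
    return 0;
}
void *alloc_table(unsigned n) {
    return malloc(n * sizeof(int));
}
"""

# Constructed sanitizer output, as a fuzzing harness would collect it.
REPORTS = [
    "==1234==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd0000\n"
    "    #0 0x4a1b2c in __interceptor_strncpy asan_interceptors.cpp:123\n"
    "    #1 0x4011d5 in parse_name sample.c:5:5\n"
    "    #2 0x401230 in main sample.c:14:9\n",
    "sample.c:10:21: runtime error: unsigned integer overflow: "
    "1073741824 * 4 cannot be represented in type 'unsigned int'\n",
]

if __name__ == "__main__":
    manifest = build_manifest(find_insertion_points(SAMPLE_C), "sample.c")
    print(score_reports(manifest, REPORTS))  # (['ASVG-001', 'ASVG-002'], 1.0)
```

The manifest is what makes the comparison between fuzzers fair: every tool is run against the same sample with the same known bug locations, and recall is computed against that list rather than against whatever each tool happens to report. Matching on both the vulnerability kind and the exact source line is deliberate, so a crash in unrelated code is not credited to an inserted bug.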
Acknowledgments
Thanks to Chen Chen, Baojiang Cui and Zijian Li for the references provided during the research process and the preparation of the paper.
© 2019 Springer Nature Switzerland AG
Cite this paper
Yang, J., Zhou, P., Ni, Y. (2019). ASVG: Automated Software Vulnerability Sample Generation Technology Based on Source Code. In: Barolli, L., Leu, FY., Enokido, T., Chen, HC. (eds) Advances on Broadband and Wireless Computing, Communication and Applications. BWCCA 2018. Lecture Notes on Data Engineering and Communications Technologies, vol 25. Springer, Cham. https://doi.org/10.1007/978-3-030-02613-4_28
DOI: https://doi.org/10.1007/978-3-030-02613-4_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02612-7
Online ISBN: 978-3-030-02613-4