National Digital Library of Theses and Dissertations in Taiwan

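Graduate student: 廖峰澤
Graduate student (foreign-language name): Liao, Feng-Ze
Thesis title: 藉由排程文件物件模型資料之變異與生成進行瀏覽器模糊測試
Thesis title (foreign-language): Browser Fuzzing by Scheduled Mutation and Generation of Document Object Models
Advisor: 林盈達
Advisor (foreign-language name): Lin, Ying-Dar
Oral examination committee: 林盈達; 賴源正; 黃世昆; 吳育松
Oral examination committee (foreign-language names): Lin, Ying-Dar; Lai, Yuan-Cheng; Huang, Shih Kun; Wu, Yu Sung
Oral examination date: 2015-06-04
Degree: Master's
Institution: National Chiao Tung University
Department: Institute of Network Engineering
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2015
Academic year of graduation: 103
Language: English
Number of pages: 25
Keywords (Chinese, translated): browser fuzzing; black-box testing; vulnerabilities; crashes; mutation; scheduling; DOM
Keywords (foreign-language): browser fuzzing; black-box fuzzing; vulnerabilities; exploits; mutation; scheduling; document object model; DOM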
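Abstract (translated from the Chinese): Internet applications have become an indispensable part of daily life, but if these applications are compromised and exploited by malicious parties, they can pose security threats. Finding and fixing vulnerabilities so that they cannot be exploited is therefore an urgent task. Fuzz testing is a widely used method for finding software vulnerabilities; it finds weaknesses effectively by mutating seed test inputs. These methods still fall short for web browsers, so we propose scheduled DOM fuzzing (SDF), which integrates several browser testing tools with the scheduled fuzzing framework called BFF. We also propose a new probability model that improves seed selection and the dynamic mutation process, producing more crashing test cases more efficiently. Experiments show that SDF generates up to 2.27 times as many crashing test cases as the fuzzers it was compared against. We also found 23 exploitable crashing test cases in a Windows 7 environment. This shows that a better scheduling method and architecture can improve browser fuzzing performance.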
Abstract (English): Internet applications have made our daily life fruitful. However, they also cause many security problems if they are leveraged by intruders. It is therefore important to find and fix vulnerabilities in a timely manner to prevent them from being exploited. Fuzz testing is a popular methodology that effectively finds vulnerabilities in application programs through seed input mutation. However, it is not a satisfactory solution for web browsers. In this work, we propose a solution, called scheduled DOM fuzzing (SDF), which integrates several related browser fuzzing tools and the fuzzing framework called BFF. To explore more crash possibilities, we revise the browser fuzzing architecture and schedule seed input selection and mutation dynamically. We also propose two probability computing methods in the scheduling mechanism, which try to improve performance by determining which combinations of seed and mutation would produce more crashes. Our experiments show that SDF is up to 2.27 times more efficient in terms of the number of crashes and vulnerabilities found. SDF also found 23 exploitable crashes in Windows 7 within five days. The experimental results reveal that a good scheduling method for seeds and mutations in browser fuzzing is able to find more exploitable crashes than fuzzers with a fixed seed input.
List of Figures v
List of Tables vi
Chapter 1 Introduction 1
Chapter 2 Background 5
2.1 Black-Box Fuzzing 5
2.2 Improvement of black-box fuzzing: schedule 6
2.3 Browser fuzzing 6
Chapter 3 Problem Statement 9
3.1 Terminology and Assumptions 9
3.2 Problem Statement 9
Chapter 4 Scheduled DOM Fuzzing 11
Chapter 5 Implementation 16
Chapter 6 Results 18
Chapter 7 Conclusions 23
References 24

