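Graduate student: 劉世淳
Graduate student (English name): Liu, Shih-Tsun
Thesis title: 基於覆蓋率指引網頁後端的模糊測試
Thesis title (English): Coverage Guided Fuzzing in Python-Based Web Server
Advisor: 黃世昆
Advisor (English name): Huang, Shih-Kun
Oral defense committee: 黃世昆, 楊明豪, 黃俊穎
Oral defense committee (English names): Huang, Shih-Kun
Oral defense date: 2019-05-24
Degree: Master's
Institution: National Chiao Tung University
Department: Institute of Computer Science and Engineering
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2019
Academic year of graduation: 107
Language: Chinese
Number of pages: 32
Keywords (Chinese): web back end; software testing; fuzz testing
Keywords (English): web; python; Fuzzing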
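In recent years, as web technologies have matured and come into general use, both web architectures with separated front ends and back ends and online services use application programming interfaces (APIs) based on Representational State Transfer (REST) as the bridge for communicating with the server. This interface has, however, also become an entry point for attacks on web vulnerabilities, so efficient software testing is an indispensable part of such an environment.
Fuzz testing is currently a widely used method for discovering software vulnerabilities. The main idea is to keep feeding different data to the target under test and observe whether anomalies or program crashes occur. A commonly used fuzz-testing tool is American Fuzzy Lop (AFL), which observes the coverage of the program under test to guide AFL into deeper regions, improving on the low coverage of traditional fuzz testing.
This thesis applies AFL to RESTful API testing, using guidance from code coverage to effectively raise the overall coverage of the tests, and compares its efficiency with methods that have no coverage guidance. The data show that coverage-guided testing is significantly more efficient. The testing also produced program crashes, which can be examined further to see whether they could serve as targets for malicious exploitation.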
Web application technologies have become more popular in recent years. Web applications designed with separate front ends and back ends, as well as online services, often use Representational State Transfer (REST) based application programming interfaces (APIs) for communication between server and client. However, because of this wide adoption, RESTful APIs can also be exploited by malicious users. To guard against this kind of threat, efficient software testing is indispensable for discovering potential defects earlier.
Fuzz testing is an efficient way to discover vulnerabilities. The fuzzer keeps providing different inputs to a target program, including invalid, unexpected or random data. During testing, the fuzzer monitors the run-time status to observe whether any abnormal activity or program crash occurs. One of the best-known tools for fuzz testing is American Fuzzy Lop (AFL). It uses the edge coverage observed from the program to guide inputs to deeper regions of the program. With this strategy, AFL improves on the low coverage of traditional fuzzers.
In our work, we adopt AFL to test RESTful API servers. We use the edge coverage collected from the target program to improve overall coverage, and we compare against other fuzzers without coverage-guided capability. The results reveal a significant improvement. If a program crash occurs, we can analyze the crash to determine whether it could be exploited by a malicious user.
Abstract (Chinese)
Abstract
Acknowledgements
List of Contents
List of Figures
List of Tables
1. Introduction
2. Background
2.1 Fuzz Testing
2.2 American Fuzzy Lop (AFL)
2.2.1 AFL Fuzzing strategy
2.2.2 AFL persistent mode
2.3 Python-afl
2.4 RESTful API
2.5 Swagger
3. Method
3.1 Overview
3.2 Structure
3.3 Python-web-afl
3.4 Internal
3.4.1 Swagger document parsing
3.4.2 Code insertion
4. Evaluation
4.1 Seed selection
4.2 UTF-8
4.3 Iot-Agent
4.4 Open Source server
5. Related work
5.1 REST-ler
5.2 Node.Fz
5.3 Slowfuzz
5.4 RESTful API Testing
5.5 Open Source Tools and Others
6. Conclusion
7. Future work
8. References