
Computer Engineering ›› 2010, Vol. 36 ›› Issue (16): 39-41. doi: 10.3969/j.issn.1000-3428.2010.16.014

• Software Technology and Database •

Fuzzing Test Approach Based on Dynamic Tracking of Library Functions

HUANG Yi¹, ZENG Fan-ping¹,², CAO Qing¹

  1. School of Computer Science and Technology, University of Science and Technology of China, Hefei 230026
  2. Anhui Province Key Laboratory of Computation and Communication Software, Hefei 230026
  • Online: 2010-08-20 Published: 2010-08-17
  • About the authors: HUANG Yi (born 1980), male, master's student, main research interest: software security testing; ZENG Fan-ping, associate professor, Ph.D.; CAO Qing, master's student

Abstract: Based on an analysis of the security of library functions, this paper proposes a Fuzzing test approach based on dynamic tracking of library functions. It dynamically tracks the target program's calls to unsafe library functions and locates the fault injection point accurately by searching the input data for matches to the call parameters. A testing tool designed and implemented according to this method is compared with two other tools in a testing experiment on software with vulnerabilities. The experiment verifies that the approach is effective and highly efficient.

Key words: vulnerability exploiting, Fuzzing technology, unsafe function, dynamic tracking

CLC number: