Memory Security Vulnerability Detection Combining Fuzzy Testing and Dynamic Analysis
C is widely used in the development of system software and embedded software because of its speed and the precise control over memory it offers through pointers, and it remains one of the most popular programming languages. The power of pointers makes it possible to operate directly on memory. However, C provides no memory-safety checking, so pointer misuse can lead to memory errors such as memory leaks, buffer overflows and double frees, and these errors can sometimes cause fatal damage such as system crashes or corruption of internal data. Several techniques exist for detecting memory-safety vulnerabilities in C programs. Among them, dynamic analysis detects memory-safety errors at runtime by instrumenting the source code, but it can only find an error when the program actually executes the path on which the error lies, so it depends on the program's input. Fuzz testing, in contrast, finds software vulnerabilities by feeding inputs to the program and monitoring how it behaves, but it cannot detect memory-safety errors that do not crash the program, nor can it provide detailed information such as the location of the error. In addition, because of the complex grammar of the C language, dynamic analysis tools often fail to handle some uncommon, C-specific constructs correctly when analyzing large and complex projects, so that instrumentation fails or the instrumented program does not compile. To address these problems, this paper proposes a method that detects the memory safety of C programs containing such specific constructs by combining dynamic analysis with fuzz testing and improving existing methods. Reliability and performance experiments show that, with support for the C-specific constructs added, the memory safety of programs containing them can be detected, and that the combination with fuzz testing gives stronger vulnerability detection capability.
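As an illustration of the gap the abstract describes (an added example, not code from the paper or its tool): the off-by-one below never crashes under ordinary inputs, so a fuzzer that only watches for crashes will not report it, while a redzone check wrapped around each allocation, the kind of instrumentation dynamic analysis inserts, reports it on the first input that reaches the path. The names `chk_malloc`, `chk_free`, `copy_buggy`, `copy_fixed` and the `REDZONE`/`CANARY` constants are constructed for this example.

```c
/* Constructed example: a non-crashing one-byte heap overflow and the redzone check that reports it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE 16    /* guard bytes placed after each user buffer */
#define CANARY  0xAB  /* pattern the guard bytes are filled with */
typedef struct { size_t size; } hdr_t;   /* bookkeeping kept in front of the buffer */

/* Instrumented allocation: [hdr_t][n user bytes][REDZONE canary bytes]. */
void *chk_malloc(size_t n) {
    hdr_t *h = malloc(sizeof(hdr_t) + n + REDZONE);
    if (!h) return NULL;
    h->size = n;
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user + n, CANARY, REDZONE);
    return user;
}

/* Instrumented release: returns 1 if the redzone was overwritten (a write past the
 * end of the buffer happened on this path), 0 if the block is intact. */
int chk_free(void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    unsigned char *user = p;
    int bad = 0;
    for (size_t i = 0; i < REDZONE; i++)
        if (user[h->size + i] != CANARY) bad = 1;
    if (bad) fprintf(stderr, "heap overflow past %zu-byte block\n", h->size);
    free(h);
    return bad;
}

/* Buggy: allocates strlen(s) bytes but strcpy also writes the terminator. The extra
 * byte lands in allocator slack, so an uninstrumented run never crashes. */
int copy_buggy(const char *s) {
    char *buf = chk_malloc(strlen(s));
    if (!buf) return -1;
    strcpy(buf, s);
    return chk_free(buf);   /* 1: overflow detected */
}

/* Fixed: room for the terminator, so the redzone stays intact. */
int copy_fixed(const char *s) {
    char *buf = chk_malloc(strlen(s) + 1);
    if (!buf) return -1;
    strcpy(buf, s);
    return chk_free(buf);   /* 0: no error */
}
int main(void) { printf("buggy=%d fixed=%d\n", copy_buggy("hello"), copy_fixed("hello")); return 0; }
```

Real instrumentation (shadow memory, redzones around every object, checks on every access) also reports the faulting location, which is the detail the abstract notes a crash-only fuzzer cannot supply.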