面向工控系统的C语言异常处理路径定向模糊测试方法

doi:10.3969/j.issn.1671-1122.2026.02.003

摘要/Abstract

摘要：

针对工控系统中C语言程序因缺乏统一异常处理机制导致的异常处理漏洞检测难题，文章提出一种面向工控系统的C语言异常处理路径定向模糊测试方法。该方法通过异常测试条件建模与异常处理漏洞检测两个阶段协同工作，提升异常处理相关漏洞的检测能力。在异常测试条件建模阶段，设计软件异常事件导入算法，采用动静结合的间接调用关系分析与异常注入技术，生成异常状态可控的待测试程序；在异常处理漏洞检测阶段，构建多目标定向模糊测试框架 MEFuzz，通过运行前多目标规划与运行时多目标早停算法，动态调节测试资源分配，提高多上下文异常处理路径的探索效率。基于UniBench数据集的实验结果表明，该方法在静态检测准确率（22.22%）与模糊测试漏洞触发总数（294个）上均优于现有工具，改善因子达1.26，能有效提升工控系统C语言程序异常处理路径相关漏洞的检测效果。

关键词: 工控系统, 异常处理路径, 定向模糊测试, 漏洞检测

Abstract:

Aiming at the difficulty in detecting exception handling vulnerabilities in C language programs of industrial control systems due to the lack of a unified exception handling mechanism, this paper proposed a directed fuzz testing method for C language exception handling paths in industrial control systems. The method improved the detection capability of exception handling-related vulnerabilities through the collaborative work of two stages: exception test condition modeling and exception handling vulnerability detection. In the exception test condition modeling stage, a software exception event import algorithm was designed, which combined dynamic-static indirect call relationship analysis and exception injection technology to generate test programs with controllable exception states. In the exception handling vulnerability detection stage, a multi-objective directed fuzz testing framework MEFuzz was constructed, which dynamically adjusted test resource allocation through pre-run multi-objective planning and runtime multi-objective early stopping algorithms to improve the exploration efficiency of multi-context exception handling paths. Experiments based on the UniBench dataset show that this method outperforms existing tools in static detection accuracy (22.22%) and the total number of fuzz testing vulnerability triggers (294), with an improvement factor of 1.26, effectively enhancing the detection effect of vulnerabilities related to exception handling paths in C language programs of industrial control systems.

Key words: industrial control systems, exception handling paths, directed fuzz testing, vulnerability detection

中图分类号:

TP309

陶慈, 陈昊然, 陈平. 面向工控系统的C语言异常处理路径定向模糊测试方法[J]. 信息网络安全, 2026, 26(2): 211-223.

TAO Ci, CHEN Haoran, CHEN Ping. A Directed Fuzz Testing Method for C Language Exception Handling Paths in Industrial Control Systems[J]. Netinfo Security, 2026, 26(2): 211-223.

图/表 10

表1

图1

图2

图3

图4

图5

图6

图7

表2

表3

参考文献 23

[1]	PAKKI A, LU Kangjie. Exaggerated Error Handling Hurts! An In-Depth Study and Contextaware Detection[C]// ACM. The 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020: 1203-1218.
[2]	LU Kangjie, PAKKI A, WU Qiushi. Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs[C]// Springer. The 24th European Symposium on Research in Computer Security, Luxembourg (Computer Security-ESORICS 2019). Heidelberg: Springer, 2019: 3-25.
[3]	LU Kangjie, PAKKI A, WU Qiushi. Detecting Missing-Check Bugs via Semantic-and Context-Aware Criticalness and Constraints Inferences[C]// USENIX. The 28th USENIX Security Symposium (USENIX Security 19). Berkely: USENIX, 2019: 1769-1786.
[4]	MITRE. CWE-754:Improper Check for Unusual or Exceptional Conditions[EB/OL]. [2025-06-10]. https://cwe.mitre.org/data/definitions/754.html.
[5]	ZHAN Dongyang, YU Xiangzhan, ZHANG Hongli, et al. ErrHunter: Detecting Error-Handling Bugs in the Linux Kernel through Systematic Static Analysis[J]. IEEE Transactions on Software Engineering, 2023, 49(2): 684-698. doi: 10.1109/TSE.2022.3160155 URL
[6]	QASEM A, SHIRANI P, DEBBABI M, et al. Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies[J]. ACM Computing Surveys, 2021, 54(2): 1-42.
[7]	LU Shenming, ZUO Zhiqiang, WANG Linzhang. Progress in Parallelization of Static Program Analysis[J]. Journal of Software, 2020, 31(5): 1243-1254.
	陆申明, 左志强, 王林章. 静态程序分析并行化研究进展[J]. 软件学报, 2020, 31(5):1243-1254.
[8]	SONNEKALB T, HEINZE T S, MÄDER P. Deep Security Analysis of Program Code: A Systematic Literature Review[EB/OL]. (2022-01-01)[2025-06-10]. https://doi.org/10.1007/s10664-021-1002.
[9]	LIN Guanjun, WEN Sheng, HAN Qinglong, et al. Software Vulnerability Detection Using Deep Neural Networks: A Survey[J]. Proceedings of the IEEE, 2020, 108(10): 1825-1848. doi: 10.1109/PROC.5 URL
[10]	BODDEN E. Inter-Procedural Data-Flow Analysis with IFDS/IDE and Soot[C]// ACM. The ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis. New York: ACM, 2012: 3-8.
[11]	MARJAMÄKI D. Cppcheck: A Tool for Static C/C++ Code Analysis[EB/OL]. [2025-06-10]. https://cppcheck.sourceforge.io.
[12]	Checkmarx. Checkmarx[EB/OL]. [2025-06-10]. https://checkmarx.com/.
[13]	LI Zhen, ZOU Deqing, XU Shouhuai, et al. VulDeePecker: A Deep Learning-Based System for Vulnerability Detection[EB/OL]. (2018-01-05)[2025-06-10]. https://arxiv.org/abs/1801.01681.
[14]	VENKATESH G A. The Semantic Approach to Program Slicing[C]// ACM. The ACM SIGPLAN 1991 Conference on Programming Language Design and Implementation. New York: ACM, 1991: 107-119.
[15]	LI Zhen, ZOU Deqing, XU Shouhuai, et al. SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(4): 2244-2258. doi: 10.1109/TDSC.2021.3051525 URL
[16]	CAO Sicong, SUN Xiaobing, BO Lili, et al. MVD: Memory-Related Vulnerability Detection Based on Flow-Sensitive Graph Neural Networks[C]// IEEE. 2022 IEEE/ACM 44th International Conference on Software Engineering(ICSE). New York: IEEE, 2022: 1456-1468.
[17]	AHMADI M, FARKHANI R M, WILLIAMS R, et al. Finding Bugs Using Your Own Code: Detecting Functionally-Similar Yet Inconsistent Code[C]// USENIX. The 30th USENIX Security Symposium (USENIX Security 21). Berkely: USENIX, 2021: 2025-2040.
[18]	ZHU Xiaogang, WEN Sheng, CAMTEPE S, et al. Fuzzing: A Survey for Roadmap[J]. ACM Computing Surveys, 2022, 54: 1-36.
[19]	LIU Peiyu, JI Shouling, ZHANG Xuhong, et al. IFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test Iot Firmware[C]// IEEE. 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2021: 805-816.
[20]	LU Kang jie, HU Hong. Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis[C]// ACM. The 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 1867-1881.
[21]	SRIVASTAVA P, NAGY S, HICKS M, et al. One Fuzz Doesn’t Fit All: Optimizing Directed Fuzzing via Target-Tailored Program State Restriction[C]// ACM. The 38th Annual Computer Security Applications Conference. New York: ACM, 2022: 388-399.
[22]	JIA Zhouyang, LI Shanshan, YU Tingting, et al. Detecting Error-Handling Bugs without Error Specification Input[C]// IEEE. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2019: 213-225.
[23]	LI Yuwei, JI Shouling, CHEN Yuan, et al. UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers[C]// USENIX. The 30th USENIX Security Symposium (USENIX Security 21). Berkely: USENIX, 2021: 2777-2794.

异常事件状态记录方法	异常状态例子	异常事件触发场景
errno全局变量	ENOMEM	系统内存不足
函数返回值	-1	bind函数绑定套接字失败
函数形参中的指针对象	ferror(File*)!=0	fread将状态存储于FILE* 对象中
某种行为规范	SIGINT	按下Ctrl+C产生信号

被测软件	漏洞数量与准确率	本文方法	EH-Miner	Crix
flvmeta	可疑漏洞数/个	6	4	5
	实际可疑漏洞数/个	2	1	1
	准确率	33.33%	25.00%	20.00%
imginfo	可疑漏洞数/个	2	1	0
	实际可疑漏洞数/个	1	0	无
	准确率	50.00%	0	无
tiffsplit	可疑漏洞数/个	25	11	18
	实际可疑漏洞数/个	3	1	2
	准确率	12.00%	9.09%	11.11%
tcpdump	可疑漏洞数/个	5	2	3
	实际可疑漏洞数/个	2	1	2
	准确率	40.00%	50.00%	66.67%
sqlite3	可疑漏洞数/个	7	3	5
	实际可疑漏洞数/个	2	0	1
	准确率	28.57%	0	20.00%
总计	可疑漏洞数/个	45	21	31
	实际可疑漏洞数/个	10	3	6
	准确率	22.22%	14.29%	19.35%

被测软件	模糊测试方法	触发漏洞总数/个	F
flvmeta	AFL	22	—
	AFL++	23	1.05
	Windranger	25	1.14
	MEFuzz	27	1.23
imginfo	AFL	0	—
	AFL++	0	—
	Windranger	0	—
	MEFuzz	0	—
tiffsplit	AFL	28	—
	AFL++	33	1.18
	Windranger	34	1.21
	MEFuzz	37	1.32
tcpdump	AFL	162	—
	AFL++	195	1.20
	Windranger	174	1.07
	MEFuzz	207	1.28
sqlite3	AFL	21	—
	AFL++	25	1.19
	Windranger	24	1.14
	MEFuzz	23	1.10
总计	AFL	233	—
	AFL++	276	1.18
	Windranger	257	1.10
	MEFuzz	294	1.26