Netinfo Security (信息网络安全) ›› 2023, Vol. 23 ›› Issue (8): 1-16. doi: 10.3969/j.issn.1671-1122.2023.08.001

• Classified Protection (等级保护) •

Review of Fuzzing Based on Machine Learning (基于机器学习的模糊测试研究综述)

WANG Juan (王鹃) 1,2, ZHANG Chong (张冲) 1,2, GONG Jiaxin (龚家新) 1,2, LI Jun’e (李俊娥) 1,2

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430072, China
  • Received: 2022-12-16 Online: 2023-08-10 Published: 2023-08-08
  • Contact: WANG Juan E-mail: jwang@whu.edu.cn
  • About the authors: WANG Juan (born 1976), female, from Hubei, professor, Ph.D., CCF senior member; main research interests: system and software security, trusted computing, artificial intelligence applications, cloud computing, IoT security | ZHANG Chong (born 1997), male, from Henan, master's student; main research interests: artificial intelligence, vulnerability discovery | GONG Jiaxin (born 1999), male, from Anhui, master's student; main research interests: software security, vulnerability discovery | LI Jun’e (born 1966), female, from Hubei, professor, Ph.D., CCF member; main research interests: software architecture and network security
  • Funding:
    National Natural Science Foundation of China (61872430); National Key R&D Program of China (2020AAA0107700); Science and Technology Project of State Grid Corporation of China (520940210009)

Review of Fuzzing Based on Machine Learning

WANG Juan 1,2, ZHANG Chong 1,2, GONG Jiaxin 1,2, LI Jun’e 1,2

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430072, China
  • Received: 2022-12-16 Online: 2023-08-10 Published: 2023-08-08
  • Contact: WANG Juan E-mail: jwang@whu.edu.cn

Abstract (Chinese version):

Fuzzing is one of the most popular vulnerability discovery techniques today. Traditional fuzzing usually requires substantial manual involvement, its testing cycle is long, and its effectiveness depends on expert experience. In recent years machine learning has been widely applied, which has injected new vitality into software security testing. Some research work uses machine learning techniques to optimize and improve the fuzzing process, making up for many shortcomings of traditional fuzzing. This paper gives a comprehensive analysis of fuzzing based on machine learning. First, it summarizes common vulnerability discovery methods, the fuzzing process and its classification, and the shortcomings of traditional fuzzing. Then, starting from test case generation, mutation, screening and scheduling in fuzzing, it focuses on research that applies machine learning methods to fuzzing, together with work that combines machine learning and fuzzing to realize other functions. Finally, based on existing work, it analyzes and summarizes the limitations and challenges of current research and looks ahead to future directions of the field.

Keywords (Chinese version): fuzzing, vulnerability discovery, machine learning

Abstract:

Fuzzing is one of the most popular vulnerability discovery techniques today. Traditional fuzzing often requires extensive manual effort, which lengthens the testing cycle, and its effectiveness depends on expert experience. The wide application of machine learning has made it possible to apply machine learning techniques to software security testing. Many research works use machine learning to optimize the fuzzing process, making up for many defects of traditional fuzzing. This paper provides a review of fuzzing based on machine learning. First, it summarizes common vulnerability discovery methods, the fuzzing process and its classification, and the shortcomings of traditional fuzzing. Then, from the perspectives of test case generation, mutation, screening, and scheduling in fuzzing, it focuses on research applying machine learning methods to fuzzing, as well as work that combines machine learning and fuzzing to realize other functions. Finally, based on the existing work, it analyzes and summarizes the limitations and challenges of current research and outlines future development directions for this field.

Key words: fuzzing, vulnerability discovery, machine learning
