
Finding Errors in Programs for Processing Graphic Images using the Fuzzing Method

Authors: Baydin G.S., Khizova M.V. Published: 10.09.2021
Published in issue: #3(136)/2021  
DOI: 10.18698/0236-3933-2021-3-4-23

 
Category: Informatics, Computer Engineering and Control | Chapter: Mathematical Modelling, Numerical Methods, and Program Complexes  
Keywords: fuzzing, graphic images, Bayesian networks, fuzzer Radamsa, AFL, AnyLogic

The growing number of programs for automated graphics processing calls for effective testing methods. One such method is fuzzing, for which the most effective algorithms for creating test data must be determined in order to increase the number of errors found while minimizing the hardware resources used. This research compares algorithms for creating test data used to find errors in the executable code of programs that process graphic images. Describing fuzzing with Bayesian networks makes it possible to determine the relationships between structural components during testing. Based on the comparison of fuzzing algorithms for creating test data, the most effective algorithms for finding errors in the executable code of programs for processing graphic images were identified. The performance of the proposed algorithms was tested on a number of existing vulnerabilities classified as CVE (Common Vulnerabilities and Exposures). The results of the test-data creation experiments were processed in a simulation environment that allows the testing process to be analyzed step by step. The research results and the algorithms for creating test data for finding errors can be used at various stages of software testing.
