CN119669092B - Method and device for using COM technology software for fuzzy test - Google Patents
Publication number: CN119669092B (application CN202411853229.XA)
Authority: CN (China)
Prior art keywords: software, test, com, program, tested
Legal status: Active
Landscapes: Debugging And Monitoring (AREA)
Abstract
The invention discloses a method for fuzz testing software that uses COM technology. The software to be fuzzed must first expose the following interfaces through COM: a COM interface for starting the software, and a COM interface for accepting input. The method markedly improves test efficiency: the program only has to be started in the first round of testing and restarted after it enters an abnormal state, so the time taken by each round is greatly shortened. It also markedly improves the efficiency of developing fuzzing software: because the test calls the COM interface exposed by the software under test, the step of constructing parameters for binary function interfaces that conventional fuzzing requires is unnecessary, and the complexity of the fuzzer is much lower. Finally, the method has good reusability: for a different piece of software under test only the code that calls the COM interface changes, so the method can be quickly ported to test other software.
Description
Technical Field
The application relates to the technical field of computers, and in particular to a method and a device for fuzz testing software that uses Component Object Model (COM) technology.
Background
Component Object Model (COM) is an object-oriented programming technology developed by Microsoft, mainly used to create and use reusable software components. These components can be accessed and used from different programming languages and applications, enabling module communication across languages and across processes. Popular office suites, including Kingsoft's WPS Office, Microsoft Office, LibreOffice and Yozo Office, all use COM technology.
Fuzz testing (fuzzing) is a software testing technique commonly used to detect security vulnerabilities in software or computer systems. Its core idea is to feed automatically or semi-automatically generated random data into a program and monitor it for exceptions, such as crashes or assertion failures, in order to discover latent program errors such as memory leaks. Popular fuzzing methods use code coverage to guide the generation of test samples.
Breakpoint instrumentation is a method of collecting code coverage. It inserts breakpoints or instrumentation code at specific locations in the program (such as the entry, the exit or a key statement of an important function), runs the program, and records each time an inserted breakpoint or instrumentation point is executed. During the run, every execution of an inserted breakpoint or stub triggers a recording mechanism that notes which code ran next. Counting the recorded execution information then yields the code coverage, that is, the proportion of executed code lines to total code lines. The technique helps developers understand how well the code is covered by tests and locate areas that have not been tested thoroughly, so that test cases can be improved and code quality and reliability raised.
A harness program is a specific small program or tool in fuzzing, designed to trigger and call the functions of the program under test that need to be fuzzed. The harness contains, as its target functions, the critical parts of the program under test that the fuzzing procedure exercises. In short, the harness is a key component of fuzzing: it converts the random or mutated data generated by the fuzzer into a form that the program under test can understand and process, thereby triggering potential vulnerabilities or errors in the program.
The methods currently used in academia and industry to fuzz office software that uses COM technology are as follows:
(1) Fuzzing the binary interface of the software under test. The method comprises the following steps:
1) Determine the target program.
2) Analyse the attack surface.
3) Write a harness program, that is, a custom program that calls a binary interface of the software under test.
4) Start the harness program.
5) Attach a debugger to the harness program.
6) Feed the test sample to the harness program, which calls the binary interface of the software under test to parse the sample.
7) Detect whether the harness program is abnormal; if so, collect the abnormal information, terminate the process of the software under test and go to step 4); otherwise go to step 8).
8) Collect the execution information of the software under test, and add the mutated test sample to the test set if the software under test produced a new execution state.
(2) Fuzzing the software under test as a whole. The method comprises the following steps:
1) Start the software under test with a debugger, passing it the path of the test sample.
2) The software under test parses the test sample.
3) Detect whether the software under test is abnormal; if so, collect the abnormal information, stop the process of the software under test and go to step 1); otherwise go to step 4).
4) Collect the execution information of the software under test, and add the mutated test sample to the test set if the software under test produced a new execution state.
In conventional method (1), writing the harness program may take most of the time, especially when a large application is to be fuzzed. The steps for writing a harness are shown in FIG. 1. Writing a harness usually requires constructing the parameters of binary interface functions; each parameter may depend on several objects inside the program, and the program must be reverse engineered to construct the objects the parameters depend on. This process takes days at best and weeks at worst, and the workload is very high. This is why the fuzzer in the conventional method has a long development period and high development difficulty.
In conventional method (2), every round of testing starts the program, which loads and initialises each of its shared libraries, and closes the program under test when the round ends. This takes a long time: one test of the WPS Office or Microsoft Office programs takes about 20 seconds. The result is low test efficiency, which cannot meet the performance requirements for fuzzing software that uses COM technology.
In summary, existing fuzzing methods suffer from a long development period and high development difficulty for the fuzzer, and from low test efficiency.
Disclosure of Invention
The application aims to provide a method and a device for fuzzing software that uses COM technology, to solve the current problems of long fuzzer development period, high development difficulty and low fuzzing efficiency when such software is fuzzed. The specific scheme is as follows:
In a first aspect, the present application provides a method for fuzzing software that uses COM technology, comprising:
(1) Start the software under test through its COM interface;
(2) Attach a debugger to the software under test;
(3) Generate a test sample by mutating a sample from the test set;
(4) Input the test sample through the COM interface of the software under test;
(5) Wait for the COM interface of the software under test to return, then detect whether the software is abnormal; if so, collect the abnormal information, terminate the process of the software under test and go to step (1); otherwise go to step (6);
(6) Collect the execution information of the software under test, and add the test sample to the test set if the software under test produced a new execution state.
In step (1), starting the software through its COM interface includes starting the software under test with the Dispatch or DispatchEx function of the client module of Python's win32com library. (The win32com.client module is a standard Python library for interacting with COM components. The Dispatch function dynamically creates an instance of a COM object from a given program identifier or class identifier and can call the interfaces the object exposes. DispatchEx likewise creates and connects to a COM object, but offers more flexible initialisation options, allowing additional parameters to be specified at creation time to control how the object is created.)
The debugger in step (2) is software that can read and write the process memory of the software under test and detect whether the software under test is abnormal.
In step (3), generating a test sample from the mutation set includes taking a test sample from the test set randomly or in order and modifying it randomly or strategically, where strategic modification includes modifying a field of the file or deleting a specific region of the file according to the file's structure.
In step (4), inputting the test sample through the COM interface includes obtaining the program's COM object instance by calling a function of the client module of Python's win32com library, then modifying properties of the COM object or calling interface functions the COM object provides in order to input the test sample.
The abnormal states of the program in step (5) include a crash of the process of the software under test, and a COM interface function of the software under test not returning for a long time.
The execution information of the software under test in step (6) includes the coverage of program execution, the execution time of the program and so on, and a new execution state of the software under test includes a change in the coverage of program execution.
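Steps (1) to (6) above, written out as a client-side fuzz loop over a small target-driver interface. This is an added example and not the patent's own code: `SimulatedDriver` is a constructed stand-in for the software under test (it crashes on one byte pattern, never returns on another, and reports one "covered block" per distinct byte value), and a real driver would instead wrap the win32com calls shown later in the description (`Dispatch("KET.Application")`, `Workbooks.Open`, `Close`, `Quit`) and take coverage from the instrumentation sub-module. Every class, method and sample value here is an assumption. The loop restarts the target only after the first round or an abnormal state, treats a COM call that does not return within the timeout as the "not ending for a long time" abnormality of step (5), and keeps a sample only when its coverage set is not a subset of what was seen before (step (6)).

```python
"""Fuzz loop of steps (1)-(6) over a pluggable target driver (added example)."""
import random
import threading


class SimulatedDriver:
    """Constructed stand-in for a COM-driven target: crashes on b'\\xff\\xff',
    never returns on b'HANG', and reports one 'covered block' per byte value."""

    def __init__(self):
        self.alive = False
        self.starts = 0
        self._killed = threading.Event()

    def start(self):               # step (1): launch the target through its COM interface
        self.alive = True
        self.starts += 1
        self._killed.clear()

    def is_alive(self):
        return self.alive

    def kill(self):                # terminate the target process after an abnormal state
        self.alive = False
        self._killed.set()

    def open_sample(self, data):   # step (4): feed the sample through the COM interface
        if b"\xff\xff" in data:
            self.alive = False
            raise ConnectionError("COM server vanished (simulated crash)")
        if b"HANG" in data:
            self._killed.wait()    # blocks until kill(), like a COM call that never returns
            raise RuntimeError("killed while hung")
        return {b for b in data}   # simulated coverage set


def mutate(sample, rng):
    """Step (3): random byte edits, or deletion of a region. A structure-aware
    strategy would pick fields and regions from the file format's layout instead."""
    data = bytearray(sample)
    if rng.random() < 0.5:
        for _ in range(rng.randint(1, 4)):
            data[rng.randrange(len(data))] = rng.randrange(256)
    else:
        lo = rng.randrange(len(data))
        del data[lo:lo + rng.randint(1, 8)]
    return bytes(data) or sample   # never hand the target an empty file


class FuzzLoop:
    def __init__(self, driver, seeds, timeout=2.0, seed=0):
        self.driver = driver
        self.corpus = list(seeds)
        self.timeout = timeout
        self.rng = random.Random(seed)
        self.total_cov = set()
        self.crashes, self.hangs = [], []

    def run_one(self, sample):
        """Steps (4)-(6) for one sample; returns 'crash', 'hang', 'new' or 'same'."""
        if not self.driver.is_alive():
            self.driver.start()    # only in the first round or after an abnormal state
        out = {}

        def call():
            try:
                out["cov"] = self.driver.open_sample(sample)
            except Exception as exc:
                out["err"] = exc

        worker = threading.Thread(target=call, daemon=True)
        worker.start()
        worker.join(self.timeout)  # step (5): wait for the COM interface to return
        if worker.is_alive():      # abnormal state: the call has not ended in time
            self.hangs.append(sample)
            self.driver.kill()
            return "hang"
        if "err" in out:           # abnormal state: the target process crashed
            self.crashes.append(sample)
            return "crash"
        if not out["cov"] <= self.total_cov:   # step (6): new execution state
            self.total_cov |= out["cov"]
            self.corpus.append(sample)
            return "new"
        return "same"

    def campaign(self, rounds):
        """Runs `rounds` mutated samples drawn from the corpus; returns outcome counts."""
        counts = {"crash": 0, "hang": 0, "new": 0, "same": 0}
        for _ in range(rounds):
            parent = self.rng.choice(self.corpus)
            counts[self.run_one(mutate(parent, self.rng))] += 1
        return counts


if __name__ == "__main__":
    loop = FuzzLoop(SimulatedDriver(), [b"constructed seed"], timeout=0.5)
    print(loop.campaign(50), "restarts:", loop.driver.starts)
```

Running the COM call on a worker thread is what makes the hang detection possible: a blocked `Dispatch` call cannot be interrupted from inside, so the loop gives up on it after the timeout and terminates the target, exactly the restart path the method describes.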
In a second aspect, the present application provides an apparatus for fuzzing software that uses COM technology, shown in FIG. 2, comprising:
(1) A server module, which generates a mutated test sample at the start of a test round and provides a transfer channel to the client module; after the round completes it receives the result the client module submits for the round's test sample, judges from the submitted result whether an abnormality occurred or a new execution state was reached, and handles it accordingly.
(2) A client module, divided into two sub-modules: a tracer sub-module and an instrumentation sub-module. The tracer sub-module is responsible for starting the software under test and the instrumentation sub-module in the first round of testing, restarting both when the program under test is abnormal, pulling the current round's test sample from the server module at the start of the round and feeding it to the program under test, notifying the instrumentation sub-module to start collecting the run information of the program under test, notifying it to stop collecting once the COM interface that inputs the sample returns, and uploading the run information of the program under test to the server module. The instrumentation sub-module is responsible for collecting the run information of the program under test and judging whether the program under test is abnormal.
An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method for fuzzing software that uses COM technology when it executes the program.
A computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method for fuzzing software that uses COM technology.
Compared with the prior art, the invention has the following advantages:
(1) The method uses the COM interface of the software under test to start it and to parse the test sample, which replaces the step of writing a harness program in conventional fuzzing. The same function as a harness can be achieved with a few lines of code using Python's win32com library (see the example code in the detailed description), which greatly reduces the development period and difficulty of the fuzzer.
(2) In conventional fuzzing, each round starts a harness program, which loads the dynamic link libraries of the software under test so that its binary interface can be called to parse the test sample. The present method only starts the program in the first round and restarts it after an abnormal state, which greatly shortens the time per round.
Taking fuzzing of Excel in WPS Office as an example, the test environment is configured as follows:
Windows 11 operating system
Intel i7-13700K CPU
32 GB DDR4 memory
Each round of testing with conventional method (2) takes 20 s, of which 7-10 seconds is the initialisation time of the software under test. With the present method the average test time per round is 5 s, a 400% increase in test efficiency.
Conventional method (1) cannot be compared because writing the harness program is too difficult.
Drawings
FIG. 1 is a diagram showing the steps of writing a harness program in conventional fuzzing;
FIG. 2 is a flow chart of an implementation of the method of the present application for fuzzing software that uses COM technology;
FIG. 3 is an implementation architecture diagram of the method of the present application applied to fuzzing Excel in WPS Office.
Detailed Description
The core of the application is to provide a method, a device and equipment for fuzzing software that uses COM technology, which call the COM interface of the program under test without constructing complex parameters or repeatedly starting the software under test, thereby reducing the complexity and development difficulty of the fuzzer and improving fuzzing efficiency.
In order to better understand the aspects of the present application, it is described in further detail below with reference to the accompanying drawings and the detailed description. It will be apparent that the described embodiments are only some, not all, of the embodiments of the application. All other embodiments that a person skilled in the art can derive from these embodiments without inventive effort fall within the scope of the application.
The application is described below by taking fuzzing of Excel in WPS Office as an example, with reference to FIG. 3. The specific implementation architecture is as follows:
The server module is developed on the Django web framework for Python and implements three interfaces:
(1) The get_summary/ interface shows the user the running state of the fuzzing campaign, such as the number of test rounds, the test time and the average test time per round.
(2) The tracer/get_sample_path/ interface lets the client obtain the information of the current round's test sample; from that information the client module transfers the test sample from the server module over FTP.
(3) The tracer/submit_res/ interface lets the client module upload the execution information of the current round's test sample.
The server module also provides an FTP service through which clients download test samples and upload the run state of the program for the round.
The tracer sub-module in the client module is developed in Python; it starts the software under test with Python's win32com library and inputs test samples into it. Example Python code for starting the software under test and inputting a test sample is as follows:
```python
from time import sleep
import win32com.client

# Create an instance of the KET.Application COM object (the WPS spreadsheet program)
wps_excel = win32com.client.Dispatch("KET.Application")
# Show the UI
wps_excel.Visible = True
# Open the file
workbook = wps_excel.Workbooks.Open(r"path\to\1.xls")
# Show it for 5 seconds, then close the workbook
sleep(5)
workbook.Close()
# Exit the KET application instance
wps_excel.Quit()
```
Running the code above starts the spreadsheet program, opens an Excel file in it, and exits after displaying the file for 5 seconds.
The instrumentation sub-module is modified from the open-source software mesos, which uses breakpoint instrumentation to collect program information.
The specific implementation steps are as follows:
(1) The tracer sub-module starts the software under test through its COM interface.
(2) The tracer sub-module starts the instrumentation sub-module.
(3) The instrumentation sub-module attaches to the program under test and prepares to collect its run information.
(4) The client module calls the tracer/get_sample_path/ interface to obtain the sample path.
(5) The tracer sub-module notifies the instrumentation sub-module to collect coverage.
(6) The tracer sub-module opens the sample through the COM interface.
(7) The tracer sub-module notifies the instrumentation sub-module to stop collecting coverage.
(8) The tracer sub-module calls the COM interface to close the sample.
(9) The client module submits the path of the run information of the program under test.
(10) The server module analyses the run information of the program under test for the current round and proceeds to the next round.
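The three server interfaces (get_summary/, tracer/get_sample_path/, tracer/submit_res/) and the client side of steps (4), (9) and (10) as one runnable exchange. This is an added example, not the patent's Django implementation: it stands the server up on Python's standard-library `http.server` instead of Django, carries sample paths and results as JSON bodies instead of the FTP transfer, and hands out corpus entries in turn rather than mutating them (mutation is shown in the earlier loop example). The route paths are the three named on the page; every other class, field name and sample path is an assumption. The server's verdict logic is the one the description gives the server module: an abnormal result is recorded for triage, a coverage set that is not a subset of everything seen so far marks a new execution state and adds the sample to the corpus, and anything else is discarded.

```python
"""Server module with the three page interfaces plus a client for them (added example)."""
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen


class Handler(BaseHTTPRequestHandler):
    """Routes the three interfaces; campaign state lives on self.server (a FuzzServer)."""

    def _reply(self, code, obj):
        body = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the example quiet
        pass

    def do_GET(self):
        s = self.server
        with s.lock:
            if self.path == "/get_summary/":
                self._reply(200, {
                    "rounds": s.rounds,
                    "test_time": round(time.time() - s.started, 3),
                    "avg_round_time": s.total_time / s.rounds if s.rounds else 0.0,
                    "abnormal": len(s.abnormal),
                    "corpus_size": len(s.corpus),
                })
            elif self.path == "/tracer/get_sample_path/":
                # hand out corpus entries in turn (mutation elided in this example)
                sample = s.corpus[s.next_index % len(s.corpus)]
                s.next_index += 1
                self._reply(200, {"sample": sample, "round": s.next_index})
            else:
                self._reply(404, {"error": "unknown interface"})

    def do_POST(self):
        s = self.server
        if self.path != "/tracer/submit_res/":
            return self._reply(404, {"error": "unknown interface"})
        length = int(self.headers.get("Content-Length", 0))
        res = json.loads(self.rfile.read(length) or b"{}")
        cov = set(res.get("coverage", []))
        with s.lock:
            s.rounds += 1
            s.total_time += float(res.get("elapsed", 0.0))
            if res.get("abnormal"):
                s.abnormal.append(res)             # abnormal information kept for triage
                verdict = "abnormal"
            elif not cov <= s.total_cov:           # new execution state: keep the sample
                s.total_cov |= cov
                if res["sample"] not in s.corpus:
                    s.corpus.append(res["sample"])
                verdict = "new_state"
            else:
                verdict = "same"
        self._reply(200, {"verdict": verdict})


class FuzzServer(ThreadingHTTPServer):
    """Holds the test set, the global coverage and the run statistics."""

    def __init__(self, seeds):
        super().__init__(("127.0.0.1", 0), Handler)   # port 0: pick a free port
        self.lock = threading.Lock()
        self.corpus = list(seeds)
        self.next_index = 0
        self.total_cov = set()
        self.rounds = 0
        self.total_time = 0.0
        self.abnormal = []
        self.started = time.time()


def start_server(seeds):
    """Runs the server module in a background thread; returns (server, base_url)."""
    srv = FuzzServer(seeds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address[:2]
    return srv, f"http://{host}:{port}"


def _get(url):
    with urlopen(url, timeout=5) as r:
        return json.load(r)


def get_sample_path(base):             # client step (4)
    return _get(base + "/tracer/get_sample_path/")


def get_summary(base):                 # what the user's status view reads
    return _get(base + "/get_summary/")


def submit_res(base, sample, coverage, abnormal, elapsed):   # client step (9)
    payload = {"sample": sample, "coverage": sorted(coverage),
               "abnormal": abnormal, "elapsed": elapsed}
    req = Request(base + "/tracer/submit_res/", data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as r:
        return json.load(r)


if __name__ == "__main__":
    srv, base = start_server(["seeds/1.xls"])     # constructed sample path
    print(get_sample_path(base))
    print(submit_res(base, "seeds/1.xls", [1, 2, 3], False, 0.5))
    print(get_summary(base))
    srv.shutdown()
    srv.server_close()
```

Keeping the verdict on the server rather than on the client matches the division of labour in the description: the client only reports what it observed for one round, and the server owns the corpus and the global coverage, so several client machines could fuzz against the same server without disagreeing about what counts as new.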
The foregoing illustrates the principles and embodiments of the present application; the specific examples are provided to aid understanding of its principles and concepts, and are intended to fall within the spirit and scope of the application as defined by the appended claims.
Claims (10)
1. A method for fuzzing software that uses COM technology, wherein the software to be fuzzed implements a COM interface for starting the software under test and a COM interface for accepting input, the method comprising the steps of:
(1) Start the software under test through its COM interface;
(2) Attach a debugger to the software under test;
(3) Generate a test sample by mutating a sample from the test set;
(4) Input the test sample through the COM interface of the software under test;
(5) Wait for the COM interface of the software under test to return a result, then detect whether the software is abnormal; if so, collect the abnormal information, terminate the process of the software under test and go to step (1); otherwise go to step (6);
(6) Collect the execution information of the software under test, and add the mutated test sample to the test set if the software under test produced a new execution state.
2. The method for fuzzing software that uses COM technology according to claim 1, wherein starting the software through its COM interface in step (1) includes starting the software under test with the Dispatch or DispatchEx function of the client module of Python's win32com library.
3. The method for fuzzing software that uses COM technology according to claim 1, wherein the debugger in step (2) is software that can read and write the process memory of the software under test and detect whether the software under test is abnormal.
4. The method according to claim 1, wherein generating a test sample from the mutation set in step (3) includes taking a test sample from the test set randomly or in order and modifying the test sample randomly or strategically, which includes modifying a field of the file or deleting a specific region of the file according to the structure of the file.
5. The method for fuzzing software that uses COM technology according to claim 1, wherein inputting the test sample through the COM interface in step (4) includes obtaining the COM object instance of the program by calling a function of the client module of Python's win32com library, then modifying properties of the COM object or calling interface functions provided by the COM object to input the test sample.
6. The method according to claim 1, wherein the abnormal states of the program in step (5) include a crash of the process of the software under test and a COM interface function of the software under test not returning for a long time.
7. The method according to claim 1, wherein the execution information of the software under test in step (6) includes the coverage of program execution and the execution time of the program, and a new execution state of the software under test includes a change in the coverage of program execution.
8. An apparatus for fuzzing software that uses COM technology, characterised in that it comprises means for implementing the method for fuzzing software that uses COM technology according to any one of claims 1 to 7, comprising:
(1) a server module, which generates a mutated test sample at the start of a test round and provides a transfer channel to the client module; after the round completes it receives the result the client module submits for the round's test sample, judges from the submitted result whether an abnormality occurred or a new execution state was reached, and handles it accordingly; it also provides a display function so that the user can check the running state of the fuzzing program, including the number of test rounds, the test time and the average test time per round;
(2) a client module divided into two sub-modules, a tracer sub-module and an instrumentation sub-module, wherein the tracer sub-module is responsible for starting the software under test and the instrumentation sub-module in the first round of testing, restarting the software under test and the instrumentation sub-module when the program under test is abnormal, pulling the current round's test samples from the server module at the start of the round and feeding them to the program under test, notifying the instrumentation sub-module to start collecting the run information of the program under test, notifying it to stop collecting once the COM interface that inputs the sample returns, and uploading the run information of the program under test to the server module; and the instrumentation sub-module is responsible for collecting the run information of the program under test and judging whether the program under test is abnormal.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that the processor implements the method for fuzzing software that uses COM technology according to any one of claims 1 to 7 when it executes the program.
10. A computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method for fuzzing software that uses COM technology according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411853229.XA CN119669092B (en) | 2024-12-16 | 2024-12-16 | Method and device for using COM technology software for fuzzy test |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119669092A CN119669092A (en) | 2025-03-21 |
| CN119669092B true CN119669092B (en) | 2025-11-28 |
Family
ID=94995496
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411853229.XA Active CN119669092B (en) | 2024-12-16 | 2024-12-16 | Method and device for using COM technology software for fuzzy test |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119669092B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115357513A (en) * | 2022-09-06 | 2022-11-18 | 清华大学 | Program fuzzing test method, device, equipment and storage medium |
| CN118965368A (en) * | 2024-08-09 | 2024-11-15 | 东南大学 | A heap vulnerability detection method and system based on improved fuzzy testing |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114328173B (en) * | 2021-10-27 | 2022-08-05 | 清华大学 | Software fuzzing test method and device, electronic equipment and storage medium |
| CN114168459A (en) * | 2021-11-25 | 2022-03-11 | 百度在线网络技术(北京)有限公司 | Service testing method and device, electronic equipment and readable storage medium |
| CN116896453A (en) * | 2023-06-07 | 2023-10-17 | 天津科技大学 | Vulnerability analysis method and system based on evolutionary strategy fuzz testing mutation optimization |
| DE202024102451U1 (en) * | 2024-05-13 | 2024-05-27 | Robert Bosch Gesellschaft mit beschränkter Haftung | Device for testing device software of a device using a fuzzing algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |