Why Charles Can Pen-test: an Evolutionary Approach to Vulnerability Testing
arXiv - CS - Symbolic Computation. Pub Date: 2020-11-26, DOI: arxiv-2011.13213
Gabriele Costa, Andrea Valenza

Discovering vulnerabilities in applications of real-world complexity is a daunting task: a vulnerability may affect a single line of code, and yet it compromises the security of the entire application. Even worse, vulnerabilities may manifest only in exceptional circumstances that do not occur in the normal operation of the application. It is widely recognized that state-of-the-art penetration testing tools play a crucial role, and are routinely used, to dig up vulnerabilities. Yet penetration testing is still primarily a human-driven activity, and its effectiveness still depends on the skills and ingenuity of the security analyst driving the tool. In this paper, we propose a technique for the automatic discovery of vulnerabilities in event-based systems, such as web and mobile applications. Our approach is based on a collaborative, co-evolutionary and contract-driven search strategy that iteratively (i) executes a pool of test cases, (ii) identifies the most promising ones, and (iii) generates new test cases from them. The approach makes a synergistic combination of evolutionary algorithms where several "species" contribute to solving the problem: one species, the test species, evolves to find the target test case, i.e., the set of instructions whose execution leads to the vulnerable statement, whereas the other species, called contract species, evolve to select the parameters for the procedure calls needed to trigger the vulnerability. To assess the effectiveness of our approach, we implemented a working prototype and ran it against both a case study and a benchmark web application. The experimental results confirm that our tool automatically discovers and executes a number of injection flaw attacks that are out of reach for state-of-the-art web scanners.
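The iterate-select-regenerate loop with two cooperating species can be sketched on a toy target. The example below is an added illustration, not the authors' prototype or benchmark: the simulated application, its guarded event path, the fitness function and the trigger condition (a quote character in one parameter) are all constructed assumptions chosen only to show how a test species (event sequences) and a contract species (parameter values) are evaluated against each other and evolved separately.

```python
import random

# Constructed toy target (an assumption, not the paper's case study): an
# event-based app whose vulnerable statement is reached only by the event
# sequence login -> search -> export, and only if the export parameter
# contains a quote character. Both species are plain lists of symbols.
TARGET_PATH = ["login", "search", "export"]
EVENTS = ["login", "search", "export", "logout", "home"]
CHARS = "abc'\"<>;"

def run_app(events, param):
    """Simulated execution. Returns (progress, hit): how many steps of the
    guarded path the event sequence drove the app through, and whether the
    vulnerable statement was reached with a triggering parameter."""
    progress = 0
    for e in events:
        if progress < len(TARGET_PATH) and e == TARGET_PATH[progress]:
            progress += 1
    return progress, progress == len(TARGET_PATH) and "'" in param

def fitness(test, contract):
    progress, hit = run_app(test, contract)
    # path progress dominates; the contract species also gets a small signal
    # of its own so it can evolve before the test species has found the path
    return progress * 10 + (100 if hit else 0) + (1 if "'" in contract else 0)

def mutate(individual, alphabet):
    """Replace one random position with a random symbol from the alphabet."""
    i = random.randrange(len(individual))
    return individual[:i] + [random.choice(alphabet)] + individual[i + 1:]

def coevolve(generations=300, pop=20, seed=1):
    """Cooperative co-evolution: each generation (i) executes every test with
    the best contract and every contract with the best test, (ii) keeps the
    top half of each species, (iii) refills each species by mutation."""
    random.seed(seed)
    tests = [[random.choice(EVENTS) for _ in range(4)] for _ in range(pop)]
    contracts = [[random.choice("abc") for _ in range(3)] for _ in range(pop)]
    for _ in range(generations):
        best_c = max(contracts, key=lambda c: fitness(tests[0], c))
        tests.sort(key=lambda t: fitness(t, best_c), reverse=True)
        best_t = tests[0]
        contracts.sort(key=lambda c: fitness(best_t, c), reverse=True)
        if run_app(best_t, contracts[0])[1]:
            return best_t, "".join(contracts[0])
        tests = tests[:pop // 2] + [mutate(t, EVENTS) for t in tests[:pop // 2]]
        contracts = contracts[:pop // 2] + [mutate(c, CHARS) for c in contracts[:pop // 2]]
    return None  # search budget exhausted without reaching the sink

if __name__ == "__main__":
    print(coevolve())
```

Replacing `run_app` with a real driver and `fitness` with coverage feedback from the target is what separates this sketch from a usable tool; the selection loop itself stays the same.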

Updated: 2020-12-01