Taint Analysis Method Based on Offline Indices of Instruction Trace
Author:
Fund Project:

National Natural Science Foundation of China (61502536); National High Technology Research and Development Program of China (863) (2015AA016004)

Abstract:

Taint analysis of binary code plays an important role in reverse engineering, vulnerability analysis and malicious code detection. Most current taint analysis methods do not support floating-point instructions, run slowly, and propagate taint with limited precision. This paper proposes and implements a taint analysis method based on offline indices of the execution trace; it works at byte granularity and supports taint tags. A generation and query algorithm for the offline indices is presented: by consulting the indices, instructions unrelated to taint data are skipped, which improves the efficiency of the analysis. The taint loss problem caused by just-in-time (JIT) translated execution is described and solved for the first time. Taint tags identify the source and position of each tainted byte. A more complete taint propagation algorithm is presented that supports floating-point instructions and describes, as precisely as possible, how taint flows from source operands to destination operands. A flexible configuration mechanism lets users introduce taint data dynamically through a blacklist. The method is applied to vulnerability detection and compared with TEMU on a test set of 12 real software vulnerabilities. The results show that the method has strong detection capability: it confirms more vulnerabilities than TEMU and is on average 5 times faster.
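As an added illustration (not code from the paper or its authors) of the offline-index idea in the abstract: a constructed byte-granular trace is indexed by the locations each instruction touches, and the propagation loop jumps straight to the next instruction that reads or writes a tainted byte, skipping the rest. The trace, the location encoding ("m:addr", "r:reg:byte") and the (source, offset) tag format are my assumptions; the example also covers the overwrite case, where an untainted write clears a tainted byte so later readers are not tainted.

```python
import bisect
from collections import defaultdict

# Constructed trace (not from the paper): (mnemonic, reads, writes). Locations are
# byte-granular strings: "m:0x1000" = memory byte, "r:eax:0" = byte 0 of eax.
TRACE = [
    ("mov eax,[0x1000]", ["m:0x1000"], ["r:eax:0"]),            # 0: loads a tainted byte
    ("mov ebx,[0x2000]", ["m:0x2000"], ["r:ebx:0"]),            # 1: unrelated, skipped
    ("add ebx,1",        ["r:ebx:0"], ["r:ebx:0"]),             # 2: unrelated, skipped
    ("add eax,ebx",      ["r:eax:0", "r:ebx:0"], ["r:eax:0"]),  # 3: eax stays tainted
    ("mov [0x3000],eax", ["r:eax:0"], ["m:0x3000"]),            # 4: taint reaches 0x3000
    ("xor ecx,ecx",      [], ["r:ecx:0"]),                      # 5: unrelated, skipped
    ("mov eax,0",        [], ["r:eax:0"]),                      # 6: untainted write clears eax
    ("mov edx,eax",      ["r:eax:0"], ["r:edx:0"]),             # 7: skipped, eax is clean now
]

def build_index(trace):
    """Offline index: location -> sorted positions of instructions that read or write it."""
    idx = defaultdict(list)
    for pos, (_, reads, writes) in enumerate(trace):
        for loc in set(reads) | set(writes):
            idx[loc].append(pos)
    return dict(idx)

def next_use(idx, loc, after):
    """Index query: first position > after that touches loc, or None."""
    positions = idx.get(loc, [])
    i = bisect.bisect_right(positions, after)
    return positions[i] if i < len(positions) else None

def propagate(trace, idx, initial):
    """Propagate byte-level taint tags; returns (final taint map, visited positions)."""
    taint = {loc: set(tags) for loc, tags in initial.items()}   # location -> {(source, offset)}
    visited, pos = [], -1
    while True:
        # Only instructions touching a currently tainted byte are candidates.
        cands = [p for p in (next_use(idx, loc, pos) for loc in taint) if p is not None]
        if not cands:
            break
        pos = min(cands)
        visited.append(pos)
        _, reads, writes = trace[pos]
        tags = set().union(*(taint.get(r, set()) for r in reads))
        for w in writes:
            if tags:
                taint[w] = set(tags)     # destination inherits the union of source tags
            else:
                taint.pop(w, None)       # overwritten by untainted data: taint is killed
    return taint, visited
```

Calling `propagate(TRACE, build_index(TRACE), {"m:0x1000": {("file", 0)}})` visits positions 0, 3, 4 and 6 only, leaving bytes 0x1000 and 0x3000 tagged with ("file", 0) and edx clean.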

Cite this article

Ma JX, Li ZJ, Zhang T, Shen D, Zhang ZK. Taint Analysis Method Based on Offline Indices of Instruction Trace. Journal of Software, 2017,28(9):2388-2401

History
  • Received: 2016-07-07
  • Revised: 2016-11-10
  • Published online: 2017-09-02
Copyright: Institute of Software, Chinese Academy of Sciences