WANG Lin-Zhang , CHEN Kai , WANG Ji
2018, 29(5):1177-1178. DOI: 10.13328/j.cnki.jos.005509
Abstract:
SHAO Si-Hao , GAO Qing , MA Sen , DUAN Fu-Yao , MA Xiao , ZHANG Shi-Kun , HU Jin-Hua
2018, 29(5):1179-1198. DOI: 10.13328/j.cnki.jos.005504
Abstract: First, in this paper, the breadth and risk of buffer overflow vulnerabilities are introduced. Then, from the aspect of how to exploit a buffer overflow vulnerability, an overview is provided on the definition of buffer overflow vulnerabilities, memory organization in operating systems, and classification of buffer overflow attacks. Based on the research, buffer overflow analysis technologies are classified into three categories: automatic detection, automatic repair, and run-time protection. Each type of technology is introduced, analyzed and discussed according to the classification. Finally, three possible research directions in the field of buffer overflow vulnerability analysis are discussed: (1) analyzing binary code; (2) using machine learning algorithms; (3) combining multiple technologies for analysis.
LI Zan , BIAN Pan , SHI Wen-Chang , LIANG Bin
2018, 29(5):1199-1212. DOI: 10.13328/j.cnki.jos.005505
Abstract: In recent years, taking the known vulnerable function as the criterion to retrieve similar implementations has been proven to be an effective vulnerability detection method. However, a vulnerable function often contains some statements that are irrelevant to the vulnerability of interest, which may heavily interfere with the similarity computation and lead to false positives and false negatives. This paper presents an approach to improve the precision of retrieval-based vulnerability detection by leveraging the patch of the vulnerable function. The program slicing technique is adopted to exclude irrelevant statements from the original vulnerable function according to the patch. A denoised feature vector is generated from the obtained slice and is used to search for potential unknown vulnerabilities in the code base. This approach has been applied to some real-world projects. Experimental results show that the approach can effectively reduce the interference of irrelevant statements and improve the detection precision. Three confirmed unknown vulnerabilities are successfully detected in the projects.
HU Hao , YE Run-Guo , ZHANG Hong-Qi , CHANG De-Xian , LIU Yu-Ling , YANG Ying-Jie
2018, 29(5):1213-1229. DOI: 10.13328/j.cnki.jos.005507
Abstract: In order to reflect the dynamic change of vulnerability security risk over time in an information system, this paper develops a life cycle stochastic model based on the absorbing Markov chain. The prior historical vulnerability information is used as the input. Then the state transition probability matrix of the vulnerability life cycle is constructed. Specifically, the state evolution process is simulated in the dimension of time using matrix deduction. Meanwhile, the common vulnerability scoring system (CVSS) is utilized to measure the threat impact of vulnerabilities in the network system. Furthermore, a quantitative risk method to measure security vulnerability in the time dimension is provided to analyze some probability evolution rules with respect to the states of the vulnerability life cycle. Finally, the exploits used by the ransomware "WannaCry" in a typical APT attack scenario are taken as an example to verify the rationality and validity of the presented model and method.
SHEN Wei-Jun , TANG En-Yi , CHEN Zhen-Yu , CHEN Xin , LI Bin , ZHAI Juan
2018, 29(5):1230-1243. DOI: 10.13328/j.cnki.jos.005503
Abstract: Vulnerability detection is an important way of improving the security of software. However, the development of the Internet makes it possible for hackers to attack software systems with new techniques. This paper focuses on a new kind of vulnerability that relates to numerical stability. It poses a new threat to software security, as hackers are able to bypass security protection through this new kind of vulnerability, and such a vulnerability is difficult to detect with numerical analysis. In the paper, the vulnerability related to numerical stability is defined from the perspective of software behavior variation caused by numerical errors, and an automatic detection approach is proposed. The approach combines static analysis and symbolic execution, and detects the vulnerability in three steps: symbolic extraction, static attack analysis, and dynamic attack verification with high precision values. This new approach is evaluated on a few well-known open source projects. The results show that the proposed approach effectively detects the vulnerabilities related to numerical stability hidden in real-world projects.
GAO Zhi-Wei , JI Wei-Xing , SHI Jian-Jun , WANG Yi-Zhuo , GAO Yu-Jin , LIAO Xin-Yi , LUO Hui , SHI Feng
2018, 29(5):1244-1257. DOI: 10.13328/j.cnki.jos.005506
Abstract: Resource leak is an important software defect that affects the quality and reliability of software and may cause program abnormality or even system crash. Static analysis is an effective defect detection method which can identify potential resource leaks in source code or executable binaries. However, as the scale of programs increases, the complexity of accurate resource leak detection rises exponentially, thereby making it difficult to meet the demand of just-in-time defect detection for large practical applications. In this paper, an incremental static resource leak detection algorithm is proposed for large-scale source code projects. The algorithm supports inter-procedural, flow-sensitive resource leak detection that allows developers to observe the impact of their changes immediately. Starting from the modified functions, this approach narrows down the scope of resource leak detection by generating method closures and performing points-to analysis to analyze hundreds of thousands of lines of source code in seconds. Experimental results show that the algorithm completes defect detection within 10 s with high accuracy on more than 90% of the tests, which makes just-in-time resource leak detection possible for practical applications.
YANG Mei-Fang , HUO Wei , ZOU Yan-Yan , YIN Jia-Wei , LIU Bao-Xu , GONG Xiao-Rui , JIA Xiao-Qi , ZOU Wei
2018, 29(5):1258-1274. DOI: 10.13328/j.cnki.jos.005499
Abstract: Fuzzing is an effective vulnerability discovery technology. In order to solve the inefficiency problem caused by blind mutation in fuzzing, security engineers need to customize the fuzzer in all aspects, such as input characteristics, mutation method, seed sample screening, and abnormal sample discovery and analysis, which results in huge expenditure. To meet the need for low-cost customization and high scalability of the universal fuzzer (i.e. a fuzzer that supports multiple input formats and software), this paper first proposes a programmable fuzzing framework. Based on the framework, the only thing security engineers need to do when they want to customize fuzzing is to write directive programs. It can sharply improve the efficiency of developing fuzzers without reducing the effectiveness of fuzzing. The framework contains a set of fuzzing primitives, a fuzzing directive specification (FDS) and an FDS parser. Fuzzing primitives, which involve mutation, monitoring and guiding, are the basic statements of a directive program. FDS and the FDS parser support writing and parsing directive programs, as well as generating fuzzers. Based on the implementation of a prototype framework called Puzzer, security engineers can accomplish the core functions and cover 87.8% of the total basic operations of five mainstream fuzzers with only about 54 lines of code. A fuzzer with functionality equivalent to AFL can be built using Puzzer, achieving the same effectiveness with only 51 lines of code.
HUO Wei , DAI Ge , SHI Ji , GONG Xiao-Rui , JIA Xiao-Qi , SONG Zhen-Yu , LIU Bao-Xu , ZOU Wei
2018, 29(5):1275-1287. DOI: 10.13328/j.cnki.jos.005501
Abstract: Fuzzing is widely used for browser vulnerability mining, and one of the key factors determining its effectiveness is the test pattern written by the tester. Considering that the test pattern is written at high cost and has a short survival time, in this article, an automatic construction of fuzzers based on pattern generation is presented. By analyzing the known vulnerability samples and extracting the test pattern automatically, the traditional mutation strategy is then applied to each module in the pattern to complete the automatic generation of abnormal samples. Experimental results show that on average it takes only 11.168 seconds to finish the automatic construction of 1,089 different fuzzers based on 1,089 known vulnerabilities for five browsers, which is much less time-consuming than construction by the testers themselves. Applied to the IE 10, IE 11 and Firefox 54.0 Web browsers with 10 randomly selected fuzzers, the new method discovered a total of 57 different bugs, including a high-risk unknown vulnerability. This demonstrates that the method has better capability at finding unknown vulnerabilities.
ZHANG Xing , FENG Chao , LEI Jing , TANG Chao-Jing
2018, 29(5):1288-1302. DOI: 10.13328/j.cnki.jos.005493
Abstract: A GUI program's idle state usually causes low efficiency in fuzzing tests. This paper tries to solve the idle state detection problem based on function traces using a natural language processing method. It first analyzes the difficulties that traditional program analysis methods face in idle state detection, and then proposes an idle state detection method based on a Bi-Gram module and statistical analysis. The Bi-Gram algorithm transforms the function trace of the GUI program into a probabilistic characteristic sequence, then separates the idle state probabilistic characteristic sequence from the program's probabilistic characteristics by the variance characteristics of the idle state probabilistic characteristic sequence. The algorithm finally extracts idle state features, which are applied to the real-time idle state detection algorithm. Experiments on source code and binary programs show that the new method is more efficient and accurate than the traditional method.
SHA Le-Tian , XIAO Fu , YANG Hong-Ke , YU Hui , WANG Ru-Chuan
2018, 29(5):1303-1317. DOI: 10.13328/j.cnki.jos.005498
Abstract: Cloud computing provides great convenience for people's daily life; however, it also introduces huge security threats via the related technology. Recently, more and more vulnerabilities have been discovered in the virtualization layer of IaaS cloud platforms, and discovering DDoS and escape vulnerabilities in the virtualization mechanism can be viewed as a difficult problem. In this paper, some known bugs in related platforms are analyzed, target test case sets are extracted and extended, and a randomized fuzzing test is designed and accomplished. In addition, an automatic prediction based on a grey Markov model is proposed, via which the direction of the fuzzing test can be supervised and adjusted in real time, and self-adapting fuzzing of the virtualization platform can be achieved. Finally, a prototype, called VirtualFuzz, is designed and implemented in this paper. Experimental data demonstrate that DDoS and escape vulnerabilities can be discovered effectively with the new method. Out of 24 test cases acquired, 18 known cases are evaluated and 6 unknown cases are discovered. Moreover, 3 vulnerabilities are confirmed by CVE, while the optimized results for efficiency are emphasized via comparison between VirtualFuzz and other fuzzing tools.
2018, 29(5):1318-1332. DOI: 10.13328/j.cnki.jos.005502
Abstract: With its ubiquity, the Android system offers more and more functions. One of the important features is the accessibility service, which was introduced in Android 1.6 and optimized in Android 4.0 and above. With the accessibility service, applications can retrieve active window information, such as the text contents and user input, and can communicate with applications' windows automatically, for example, getting the button content and then clicking it. However, these advanced features, when abused, bring mobile users considerable safety threats. This work carries out research into this system service, analyzing possible ways of abuse and their causes in the system API design. The paper then proposes and implements a new system called Tassel, based on the decentralized information flow control mechanism, to make the service API usage more secure. The new system tags, tracks and controls the accessibility service handling as well as the accessibility event. This system is evaluated to show that it can prevent the accessibility service from being abused, and meanwhile, it does not impact normal system functions or performance.
WANG Xin-Ran , LIU Yu-Tao , CHEN Hai-Bo
2018, 29(5):1333-1347. DOI: 10.13328/j.cnki.jos.005496
Abstract: Return-oriented programming (ROP), in which attackers corrupt the program stack in order to hijack the control flow of the program, is a popular way to exploit memory corruption bugs. Control flow integrity (CFI) is a popular approach which thwarts attackers tampering with the execution flow, in a way that enforces the legal targets of each indirect branch. While published CFI approaches mainly focus on protecting user programs, the OS kernel is still vulnerable to various attacks such as return-oriented rootkits (ROR), which can launch ROP attacks in vulnerable kernel modules and execute arbitrary code in the kernel. Compared with traditional user-level ROP, ROR is more dangerous because it happens in kernel space. According to Linux CVEs from 2014 to 2016, 76% of kernel bugs appear in kernel modules and almost all of the published attacks happen in kernel modules, which implies that kernel modules are the most dangerous area in kernel space. However, there are currently still very few kernel-level CFI protection mechanisms, and all of the existing ones require source-code level modification and kernel recompilation, which restricts the usage scenarios on commodity systems. To address these problems, this paper proposes to leverage Intel processor trace (IPT), and presents the first system which can prevent ROP attacks in kernel modules based on virtualization without relying on the source code of the kernel and kernel modules. The evaluation proves the precision, transparency and efficiency of the new system.
YE Cong-Cong , LI Guo-Qiang , CAI Hong-Ming , GU Yong-Gen
2018, 29(5):1348-1359. DOI: 10.13328/j.cnki.jos.005500
Abstract: Blockchain is the basic technology of bitcoin, which is a decentralized peer-to-peer transaction system. Blockchain consists of distributed storage, peer-to-peer transfer, a consensus mechanism and encryption algorithms. The security of blockchain is always the focus of people's attention. Many studies use mathematical methods to analyze the impact of each attack on blockchain; however, the types of attacks on blockchain have not been fully identified. Evaluating the security of blockchain by analyzing the impact of each attack separately is incomplete. In this paper, a method is proposed to detect and evaluate the security of each state in blockchain by simulating the blockchain's process. This simulation method uses two strategies, an attacking algorithm and an honest algorithm, to get all states of the blockchain, including attacking states. When a block contains illusory transactions connecting with more than six blocks, the state of the blockchain is regarded as an attacking state, and the others are called honest states. According to the simulation process, the probability that an honest state becomes an attacking state is analyzed. When the probability exceeds a high value, people will get a warning; they can wait a longer time to accept the transactions in order to defend against being attacked and improve the security of the blockchain. Some experiments are also carried out to measure this method, and various forms are used to analyze the results, which show that the method is correct and feasible.
YANG Dong , SHI Hao , DONG Wei , LIU Zong-Lin , ZHOU Ge
2018, 29(5):1360-1378. DOI: 10.13328/j.cnki.jos.005508
Abstract: Defects of the software and hardware in an unmanned aerial system (UAS) and external malicious attacks pose a great threat to the security and safety of the UAS. Due to the complex running environment of a UAS, many factors are difficult to predict accurately in the development process. Therefore, it is of great significance to adopt an effective runtime security and safety guarantee mechanism. This paper proposes a UAS security and safety threat detection method based on runtime verification. Firstly, after analyzing a variety of security and safety threats that a UAS may encounter, the paper defines the threats in discrete-time MTL and presents the corresponding UAS-DL language to describe the security and safety monitoring specification. Then an automatic generation algorithm for security and safety threat monitors is introduced based on the alternating automaton, and security and safety monitoring of multiple UASs is implemented by a parameterization method. In order to improve the accuracy of the detection, the method of combining runtime verification with Bayesian network inference is also studied. The experiment is carried out with the actual UAS development simulation platform Ardupilot, and monitors are deployed independently on field-programmable gate array (FPGA) hardware to avoid excessive usage of UAS computing resources. Experimental results show that the proposed method can effectively detect the security and safety threats of a UAS.
2018, 29(5):1379-1391. DOI: 10.13328/j.cnki.jos.005497
Abstract: To shorten application development time, many Android developers include third-party SDKs in their apps. Third-party SDKs are toolkits developed by third-party service companies such as advertising platforms, data providers, social networks, and map service providers. These third-party SDKs have become an important part of the Android ecosystem. If an SDK contains security vulnerabilities, all the apps that include it become vulnerable, which severely affects the security of the Android ecosystem. To address this issue, this work selects 129 popular third-party SDKs in the market and makes a comprehensive analysis of their security. In order to improve the accuracy of the analysis, the demo apps of the third-party SDKs are taken as the analysis objects, and certain effective Android app analysis methods (such as static taint tracking, dynamic taint tracking and dynamic binary instrumentation) and analysis tools (such as FlowDroid and DroidBox) are employed. The result shows that more than 60% of the collected third-party SDKs contain various vulnerabilities (e.g. misuse of HTTP, misuse of SSL/TLS, abuse of sensitive permissions, identification, vulnerabilities brought by the local server, information leakage through logging, mistakes of application developers), which is a threat to the related applications and the users of these applications.
WANG Chi-Heng , CHEN Jing , SU Han , HE Kun , DU Rui-Ying
2018, 29(5):1392-1409. DOI: 10.13328/j.cnki.jos.005494
Abstract: As an important channel for mobile marketing, mobile advertising has become more and more popular among app developers. However, in pursuit of targeted ad delivery and other illegal tactics, mobile ads may introduce serious threats to users' privacy and property. Recently, many studies have paid attention to the threat of advertisement platforms, advertisement providers, and mobile apps, though few studies have focused on the security of the advertisement network. In this paper, based on the automatic analysis of the host app's permissions, a man-in-the-middle (MITM) attack scheme is proposed to inject malicious code into the ads' traffic. Through analyzing network traffic, this method can identify the name of the host app and extract its permissions from the official app market. Moreover, it also extracts the device information, such as system version and sensors, which is helpful for finding the loopholes of the corresponding WebView. To generate the attack code automatically, a capability description language (CDL), which can describe the attacker's ability in a standardized format, is also developed. The distribution of loopholes among different Android versions is studied. Experimental results show that the proposed attack scheme can affect many apps, and the attack cases also illustrate the feasibility of this work. In the end, several protection methods and security enhancement schemes, including host app name confusion, ads content integrity checks, and mitigation technologies for MITM attacks, are put forward.
ZHANG Wei-Feng , LIU Rui-Cheng , XU Lei
2018, 29(5):1410-1421. DOI: 10.13328/j.cnki.jos.005495
Abstract: A Web Trojan is a form of attack that inserts an attacking script into a Web page and, by exploiting the vulnerabilities of browsers and their plug-ins, causes the victim's system to silently download and install malicious programs. Based on dynamic program analysis and machine learning methods, this paper proposes a method of detecting Web Trojans based on dynamic behavior analysis. Firstly, the behaviors of the attack scripts on the landing page, including dynamic function execution, dynamically generated function execution, script insertion, page insertion and URL jumps, are monitored. Then these behaviors are extracted according to a set of rules. The associated string operation records are also processed as features. Next, for the use of malicious heap operations (the shellcode behavior), a feature indicating the heap risk is proposed. Finally, 500 web samples from Alexa and VirusShare are collected as data sets, and a classifier is trained by a machine learning method. The experimental results show that, compared with the existing methods, the presented method has high accuracy (96.94%) and can effectively resist the interference of code obfuscation (lower false positive rate of 6.1% and false negative rate of 1.3%).
ZHANG Li , PU Meng-Yuan , LIU Yi-Jun , TIAN Jia-Hao , YUE Tao , JIANG Jing
2018, 29(5):1422-1450. DOI: 10.13328/j.cnki.jos.005520
Abstract: To depict, understand, evaluate, predict, control, manage or enhance software-related artifacts, researchers and practitioners often rely on empirical methods. Empirical methods have been widely used in software engineering, and they are attracting increasing attention over the years. By conducting a systematic mapping, this paper aims to provide a literature survey of 250 papers published in a typical journal, Empirical Software Engineering, from January 2013 to June 2017. With qualitative and quantitative analysis, this survey reveals the commonly used empirical research methods, research purposes, and the application of the methods in subfields of software engineering, including the solved problems and some new features. The findings also cover the use of open source projects, data sources, data collection methods and commonly used mathematical statistics methods. Finally, this paper illustrates validity threats and discusses the future work, opportunities and some open issues of empirical research in the era of big data.
DAI Fei , CHEN Feng-Qiang , MO Qi , WANG Wei , LI Tong , LIANG Zhi-Hong
2018, 29(5):1451-1470. DOI: 10.13328/j.cnki.jos.005382
Abstract: Generating peers by projection from choreographies is known as the first step in checking choreographies' realizability. However, the projection approaches proposed in the existing literature have not considered the behavioral influence of the invisible action τ. This leads to behavior inconsistency between the choreography and the generated peers. This paper proposes a projection approach based on Petri nets, which allows us to 1) generate the peers defined by interaction Petri nets with τ through action projection from a choreography defined by an interaction Petri net, 2) develop four types of tau deletion rules to selectively delete τ from interaction Petri nets, and 3) specify the behavior consistency between the choreography and the generated peers to check whether two Petri nets satisfy weak simulation. Moreover, the correctness of these four types of tau deletion rules is proved. Experimental results show that the projection approach can ensure the behavior consistency between choreography and peers.
ZHENG Guang-Yuan , LIU Xia-Bi , HAN Guang-Hui
2018, 29(5):1471-1514. DOI: 10.13328/j.cnki.jos.005519
Abstract: Computer aided detection/diagnosis (CAD) can improve the accuracy of diagnosis, reduce false positives, and provide decision support for doctors. The main purpose of this paper is to analyze the latest development of computer aided diagnosis tools. Focusing on the incidence positions of the top four fatal cancers, major recent publications on CAD applications in different medical imaging areas are reviewed in this survey according to different imaging techniques and diseases. Furthermore, a multidimensional analysis is made of the research in terms of image data sets, algorithms and evaluation methods. Finally, existing problems, research trends and development directions in the field of medical image CAD systems are discussed.