基于污点指针的二进制代码缺陷检测

doi:liujie710@hotmail.com

计算机工程 ›› 2012, Vol. 38 ›› Issue (24): 46-49. doi: liujie710@hotmail.com

基于污点指针的二进制代码缺陷检测

刘杰 ¹，王嘉捷 ²，欧阳永基 ¹，王清贤 ¹

(1. 国家数字交换系统工程技术研究中心，郑州 450002；2. 中国信息安全测评中心，北京 100085)

收稿日期:2012-03-15 修回日期:2012-04-21 出版日期:2012-12-20 发布日期:2012-12-18
作者简介:刘杰(1986－)，男，博士研究生、CCF会员，主研方向：软件安全分析；王嘉捷，博士；欧阳永基，博士研究生；王清贤，教授
基金资助:
国家“863”计划基金资助项目(2008AA01Z420)

Binary Code Defect Detection Based on Taint Pointer

LIU Jie¹, WANG Jia-jie ², OUYANG Yong-ji¹, WANG Qing-xian ¹

(1. National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China; 2. China Information Technology Security Evaluation Center, Beijing 100085, China)

Received:2012-03-15 Revised:2012-04-21 Online:2012-12-20 Published:2012-12-18

摘要/Abstract

摘要： 污点指针严重影响二进制代码数据流和控制流的安全。为此，提出一种二进制代码缺陷检测方法。引入指针污点传播规则，结合路径约束条件和边界约束条件得到缺陷引发条件，构造能够引发4类污点指针代码缺陷的输入数据。在Linux系统下实现ELF二进制代码缺陷检测工具，测试结果表明，该方法能降低测试用例生成数量，并发现Linux系统工具的1个虚函数调用控制缺陷和2个指针内存破坏缺陷。

关键词: 污点指针, 污点传播, 符号执行, 边界条件, 缺陷检测, 内存破坏

Abstract: Taint pointers are serious threats to the security of data flow and control flow. A method for binary defect detection is proposed, which is based on dynamic taint propagation, dynamic symbolic execution and bound constraint analysis, including introduction of the pointer propagation rules, generation of trigger condition by combing path constraints with bound constraints. It can generate inputs for four types of code defects caused by taint pointer. Test results show that this method reduces the number of test case generation effectively, and a virtual function call hijack and two pointer memory corruption defects are found in the test of Linux system tools.

Key words: taint pointer, taint propagation, symbolic execution, bound condition, defect detection, memory corruption

中图分类号:

TP311

刘杰, 王嘉捷, 欧阳永基, 王清贤. 基于污点指针的二进制代码缺陷检测[J]. 计算机工程, 2012, 38(24): 46-49.

LIU Jie, WANG Jia-Cha, OU Yang-Yong-Ji, WANG Qing-Xian. Binary Code Defect Detection Based on Taint Pointer[J]. Computer Engineering, 2012, 38(24): 46-49.

http://www.ecice06.com/CN/Y2012/V38/I24/46

参考文献

[1] Slowinska A, Bos H. Pointless Tainting? Evaluating the Practi- cality of Pointer Tainting[C]//Proc. of the 4th ACM European Conference on Computer Systems. New York, USA: ACM Press, 2009.
[2] Slowinska A, Bos H. Pointer Tainting Still Pointless(But We All See the Point of Tainting)[J]. ACM SIGOPS Operating Systems Review, 2010, 44(3): 88-92.
[3] 忽朝俭, 李舟军, 郭涛, 等. 写污点值到污点地址漏洞模式检测[J]. 计算机研究与发展, 2011, 48(8): 1455-1463.
[4] Newsome J, Song D. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software[C]//Proc. of the 12th Annual Network and Distributed System Security Symposium. [S. l.]: Academic Press, 2005.
[5] Drewry W, Ormandy T. Flayer: Exposing Application Inter- nals[C]//Proc. of the 1st USENIX Workshop on Offensive Technologies. Boston, USA: USENIX Association, 2007.
[6] Ganesh V, Leek T, Rinard M. Taint-based Directed Whitebox Fuzzing[C]//Proc. of the 31st International Conference on Software Engineering. Washington D. C., USA: IEEE Computer Society, 2009.
[7] Corina S, Neha R, Visser W. Symbolic Execution with Mixed Concrete-symbolic Solving[C]//Proc. of the 20th International Symposium on Software Testing and Analysis. Toronto, Canada: ACM Press, 2011.
[8] Elkarablieh B, Godefroid P, Levin Y. Precise Pointer Reasoning for Dynamic Test Generation[C]//Proc. of the 8th International Symposium on Software Testing and Analysis. Chicago, USA: ACM Press, 2009.
[9] Nethercote N, Seward J. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation[C]//Proc. of ACM SIGPLAN on Programming Language Design and Implementation. New York, USA: ACM Press, 2007.
[10] Ganesh V, Dill D. STP: A Decision Procedure for Bit-vectors and Arrays Computer Aided Verification[C]//Proc. of the 19th International Conference on Computer Aided Verification. Berlin, Germany: Springer-Verlag, 2007.

[1]	张利群, 潘祖烈, 黄晖, 王瑞鹏, 李阳. 基于符号执行的Tcache Poisoning堆漏洞自动验证方法研究[J]. 计算机工程, 2023, 49(6): 24-33.
[2]	戴渭, 陆余良, 朱凯龙. 结合混合符号执行的导向式灰盒模糊测试技术[J]. 计算机工程, 2020, 46(8): 190-196.
[3]	秦彪, 郭帆, 杨晨霞. 一种面向Trace与漏洞验证的污点分析方法[J]. 计算机工程, 2020, 46(5): 157-166.
[4]	张超, 潘祖烈, 樊靖. 基于符号执行的堆溢出fastbin攻击检测方法[J]. 计算机工程, 2020, 46(10): 151-158.
[5]	吴涛, 王伟斌, 于力, 谢蓓敏, 尹维崴, 王洪玉. 轻量级YOLOV3的绝缘子缺陷检测方法[J]. 计算机工程, 2019, 45(8): 275-280.
[6]	邡鑫,史峥. 基于卷积神经网络的晶圆缺陷检测与分类算法[J]. 计算机工程, 2018, 44(8): 218-223.
[7]	韩阳,何博侠,童楷杰,刘辉,孙钧成. 基于Ward反射模型的航天密封圈表面缺陷检测[J]. 计算机工程, 2018, 44(7): 297-302.
[8]	刘玉环,唐庭龙,陈胜勇. 基于词袋特征算法的药品分层缺陷检测[J]. 计算机工程, 2018, 44(6): 249-252,258.
[9]	陈政,方勇,刘亮,左政. 基于动态符号执行的勒索软件检测方法[J]. 计算机工程, 2018, 44(6): 104-110.
[10]	邱洋,王轶骏,薛质. 基于符号执行的Python攻击脚本分析平台[J]. 计算机工程, 2016, 42(11): 139-146.
[11]	牟永敏，李慧丽. 基于函数调用路径的测试用例优先级排序[J]. 计算机工程, 2014, 40(7): 242-246,253.
[12]	史大伟，袁天伟. 一种粗细粒度结合的动态污点分析方法[J]. 计算机工程, 2014, 40(3): 12-17,22.
[13]	唐湘娜, 王耀南. 铁轨表面缺陷的视觉检测与识别算法[J]. 计算机工程, 2013, 39(3): 25-30.
[14]	郭永彩, 邓细凤, 高潮. 基于主成分分析的表面缺陷自动检测算法[J]. 计算机工程, 2013, 39(2): 216-219.
[15]	徐红云，陈志锋. 一种改进的可视化布局算法IGVA[J]. 计算机工程, 2013, 39(12): 298-302.

选择文件类型/文献管理软件名称

选择包含的内容

基于污点指针的二进制代码缺陷检测

Binary Code Defect Detection Based on Taint Pointer

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于污点指针的二进制代码缺陷检测

Binary Code Defect Detection Based on Taint Pointer

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价