Research on Protocol Reverse Parsing Technology Based on a Dynamic Binary Analysis Platform
Abstract
Protocol reverse parsing technology has important application value in protocol security analysis, vulnerability discovery in network applications, intrusion detection and other areas, so in-depth research on it is of great significance.
     The thesis first introduces the concept, application areas and research status of protocol reverse parsing and analyses the shortcomings of existing work. On this basis, it implements a protocol reverse parsing method based on a dynamic binary analysis platform. The main idea of the method is as follows: the network application is interpretively executed on the dynamic binary analysis platform and, during execution, dynamically instrumented through the platform's extension mechanism, so that the program's execution trace while it processes protocol messages is captured accurately; the recorded trace information is then analysed to parse out the protocol message format. To this end, the thesis studies and implements the following techniques:
     A dynamic taint-source identification technique was designed, which monitors the execution of the program's network API functions in real time to locate the protocol data the program receives and mark it as the taint source; a real-time trace acquisition technique based on dynamic program instrumentation was implemented, which accurately captures the processing trace of protocol messages and uses the ETW (Event Tracing for Windows) mechanism for real-time storage of the trace information; a dynamic taint analysis technique based on DynamoRIO was studied and implemented, which performs dynamic taint analysis over the recorded trace information, extracts the specific processing information of the protocol messages and generates a taint propagation tree for the protocol data processing; finally, according to the formulated reverse parsing strategy for protocol fields, the main field formats of the protocol messages, such as separators, keywords, length fields and target fields, are parsed out.
     Finally, the thesis designs and implements a DynamoRIO-based protocol reverse parsing prototype system (named UNPRE), tests it on a text protocol and a binary protocol respectively, and compares the test results with Wireshark's parsing results. The results show that UNPRE's reverse parsing of protocol formats is correct and faithfully reflects the main field formats of the protocol messages.
Protocol reverse parsing technology has important application value in many fields, such as security analysis of protocols, vulnerability discovery in network applications, intrusion detection and so on. Thus, it is of great significance to do further research on it.
     This thesis first introduces the concept, the application fields and the research status of protocol reverse parsing technology, and analyzes the shortcomings of the existing research results. Then, a protocol reverse parsing approach based on a dynamic binary analysis platform is implemented. The main idea of this approach is to simulate the execution of the network application program on the dynamic binary analysis platform and, during execution, to instrument the target program dynamically using the extension interface of the analysis platform. The main formats of the protocol messages can then be extracted by analyzing the execution traces of the network application while it processes the received protocol data. To this end, the following techniques were designed and implemented.
     In this thesis, a taint-source auto-identification technique is first presented to dynamically locate the received protocol data and tag it as the taint source by monitoring the execution of the program's network APIs. Then, a new trace-tracking technique based on dynamic program instrumentation is proposed to obtain the real-time processing trace of the protocol data, and the ETW (Event Tracing for Windows) mechanism is introduced to store the trace information efficiently. After that, a dynamic taint analysis technique based on DynamoRIO is designed and implemented to distill the processing details of the protocol data and generate its taint propagation tree from the recorded trace information. Finally, the designed parsing strategies for protocol fields are applied to the obtained processing details to parse the main protocol fields, such as separators, keywords, length fields and target fields.
     In the end, this thesis designs and implements a prototype system (named UNPRE) for protocol reverse parsing under DynamoRIO, and presents the test results of the prototype system on both a text protocol and a binary protocol. Comparison of these results with the output of Wireshark shows that the protocol formats parsed by UNPRE are correct and that many of the main protocol fields can be parsed correctly using UNPRE.
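As an added illustration of the final parsing step described above (not code from the UNPRE thesis), the block below turns a constructed taint trace, whose event shape is assumed, into field boundaries of the kinds the abstract names: keyword, separator, length field and target field.

```python
# Added illustration, not UNPRE's code: deriving field boundaries from taint events.
SEPARATOR_BYTES = b" \r\n"
# Constructed message: a text request line, then a 1-byte length and its payload.
MSG = b"GET /x\r\n" + bytes([3]) + b"abc"
# Constructed trace in the shape a taint pass hooked at recv() might log (assumed):
# each event lists the input offsets (taint labels) that reached the instruction.
TRACE = [
    {"op": "cmp", "offs": [0, 1, 2], "const": b"GET"},     # memcmp against a keyword
    {"op": "cmp", "offs": [3], "const": b" "},             # strchr(' ') scan hit
    {"op": "cmp", "offs": [6], "const": b"\r"},
    {"op": "cmp", "offs": [7], "const": b"\n"},
    {"op": "loop_bound", "offs": [8]},                     # byte 8 bounds a copy loop
    {"op": "mem_read", "offs": [9, 10, 11], "bound": [8]}, # bytes read under that bound
]

def classify(ev):
    """Map one taint event to a (kind, first_offset, last_offset) field, or None."""
    lo, hi = min(ev["offs"]), max(ev["offs"])
    if ev["op"] == "cmp":
        if lo == hi and ev["const"] in SEPARATOR_BYTES:
            return ("separator", lo, hi)
        return ("keyword", lo, hi)
    if ev["op"] == "loop_bound":
        return ("length", lo, hi)
    if ev["op"] == "mem_read" and ev.get("bound"):
        return ("target", lo, hi)
    return None

def infer_fields(trace, msg_len):
    """Order classified fields by offset; bytes no event classified become 'unknown'."""
    fields = sorted(filter(None, map(classify, trace)), key=lambda f: f[1])
    out, pos = [], 0
    for kind, lo, hi in fields:
        if lo > pos:
            out.append(("unknown", pos, lo - 1))
        out.append((kind, lo, hi))
        pos = hi + 1
    if pos < msg_len:
        out.append(("unknown", pos, msg_len - 1))
    return out

def length_fields_consistent(msg, fields):
    """Check that each length field's value equals the size of the target after it."""
    ok = True
    for i, (kind, lo, hi) in enumerate(fields[:-1]):
        if kind == "length" and fields[i + 1][0] == "target":
            _, tlo, thi = fields[i + 1]
            ok &= int.from_bytes(msg[lo:hi + 1], "big") == thi - tlo + 1
    return ok

if __name__ == "__main__":
    for kind, lo, hi in infer_fields(TRACE, len(MSG)):
        print(f"{kind:9} [{lo:2}..{hi:2}] {MSG[lo:hi + 1]!r}")
```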