Research on Vulnerability Discovery Techniques for Binary Applications
Abstract
With the development of information technology, computer software plays a key role in fields such as the economy, medicine and national defense. Under these circumstances, software security, as a basic property of information systems, has become an issue that affects the national economy and people's livelihoods. In recent years, although major software vendors have actively adopted the "Security Development Lifecycle" during product development, and developers' awareness of secure coding has improved markedly compared with earlier years, the ever-increasing complexity and code volume of software mean that vulnerabilities cannot be eliminated entirely. This inevitably gives attackers an opening: "Advanced Persistent Threat" attacks that exploit software vulnerabilities occur one after another, posing a severe threat to network security. Discovering and patching software vulnerabilities as early as possible helps protect both the personal information of Internet users and national security. Software vulnerability discovery has therefore become one of the hot topics in the field of security research.
According to the object of study, software vulnerability discovery techniques fall into two categories: source-code-level vulnerability detection for open-source software, and binary-level vulnerability detection for closed-source software. Most software vendors, to protect their commercial interests and intellectual property, do not release the source code of their products to the developer and security research communities. Moreover, during compilation, improper compiler optimizations may produce binary code with security defects. For these reasons, binary-oriented vulnerability discovery is the mainstream direction of current research.
Compared with source-code-level vulnerability detection, binary-level vulnerability detection faces the following difficulties:
(1) Lack of information. Although a binary file can be disassembled to obtain assembly code, variable type information, data structure information and program semantics are still missing. Indirect jumps and pointer aliasing in particular pose great challenges for binary-level vulnerability detection.
(2) Complexity of x86 instructions. The x86 instruction set has many instruction types, different instructions take different numbers of operands, and a single instruction often affects multiple operands. This affects the precision of binary-level program analysis to some degree.
This dissertation centres on binary application vulnerability discovery and studies the following problems in depth: (1) plugin development techniques for the binary dynamic instrumentation platform PIN; (2) PIN-based optimization of fuzzing test case sets; (3) XML-based formal description of vulnerability patterns; (4) offline fine-grained taint analysis; (5) the design of a taint-analysis-based intelligent fuzzing system.
Along with the development of information technology, software plays an important role in many areas such as the economy, medicine and national defense. In such a case, security, which is a basic property of information systems, has an effect on national welfare and people's livelihood. In recent years, although many software vendors have actively adopted the Security Development Lifecycle proposed by Microsoft, and more and more programmers have developed a sense of secure coding, software's complexity and amount of code essentially determine that vulnerabilities cannot be completely eliminated from software. There is no doubt that this gives attackers opportunities; networks face severe threats from Advanced Persistent Threats launched by exploiting software vulnerabilities. Discovering vulnerabilities as early as possible and patching them in time will enhance not only personal information security but also national security. So the technology of bug hunting is one of the most interesting themes in the field of security research.
Vulnerability discovery technology can be classified into two kinds: source-code-oriented vulnerability detection and binary-code-oriented vulnerability detection. Many software vendors do not release their products with source code, for reasons of commercial interest and intellectual property. And in the process of compiling, improper compiler optimization may generate defective binary code. Because of the above reasons, binary-code-oriented detection is the mainstream method.
Compared with source-code-oriented vulnerability detection, binary-code-oriented vulnerability detection faces the following challenges:
(1) Lack of information: although assembly code can be acquired by disassembling the binary file, information such as variable data types, data structures, syntax and semantics is still missing. Indirect jumps and pointer aliasing in particular make binary code analysis tougher.
(2) The complexity of the x86 instruction set: there are various types of instruction in the x86 instruction set, and different instructions have different numbers of operands. What's more, a single instruction usually has an effect on multiple operands.
This dissertation focuses on binary-executable-oriented vulnerability detection techniques and makes an in-depth study of the following issues: (1) the development technique for plugins of the binary instrumentation framework PIN; (2) the technique of optimizing fuzzing test case sets based on PIN; (3) the formal description of vulnerability patterns based on XML; (4) offline fine-grained taint analysis technique; (5) the design and implementation of a taint-analysis-based intelligent fuzzing system.