Journal of Tsinghua University (Science and Technology)  2016, Vol. 56 Issue (1): 28-34    DOI: 10.16511/j.cnki.qhdxxb.2016.23.006
Information Security
Approach of generating vulnerability signature based on taint analysis and symbolic execution
XIN Wei, SHI Zhiwei, HAO Yongle, DONG Guowei
China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract: A vulnerability signature is the set of inputs that trigger a program vulnerability; filtering program inputs against a vulnerability signature is an effective way to protect a vulnerable program. This paper studies vulnerability signature generation and proposes an effective method based on taint analysis and symbolic execution: taint propagation locates the bytes of the input that are related to triggering the vulnerability, symbolic execution then derives the path constraints, and constraint solving yields the final vulnerability signature. Based on the open-source projects Pin and Z3, a prototype system, TASEVS, was built for vulnerability signature generation with taint analysis and symbolic execution, and it was validated on vulnerable programs. Experimental results show that TASEVS can generate vulnerability signatures effectively.
Abstract (English version): A vulnerability signature matches a set of inputs which trigger a software vulnerability. Applying a vulnerability signature to input filtering is one of the most popular and effective defense mechanisms for protecting vulnerable programs against exploits. A method for generating vulnerability signatures was developed using taint analysis and symbolic execution. The method uses taint analysis to locate the bytes of the input that direct execution to the vulnerable points. Path constraints are generated via dynamic symbolic execution, and the final vulnerability signature is obtained through constraint solving. A proof-of-concept system, TASEVS, was implemented based on the instrumentation tool Pin and the constraint solver Z3. Experimental results show that TASEVS can effectively generate vulnerability signatures.
Key words: binary-executable-oriented software; vulnerability signature; taint analysis; symbolic execution; constraint solving
Received: 2014-10-28      Published: 2016-01-29
CLC number: TP309
Cite this article:
XIN Wei, SHI Zhiwei, HAO Yongle, DONG Guowei. Approach of generating vulnerability signature based on taint analysis and symbolic execution [J]. Journal of Tsinghua University (Science and Technology), 2016, 56(1): 28-34.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.23.006  or  http://jst.tsinghuajournals.com/CN/Y2016/V56/I1/28
Fig. 1 Schematic of the input filtering process based on vulnerability signatures
Fig. 2 Schematic of the taint analysis process
Fig. 3 Source code used for symbolic execution
Fig. 4 Schematic of path constraint generation by symbolic execution
Fig. 5 Schematic of the implementation approach
Fig. 6 Vulnerable program
Table 1 Experimental results