Journal of Tsinghua University (Science and Technology) 2015, Vol. 55 Issue (5): 572-578
Section: Computer Science and Technology
Detection and analysis of size controlled heap allocation
XIAO Qixue1,3, CHEN Yu1, QI Lanlan2, GUO Shize3, SHI Yuanchun1
1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China;
2. Department of Network Engineering, Electronic Engineering Institute of PLA, Hefei 230037, China;
3. North Electronic Equipment Research Institute, Beijing 100191, China
Abstract (translated from the Chinese): Improper memory operations have long been one of the main causes of software vulnerabilities. Size-controlled heap allocation, or controlled memory allocation (CMA), refers to the situation in which a key parameter of a dynamic memory allocation can be controlled by external input, so that a malicious user can cause an unexpected memory allocation by carefully constructing the input data. This paper discusses the security problems that CMA can cause and a method for detecting CMA. The detection method combines the advantages of static path analysis and path-guided symbolic execution to systematically detect CMA problems in the target code. A CMA detection prototype, SCAD, was implemented on top of the classic symbolic execution engine KLEE. Tested on Coreutils, the commonly used Linux utility programs, SCAD found 10 CMA-related problems, 3 of which were previously undisclosed vulnerabilities. The experimental results show that SCAD's guided path-search algorithm has a clear advantage over the 8 path-search algorithms provided by KLEE, and that for memory-allocation-related code SCAD's guided symbolic execution achieves higher code coverage than a conventional symbolic execution engine.
Abstract (English version): Improper memory operations are one of the main causes of software vulnerabilities. This study analyzes controlled memory allocation (CMA) errors, which occur when key parameters of a memory allocation call are affected by elaborately designed input data. This paper presents a CMA detection approach that uses static analysis and optimized symbolic execution with a path-guided algorithm. These algorithms are combined with the state-of-the-art symbolic execution engine KLEE in a CMA detection tool. The tool was tested on commonly used applications such as Coreutils, where it found 10 CMA-related bugs, including 3 previously unknown bugs. Tests show that the tool's path-guided searcher reaches an assigned target faster and with more paths than the other path searchers provided by KLEE. The tool executes faster on memory-allocation-related code and achieves better coverage than conventional symbolic execution engines.
Key words: vulnerability analysis; symbolic execution; memory allocation; size controlled heap allocation
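As an added illustration of the pattern the abstract calls size-controlled heap allocation (CMA), the following C code is not from the paper or from SCAD; the record type, the MAX_RECORDS bound and the 4-byte input header layout are assumptions. It places an element count taken directly from input and fed unchecked into malloc beside a hardened allocator that bounds the count and refuses a size that would wrap size_t.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical record type and application bound (assumptions, not from the paper). */
typedef struct { uint32_t id; char name[28]; } record_t;
#define MAX_RECORDS 4096u

/* Reads a 32-bit little-endian element count from an input header.  This is
 * the externally controlled value that flows into the allocation size. */
uint32_t read_count(const unsigned char hdr[4]) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Returns 1 if count * elem_size would wrap size_t: the condition a CMA
 * detector flags when count is input-controlled (with a 32-bit size_t the
 * wrapped product yields a block far smaller than the data that follows). */
int alloc_size_wraps(size_t count, size_t elem_size) {
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Size-controlled allocation as the abstract describes it: the input count
 * is used unchecked, so whoever supplies the input chooses the request size. */
record_t *alloc_records_unchecked(uint32_t count) {
    return malloc((size_t)count * sizeof(record_t));
}

/* Hardened form: enforce the documented bound, refuse a product that would
 * wrap, and let calloc zero the block. */
record_t *alloc_records_checked(uint32_t count) {
    if (count == 0 || count > MAX_RECORDS)
        return NULL;
    if (alloc_size_wraps(count, sizeof(record_t)))
        return NULL;
    return calloc(count, sizeof(record_t));
}

/* Helper for exercising the hardened path end to end: 1 if the count is
 * accepted and memory is obtained, 0 otherwise. */
int checked_alloc_succeeds(uint32_t count) {
    record_t *r = alloc_records_checked(count);
    if (r == NULL)
        return 0;
    free(r);
    return 1;
}
```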
Received: 2015-02-03      Published: 2015-08-04
CLC number: TP311.11
Corresponding author: SHI Yuanchun, Professor, E-mail: shiyc@tsinghua.edu.cn
Cite this article:
XIAO Qixue, CHEN Yu, QI Lanlan, GUO Shize, SHI Yuanchun. Detection and analysis of size controlled heap allocation. Journal of Tsinghua University (Science and Technology), 2015, 55(5): 572-578.
Link to this article: http://jst.tsinghuajournals.com/CN/ or http://jst.tsinghuajournals.com/CN/Y2015/V55/I5/572
Figures and tables:
Fig. 1 Example CMA code
Fig. 2 Overall architecture of the SCAD system
Table 1 Time to first reach the target with different path-search algorithms
Table 2 Details of detecting the CMA in split with different path-search algorithms