Journal of Tsinghua University (Science and Technology) 2017, Vol. 57, Issue 10: 1022-1029    DOI: 10.16511/j.cnki.qhdxxb.2017.25.040
二进制程序中的use-after-free漏洞检测技术 (Chinese title)
Detect use-after-free vulnerabilities in binaries
HAN Xinhui1, WEI Shuang1, YE Jiayi1, ZHANG Chao2, YE Zhiyuan1
1. Institute of Computer Science and Technology, Peking University, Beijing 100080, China;
2. Institute for Network Science and Cyberspace, Tsinghua University, Beijing 100084, China
Abstract (translated from the Chinese): Use-after-free (UaF) vulnerabilities are currently the most prevalent class of high-severity memory corruption vulnerability. Existing UaF detection is incomplete because the signature of a UaF bug is three events occurring in order on the same memory: allocating it, freeing it, and then using the freed memory. These three events can occur anywhere in the program, so a detector must follow a long execution sequence and search it for potentially dangerous event sequences, which greatly raises the difficulty of detection. This paper analyzes the root causes of UaF vulnerabilities, how they are exploited, the threats they pose, and the challenges facing detection techniques, and then designs and implements a UaF detection system for binaries based on static analysis and dynamic symbolic execution. In testing, the system detected publicly disclosed UaF vulnerabilities. Using the system to find UaF vulnerabilities in software, and then patching or hardening the software promptly, can effectively improve software robustness and reduce the security risk that UaF vulnerabilities bring.
Abstract: Use-after-free (UaF) vulnerabilities are one of the most common and dangerous classes of memory corruption vulnerability, and they are hard to detect. A UaF vulnerability is triggered if and only if three operations occur on the same memory region in order: allocating the memory, freeing it, and then using the freed memory. The three operations may lie anywhere in the program, often far apart in the execution, so the analysis must track a long execution sequence and search it for potentially vulnerable event sequences. This study analyzes the root causes of UaF vulnerabilities, ways to exploit them, the severity of the threat, and the challenges in detecting them. A solution is then given that combines static analysis with dynamic symbolic execution to detect UaF vulnerabilities in binaries. Tests show that this solution detects the known vulnerabilities in a benchmark, so the detection system can be used to identify and fix such bugs and improve application security.
Key words: use-after-free; static analysis; dynamic symbolic execution
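The abstract's core observation is that a UaF is an ordered triple of events (allocate, free, use) on the same region, possibly separated by arbitrary other activity. As an added illustration, not code from the paper or from its detection system, the following C program models exactly that view on the dynamic side: it replays a recorded trace of allocation, free and memory-access events against a small heap model and reports a use that hits a region whose most recent allocation has already been freed. The event record layout, the `pc` identifiers and the sample trace are assumptions constructed for this example; a real tracer (e.g. one built on a symbolic execution engine) would supply the events.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* The three operations the abstract names; a UaF is ALLOC, then FREE, then USE
 * on the same region, with anything else allowed in between. */
typedef enum { EV_ALLOC, EV_FREE, EV_USE } ev_kind;

/* One trace record (hypothetical format). 'pc' is an instruction identifier
 * used only for reporting; 'size' is meaningful for EV_ALLOC only. */
typedef struct { ev_kind kind; uintptr_t addr; size_t size; int pc; } event;

#define MAX_REGIONS 64
typedef struct { uintptr_t base; size_t size; bool live; int alloc_pc; int free_pc; } region;
typedef struct { region r[MAX_REGIONS]; int n; } heap_model;

/* Newest region first: a fresh allocation that reuses a freed address shadows the
 * stale entry, so a use there belongs to the new object and is not a UaF. */
static region *find_region(heap_model *h, uintptr_t addr)
{
    for (int i = h->n - 1; i >= 0; i--) {
        region *rg = &h->r[i];
        if (addr >= rg->base && addr < rg->base + rg->size)
            return rg;
    }
    return NULL;
}

/* Replays the trace and counts uses of freed regions. For the first hit, the
 * pc of the offending use and of the free that made it dangling are returned. */
int check_trace(const event *ev, int n, int *first_use_pc, int *first_free_pc)
{
    heap_model h = { .n = 0 };
    int reports = 0;

    for (int i = 0; i < n; i++) {
        const event *e = &ev[i];
        region *rg;
        switch (e->kind) {
        case EV_ALLOC:
            if (h.n < MAX_REGIONS)
                h.r[h.n++] = (region){ e->addr, e->size, true, e->pc, -1 };
            break;
        case EV_FREE:
            rg = find_region(&h, e->addr);
            if (rg && rg->live && rg->base == e->addr) {
                rg->live = false;
                rg->free_pc = e->pc;
            }
            /* free() of an unknown or already freed address is an invalid/double
             * free, a separate bug class, and is deliberately not counted here. */
            break;
        case EV_USE:
            rg = find_region(&h, e->addr);
            if (rg && !rg->live) {
                if (reports == 0) { *first_use_pc = e->pc; *first_free_pc = rg->free_pc; }
                reports++;
            }
            break;
        }
    }
    return reports;
}

/* Constructed sample trace (not taken from the paper or from any real program):
 * a dangling pointer whose free and later use are separated by unrelated heap
 * activity, which is what forces a detector to follow long event sequences. */
static const event sample_trace[] = {
    { EV_ALLOC, 0x1000, 32, 10 },  /* p = malloc(32)                       */
    { EV_USE,   0x1008,  0, 11 },  /* p->next = ...           legal        */
    { EV_ALLOC, 0x2000, 64, 12 },  /* q = malloc(64)          unrelated    */
    { EV_FREE,  0x1000,  0, 20 },  /* free(p); p is left dangling          */
    { EV_USE,   0x2010,  0, 21 },  /* q->data = ...           legal        */
    { EV_USE,   0x1008,  0, 30 },  /* p->next read            USE-AFTER-FREE */
    { EV_ALLOC, 0x1000, 32, 31 },  /* r = malloc(32) reuses p's address    */
    { EV_USE,   0x1008,  0, 32 },  /* r->next = ...           legal again  */
};
#define SAMPLE_LEN ((int)(sizeof sample_trace / sizeof sample_trace[0]))

static int run_sample(int *u, int *f) { *u = -1; *f = -1; return check_trace(sample_trace, SAMPLE_LEN, u, f); }
int sample_uaf_count(void)    { int u, f; return run_sample(&u, &f); }
int sample_first_use_pc(void) { int u, f; run_sample(&u, &f); return u; }
int sample_first_free_pc(void){ int u, f; run_sample(&u, &f); return f; }

int main(void)
{
    printf("use-after-free reports: %d (use at pc %d, region freed at pc %d)\n",
           sample_uaf_count(), sample_first_use_pc(), sample_first_free_pc());
    return 0;
}
```

The trace yields exactly one report (the use at pc 30 of the region freed at pc 20): the read at pc 11 precedes the free, the accesses to the second object are unrelated, and the access at pc 32 is legal because the allocator has handed the same address to a new object. That last case is why the model has to track allocation identity rather than raw addresses; a detector that only remembered "address 0x1000 was freed" would report a false positive there.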
Received: 2016-12-19      Published: 2017-10-15
CLC number: TP393.08
Cite this article:
HAN Xinhui, WEI Shuang, YE Jiayi, ZHANG Chao, YE Zhiyuan. Detect use-after-free vulnerabilities in binaries. Journal of Tsinghua University(Science and Technology), 2017, 57(10): 1022-1029.
Link to this article: http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2017.25.040 or http://jst.tsinghuajournals.com/CN/Y2017/V57/I10/1022
Figures (captions only, translated from the Chinese):
Fig. 1 Overall framework of the UaF vulnerability detection system
Fig. 2 Binary file analysis framework
Fig. 3 Backward data-flow analysis algorithm
Fig. 4 Definitions required by the backward data-flow analysis algorithm
Fig. 5 Detection of functions that free memory
Fig. 6 IDA-based UaF vulnerability analysis
Fig. 7 S2E-based UaF vulnerability analysis
Fig. 8 Type definition of the linked-list node
Fig. 9 Call site of the key free function in the Shitsco program
Copyright © Editorial Office of the Journal of Tsinghua University (Science and Technology)