Journal of Tsinghua University (Science and Technology), 2016, Vol. 56, Issue 1: 28-34. DOI: 10.16511/j.cnki.qhdxxb.2016.23.006
INFORMATION SECURITY
Approach of generating vulnerability signature based on taint analysis and symbolic execution
XIN Wei, SHI Zhiwei, HAO Yongle, DONG Guowei
China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract: A vulnerability signature matches the set of inputs that trigger a software vulnerability. Applying vulnerability signatures to input filtering is one of the most popular and effective defense mechanisms for protecting vulnerable programs against exploits. A method for generating vulnerability signatures was developed using taint analysis and symbolic execution. The method uses taint analysis to locate the input bytes that direct execution to vulnerable points. Path constraints are then generated via dynamic symbolic execution, and the final vulnerability signature is obtained through constraint solving. A proof-of-concept system, TASEVS, was implemented on the instrumentation tool Pin and the constraint solver Z3. Experimental results show that TASEVS can effectively generate vulnerability signatures.
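The three-stage pipeline the abstract describes, as an added toy example (not the paper's TASEVS code): taint analysis locates the input bytes that reach the vulnerable point, the concrete run records path constraints on tainted branches, and a per-byte enumeration stands in for Z3 to turn those constraints into a signature usable as an input filter. The mini-IR and the sample two-byte header parser are assumptions constructed for illustration.

```python
# Toy version of the abstract's pipeline (taint -> symbolic execution -> solving);
# mini-IR, sample parser and byte enumeration in place of Z3 are assumptions.
# IR: ("load", dst, idx) dst = input[idx]; ("jgt"|"jle", r, k, t) jump to t if
#     r > k / r <= k; ("sink", r) vulnerable point consuming r; ("halt",).
PROGRAM = [                       # constructed parser of a 2-byte header
    ("load", "r0", 0),            # 0: r0 = type byte
    ("jgt", "r0", 0x10, 6),       # 1: type > 0x10  -> reject
    ("jle", "r0", 0x0f, 6),       # 2: type <= 0x0f -> reject (so type == 0x10)
    ("load", "r1", 1),            # 3: r1 = payload length byte
    ("jle", "r1", 64, 6),         # 4: fits the 64-byte buffer -> safe exit
    ("sink", "r1"),               # 5: copies r1 bytes into buf[64]: overflow
    ("halt",),                    # 6: reject / safe exit
]

def explore(program, data):
    """Concrete run with taint + symbolic tracking; returns (tainted input
    index at the sink, path constraints) or None if the sink is not reached."""
    val, taint, constraints, pc = {}, {}, [], 0   # constraint = (idx, op, k)
    while True:
        ins = program[pc]
        if ins[0] == "load":
            val[ins[1]], taint[ins[1]] = data[ins[2]], ins[2]
            pc += 1
        elif ins[0] in ("jgt", "jle"):
            _, reg, k, target = ins
            taken = val[reg] > k if ins[0] == "jgt" else val[reg] <= k
            if taint[reg] is not None:   # only tainted branches shape the signature
                op = ">" if (ins[0] == "jgt") == taken else "<="
                constraints.append((taint[reg], op, k))
            pc = target if taken else pc + 1
        elif ins[0] == "sink":
            src = taint[ins[1]]
            return (src, constraints) if src is not None else None
        else:                            # halt: vulnerable point not reached
            return None

def solve(constraints):
    """Constraint solving by enumeration (stands in for Z3): per input byte,
    the set of values satisfying every constraint recorded on it."""
    sig = {}
    for idx, op, k in constraints:
        sig[idx] = {v for v in sig.get(idx, range(256)) if (v > k if op == ">" else v <= k)}
    return sig

def generate_signature(program, seed):    # seed: an input known to trigger the bug
    found = explore(program, seed)
    return None if found is None else solve(found[1])   # {byte index: allowed values}

def matches(sig, data):                    # input filter built from the signature
    return all(i < len(data) and data[i] in vals for i, vals in sig.items())
```

For the sample parser, a seed of `bytes([0x10, 0x80])` yields the signature type == 0x10 and length > 64, which the filter then applies to any later input.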
Keywords: binary-executable-oriented software; vulnerability signature; taint analysis; symbolic execution; constraint solving
CLC number: TP309
Issue Date: 15 January 2016
Cite this article:   
XIN Wei, SHI Zhiwei, HAO Yongle, et al. Approach of generating vulnerability signature based on taint analysis and symbolic execution[J]. Journal of Tsinghua University (Science and Technology), 2016, 56(1): 28-34.
URL:  
http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2016.23.006     OR     http://jst.tsinghuajournals.com/EN/Y2016/V56/I1/28