Computer Science (计算机科学) ›› 2018, Vol. 45 ›› Issue (5): 5-14. doi: 10.11896/j.issn.1002-137X.2018.05.002

• Review •

Review of Crash Exploitability Analysis Methods (Crash可利用性分析方法研究综述)

ZHANG Jing, ZHOU An-min, LIU Liang, JIA Peng and LIU Lu-ping (张婧, 周安民, 刘亮, 贾鹏, 刘露平)

  1. College of Electronics and Information Engineering, Sichuan University, Chengdu 610065, China (affiliation of all five authors)
  • Online: 2018-05-15  Published: 2018-07-25

Abstract (translated from the Chinese): Fuzzing is currently the mainstream technique for vulnerability discovery, and the great majority of software vulnerabilities found today are discovered with it. A major problem with fuzzing, however, is that it produces a large number of crash samples; how to analyse and classify these crash samples quickly is the main problem facing fuzzing-based vulnerability discovery at present. This paper focuses on research into crash exploitability analysis. First, it summarises the causes of program crashes and surveys the current state of development of their analysis techniques; second, it analyses in depth four effective methods in current use that determine crash exploitability with techniques such as dynamic taint analysis and symbolic execution; finally, it compares the differences between these four methods and discusses the future directions and trends of crash exploitability analysis techniques.

Key words (translated from the Chinese): crash analysis, exploitability determination, taint analysis, symbolic execution

Abstract: Fuzzing is the main technology used in the current stage of vulnerability mining, and currently the majority of software vulnerabilities are discovered by using this technology. However, one of the main problems with fuzzing is that it produces a large number of crash samples, and how to quickly analyze these crash samples is the main problem of using fuzzing for vulnerability mining work. This paper focuses on research into crash exploitability. Firstly, it summarizes the causes of crashes and discusses the development status of their analysis technology; then it analyzes in depth four effective methods of crash exploitability determination that use dynamic taint analysis, symbolic execution and other techniques. Finally, it compares the differences between the four methods, and explores the future development direction and trend of crash exploitability analysis techniques.

Key words: Crash analysis, Exploitability determination, Taint analysis, Symbolic execution
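The abstract names dynamic taint analysis as one of the techniques used to decide whether a fuzzer-found crash is exploitable. The script below is an added illustration of that idea, not code from the paper or from any tool it surveys: it replays a toy register-level instruction trace, propagates an "input-derived" taint bit through registers and memory, and, when an access faults, reports whether the faulting address or control-flow target depends on the fuzzed input. The instruction format, the single mapped page, the verdict labels and the sample traces are all constructed for this example.

```python
# Added example (not code from the paper or from any tool it surveys): a toy
# dynamic taint tracker for crash triage. It replays a constructed register-level
# trace, marks every value that depends on fuzzer input as tainted, and when an
# access faults reports whether the faulting operand is input-derived.

MAPPED = range(0x1000, 0x2000)   # constructed: the single page the toy program may touch


class Crash(Exception):
    """Raised when an access leaves the mapped page."""

    def __init__(self, kind, addr, tainted):
        super().__init__(f"{kind} fault at 0x{addr:x}")
        self.kind, self.addr, self.tainted = kind, addr, tainted


class TaintMachine:
    def __init__(self, inputs):
        # inputs: register -> value copied straight from the crashing input file
        self.regs = dict(inputs)
        self.tainted = set(inputs)        # registers whose value depends on input
        self.mem = {}                     # address -> value
        self.mem_tainted = set()          # addresses holding input-derived values

    def _val(self, operand):
        """An operand is a register name or an immediate; return (value, taint)."""
        if isinstance(operand, str):
            return self.regs[operand], operand in self.tainted
        return operand, False

    def _set(self, reg, value, tainted):
        self.regs[reg] = value & 0xFFFFFFFF
        (self.tainted.add if tainted else self.tainted.discard)(reg)

    def _check(self, addr, tainted, kind):
        if addr not in MAPPED:
            raise Crash(kind, addr, tainted)

    def step(self, ins):
        op = ins[0]
        if op == "mov":                           # ("mov", dst, src)
            _, dst, src = ins
            v, t = self._val(src)
            self._set(dst, v, t)
        elif op in ("add", "mul"):                # ("add", dst, a, b): taint is the union
            _, dst, a, b = ins
            va, ta = self._val(a)
            vb, tb = self._val(b)
            self._set(dst, va + vb if op == "add" else va * vb, ta or tb)
        elif op == "load":                        # ("load", dst, addr_reg): data taint comes from the cell
            _, dst, addr = ins
            a, ta = self._val(addr)
            self._check(a, ta, "read")
            self._set(dst, self.mem.get(a, 0), a in self.mem_tainted)
        elif op == "store":                       # ("store", addr_reg, src)
            _, addr, src = ins
            a, ta = self._val(addr)
            self._check(a, ta, "write")
            v, t = self._val(src)
            self.mem[a] = v
            (self.mem_tainted.add if t else self.mem_tainted.discard)(a)
        elif op == "jmp":                         # ("jmp", target_reg)
            a, ta = self._val(ins[1])
            self._check(a, ta, "exec")
        else:
            raise ValueError(f"unknown op {op}")


def triage(trace, inputs):
    """Replay the trace; return (verdict, reason). Verdict labels are this example's own."""
    m = TaintMachine(inputs)
    for pc, ins in enumerate(trace):
        try:
            m.step(ins)
        except Crash as c:
            where = f"instruction {pc}: {c.kind} fault at 0x{c.addr:x}"
            if c.kind == "exec" and c.tainted:
                return "EXPLOITABLE", where + ", control-flow target is input-derived"
            if c.kind == "write" and c.tainted:
                return "EXPLOITABLE", where + ", write address is input-derived"
            if c.tainted:
                return "PROBABLY_EXPLOITABLE", where + ", read address is input-derived"
            return "PROBABLY_NOT_EXPLOITABLE", where + ", address does not depend on input"
    return "NO_CRASH", "trace completed without a fault"


# Constructed traces; r0 always holds a field taken verbatim from the fuzzed file.
SAMPLES = {
    # length field used as an offset: the store lands outside the buffer
    "tainted_write": ({"r0": 0x41414141},
                      [("mov", "r1", 0x1000), ("add", "r2", "r1", "r0"), ("store", "r2", 7)]),
    # classic null dereference: the bad pointer never touched input
    "null_read": ({"r0": 5},
                  [("mov", "r1", 0), ("load", "r3", "r1")]),
    # input written to memory, read back as a function pointer, then used as a target
    "tainted_jump": ({"r0": 0xDEADBEEF},
                     [("mov", "r1", 0x1010), ("store", "r1", "r0"),
                      ("load", "r4", "r1"), ("jmp", "r4")]),
    # read at an input-derived offset that falls off the page
    "tainted_read": ({"r0": 0x2000},
                     [("mov", "r1", 0x1000), ("add", "r2", "r1", "r0"), ("load", "r3", "r2")]),
}


def run_samples():
    """Map each constructed sample to its verdict label."""
    return {name: triage(trace, inputs)[0] for name, (inputs, trace) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (inputs, trace) in SAMPLES.items():
        print(f"{name:14s} -> {triage(trace, inputs)}")
```

The point of the model is the ranking, not the toy ISA: a fault whose address or target is a function of the input is placed ahead of one that is not, which is the same ordering a triage queue needs when a fuzzing run yields thousands of crashes. Real trackers differ mainly in granularity (bit or byte rather than whole register), in how taint flows through memory and through implicit (control-dependent) flows, and in the cost of instrumenting a native binary, which is where the surveyed dynamic-analysis frameworks spend their effort.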

