Computer Science ›› 2018, Vol. 45 ›› Issue (5): 5-14. doi: 10.11896/j.issn.1002-137X.2018.05.002


Review of Crash Exploitability Analysis Methods

ZHANG Jing, ZHOU An-min, LIU Liang, JIA Peng and LIU Lu-ping

  1. College of Electronics and Information Engineering, Sichuan University, Chengdu 610065
  • Online: 2018-05-15  Published: 2018-07-25

Abstract: Fuzzing is currently the mainstream technique for vulnerability discovery, and the great majority of software vulnerabilities found today are discovered with it. A major problem with fuzzing, however, is that it produces a large number of crash samples, and how to analyze and classify these crash samples quickly is the main problem facing fuzzing-based vulnerability discovery. Focusing on research into crash exploitability analysis, this paper first summarizes the causes of program crashes and surveys the current state of crash analysis techniques; it then analyzes in detail four effective methods for determining crash exploitability that rely on dynamic taint analysis, symbolic execution and related techniques; finally, it compares the differences between these four methods and discusses the future development directions and trends of crash exploitability analysis.

Key words: Crash analysis, Exploitability determination, Taint analysis, Symbolic execution

