Computer Science, 2018, Vol. 45, Issue (5): 5-14, 23. doi: 10.11896/j.issn.1002-137X.2018.05.002


Review of Crash Exploitability Analysis Methods

ZHANG Jing, ZHOU An-min, LIU Liang, JIA Peng and LIU Lu-ping   

Online: 2018-05-15; Published: 2018-07-25

Abstract: Fuzzing is the main technique used at the current stage of vulnerability mining, and the majority of software vulnerabilities are currently discovered with it. However, one of the main problems with fuzzing is that it produces a large number of crash samples, and how to analyze these crash samples quickly is the main problem in using fuzzing for vulnerability mining. This paper focuses on research into crash exploitability. It first summarizes the causes of crashes and discusses the state of development of crash analysis technology, then examines in detail four effective methods of crash exploitability determination that use dynamic taint analysis, symbolic execution and other techniques. Finally, it compares the differences between the four methods and explores the future development direction and trends of crash exploitability analysis techniques.

Key words: Crash analysis, Exploitability determination, Taint analysis, Symbolic execution

