Computer Science, 2024, Vol. 51, Issue (2): 352-358. doi: 10.11896/jsjkx.221200136

• Information Security •

Memory Safety Vulnerability Detection Combining Fuzzing and Dynamic Analysis

MA Yingzi, CHEN Zhe, YIN Jiale, MAO Ruiqi

  1. College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211100, China
  • Received: 2022-12-23  Revised: 2023-04-21  Online: 2024-02-15  Published: 2024-02-22
  • Corresponding author: CHEN Zhe (zhechen@nuaa.edu.cn)
  • About author: (18864820270@163.com)
  • Supported by:
    National Natural Science Foundation of China (62172217); Joint Research Funds of the National Natural Science Foundation of China and the Civil Aviation Administration of China (U1533130); Fundamental Research Funds for the Central Universities, AI+ Special Project (NZ2020019)

Memory Security Vulnerability Detection Combining Fuzzy Testing and Dynamic Analysis

MA Yingzi, CHEN Zhe, YIN Jiale, MAO Ruiqi   

  1. College of Computer Science and Technology,Nanjing University of Aeronautics and Astronautics,Nanjing 211100,China
  • Received:2022-12-23 Revised:2023-04-21 Online:2024-02-15 Published:2024-02-22
  • About author: MA Yingzi, born in 1996, postgraduate. Her main research interests include verification of software and model checking. CHEN Zhe, born in 1981, associate professor, is a member of CCF (No.22234M). His main research interests include verification of software, software engineering and network security.
  • Supported by:
    National Natural Science Foundation of China (62172277), Joint Research Funds of the National Natural Science Foundation of China and the Civil Aviation Administration of China (U1533130) and Fundamental Research Funds of AI for the Central Universities of the Ministry of Education of China (NZ2020019).

Abstract (translated from the Chinese): C is widely used in the development of system software and embedded software because of its execution speed and its control over memory. The power of pointers lets a program operate on memory directly, but C performs no memory safety checking, so pointer use can lead to memory errors such as memory leaks, buffer overflows and double frees, and these errors sometimes cause fatal damage such as system crashes or corruption of internal data. Several techniques for detecting memory safety vulnerabilities in C programs already exist. Dynamic analysis instruments the source code to check memory safety at run time, but it can only find an error when execution reaches the path on which the error lies, so it depends on the program's input. Fuzzing finds software vulnerabilities by feeding inputs to the program and monitoring the result of each run, but it cannot detect memory safety errors that do not crash the program, nor can it provide details such as the location of the error. In addition, because the syntax of C is complex, dynamic analysis tools often fail to handle certain uncommon constructs correctly when analysing large, complex projects, so that instrumentation fails or the instrumented program cannot be compiled. To address these problems, this paper combines dynamic analysis with fuzzing and improves existing methods, yielding a method that can check the memory safety of C programs containing such constructs. Reliability and performance experiments show that, once handling for these C constructs is added, programs that contain them can be checked for memory safety, and that the combination with fuzzing gives stronger vulnerability detection capability.

Keywords: Memory safety, Source-level instrumentation, Dynamic analysis, Fuzzing, Memory errors

Abstract: C is widely used in the development of system software and embedded software because of its speed and the precise control of memory it offers through pointers, and it remains one of the most popular programming languages. The power of pointers makes it possible to operate directly on memory. However, C does not check memory safety, so the use of pointers can lead to memory errors such as memory leaks, buffer overflows and double frees, and these errors can sometimes cause fatal damage such as system crashes or corruption of internal data. Several techniques exist for detecting memory safety vulnerabilities in C programs. Among them, dynamic analysis checks the memory safety of C programs at run time by instrumenting the source code, but it can only find an error when the program executes the path on which the error lies, so it depends on the program's input. Fuzzing is a method that finds software vulnerabilities by feeding inputs to the program and monitoring the results of each run, but it cannot detect memory safety errors that do not crash the program, nor can it provide detailed information such as the location of the error. In addition, because the grammar of C is complex, dynamic analysis tools often fail to handle some uncommon constructs correctly when analysing large and complex projects, so that instrumentation fails or the instrumented program cannot be compiled. To address these problems, this paper proposes a method that can check the memory safety of C programs containing such constructs by combining dynamic analysis with fuzzing and improving existing methods. Reliability and performance experiments show that, with the added handling of these C constructs, the memory safety of programs containing them can be checked, and that the combination with fuzzing gives stronger vulnerability detection capability.

Key words: Memory safety, Source-level instrumentation, Dynamic analysis, Fuzzing, Memory errors
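The interplay described in both abstracts above (instrumentation that reports precisely but only on executed paths, fuzzing that supplies paths but only sees crashes), as an added example in C that is not code from the paper or its tool. It builds a toy source-level instrumentation runtime that records heap blocks and checks every access and every free, a program under test whose off-by-one write lands in allocator slack and so never crashes, and a small deterministic input driver in the spirit of AFL's interesting-value stage. Every name here (tracked_malloc, check_access, parse_record, run_once, fuzz, double_free_demo, the site strings) and the seed input are constructed for this example and are assumptions, not the paper's design.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy source-level instrumentation runtime (added example, not the paper's tool):
 * each heap block gets a record, and check_access()/tracked_free() stand in for
 * the checks an instrumenter inserts before every dereference and free(). */
enum { MEM_OK = 0, MEM_OOB, MEM_UAF, MEM_DOUBLE_FREE, MEM_UNKNOWN };
typedef struct { uintptr_t base; size_t size; int freed; } alloc_rec;
static alloc_rec table[4096];          /* records are never reclaimed in this toy */
static int ntable;
static int last_error = MEM_OK;        /* last report: error class ... */
static const char *last_site = "";     /* ... and the instrumented site that raised it */
static int report(int err, const char *site) { last_error = err; last_site = site; return err; }

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && ntable < 4096) table[ntable++] = (alloc_rec){ (uintptr_t)p, n, 0 };
    return p;
}

/* Newest record first, so a reused address resolves to its live block; the
 * one-past-the-end address still maps to the block so that it can be flagged. */
static alloc_rec *find_rec(uintptr_t a) {
    for (int i = ntable - 1; i >= 0; i--)
        if (a >= table[i].base && a <= table[i].base + table[i].size) return &table[i];
    return NULL;
}

static int tracked_free(void *p, const char *site) {
    alloc_rec *r = find_rec((uintptr_t)p);
    if (!r || r->base != (uintptr_t)p) return report(MEM_UNKNOWN, site);
    if (r->freed) return report(MEM_DOUBLE_FREE, site);   /* never free twice */
    r->freed = 1;
    free(p);
    return MEM_OK;
}

/* Spatial and temporal check: [p, p+len) must lie inside a live block. */
static int check_access(const void *p, size_t len, const char *site) {
    alloc_rec *r = find_rec((uintptr_t)p);
    if (!r) return report(MEM_UNKNOWN, site);
    if (r->freed) return report(MEM_UAF, site);
    if ((uintptr_t)p + len > r->base + r->size) return report(MEM_OOB, site);
    return MEM_OK;
}

/* Program under test: a record is "<len byte><payload>", copied into a 16-byte
 * heap buffer and NUL-terminated. Bug: len == 16 passes the guard, so the
 * terminator lands one byte past the block. That byte usually falls into allocator
 * slack, so the uninstrumented program does not crash and a crash-only fuzzer never
 * notices. The check_access() calls are what the instrumentation adds. */
#define BUF 16
static int parse_record(const uint8_t *in, size_t n) {
    if (n < 1) return -1;
    size_t len = in[0];
    if (len > BUF || len + 1 > n) return -1;             /* should be len >= BUF */
    char *buf = tracked_malloc(BUF);
    if (!buf) return -1;
    if (check_access(buf, len, "parse_record:memcpy") == MEM_OK) memcpy(buf, in + 1, len);
    if (check_access(buf + len, 1, "parse_record:terminator") == MEM_OK) buf[len] = '\0';
    tracked_free(buf, "parse_record:free");
    return 0;
}

/* Run one input through the instrumented program and return what it reported. */
static int run_once(const uint8_t *in, size_t n) {
    last_error = MEM_OK; last_site = "";
    parse_record(in, n);
    return last_error;
}

/* Minimal driver in the spirit of AFL's deterministic stage: set each byte of the
 * seed to each "interesting" value in turn. Returns the iteration of the first
 * instrumentation report, or -1 if none within `budget` executions. */
static const uint8_t interesting[] = { 0, 1, 15, 16, 17, 127, 128, 255 };
static int fuzz(const uint8_t *seed, size_t n, int budget) {
    uint8_t cur[64];
    if (n > sizeof cur) return -1;
    for (size_t i = 0, iter = 0; i < n; i++)
        for (size_t v = 0; v < sizeof interesting; v++, iter++) {
            if ((int)iter >= budget) return -1;
            memcpy(cur, seed, n);
            cur[i] = interesting[v];
            if (run_once(cur, n) != MEM_OK) return (int)iter;
        }
    return -1;
}

/* Temporal check on its own: a second free of the same block. */
static int double_free_demo(void) {
    void *p = tracked_malloc(8);
    tracked_free(p, "demo:free1");
    return tracked_free(p, "demo:free2");
}

/* Constructed seed input: len=4 followed by 16 payload bytes (a valid record). */
static const uint8_t seed_input[17] = { 4, 'a', 'b', 'c', 'd' };
```

Calling run_once(seed_input, sizeof seed_input) returns MEM_OK: the instrumented program is clean on the one input it was handed, which is the input dependence both abstracts describe. Calling fuzz(seed_input, sizeof seed_input, 1000) reaches the len == 16 input at iteration 3, and the runtime then reports MEM_OOB at the site "parse_record:terminator", a report a crash-only harness could not produce because the stray byte lands in slack. double_free_demo() shows the same records catching a second free. The toy's limits are deliberate: it tracks heap blocks only, never reclaims records, does not check for leaks, and answers MEM_UNKNOWN for any pointer it has not seen, which a real tool must not conflate with a bug.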

CLC number:

  • TP311