Research on Static Detection of Vulnerabilities in Binary Code
Topic of this thesis: vulnerability detection + static analysis; source: master's thesis, 华侨大学 (Huaqiao University), 2017
[Abstract]: Software vulnerabilities increase the number of network security incidents. Over the past decade, source-code-based detection has drawn wide attention from security researchers, and many source-code vulnerability detection tools have been built on it with clear results. In recent years vulnerabilities have been disclosed frequently in a wide range of commercial software, seriously affecting enterprise security, so the security of third-party applications is receiving more and more attention. Compared with vulnerability detection in high-level languages, detecting vulnerabilities in binary code is much harder, because binary code lacks program attribute information and machine-code instructions are harder to understand than high-level language; research on this topic, at home and abroad, is still in its infancy. Among existing binary code vulnerability detection methods, dynamic detection checks the program while it runs, which often consumes a great deal of CPU resources and offers a low degree of automation. Static detection, by contrast, does not execute the program but traverses the code by simulating its execution flow: it can cover all program paths, find vulnerabilities before the program runs, avoids heavy CPU consumption, and offers a high degree of automation. This thesis adopts a static analysis approach and analyses the semantics of modern processor instruction sets. Binary code is translated into an intermediate representation (IR) that is easier to understand and analyse, and source-code analysis techniques are then applied to the translated IR. To address the shortcomings of existing intermediate representations, the thesis redesigns an IR that is easy to analyse and uses it as the detection target, with abstract interpretation as the detection method and a layered (stratified) abstract domain approach to improve detection precision; the result is the binary code vulnerability static detection system Binana. Binana can detect vulnerabilities in applications and core components on Windows, Linux and ARM platforms; it has verified a large number of known vulnerabilities and has also found one 0-day vulnerability. In addition, the thesis uses Binana as an auxiliary analysis tool to statically analyse larger-scale application software and, on that basis, to detect vulnerabilities in larger programs. Finally, the effectiveness and practicality of the system are validated by detecting different types of RTF document vulnerabilities and comparing the results with existing methods and tools.
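The abstract describes lifting binary code to an intermediate representation, running abstract interpretation over it, and using layered abstract domains to raise precision. The following is an added example, not code from the thesis or from Binana: it sketches that pipeline in miniature with a constructed register IR, an interval abstract domain, and a two-layer check in which a coarse layer proves fixed-offset stores safe and only the stores it cannot resolve are re-analysed with intervals. The IR opcodes, the buffer table, the register names and the two sample programs are all assumptions made for illustration.

```python
"""Toy abstract interpreter over a tiny register IR (added example; not Binana)."""
from typing import Dict, List, Optional, Tuple

# Constructed IR for this example (straight-line code, one path condition op):
#   ("const",     dst, value)       dst := value
#   ("input",     dst, lo, hi)      dst := untrusted field known to lie in [lo, hi]
#   ("add",       dst, a, b)        dst := a + b
#   ("assume_lt", reg, bound)       path condition reg < bound (from a compare+branch)
#   ("store8",    buf, idx_reg)     write one byte to buffer buf at index idx_reg
Instr = tuple
Interval = Tuple[int, int]                       # inclusive [lo, hi]
TOP: Interval = (-(1 << 31), (1 << 31) - 1)      # "any 32-bit value" (no wrap-around modelled)
Finding = Tuple[int, str, str]                   # (pc, buffer, verdict)


def interval_add(a: Interval, b: Interval) -> Interval:
    return (a[0] + b[0], a[1] + b[1])


def refine_lt(a: Interval, bound: int) -> Optional[Interval]:
    """Intersect a with (-inf, bound); None means the path is infeasible."""
    hi = min(a[1], bound - 1)
    return None if hi < a[0] else (a[0], hi)


def analyze(program: List[Instr], buffers: Dict[str, int], precise: bool = True) -> List[Finding]:
    """Abstractly execute the IR and classify every store8 against its buffer size.

    precise=False is the coarse first layer: inputs become TOP and path
    conditions are ignored.  precise=True is the interval layer.
    """
    env: Dict[str, Interval] = {}
    findings: List[Finding] = []
    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "const":
            env[ins[1]] = (ins[2], ins[2])
        elif op == "input":
            env[ins[1]] = (ins[2], ins[3]) if precise else TOP
        elif op == "add":
            env[ins[1]] = interval_add(env[ins[2]], env[ins[3]])
        elif op == "assume_lt":
            if precise:
                refined = refine_lt(env[ins[1]], ins[2])
                if refined is None:
                    return findings          # infeasible path: nothing after it runs
                env[ins[1]] = refined
        elif op == "store8":
            buf, idx, size = ins[1], env[ins[2]], buffers[ins[1]]
            if idx[0] >= 0 and idx[1] < size:
                verdict = "safe"             # whole interval inside the buffer
            elif idx[0] >= size or idx[1] < 0:
                verdict = "definite_overflow"  # whole interval outside the buffer
            else:
                verdict = "possible_overflow"  # interval straddles the bound
            findings.append((pc, buf, verdict))
        else:
            raise ValueError(f"unknown op {op!r}")
    return findings


def stratified(program: List[Instr], buffers: Dict[str, int]) -> List[Finding]:
    """Layered check: cheap coarse domain first, interval domain only if needed."""
    coarse = analyze(program, buffers, precise=False)
    if all(v == "safe" for _, _, v in coarse):
        return coarse
    return analyze(program, buffers, precise=True)


# Constructed sample inputs: a 16-byte header buffer and a 256-byte data buffer.
BUFFERS = {"hdr": 16, "data": 256}

# A 16-bit length field from the file is used as a store index without a check.
UNCHECKED = [
    ("const", "r0", 4),
    ("store8", "hdr", "r0"),          # fixed offset: provable at the coarse layer
    ("input", "r1", 0, 65535),        # attacker-controlled field
    ("store8", "data", "r1"),         # index may reach 65535 >= 256
]

# The same write guarded by the bounds check the parser should have.
CHECKED = [
    ("input", "r1", 0, 65535),
    ("assume_lt", "r1", 256),         # branch taken only when r1 < 256
    ("store8", "data", "r1"),
]

if __name__ == "__main__":
    for name, prog in (("unchecked", UNCHECKED), ("checked", CHECKED)):
        print(name, "coarse:", analyze(prog, BUFFERS, precise=False))
        print(name, "stratified:", stratified(prog, BUFFERS))
```

Running the block shows the point of the layering: the coarse domain flags the guarded store in `CHECKED` as a possible overflow because it cannot use the path condition, while the interval layer proves it safe; the unguarded store in `UNCHECKED` stays a possible overflow in both layers, which is the class of length-field bug the abstract's RTF case studies target.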
[Degree-granting institution]: 华侨大学 (Huaqiao University)
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification code]: TP309