摘要
针对二进制代码的污点分析方法在软件逆向工程、漏洞分析及恶意代码检测等方面具有重大的意义.目前,大多数污点分析方法不支持浮点指令,执行效率较低,且传播的精度也不够高.提出并实现了一种基于执行踪迹离线索引的污点分析方法,以字节为粒度,且支持污点标签.提出执行踪迹离线索引的生成及查询算法,通过离线索引可跳过与污点数据无关的指令,提高污点分析的效率.首次描述并解决了即时翻译执行导致的污点丢失问题.使用污点标签以标识污点的来源和位置.提出较完善的污点传播算法,支持浮点指令,以尽可能精确地刻画污点信息从源操作数传递到目的操作数的过程.实现了灵活的可配置机制,用户可通过黑名单动态地引入污点数据.将提出的方法应用到漏洞检测的场景中,使用12个真实的软件漏洞作为测试样本集,将该方法与TEMU作对比实验,实验结果表明:该方法具备较强的漏洞检测能力,可验证的漏洞数比TEMU更多,且其平均执行效率比TEMU高5倍.
Taint analysis method in binary code plays an important role in reverse engineering, malicious code detecting and vulnerabilities analysis. Currently, most of taint analysis methods fail to operate float point instruction, and they do not propagate taints accurately and efficiently enough. In the paper, a taint analysis method is implemented based on offline indices of instruction trace, which are byte-grained and utilize taint tags. A generation and query algorithm of offline indices is also presented. Instructions unrelated to taint data are skipped with offline indices, which improves the efficiency of taint analysis. The taint loss problem resulted from real time translation is described and solved for the first time. Taint tags are utilized to denote where the taint data is derived. A more complete taint propagation algorithm, which could operate float point instructions and insure the taint data flow from source operands into the destination operands precisely, is also presented. Flexible user-configuration mechanism is implemented to produce taint data on the fly with black list. The proposed method is applied in vulnerabilities detecting and evaluated with 12 vulnerabilities as test cases. The experimental result shows that this taint analysis method is able to detect more vulnerabilities than TEMU, and is 5 times faster in average.
出处
《软件学报》
EI
CSCD
北大核心
2017年第9期2388-2401,共14页
Journal of Software
基金
国家自然科学基金(61502536)
国家高技术研究发展计划(863)(2015AA016004)~~
关键词
污点分析
离线索引
指令踪迹
漏洞检测
taint analysis
offline indices
instruction trace
vulnerabilities detecting
