Software vulnerabilities are the root cause of various information security incidents while dynamic taint analysis is an emerging program analysis technique. In this paper, to maximize the use of the technique to dete...Software vulnerabilities are the root cause of various information security incidents while dynamic taint analysis is an emerging program analysis technique. In this paper, to maximize the use of the technique to detect software vulnerabilities, we present SwordDTA, a tool that can perform dynamic taint analysis for binaries. This tool is flexible and extensible that it can work with commodity software and hardware. It can be used to detect software vulnerabilities with vulnerability modeling and taint check. We evaluate it with a number of commonly used real-world applications. The experimental results show that SwordDTA is capable of detecting at least four kinds of softavare vulnerabilities including buffer overflow, integer overflow, division by zero and use-after-free, and is applicable for a wide range of software.展开更多
Static analysis is often impeded by malware obfuscation techniques,such as encryption and packing,whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information.Unfortu...Static analysis is often impeded by malware obfuscation techniques,such as encryption and packing,whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information.Unfortunately,malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly.While known evasive techniques can be explicitly dismantled,the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations,such as logic bombs that rely on uncertain conditions,let alone unsupported evasive techniques,which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations.In this paper,we present Antitoxin,a prototype for automatically exploring evasive malware.Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques.The probabilities of branch execution are derived from dynamic coverage,while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions.Subsequently,Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration.This is achieved through forced execution,which forcefully sets the outcomes of branches on selected paths.Additionally,Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques,thereby reducing exploration overhead.Furthermore,Antitoxin provides valuable insights into sensitive behaviors,facilitating deeper manual analysis.Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner.The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations,enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear ex展开更多
Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests ...Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests and intrusion detection.Conventional protocol reverse engineering methods have been proposed which are considered time-consuming,tedious,and error-prone.Recently,automatical protocol reverse engineering methods have been proposed which are,however,neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations.In this paper,we present a framework called the industrial control system protocol reverse engineering framework(ICSPRF)that aims to extract ICS protocol fields with high accuracy.ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context,e.g.,basic block(BBL)group.As a result,by monitoring program execution,we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format.We evaluate our approach with six open-source ICS protocol implementations.The results show that ICSPRF can identify individual protocol fields with high accuracy(on average a 94.3%match ratio).ICSPRF also has a low coarse-grained and overly fine-grained match ratio.For the same metric,ICSPRF is more accurate than AutoFormat(88.5%for all evaluated protocols and 80.0%for binary-based protocols).展开更多
In recent years,Android applications have caused personal privacy leaks frequently.In order to analyze the malicious behavior,taint analysis technology can be used to track the API call chain,build a control-flow grap...In recent years,Android applications have caused personal privacy leaks frequently.In order to analyze the malicious behavior,taint analysis technology can be used to track the API call chain,build a control-flow graph of function,and determine whether there is a security risk.However,with the continuous escalation of offensive and defensive confrontation of source code,more and more applications use reinforcement technology to prevent security practitioners from performing reverse analysis,therefore it is impossible to analyze function-behavior from the source code.Thus,we design a framework of taint analysis that applied to the Android applications,which automatically unpacks the Android APKs,restores the real source code of the App,performs taint analysis,and generates a control-flow graph of function.Experimental tests showed that the system can cope with the current mainstream reinforcement technology and restore the real Dex file quickly.Simultaneously,compared with the number of nodes before packing,the generated control-flow graph had an explosive increase,which effectively assisted manual analysis of App with the privacy leakage behaviors.展开更多
Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart...Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.展开更多
The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for softw...The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.展开更多
Grey-box fuzzing is an effective technology to detect software vulnerabilities,such as memory corruption.Previous fuzzers in detecting memory corruption bugs either use heavy-weight analysis,or use techniques which ar...Grey-box fuzzing is an effective technology to detect software vulnerabilities,such as memory corruption.Previous fuzzers in detecting memory corruption bugs either use heavy-weight analysis,or use techniques which are not customized for memory corruption detection.In this paper,we propose a novel memory bug guided fuzzer,ovAFLow.To begin with,we broaden the memory corruption targets where we frequently identify bugs.Next,ovAFLow utilizes light-weight and effective methods to build connections between the fuzzing inputs and these corruption targets.Based on the connection results,ovAFLow uses customized techniques to direct the fuzzing process closer to memory corruption.We evaluate ovAFLow against state-of-the-art fuzzers,including AFL(american fuzzy lop),AFLFast,FairPuzz,QSYM,Angora,TIFF,and TortoiseFuzz.The evaluation results show better vulnerability detection ability of ovAFLow,and the performance overhead is acceptable.Moreover,we identify 12 new memory corruption bugs and two CVEs(common vulnerability exposures)with the help of ovAFLow.展开更多
Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart...Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.展开更多
Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and sign...Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.展开更多
The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for softw...The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.展开更多
Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and sign...Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.展开更多
基于流和上下文敏感的SSA(static single assignment)信息流分析技术,提出了一种细粒度、可扩展的污点传播检测方法.利用控制流和数据流的相关信息,跟踪污染数据及其传播路径,可以检测缓冲区溢出、格式化串漏洞等程序脆弱性.分析过程在...基于流和上下文敏感的SSA(static single assignment)信息流分析技术,提出了一种细粒度、可扩展的污点传播检测方法.利用控制流和数据流的相关信息,跟踪污染数据及其传播路径,可以检测缓冲区溢出、格式化串漏洞等程序脆弱性.分析过程在潜在问题点自动插装动态验证函数,在无需用户干预的情况下保证了程序的运行时安全.在GCC编译器的基础上实现了分析系统,实验结果表明,该方法具有较高的精确度和时空效率.展开更多
基金Supported by the National High Technology Research and Development Program of China(863 Program)(2012AA012902)the“HGJ”National Major Technological Projects(2013ZX01045-004)
文摘Software vulnerabilities are the root cause of various information security incidents while dynamic taint analysis is an emerging program analysis technique. In this paper, to maximize the use of the technique to detect software vulnerabilities, we present SwordDTA, a tool that can perform dynamic taint analysis for binaries. This tool is flexible and extensible that it can work with commodity software and hardware. It can be used to detect software vulnerabilities with vulnerability modeling and taint check. We evaluate it with a number of commonly used real-world applications. The experimental results show that SwordDTA is capable of detecting at least four kinds of softavare vulnerabilities including buffer overflow, integer overflow, division by zero and use-after-free, and is applicable for a wide range of software.
基金supported in part by the National Natural Science Foundation of China(Grant No.62272181)
文摘Static analysis is often impeded by malware obfuscation techniques,such as encryption and packing,whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information.Unfortunately,malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly.While known evasive techniques can be explicitly dismantled,the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations,such as logic bombs that rely on uncertain conditions,let alone unsupported evasive techniques,which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations.In this paper,we present Antitoxin,a prototype for automatically exploring evasive malware.Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques.The probabilities of branch execution are derived from dynamic coverage,while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions.Subsequently,Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration.This is achieved through forced execution,which forcefully sets the outcomes of branches on selected paths.Additionally,Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques,thereby reducing exploration overhead.Furthermore,Antitoxin provides valuable insights into sensitive behaviors,facilitating deeper manual analysis.Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner.The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations,enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear ex
基金supported by the National Natural Science Foundation of China(No.61833015)。
文摘Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests and intrusion detection.Conventional protocol reverse engineering methods have been proposed which are considered time-consuming,tedious,and error-prone.Recently,automatical protocol reverse engineering methods have been proposed which are,however,neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations.In this paper,we present a framework called the industrial control system protocol reverse engineering framework(ICSPRF)that aims to extract ICS protocol fields with high accuracy.ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context,e.g.,basic block(BBL)group.As a result,by monitoring program execution,we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format.We evaluate our approach with six open-source ICS protocol implementations.The results show that ICSPRF can identify individual protocol fields with high accuracy(on average a 94.3%match ratio).ICSPRF also has a low coarse-grained and overly fine-grained match ratio.For the same metric,ICSPRF is more accurate than AutoFormat(88.5%for all evaluated protocols and 80.0%for binary-based protocols).
基金supported by Beijing Natural Science Foundation(No.4214061)。
文摘In recent years,Android applications have caused personal privacy leaks frequently.In order to analyze the malicious behavior,taint analysis technology can be used to track the API call chain,build a control-flow graph of function,and determine whether there is a security risk.However,with the continuous escalation of offensive and defensive confrontation of source code,more and more applications use reinforcement technology to prevent security practitioners from performing reverse analysis,therefore it is impossible to analyze function-behavior from the source code.Thus,we design a framework of taint analysis that applied to the Android applications,which automatically unpacks the Android APKs,restores the real source code of the App,performs taint analysis,and generates a control-flow graph of function.Experimental tests showed that the system can cope with the current mainstream reinforcement technology and restore the real Dex file quickly.Simultaneously,compared with the number of nodes before packing,the generated control-flow graph had an explosive increase,which effectively assisted manual analysis of App with the privacy leakage behaviors.
基金This work is supported by the National Key R&D Program of China(2017YFB0802703)Major Scientific and Technological Special Project of Guizhou Province(20183001)+2 种基金Open Foundation of Guizhou Provincial Key VOLUME XX,2019 Laboratory of Public Big Data(2018BDKFJJ014)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ019)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ022).
文摘Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.
基金This research was supported in part by the National Natural Science Foundation of China(Grant No.61802394,U1836209)Foundation of Science and Technology on Information Assurance Laboratory(No.KJ-17-110)+1 种基金National Key Research and Development Program of China(2016QY071405)Strategic Priority Research Program of the CAS(XDC02040100,XDC02030200,XDC02020200).
文摘The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
基金supported by the National High-Level Personnel for Defense Technology Program of China under Grant No.2017-JCJQ-ZQ-013the National Natural Science Foundation of China under Grant Nos.61902405 and 61902412+2 种基金the Natural Science Foundation of Hunan Province of China under Grant No.2021JJ40692the Parallel and Distributed Processing Research Foundation under Grant No.6142110190404and the Research Project of National University of Defense Technology under Grant Nos.ZK20-09 and ZK20-17.
文摘Grey-box fuzzing is an effective technology to detect software vulnerabilities,such as memory corruption.Previous fuzzers in detecting memory corruption bugs either use heavy-weight analysis,or use techniques which are not customized for memory corruption detection.In this paper,we propose a novel memory bug guided fuzzer,ovAFLow.To begin with,we broaden the memory corruption targets where we frequently identify bugs.Next,ovAFLow utilizes light-weight and effective methods to build connections between the fuzzing inputs and these corruption targets.Based on the connection results,ovAFLow uses customized techniques to direct the fuzzing process closer to memory corruption.We evaluate ovAFLow against state-of-the-art fuzzers,including AFL(american fuzzy lop),AFLFast,FairPuzz,QSYM,Angora,TIFF,and TortoiseFuzz.The evaluation results show better vulnerability detection ability of ovAFLow,and the performance overhead is acceptable.Moreover,we identify 12 new memory corruption bugs and two CVEs(common vulnerability exposures)with the help of ovAFLow.
基金supported by Major Scientific and Technological Special Project of Guizhou Province(20183001)Exploration and Practice on the Education Mode for Engineering Students Based on Technology,Literature and art Inter-disciplinary Integration with the Internet+Background(022150118004/001)+2 种基金Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ014)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ019)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ022).
文摘Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.
基金This work is supported by the Key Laboratory of Network Assessment Technology,Chinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology,as well as Beijing Municipal Science and Technology Project(No.Z181100002718002)National Natural Science Foundation of China(No.61572481 and 61602470,61772308,61472209,61502536,and U1736209)and Young Elite Scientists Sponsorship Program by CAST(No.2016QNRC001).
文摘Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
基金supported in part by the National Natural Science Foundation of China(Grant No.61802394,U1836209)Foundation of Science and Technology on Information Assurance Laboratory(No.KJ-17-110)+1 种基金National Key Research and Development Program of China(2016QY071405)Strategic Priority Research Program of the CAS(XDC02040100,XDC02030200,XDC02020200).
文摘The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
基金supported by the Key Laboratory of Network Assessment TechnologyChinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology+2 种基金Beijing Municipal Science and Technology Project(No.Z181100002718002)National Natural Science Foundation of China(No.61572481 and 61602470,61772308,61472209,61502536,and U1736209)Young Elite Scientists Sponsorship Program by CAST(No.2016QNRC001).
文摘Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
文摘基于流和上下文敏感的SSA(static single assignment)信息流分析技术,提出了一种细粒度、可扩展的污点传播检测方法.利用控制流和数据流的相关信息,跟踪污染数据及其传播路径,可以检测缓冲区溢出、格式化串漏洞等程序脆弱性.分析过程在潜在问题点自动插装动态验证函数,在无需用户干预的情况下保证了程序的运行时安全.在GCC编译器的基础上实现了分析系统,实验结果表明,该方法具有较高的精确度和时空效率.
