结合静态分析与动态符号执行的软件漏洞检测方法

计算机工程与科学

结合静态分析与动态符号执行的软件漏洞检测方法

蔡军，邹鹏，熊达鹏，何骏

（装备学院复杂电子系统仿真实验室，北京 101416）

收稿日期:2015-07-09 修回日期:2015-11-13 出版日期:2016-12-25 发布日期:2016-12-25
基金资助:
国家863计划（2012AA012902）；“核高基”国家科技重大专项基金（2013ZX01045004）

A software vulnerability detection method based on

static analysis and dynamic symbolic execution

CAI Jun,ZOU Peng,XIONG Dapeng,HE Jun

（Science and Technology on Complex Electronic System Simulation Laboratory,Academy of Equipment,Beijing 101416,China）

Received:2015-07-09 Revised:2015-11-13 Online:2016-12-25 Published:2016-12-25

摘要/Abstract

摘要：

动态符号执行是近年来新兴的一种软件漏洞检测方法，它可以为目标程序的不同执行路径自动生成测试用例，从而获得较高的测试代码覆盖率。然而，程序的执行路径很多，且大部分路径都是漏洞无关的，通常那些包含危险函数调用的路径更有可能通向漏洞。提出一种基于静态分析的有导动态符号执行方法，并实现了一个工具原型SAGDSE。该方法通过静态分析识别目标程序中调用危险函数的指令地址，在动态符号执行过程中遇到这些指令地址时收集危险路径约束，再通过约束求解生成走危险路径的测试用例，这些测试用例将更可能触发程序漏洞。实验结果表明了该方法的有效性。

关键词: 软件漏洞检测, 静态分析, 动态符号执行, 危险路径

Abstract:

Dynamic symbolic execution is a software vulnerability detection method emerging in recent years, which can automatically generate test cases for different execution paths of the target program, so it can obtain high test code coverage. However, there are so many execution paths of a program, and most of them are unrelated to vulnerabilities, and those paths containing dangerous function calls are more likely to lead to vulnerabilities. We propose a guided dynamic symbolic execution method based on static analysis, and implement a tool prototype named SAGDSE. This method firstly identifies the program instructions that call dangerous functions via static analysis, and then collects the constraints of dangerous paths during the dynamic symbolic execution process when encountering these instructions. Finally it generates test cases that go through these dangerous paths by solving the constraints. These test cases are more likely to trigger program vulnerabilities. Experimental results verify the effectiveness of the proposed method.

Key words:

software vulnerability detection, static analysis, dynamic symbolic execution, dangerous path

蔡军，邹鹏，熊达鹏，何骏. 结合静态分析与动态符号执行的软件漏洞检测方法[J]. 计算机工程与科学.

CAI Jun,ZOU Peng,XIONG Dapeng,HE Jun.

A software vulnerability detection method based on

static analysis and dynamic symbolic execution

[J]. Computer Engineering & Science.

参考文献［2］

［1］	Wu Shizhong,Guo Tao,Dong Guowei,et al.Software vulnerability analysis techniques［M］.Beijing:Science,2014.(in Chinese)
［2］	Wang Tielei. Research on binaryexecutableoriented software vulnerability detection［D］.Beijing:Peking University,2011.(in Chinese)
［3］	Cadar C,Godefroid P,Khurshid S,et al.Symbolic execution for software testing in practice:Preliminary assessment［C］∥Proc of the 33rd International Conference on Software Engineering,2011:10661071.
［4］	Avgerinos T,Rebert A,Cha S K,et al.Enhancing symbolic execution with veritesting［C］∥Proc of the 36th International Conference on Software Engineering,2014:10831094.
［5］	Sutton M,Greene A,Amini P.Fuzzing:Brute force vulnerability discovery［M］.Upper Saddle River:AddisonWesley Professional Press,2007.
［6］	Takanen A.Fuzzing:The past,the present and the future［C］∥Actes du 7ème Symposium Sur la Sécurité des Technologies de I’information et des Communications (SSTIC),2009:202212.
［7］	Pak B S.Hybrid fuzz testing:Discovering software bugs via fuzzing and symbolic execution［D］.Pittsburgh:Carnegie Mellon University,2012.
［8］	Newsome J,Song D.Dynamic taint analysis for automatic detection,analysis,and signature generation of exploits on commodity software［EB/OL］.［20150709］.http:∥repository.cmu.edu/cgi/viewcontent.cgi?article=1042&context=ece.
［9］	Kang M G,McCamant S,Poosankam P,et al.DTA++:Dynamic taint analysis with targeted controlflow propagation［C］∥Proc of the 18th Annual Network & Distributed System Security Symposium (NDSS),2011:1.
［10］	Kemerlis V P, Portokalidis G, Jee K, et al.libdft:Practical dynamic data flow tracking for commodity systems［J］.Acm Sigplan Notices,2012,47(7):121132.
［11］	Godefroid P,Klarlund N,Sen K.DART:Directed automated random testing［J］. Acm Sigplan Notices,2005,40(6):213223.
［12］	Cadar C,Dunbar D,Engler D R.KLEE:Unassisted and automatic generation of highcoverage tests for complex systems programs［C］∥Proc of the 8th USENIX Symposium on Operating Systems Design and Implementation,2008:209224.
［13］	Sogeti ESEC Lab.Fuzzgrind［EB/OL］.［20150709］.http:∥eseclab.sogeti.com/pages/fuzzgrind.html.
［14］	Martignoni L,McCamant S,Poosankam P,et al.Pathexploration lifting:Hifi tests for lofi emulators［J］. Computer Architecture News,2012,40(1):337348.
［15］	ArmourBrown C,Borntraeger C,Fitzhardinge J,et al.Valgrind［EB/OL］.［20150709］.http:∥valgrind.org/.
［16］	Erdelyi G. IDAPython［EB/OL］.［20150709］.http:∥code.google.com/p/idapython/.
	附中文参考文献：
［1］	吴世忠，郭涛，董国伟，等.软件漏洞分析技术［M］.北京：科学出版社,2014.
［2］	王铁磊.面向二进制程序的漏洞挖掘关键技术研究［D］.北京：北京大学,2011.

[1]	张静1，黄志球1,2，沈国华1,2，喻垚慎1，艾磊1. C程序中的内存泄漏机制分析与检测方法设计[J]. 计算机工程与科学, 2020, 42(05): 776-787.
[2]	贾周阳，廖湘科，刘晓东，李姗姗，周书林，谢欣伟. 基于机器学习的日志函数自动识别方法[J]. 计算机工程与科学, 2017, 39(01): 111-117.
[3]	宋东海，贲可荣，张志祥. 一种基于类的Java多线程程序数据竞争静态检测算法[J]. J4, 2014, 36(02): 233-237.
[4]	秦广赞，郭帆，徐芳，余敏. 一种防SQL注入的静态分析方法[J]. J4, 2013, 35(2): 68-73.
[5]	李锋,文艳军,齐治昌,陆赛因. 基于MYGCC的编程规则检查算法研究[J]. J4, 2012, 34(2): 67-72.
[6]	侯苏宁，陈立前，王昭飞，王戟. 一个面向C和Fortran数值程序的静态分析工具[J]. J4, 2011, 33(3): 94-102.
[7]	冯〓锴,林柏钢. 跨站脚本漏洞的白盒测试框架的设计和实现[J]. J4, 2011, 33(10): 45-50.