[go: up one dir, main page]

CN105740149B - The software security detection method combined based on Vulnerability Model and semiology analysis - Google Patents

The software security detection method combined based on Vulnerability Model and semiology analysis Download PDF

Info

Publication number
CN105740149B
CN105740149B CN201610067441.2A CN201610067441A CN105740149B CN 105740149 B CN105740149 B CN 105740149B CN 201610067441 A CN201610067441 A CN 201610067441A CN 105740149 B CN105740149 B CN 105740149B
Authority
CN
China
Prior art keywords
symbolic
vulnerability
program
execution
constraints
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201610067441.2A
Other languages
Chinese (zh)
Other versions
CN105740149A (en
Inventor
魏强
曹琰
柳晓龙
武泽慧
任开磊
王允超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PLA Information Engineering University
Original Assignee
PLA Information Engineering University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PLA Information Engineering University filed Critical PLA Information Engineering University
Priority to CN201610067441.2A priority Critical patent/CN105740149B/en
Publication of CN105740149A publication Critical patent/CN105740149A/en
Application granted granted Critical
Publication of CN105740149B publication Critical patent/CN105740149B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/3668Testing of software
    • G06F11/3672Test management
    • G06F11/3692Test management for test results analysis
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/3668Testing of software
    • G06F11/3672Test management
    • G06F11/3676Test management for coverage analysis
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/3668Testing of software
    • G06F11/3672Test management
    • G06F11/3688Test management for test execution, e.g. scheduling of test suites

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

本发明涉及一种基于脆弱性模型和符号执行结合的软件安全检测方法,包含:将程序与外部环境所交互的输入测试数据符号化;确定符号执行的符号变量,开始符号执行与实际执行,符号执行收集路径约束条件,获取输入与程序运行路径的对应关系信息;根据路径约束条件,查看是否有可能触发漏洞的代码区域,计算能够驱使程序引导到该代码区域的约束条件,并根据漏洞模型,计算可能触发漏洞的约束条件;调用STP约束求解器计算可能触发漏洞的路径约束条件,得到可能触发漏洞的输入数据;得到新的输入数据载入待测程序进行新一轮测试。本发明能够在深层次分析程序路径直达危险代码区域,并生成较为准确的测试输入数据,触发检测程序漏洞,提高软件安全性。

The invention relates to a software security detection method based on a combination of a vulnerability model and symbolic execution, which includes: symbolizing the input test data interacted between a program and an external environment; determining symbolic variables for symbolic execution, starting symbolic execution and actual execution, and symbolizing Execute the collection path constraints to obtain the corresponding relationship information between the input and the program running path; according to the path constraints, check whether there is a code area that may trigger a vulnerability, calculate the constraints that can drive the program to the code area, and according to the vulnerability model, Calculate the constraints that may trigger vulnerabilities; call the STP constraint solver to calculate the path constraints that may trigger vulnerabilities, and obtain input data that may trigger vulnerabilities; get new input data and load it into the program under test for a new round of testing. The invention can analyze the program path directly to the dangerous code area at a deep level, generate relatively accurate test input data, trigger the detection of program loopholes, and improve software security.

Description

基于脆弱性模型和符号执行结合的软件安全检测方法A Software Security Detection Method Based on the Combination of Vulnerability Model and Symbolic Execution

技术领域technical field

本发明涉及计算机软件安全性测试技术领域,特别涉及一种基于脆弱性模型和符号执行结合的软件安全检测方法。The invention relates to the technical field of computer software security testing, in particular to a software security testing method based on the combination of vulnerability model and symbolic execution.

背景技术Background technique

软件分析是测试软件脆弱性、软件恶意行为等安全性问题的基础。为了应对软件脆弱性带来的安全风险,研究人员开展了对软件脆弱性分析技术的研究。现有的技术已经能够在一定程度上发现并修补某些脆弱性,为软件安全运行提供重要支撑。为了弥补传统模糊测试带来的盲目性和测试覆盖率低等问题,不少研究者开始将符号执行技术应用于脆弱性挖掘过程中。符号执行是一种信息流分析技术,它在程序执行过程中以符号输入代替实际输入,将程序变量符号化,并在分析中通过插桩不断收集路径约束条件,通过约束求解器生成测试用例以发现软件存在的脆弱性,有可能成为解决软件自动化测试问题的核心方法。Software analysis is the basis for testing security issues such as software vulnerability and software malicious behavior. In order to deal with the security risks brought by software vulnerabilities, researchers have carried out research on software vulnerability analysis techniques. Existing technologies have been able to discover and repair certain vulnerabilities to a certain extent, providing an important support for the safe operation of software. In order to make up for the blindness and low test coverage caused by traditional fuzz testing, many researchers began to apply symbolic execution technology to the vulnerability mining process. Symbolic execution is an information flow analysis technique, which replaces actual input with symbolic input during program execution, symbolizes program variables, continuously collects path constraints through instrumentation during analysis, and generates test cases through constraint solver to Discovering the vulnerability of software may become the core method to solve the problem of software automation testing.

符号执行技术可以有效引导输入数据进入待测程序的某个区域,而后仍然使用模糊器,在局部范围生成多个样本进行安全测试,虽然在进入某个特定区域的效率已经大大提高,但是在脆弱性挖掘方面仍存在不足。Symbolic execution technology can effectively guide the input data into a certain area of the program to be tested, and then still use the fuzzer to generate multiple samples in a local area for security testing. Although the efficiency of entering a specific area has been greatly improved, it is vulnerable to There are still deficiencies in gender mining.

发明内容Contents of the invention

针对现有技术中的不足,本发明提供一种基于脆弱性模型和符号执行结合的软件安全检测方法,利用符号执行和脆弱性模型匹配相结合,使得生成的测试数据不仅能够快速到达某个待测程序点,而且触发脆弱性的效率更高。Aiming at the deficiencies in the prior art, the present invention provides a software security detection method based on the combination of vulnerability model and symbolic execution, using the combination of symbolic execution and vulnerability model matching, so that the generated test data can not only quickly reach a certain test program points, and the efficiency of triggering vulnerabilities is higher.

按照本发明所提供的设计方案,一种基于脆弱性模型和符号执行结合的软件安全检测方法,包含如下步骤:According to the design scheme provided by the present invention, a software security detection method based on the combination of vulnerability model and symbolic execution includes the following steps:

步骤1.将输入数据载入待测程序,输入数据驱动待测程序执行,进行异常检测;Step 1. Load the input data into the program under test, and the input data drives the execution of the program under test to detect abnormalities;

步骤2.判断是否达到程序路径覆盖率要求,若满足,则结束测试,否则,进入步骤3;Step 2. Determine whether the program path coverage requirement is met, and if so, end the test, otherwise, enter step 3;

步骤3.将输入数据符号化,确定输入点和输入数据大小,标记符号执行中的符号变量,并将这些符号变量定义为原始符号变量集合,符号变量包含原始符号变量和中间符号变量,中间符号变量是原始符号变量表达式表示的符号变量,程序开始符号执行与实际执行,符号执行收集路径约束条件,获取输入点与程序运行路径的对应关系,根据程序跳转点对符号变量的约束,建立程序路径约束条件;Step 3. Symbolize the input data, determine the input point and the size of the input data, mark the symbolic variables in the symbolic execution, and define these symbolic variables as a set of original symbolic variables, the symbolic variables include the original symbolic variables and intermediate symbolic variables, intermediate symbols The variable is the symbolic variable represented by the original symbolic variable expression. When the program starts symbolic execution and actual execution, symbolic execution collects path constraints, obtains the corresponding relationship between input points and program running paths, and establishes according to the constraints of program jump points on symbolic variables. Program path constraints;

步骤4.根据步骤3中收集的路径约束条件,查看路径中是否有触发脆弱性的代码区域,并根据路径引导算法计算驱使程序引导到该代码区域的约束条件;同时,根据缓冲区溢出脆弱性特点,对安全脆弱性形式化建模,通过脆弱性模型与路径约束条件的匹配,计算触发脆弱性的约束条件;Step 4. According to the path constraints collected in step 3, check whether there is a code area that triggers the vulnerability in the path, and calculate the constraints that drive the program to the code area according to the path guidance algorithm; at the same time, according to the buffer overflow vulnerability Features, formalize the modeling of security vulnerabilities, and calculate the constraints that trigger the vulnerability by matching the vulnerability model with the path constraints;

步骤5.调用STP约束求解器,对步骤4中的约束条件进行求解,获取新的测试用的输入数据,跳转至步骤1中执行。Step 5. Call the STP constraint solver to solve the constraints in step 4, obtain new input data for testing, and jump to step 1 for execution.

上述的,步骤3中的输入点为程序获取输入数据的输入函数调用处,同时为符号执行的起始点。As mentioned above, the input point in step 3 is the input function call where the program obtains input data, and is also the starting point of symbolic execution.

上述的,步骤3中输入数据读入到内存后,程序进入执行状态,对于即将执行的每一句指令,首先判断是否涉及符号变量操作,若涉及符号变量操作,则进行符号执行,否则只需实际执行,以保持和符号执行同步即可;步骤3中的程序路径约束条件即为原始符号变量和中间符号变量建立的方程组。As mentioned above, after the input data in step 3 is read into the memory, the program enters the execution state. For each instruction to be executed, it is first judged whether symbolic variable operations are involved. If symbolic variable operations are involved, symbolic execution is performed; Execution is sufficient to maintain synchronization with symbolic execution; the program path constraints in step 3 are the equations set up by the original symbolic variables and intermediate symbolic variables.

上述的,步骤4中缓冲区溢出脆弱性中对安全脆弱性形式化建模包含对缓冲区内容进行符号化,对缓冲区大小进行符号化,及对已使用长度进行符号化,并建立指针变量和缓冲区的映射关系,通过符号化方式检测缓冲区溢出脆弱性。As mentioned above, the formal modeling of the security vulnerability in the buffer overflow vulnerability in step 4 includes symbolizing the buffer content, symbolizing the buffer size, symbolizing the used length, and establishing a pointer variable The mapping relationship with the buffer, through the symbolic way to detect buffer overflow vulnerability.

上述的,步骤4中还包含根据整型溢出脆弱性特点进行形式化建模,将整型溢出脆弱性抽象为source-sink问题,计算触发脆弱性的约束条件。As mentioned above, step 4 also includes formal modeling based on the characteristics of the integer overflow vulnerability, abstracting the integer overflow vulnerability into a source-sink problem, and calculating the constraints that trigger the vulnerability.

本发明的有益效果:Beneficial effects of the present invention:

1、本发明针对目前符号执行在特定安全脆弱性类型检测方面缺乏针对性的问题,对缓冲区溢出脆弱性和整型溢出脆弱性进行形式化建模,在脆弱性检测方面结合脆弱性模型,利用符号执行和约束求解技术,使得生成的测试数据不仅能够快速到达某个待测程序点,而且触发脆弱性的效率更高,实现高效的软件安全脆弱性检测。1. The present invention aims at the problem that the current symbolic execution lacks pertinence in the detection of specific security vulnerability types, formalizes the buffer overflow vulnerability and the integer overflow vulnerability, and combines the vulnerability model in the vulnerability detection aspect, Using symbolic execution and constraint solving technology, the generated test data can not only quickly reach a certain program point to be tested, but also trigger vulnerabilities more efficiently, realizing efficient software security vulnerability detection.

2、本发明综合利用符号执行技术和脆弱性模型相匹配的优势,在深层次分析程序路径的基础上,生成较为准确的测试输入数据,触发及检测程序脆弱性,为提高软件安全性提供帮助。2. The present invention comprehensively utilizes the advantages of symbolic execution technology and vulnerability model matching, and generates relatively accurate test input data on the basis of in-depth analysis of program paths, triggers and detects program vulnerabilities, and provides help for improving software security .

附图说明:Description of drawings:

图1为本发明的流程示意图;Fig. 1 is a schematic flow sheet of the present invention;

图2为实施例二中的缓冲区符号化表示示意图;Fig. 2 is a schematic representation of the symbolic representation of the buffer zone in Embodiment 2;

图3为实施例二中的整型溢出脆弱性模型示意图。FIG. 3 is a schematic diagram of the integer overflow vulnerability model in the second embodiment.

具体实施方式:detailed description:

下面结合附图和技术方案对本发明作进一步详细的说明,并通过优选的实施例详细说明本发明的实施方式,但本发明的实施方式并不限于此。The present invention will be described in further detail below in conjunction with the accompanying drawings and technical solutions, and the implementation of the present invention will be described in detail through preferred embodiments, but the implementation of the present invention is not limited thereto.

实施例一,参见图1所示,一种基于脆弱性模型和符号执行结合的软件安全检测方法,包含如下步骤:Embodiment 1, referring to Figure 1, a software security detection method based on the combination of vulnerability model and symbolic execution, comprising the following steps:

步骤1.将输入数据载入待测程序,输入数据驱动待测程序执行,进行异常检测;Step 1. Load the input data into the program under test, and the input data drives the execution of the program under test to detect abnormalities;

步骤2.判断是否达到程序路径覆盖率要求,若满足,则结束测试,否则,进入步骤3;Step 2. Determine whether the program path coverage requirement is met, and if so, end the test, otherwise, enter step 3;

步骤3.将输入数据符号化,确定输入点和输入数据大小,标记符号执行中的符号变量,并将这些符号变量定义为原始符号变量集合,符号变量包含原始符号变量和中间符号变量,中间符号变量是原始符号变量表达式表示的符号变量,程序开始符号执行与实际执行,符号执行收集路径约束条件,获取输入点与程序运行路径的对应关系,根据程序跳转点对符号变量的约束,建立程序路径约束条件;Step 3. Symbolize the input data, determine the input point and the size of the input data, mark the symbolic variables in the symbolic execution, and define these symbolic variables as a set of original symbolic variables, the symbolic variables include the original symbolic variables and intermediate symbolic variables, intermediate symbols The variable is the symbolic variable represented by the original symbolic variable expression. When the program starts symbolic execution and actual execution, symbolic execution collects path constraints, obtains the corresponding relationship between input points and program running paths, and establishes according to the constraints of program jump points on symbolic variables. Program path constraints;

步骤4.根据步骤3中收集的路径约束条件,查看路径中是否有触发脆弱性的代码区域,并根据路径引导算法计算驱使程序引导到该代码区域的约束条件;同时,根据缓冲区溢出脆弱性特点,对安全脆弱性形式化建模,通过脆弱性模型与路径约束条件的匹配,计算触发脆弱性的约束条件;Step 4. According to the path constraints collected in step 3, check whether there is a code area that triggers the vulnerability in the path, and calculate the constraints that drive the program to the code area according to the path guidance algorithm; at the same time, according to the buffer overflow vulnerability Features, formalize the modeling of security vulnerabilities, and calculate the constraints that trigger the vulnerability by matching the vulnerability model with the path constraints;

步骤5.调用STP约束求解器,对步骤4中的约束条件进行求解,获取新的测试用的输入数据,跳转至步骤1中执行。Step 5. Call the STP constraint solver to solve the constraints in step 4, obtain new input data for testing, and jump to step 1 for execution.

实施例二,参见图1~3所示,一种基于脆弱性模型和符号执行结合的软件安全检测方法,包含如下步骤:Embodiment 2, referring to Figures 1-3, a software security detection method based on the combination of vulnerability model and symbolic execution, including the following steps:

步骤1.将输入数据载入待测程序,输入数据驱动待测程序执行,进行异常检测;Step 1. Load the input data into the program under test, and the input data drives the execution of the program under test to detect abnormalities;

步骤2.判断是否达到程序路径覆盖率要求,若满足,则结束测试,否则,进入步骤3;Step 2. Determine whether the program path coverage requirement is met, and if so, end the test, otherwise, enter step 3;

步骤3.将输入数据符号化,确定输入点和输入数据大小,标记符号执行中的符号变量,并将这些符号变量定义为原始符号变量集合,符号变量包含原始符号变量和中间符号变量,中间符号变量是原始符号变量表达式表示的符号变量,程序开始符号执行与实际执行,符号执行收集路径约束条件,获取输入点与程序运行路径的对应关系,根据程序跳转点对符号变量的约束,建立程序路径约束条件,即根据原始符号变量和中间符号变量建立方程组,其中,输入点为程序获取输入数据的输入函数调用处,同时为符号执行的起始点,输入数据读入到内存后,程序进入执行状态,对于即将执行的每一句指令,首先判断是否涉及符号变量操作,若涉及符号变量操作,则进行符号执行,否则只需实际执行,以保持和符号执行同步即可,实际执行是在真实环境下执行,相对于符号执行而言的;Step 3. Symbolize the input data, determine the input point and the size of the input data, mark the symbolic variables in the symbolic execution, and define these symbolic variables as a set of original symbolic variables, the symbolic variables include the original symbolic variables and intermediate symbolic variables, intermediate symbols The variable is the symbolic variable represented by the original symbolic variable expression. When the program starts symbolic execution and actual execution, symbolic execution collects path constraints, obtains the corresponding relationship between input points and program running paths, and establishes according to the constraints of program jump points on symbolic variables. Program path constraints, that is, establish a system of equations based on the original symbolic variables and intermediate symbolic variables, where the input point is the input function call where the program obtains input data, and is also the starting point of symbolic execution. After the input data is read into the memory, the program Enter the execution state, for each instruction to be executed, first judge whether it involves symbolic variable operation, if it involves symbolic variable operation, perform symbolic execution, otherwise it only needs to be actually executed to keep the synchronization with symbolic execution, the actual execution is in Execution in a real environment, as opposed to symbolic execution;

步骤4.根据步骤3中收集的路径约束条件,查看路径中是否有触发脆弱性的代码区域,并根据路径引导算法计算驱使程序引导到该代码区域的约束条件;同时,根据缓冲区溢出脆弱性特点,对安全脆弱性形式化建模,通过脆弱性模型与路径约束条件的匹配,计算触发脆弱性的约束条件,缓冲区溢出脆弱性中对安全脆弱性形式化建模包含对缓冲区内容进行符号化,对缓冲区大小进行符号化,及对已使用长度进行符号化,并建立指针变量和缓冲区的映射关系,通过符号化方式检测缓冲区溢出脆弱性,还包含根据整型溢出脆弱性特点进行形式化建模,将整型溢出脆弱性抽象为source-sink问题,计算触发脆弱性的约束条件;Step 4. According to the path constraints collected in step 3, check whether there is a code area that triggers the vulnerability in the path, and calculate the constraints that drive the program to the code area according to the path guidance algorithm; at the same time, according to the buffer overflow vulnerability Features, formal modeling of security vulnerabilities, through the matching of the vulnerability model and path constraints, calculate the constraints that trigger the vulnerability, the formal modeling of security vulnerabilities in the buffer overflow vulnerability includes the buffer content Symbolization, symbolize the size of the buffer, and symbolize the used length, and establish the mapping relationship between pointer variables and buffers, detect buffer overflow vulnerabilities through symbolic methods, and also include integer overflow vulnerabilities Formal modeling of the characteristics, abstracting the vulnerability of integer overflow into a source-sink problem, and calculating the constraints that trigger the vulnerability;

步骤5.调用STP约束求解器,对步骤4中的约束条件进行求解,获取新的测试用的输入数据,跳转至步骤1中执行。Step 5. Call the STP constraint solver to solve the constraints in step 4, obtain new input data for testing, and jump to step 1 for execution.

脆弱性模型的形式化建模建立方法如下:The formal modeling method of the vulnerability model is as follows:

(一)缓冲区溢出脆弱性模型的建立(1) Establishment of buffer overflow vulnerability model

为了检测缓冲区溢出缺陷,除了对缓冲区的内容进行符号化建模外,还要对缓冲区的大小(size)和已使用长度(length)提供符号化表示。此外,需要在符号执行测试技术的基础上,为指针变量和缓冲区建立映射关系。在符号映射关系δ中,将一个指针变量从其具体地址addr映射到一个三元组(size,len,C)表示的缓冲区,其中size是一个符号表达式,len表示该缓冲区变量分配空间的大小,C是一个符号表达式,表示该缓冲区变量已使用的长度,即该缓冲区变量中终结符’\0’所在位置,值C=C1,C2,...Cn为一个序列,是该缓冲区所存放内容的符号表达,缓冲区变量前v位置进行符号化建模以提高系统的可扩展性。将一个指针变量p表示为一个二元组(addr,off),其中addr是一个无符号长整形数,是该指针变量的地址,off则是p所指向缓冲区中的位置距离该缓冲区起始位置偏移量的符号表达式,δ(addr)返回p所指向的缓冲区b(size,len,C)。图2描述了缓冲区符号化表示示意图。为了在测试过程中通过符号化的方式来检测缓冲区溢出缺陷,需要对该类缺陷定义。In order to detect buffer overflow defects, in addition to symbolic modeling of the contents of the buffer, a symbolic representation of the size (size) and the used length (length) of the buffer is also provided. In addition, it is necessary to establish a mapping relationship between pointer variables and buffers on the basis of symbolic execution testing technology. In the symbolic mapping relationship δ, a pointer variable is mapped from its specific address addr to a buffer represented by a triple (size, len, C), where size is a symbolic expression, and len represents the buffer variable allocation space C is a symbolic expression, indicating the length used by the buffer variable, that is, the position of the terminal symbol '\0' in the buffer variable, and the value C=C 1 , C 2 ,...C n is A sequence is a symbolic expression of the content stored in the buffer, and the v position before the buffer variable is symbolically modeled to improve the scalability of the system. Express a pointer variable p as a tuple (addr, off), where addr is an unsigned long integer, which is the address of the pointer variable, and off is the distance from the buffer pointed to by p to the buffer A symbolic expression for the offset from the starting position, δ(addr) returns the buffer b(size, len, C) pointed to by p. Figure 2 depicts a schematic diagram of the buffer symbolic representation. In order to detect buffer overflow defects in a symbolic way during the test, it is necessary to define this type of defects.

表1缓冲区溢出脆弱性模型Table 1 Buffer overflow vulnerability model

缓冲区buffer zone 溢出条件overflow condition strcpy(pd,ps)strcpy(p d ,p s ) lens-offs>=sized-offd len s -off s >= size d -off d strcat(pd,ps)strcat(p d ,p s ) lens-offs+lend>=sized len s -off s +len d >= size d *pd:=var*pd:=var offd>sized off d > size d

表格中pd=(addrd,offd),bd=(sized,lend,Cd)=d(addrd)≠null,ps=(addrs,offs),bs=(sizes,lens,Cs)=d(addrd)≠null。In the table p d =(addr d ,off d ), b d =(size d ,len d ,C d )=d(addr d )≠null, p s =(addr s ,off s ), b s =( size s ,len s ,C s )=d(addr d )≠null.

(二)整型溢出脆弱性模型的建立(2) Establishment of integer overflow vulnerability model

一旦程序中算术运算、移位运算的结果超出了相应类型的表达能力,就会引起“整数溢出”。近些年来,针对整数溢出脆弱性的攻击越来越多,给信息系统安全带来了很多隐患。整数溢出脆弱性的特点如下:1)调用污点数据引入函数:发生整数溢出操作中,部分操作数和污点数据存在数据依赖关系,而这些污点数据来源于外界可控输入源,例如文件、网络报文、命令行参数等,并且由专门的API函数引入,典型的污点数据引入函数,包括read、fread、recv;2)对污点数据不恰当检查:程序路径上没有检查污点数的范围或者范围检查不完备;3)将溢出结果用于敏感操作:并非所有的整数溢出都会导致安全问题,只有当溢出结果影响了程序的控制流、内存分配、内存访问等操作时,才会进一步引起其他安全问题。Once the results of arithmetic operations and shift operations in the program exceed the expressive capacity of the corresponding type, it will cause "integer overflow". In recent years, there have been more and more attacks on integer overflow vulnerabilities, which have brought many hidden dangers to the security of information systems. The characteristics of integer overflow vulnerability are as follows: 1) Calling tainted data import function: In integer overflow operations, some operands and tainted data have data dependencies, and these tainted data come from external controllable input sources, such as files, network reports, etc. Text, command line parameters, etc., and imported by special API functions, typical tainted data import functions, including read, fread, recv; 2) Improper inspection of tainted data: the program path does not check the range or range check of the number of taints Incomplete; 3) Use overflow results for sensitive operations: Not all integer overflows will cause security issues, only when the overflow results affect the program's control flow, memory allocation, memory access, etc., will further cause other security issues .

因此,可以将整数溢出脆弱性抽象为一种特殊的source-sink问题,如图3所示,在存在整数溢出脆弱性的路径上,首先应该调用污点数据引入函数,即图3中的source节点,常见的污点源包括fread、recv等;其次,这些路径上存在对溢出结果敏感的操作,即图3中的sink节点,例如内存分配函数malloc等;最后,这条路径上的约束条件是自洽、可满足的,即该路径是一条可行路径;此外,路径约束并没有对污点数据做到充分检查,路径上仍然存在导致整数溢出的运算。根据整型溢出脆弱性特点进行形式化建模,将整型溢出脆弱性抽象为source-sink问题,检测整型溢出脆弱性。Therefore, integer overflow vulnerability can be abstracted as a special source-sink problem, as shown in Figure 3, on the path with integer overflow vulnerability, the tainted data introduction function should be called first, that is, the source node in Figure 3 , common taint sources include fread, recv, etc.; secondly, there are operations on these paths that are sensitive to overflow results, that is, the sink node in Figure 3, such as the memory allocation function malloc, etc.; finally, the constraints on this path are self- Consistent and satisfiable, that is, the path is a feasible path; in addition, the path constraint does not fully check the tainted data, and there are still operations that cause integer overflow on the path. Formal modeling is carried out according to the characteristics of integer overflow vulnerability, and integer overflow vulnerability is abstracted as a source-sink problem to detect integer overflow vulnerability.

整型溢出脆弱性建模方法:Integer overflow vulnerability modeling method:

整型溢出抽象模型为六元组:<op,oprand,sign,width,range,result>,The abstract model of integer overflow is a six-tuple: <op, oprand, sign, width, range, result>,

1、含义:1. Meaning:

op:操作符,包括加法、减法、乘法、循环移位、类型转换等操作;op: operator, including operations such as addition, subtraction, multiplication, circular shift, and type conversion;

oprand:源操作数;oprand: source operand;

sign:操作数oprand的符号值,正负或者无符号;sign: the signed value of the operand oprand, positive or negative or unsigned;

width:操作数宽度,包括8bit、16bit、32bit、64bit等;width: Operand width, including 8bit, 16bit, 32bit, 64bit, etc.;

range:触发溢出脆弱性的源操作数取值范围;range: the value range of the source operand that triggers the overflow vulnerability;

result:整型计算结果。result: Integer calculation result.

2、触发整型溢出脆弱性需要同时满足以下约束:2. To trigger the integer overflow vulnerability, the following constraints must be met at the same time:

1)op∈INT_OP操作属于整型运算;1) op∈INT_OP operation belongs to integer operation;

2)oprandrange∈TRIGGER_COND源操作数值能够导致运算出错;2) oprand range ∈ TRIGGER_COND source operand value can cause operation error;

3)oprand<-source源操作数可以被污点源控制;3) oprand<-source source operand can be controlled by taint source;

4)result-sink运算结果可以影响内存敏感访问。4) The result-sink operation result can affect memory-sensitive access.

sign∈{<source_sign,dest_sign>|source_sign,dest_sign∈SIGN}sign∈{<source_sign,dest_sign>|source_sign,dest_sign∈SIGN}

width∈{<source_width,dest_width>|source_width,dest_width∈WIDTH}。width∈{<source_width,dest_width>|source_width,dest_width∈WIDTH}.

本发明并不局限于上述具体实施方式,本领域技术人员还可据此做出多种变化,但任何与本发明等同或者类似的变化都应涵盖在本发明权利要求的范围内。The present invention is not limited to the specific embodiments described above, and those skilled in the art can also make various changes accordingly, but any changes that are equivalent or similar to the present invention should be covered within the scope of the claims of the present invention.

Claims (5)

1.一种基于脆弱性模型和符号执行结合的软件安全检测方法,其特征在于:包含如下步骤:1. A software security detection method based on a combination of vulnerability model and symbolic execution, characterized in that: comprising the following steps: 步骤1.将输入数据载入待测程序,输入数据驱动待测程序执行,进行异常检测;Step 1. Load the input data into the program under test, and the input data drives the execution of the program under test to detect abnormalities; 步骤2.判断是否达到程序路径覆盖率要求,若满足,则结束测试,否则,进入步骤3;Step 2. Determine whether the program path coverage requirement is met, and if so, end the test, otherwise, enter step 3; 步骤3.将输入数据符号化,确定输入点和输入数据大小,标记符号执行中的符号变量,并将这些符号变量定义为原始符号变量集合,符号变量包含原始符号变量和中间符号变量,中间符号变量是原始符号变量表达式表示的符号变量,程序开始符号执行与实际执行,符号执行收集路径约束条件,获取输入点与程序运行路径的对应关系,根据程序跳转点对符号变量的约束,建立程序路径约束条件;Step 3. Symbolize the input data, determine the input point and the size of the input data, mark the symbolic variables in the symbolic execution, and define these symbolic variables as a set of original symbolic variables, the symbolic variables include the original symbolic variables and intermediate symbolic variables, intermediate symbols The variable is the symbolic variable represented by the original symbolic variable expression. When the program starts symbolic execution and actual execution, symbolic execution collects path constraints, obtains the corresponding relationship between input points and program running paths, and establishes according to the constraints of program jump points on symbolic variables. Program path constraints; 步骤4.根据步骤3中收集的路径约束条件,查看路径中是否有触发脆弱性的代码区域,并根据路径引导算法计算驱使程序引导到该代码区域的约束条件;同时,根据缓冲区溢出脆弱性特点,对安全脆弱性形式化建模,通过脆弱性模型与路径约束条件的匹配,计算触发脆弱性的约束条件;Step 4. According to the path constraints collected in step 3, check whether there is a code area that triggers the vulnerability in the path, and calculate the constraints that drive the program to the code area according to the path guidance algorithm; at the same time, according to the buffer overflow vulnerability Features, formalize the modeling of security vulnerabilities, and calculate the constraints that trigger the vulnerability by matching the vulnerability model with the path constraints; 步骤5.调用STP约束求解器,对步骤4中的约束条件进行求解,获取新的测试用的输入数据,跳转至步骤1中执行。Step 5. Call the STP constraint solver to solve the constraints in step 4, obtain new input data for testing, and jump to step 1 for execution. 2.根据权利要求1中所述的基于脆弱性模型和符号执行结合的软件安全检测方法,其特征在于:步骤3中的输入点为程序获取输入数据的输入函数调用处,同时为符号执行的起始点。2. The software security detection method based on the combination of vulnerability model and symbolic execution according to claim 1, characterized in that: the input point in step 3 is the input function call place where the program obtains the input data, and at the same time it is the place where the symbolic execution starting point. 3.根据权利要求1所述的基于脆弱性模型和符号执行结合的软件安全检测方法,其特征在于:步骤3中输入数据读入到内存后,程序进入执行状态,对于即将执行的每一句指令,首先判断是否涉及符号变量操作,若涉及符号变量操作,则进行符号执行,否则只需实际执行,以保持和符号执行同步即可;3. The software security detection method based on the combination of vulnerability model and symbolic execution according to claim 1, characterized in that: after the input data is read into the memory in step 3, the program enters the execution state, and for each instruction to be executed , first determine whether symbolic variable operations are involved, if symbolic variable operations are involved, perform symbolic execution, otherwise only need to actually execute to keep synchronization with symbolic execution; 步骤3中的程序路径约束条件即为原始符号变量和中间符号变量建立方程组。The program path constraints in step 3 are to establish a system of equations for the original symbolic variables and intermediate symbolic variables. 4.根据权利要求1所述的基于脆弱性模型和符号执行结合的软件安全检测方法,其特征在于:步骤4中缓冲区溢出脆弱性中对安全脆弱性形式化建模包含对缓冲区内容进行符号化,对缓冲区大小进行符号化,及对已使用长度进行符号化,并建立指针变量和缓冲区的映射关系,通过符号化方式检测缓冲区溢出脆弱性。4. The software security detection method based on the combination of vulnerability model and symbolic execution according to claim 1, characterized in that: the formal modeling of security vulnerability in the buffer overflow vulnerability in step 4 includes the buffer content Symbolize, symbolize the size of the buffer, and symbolize the used length, and establish the mapping relationship between the pointer variable and the buffer, and detect the vulnerability of buffer overflow through symbolization. 5.根据权利要求1所述的基于脆弱性模型和符号执行结合的软件安全检测方法,其特征在于:步骤4中还包含根据整型溢出脆弱性特点进行形式化建模,将整型溢出脆弱性抽象为source-sink问题,计算触发脆弱性的约束条件。5. The software security detection method based on the combination of vulnerability model and symbolic execution according to claim 1, characterized in that: step 4 also includes formal modeling according to the characteristics of integer overflow vulnerability, and the integer overflow vulnerability The vulnerability is abstracted as a source-sink problem, and the constraints that trigger the vulnerability are calculated.
CN201610067441.2A 2016-01-29 2016-01-29 The software security detection method combined based on Vulnerability Model and semiology analysis Expired - Fee Related CN105740149B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610067441.2A CN105740149B (en) 2016-01-29 2016-01-29 The software security detection method combined based on Vulnerability Model and semiology analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610067441.2A CN105740149B (en) 2016-01-29 2016-01-29 The software security detection method combined based on Vulnerability Model and semiology analysis

Publications (2)

Publication Number Publication Date
CN105740149A CN105740149A (en) 2016-07-06
CN105740149B true CN105740149B (en) 2018-02-16

Family

ID=56247295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610067441.2A Expired - Fee Related CN105740149B (en) 2016-01-29 2016-01-29 The software security detection method combined based on Vulnerability Model and semiology analysis

Country Status (1)

Country Link
CN (1) CN105740149B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108268371B (en) * 2016-12-30 2021-03-02 南京理工大学 Smart fuzzing method for Android applications
US10642584B2 (en) * 2017-09-01 2020-05-05 Shenzhen Qianhai Sourcebrella Inc. Ltd. Defect detection method, device, system and computer readable medium
CN109117364B (en) * 2018-07-03 2021-06-15 中国科学院信息工程研究所 A target-oriented test case generation method and system
CN109784048B (en) * 2018-12-12 2023-12-01 天航长鹰(江苏)科技有限公司 Method for detecting overflow vulnerability of stack buffer based on program diagram
CN110457208B (en) * 2019-07-16 2023-01-06 百度在线网络技术(北京)有限公司 Symbol execution guiding method, device, equipment and computer readable storage medium
CN110851353B (en) * 2019-10-22 2023-03-31 天津大学 Concurrent program defect positioning method based on Delta debug and constraint solution
CN111124723B (en) * 2019-11-04 2023-04-14 北京轩宇信息技术有限公司 Interrupt-driven program integer overflow model detection method based on interference variables
CN112733150B (en) * 2021-01-12 2021-11-16 哈尔滨工业大学 A method for detecting unknown vulnerabilities in firmware based on vulnerability analysis
CN113741969B (en) * 2021-11-01 2022-03-11 北京鸿渐科技有限公司 Deep structure pointer analysis optimization method for analyzing source library mode defect detector

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102360334A (en) * 2011-10-17 2012-02-22 中国人民解放军信息工程大学 Dynamic and static combined software security test method
CN102789419A (en) * 2012-07-20 2012-11-21 中国人民解放军信息工程大学 Software fault analysis method based on multi-sample difference comparison

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7389223B2 (en) * 2003-09-18 2008-06-17 International Business Machines Corporation Method and apparatus for testing a software program using mock translation input method editor

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102360334A (en) * 2011-10-17 2012-02-22 中国人民解放军信息工程大学 Dynamic and static combined software security test method
CN102789419A (en) * 2012-07-20 2012-11-21 中国人民解放军信息工程大学 Software fault analysis method based on multi-sample difference comparison

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
面向软件脆弱性分析的并行符号执行技术研究;曹琰;《中国博士学位论文全文数据库》;20140115(第1期);全文 *

Also Published As

Publication number Publication date
CN105740149A (en) 2016-07-06

Similar Documents

Publication Publication Date Title
CN105740149B (en) The software security detection method combined based on Vulnerability Model and semiology analysis
Ren et al. Empirical evaluation of smart contract testing: What is the best choice?
CN102622558B (en) Excavating device and excavating method of binary system program loopholes
CN104834859B (en) The dynamic testing method of malicious act in a kind of Android applications
CN115033894B (en) Software component supply chain safety detection method and device based on knowledge graph
Liu et al. Harnessing the power of llm to support binary taint analysis
CN105808430B (en) A kind of multi-semantic meaning dynamic stain analysis method
CN109308415A (en) A binary-oriented fuzzing method and system
CN103294594A (en) Test based static analysis misinformation eliminating method
CN115146282A (en) AST-based source code exception detection method and device
CN101833631A (en) A Dynamic Detection Method for Software Security Vulnerabilities Combined with Pointer Analysis
CN110096433A (en) The method of encryption data is obtained on a kind of iOS platform
CN104462962A (en) Method for detecting unknown malicious codes and binary bugs
CN103049377A (en) Parallel symbolic execution method based on path cluster reductions
CN114389978A (en) Network protocol side channel detection method and system based on static taint analysis
CN110688658A (en) Unknown virus infection tracing method, device and system
Mouzarani et al. A smart fuzzing method for detecting heap-based buffer overflow in executable codes
CN108959936A (en) An Automatic Exploitation Method of Buffer Overflow Vulnerabilities Based on Path Analysis
CN105787369B (en) Android software safety analytical method based on slice measurement
Chen et al. Utilizing Precise and Complete Code Context to Guide LLM in Automatic False Positive Mitigation
CN102789417B (en) Program detecting system and method based on directional symbol execution on mobile intelligent terminal
CN115795489B (en) A method and device for static analysis of software vulnerabilities based on hardware-level process tracking
CN106326123A (en) Method and system for detecting array bound-crossing defect
CN116954707A (en) Reverse analysis method of industrial control protocol based on field symbolic expression
CN116305164A (en) Cross-contract vulnerability detection method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180216

Termination date: 20190129

CF01 Termination of patent right due to non-payment of annual fee