CN103440201A - Dynamic taint analysis device and application thereof to document format reverse analysis

Info

Publication number: CN103440201A
Authority: CN (China)
Legal status: Granted; expired (fee related)
Application number: CN201310400437XA
Other languages: Chinese (zh)
Other versions: CN103440201B (en)
Inventors: 崔宝江, 王福维
Current and original assignee: Beijing University of Posts and Telecommunications
Events: application filed by Beijing University of Posts and Telecommunications; priority to CN201310400437.XA; publication of CN103440201A; application granted; publication of CN103440201B
Classification (landscape): Debugging and Monitoring
Abstract

The invention relates to a dynamic taint analysis device and its application to document format reverse analysis. The device comprises a dynamic instrumentation execution logging module and a static snapshot parsing taint tracking module. The dynamic instrumentation execution logging module uses a binary instrumentation platform to invoke and execute the program under test, monitors the opening, parsing and closing of a data file containing original taint data during that execution, and obtains from the execution snapshot logs of the whole instruction stream, the context information and the memory access information. The static snapshot parsing taint tracking module parses the snapshot logs, simulates a replay of the process from the parsed information, and records how the original taint data in the data file is processed and propagated, so as to obtain the taint data flow path. The device reduces the I/O, time and space overhead of dynamic taint analysis during dynamic execution, supports extended instruction sets, and yields the continuity and association relations of the original taint data.

Description

Dynamic taint analysis device and its application to document format reverse analysis
Technical field
The present invention relates to dynamic taint analysis technology, and in particular to an improved dynamic taint analysis device and the application of that device to grey-box document format reverse analysis.
Background art
The basic idea of taint analysis is to mark all input data as taint data, track the flow path of that taint data while the program executes, and then carry out further analysis on the basis of the flow path.
Taint analysis is usually divided into dynamic taint analysis of binary code and static taint analysis; dynamic taint analysis has been a research hotspot for roughly the past decade.
Existing dynamic taint analysis has two main implementation approaches. The first is based on a whole-system virtual machine, with the taint analysis performed by internal or external plug-in code; examples are the taint analysis module of the TEMU virtual machine from the BitBlaze dynamic analysis project, the Panorama tool based on the QEMU virtual machine, and the efficient Minemu tool, which integrates its own emulator. The second is based on an existing binary instrumentation platform, with instrumentation plug-in code written to track the data flow of a single process; examples are the TaintCheck tool based on the Valgrind platform, the TaintTrace tool and libdft based on the Pin platform, and the TaintReplayer tool based on the DynamoRIO platform.
Implementing dynamic taint analysis on a binary instrumentation platform generally involves two parts: the monitoring part of dynamic execution and the maintenance part of taint data information. The monitoring part concerns run-time logic: it monitors the data input channels to identify the position and size of the original taint, and it tracks the effect of every instruction that touches taint data on the direction of the tainted data flow. The maintenance part concerns run-time storage: before each instruction executes it holds the set of all tainted data currently in memory and registers, and after the instruction executes it updates that set according to the instruction's taint propagation logic. Because these two parts are tightly coupled, existing dynamic taint analysis systems store, update, define and maintain the taint state of all memory and registers (whether each is tainted, and which input bytes it derives from) during the dynamic test itself, and output the taint data flow in one pass after the program finishes.
Because taint analysis reflects comprehensively how a program processes its input data, and implicitly contains the program's semantic information and the type and format of the input data, taint analysis results can be mined further with statistical processing and semantics-based analysis.
Some recent research, both domestic and foreign, builds on taint analysis in this way. For example, protocol format analysis: the format of the network datagram protocol of an application that sends and receives network data is analyzed on the basis of taint analysis results. For another example, the variables present in a binary program's data are mined to obtain their position, type and semantics. For yet another example, a full understanding of the structure of input data and protocols is used to guide the construction of fuzz test inputs, so that fuzzing keeps its randomness while avoiding the weakness that blindly constructed inputs cannot reach the deeper execution paths.
In the course of making the present invention the inventors found that the application of taint analysis results to input structure analysis has so far mostly been limited to the partial information available at taint sinks, namely the specific function parameters involved, without fully exploiting the global path information of taint propagation; the research objects have mainly been comparatively simple proprietary network packet protocols, and for the proprietary file formats that fuzz testing more often faces there are no corresponding results, owing to their complexity and diversity.
In addition, existing dynamic taint analysis technology has several problems of its own:
1. Excessive overhead. Beyond the intrinsic overhead introduced by the binary instrumentation platform, the taint analysis logic must remember the taint propagation state and must instrument and analyze, instruction by instruction, the context state and the values accessed in memory; these introduce a great deal of additional run-time and space overhead. Virtual-machine implementations suffer from low efficiency because of whole-system emulation.
2. Lack of extended instruction set support. To reduce development difficulty, dynamic taint analysis systems tend to translate instructions into an existing intermediate language and analyze that. So far this dependence has meant that no mature dynamic taint analysis system supports analysis of the XMM or SSE family of extended instructions, yet these instructions are precisely the main code with which large commercial software (such as Microsoft Office) processes data.
3. I/O bottleneck. To record taint propagation results, the necessary information is usually written to a log file or database during the test, which involves a large amount of disk I/O and is a very large overhead. If the categories of information recorded in the log are reduced, the path information of dynamic taint tracking can no longer be reconstructed, so the dynamic taint analysis tool loses its usability and its results are not reusable.
Because of these problems in existing dynamic taint analysis and its applications, the inventors, drawing on many years of practical experience and professional knowledge in designing and building such products and applying scientific principles, actively researched and innovated to create a dynamic taint analysis device and its application to file format reverse analysis that solves the problems inherent in existing dynamic taint analysis technology and in existing applications based on taint analysis results, making it more practical. After continuous research and design, and repeated study of samples and improvement, the present invention of practical value was finally created.
Summary of the invention
The object of the present invention is to overcome the problems inherent in existing dynamic taint analysis technology and in existing applications based on taint analysis results, and to provide an improved dynamic taint analysis device and its application to file format reverse analysis. The problems to be solved are: reducing the I/O operations of dynamic taint analysis on storage resources during dynamic execution, reducing time and space overhead, and supporting extended instruction sets; in addition, obtaining the continuity and association relations of the original taint data itself by exploiting the correlation of the dynamic taint data propagation paths in the dynamic taint analysis.
The object of the present invention and the solution of its technical problems can be achieved with the following technical scheme.
A dynamic taint analysis device proposed according to the present invention mainly comprises: a dynamic instrumentation execution logging module, which uses a binary instrumentation platform to invoke and execute the program under test, monitors the opening, parsing and closing of a data file containing original taint data during the execution of the program under test, and obtains from that execution snapshot logs containing the whole instruction stream, the context information and the memory access information of the execution; and a static snapshot parsing taint tracking module, which parses the snapshot logs, simulates a replay of the process from the parsed information, and during the replay records how the original taint data in the data file is processed and propagated, so as to obtain the complete taint data flow path.
The present invention also proposes a file format reverse analysis system based on dynamic taint analysis. The system comprises the dynamic taint analysis device above and further comprises a file format analysis module, which performs data correlation comparison analysis according to the taint data flow path, performs semantics-based segmentation of the format fields of the data file according to the result of that analysis, and extracts the association relations between the segmented fields according to function information and specific instruction information in the program under test.
With the above technical scheme, the dynamic taint analysis device of the present invention and its application to file format reverse analysis have at least the following advantages and beneficial effects: the present invention effectively reduces the I/O operations of dynamic taint analysis on storage resources during dynamic execution, reduces time and space overhead, and fully supports extended instruction sets; in addition, by exploiting the correlation of the dynamic taint data propagation paths, it obtains the continuity and association relations of the original taint data itself, thereby providing a completely new way of reverse-analyzing file formats that applies to proprietary file formats and to file formats whose technical details are not fully public.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be better understood and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention may become more apparent, preferred embodiments are described in detail below.
Brief description of the drawings
Fig. 1 is a schematic diagram of the file format reverse analysis system based on dynamic taint analysis according to an embodiment of the present invention;
Fig. 2 is a flow chart of the operations performed by the dynamic instrumentation execution logging module of the embodiment;
Fig. 3 is a flow chart of the operations performed by the static snapshot parsing taint tracking module of the embodiment;
Fig. 4 is a flow chart of the operations performed by the file format analysis module of the embodiment.
Embodiments
The dynamic taint analysis device proposed by the present invention, its application to file format reverse analysis, and their features are described in detail below with reference to the drawings and embodiments.
The file format reverse analysis system based on dynamic taint analysis of the embodiment is shown in Fig. 1. It mainly comprises the dynamic taint analysis device and the file format analysis module ("File format analysis" at the lower right of Fig. 1); the dynamic taint analysis device in turn mainly comprises two modules, the dynamic instrumentation execution logging module ("Dynamic instrumentation execution logging" at the upper right of Fig. 1) and the static snapshot parsing taint tracking module ("Static snapshot parsing taint tracking" at the right centre of Fig. 1).
The dynamic instrumentation execution logging module mainly uses a binary instrumentation platform (which can be an existing one, such as the various tools built on the Pin platform) to invoke and execute the program under test, and monitors the opening, parsing and closing of the data file, which contains the original taint data, during that execution. The module obtains snapshot logs from the execution. The snapshot logs serve the simulated replay of the process, so they contain all the information needed to replay the process, such as the whole instruction stream of the execution, thread switches and context change information, and memory access information.
The data file may also be called a sample file; it is a file encoded according to a predetermined format standard, and the program under test should parse it without error. In the embodiment, the path of the program under test and the path of the sample file are first correctly specified to the dynamic instrumentation execution logging module; the module can then use the binary instrumentation platform to load and run the program under test and automatically open the sample file.
The static snapshot parsing taint tracking module mainly parses the snapshot logs produced by the dynamic instrumentation execution logging module, simulates a replay of the process from the parsed information, and during the replay records in order how the original taint data in the data file is processed and propagated (reading the original taint information from the data file, performing taint propagation analysis instruction by instruction, and recording the corresponding information as it goes), so as to obtain the complete taint data flow path. Note that these operations are not performed while the dynamic instrumentation execution logging module is executing the program dynamically.
The simulated replay can proceed as follows. From its parsing of the specified snapshot logs, the static snapshot parsing taint tracking module loads the static information of images, basic blocks and instructions to serve as the index of the replay. It then replays the execution flow thread by thread according to each thread's context, reproducing the execution of every instruction. In this process it reads the corresponding taint data (both original taint data and dynamic taint data) from the parsed snapshot logs and loads it, and it maintains taint data sets (for example a set of tainted registers and a set of tainted memory). During the replay the module updates these sets in real time and records the taint data processing chain for each byte of the sample file. When the replay is complete, the module outputs the complete dynamic taint analysis result, which can be output in the form of taint data processing chains.
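The replay loop just described, as an added illustration that is not part of the patent: a Python reimplementation of the offline tracker over a constructed, simplified snapshot log. The log layout, the operand encoding and the propagation rules for mov/add/xor/cmp are assumptions made for the example (the patent does not specify its log format). The point it shows is the one that makes the scheme work: the instrumented run only logged resolved memory addresses, so the taint sets and the per-byte processing chains are computed entirely offline, and an idiom such as xor r,r (a constant result) is handled there as untainting rather than in the instrumented process.

```python
"""Offline replay of a snapshot log: taint propagation is computed after the
run, over the recorded instruction stream and memory-access addresses,
instead of inside the instrumented process."""
from collections import defaultdict

# Constructed snapshot log (not a real tool's format).  "taint_in" mirrors
# the NtReadFile record (buffer address, bytes read, file offset); each "ins"
# entry carries the memory address that the instruction-level callback logged
# at run time.  Operands are ("reg", name) or ("mem", address, size).
SNAPSHOT_LOG = [
    {"ev": "taint_in", "addr": 0x1000, "size": 4, "file_off": 8},
    {"ev": "ins", "seq": 1, "ip": 0x401000, "op": "mov",
     "dst": ("reg", "eax"), "src": ("mem", 0x1000, 2)},   # eax <- file[8:10]
    {"ev": "ins", "seq": 2, "ip": 0x401003, "op": "mov",
     "dst": ("reg", "ecx"), "src": ("mem", 0x1002, 2)},   # ecx <- file[10:12]
    {"ev": "ins", "seq": 3, "ip": 0x401006, "op": "add",
     "dst": ("reg", "eax"), "src": ("reg", "ecx")},       # eax depends on file[8:12]
    {"ev": "ins", "seq": 4, "ip": 0x401008, "op": "xor",
     "dst": ("reg", "ecx"), "src": ("reg", "ecx")},       # xor r,r: constant zero
    {"ev": "ins", "seq": 5, "ip": 0x40100a, "op": "mov",
     "dst": ("mem", 0x2000, 4), "src": ("reg", "eax")},   # store derived value
    {"ev": "ins", "seq": 6, "ip": 0x40100d, "op": "cmp",
     "dst": None, "src": ("mem", 0x2000, 4)},             # branch decided by taint
]


def replay(log):
    """Replay `log` and return (chains, reg_taint, mem_taint).

    chains maps each original file offset to the ordered list of
    (seq, ip, op) dynamic instructions that consumed a value derived from
    it: the per-byte taint data processing chain.  reg_taint/mem_taint are
    the final taint sets (register name or byte address -> file offsets)."""
    reg_taint = defaultdict(set)
    mem_taint = defaultdict(set)
    chains = defaultdict(list)

    def read(opnd):
        if opnd is None:
            return set()
        if opnd[0] == "reg":
            return set(reg_taint[opnd[1]])
        _, addr, size = opnd
        return set().union(*(mem_taint[addr + i] for i in range(size)))

    def write(opnd, taint):
        if opnd[0] == "reg":
            reg_taint[opnd[1]] = set(taint)
        else:
            _, addr, size = opnd
            for i in range(size):
                mem_taint[addr + i] = set(taint)

    for rec in log:
        if rec["ev"] == "taint_in":
            # Original taint: byte i of the buffer is file offset file_off + i.
            for i in range(rec["size"]):
                mem_taint[rec["addr"] + i] = {rec["file_off"] + i}
            continue
        op, src, dst = rec["op"], rec["src"], rec["dst"]
        if op == "xor" and src == dst:
            write(dst, set())        # result is a constant, not data-dependent
            continue
        src_t = read(src)
        dst_t = read(dst) if op != "mov" else set()   # mov overwrites dst
        for off in sorted(src_t | dst_t):
            chains[off].append((rec["seq"], rec["ip"], op))
        if op == "mov":
            write(dst, src_t)
        elif op in ("add", "sub", "and", "or", "xor"):
            write(dst, src_t | dst_t)
        # cmp/test: no data result, only the use is recorded
    return dict(chains), dict(reg_taint), dict(mem_taint)


if __name__ == "__main__":
    chains, regs, _ = replay(SNAPSHOT_LOG)
    for off in sorted(chains):
        print(f"file[{off}]: " + " -> ".join(f"{seq}:{ip:#x} {op}" for seq, ip, op in chains[off]))
```

Run as a script it prints one processing chain per file byte; bytes 8 and 9 flow through instructions 1, 3, 5, 6 and bytes 10 and 11 through 2, 3, 5, 6, while instruction 4 appears in no chain. Because propagation is decided here rather than by the instrumentation platform's intermediate language, supporting the XMM/SSE instructions the background section mentions would, in this structure, mean adding the XMM register names and 16-byte operands to read and write; that reading is the editor's, the patent does not describe its replay engine at this level.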
The file format analysis module mainly performs data correlation comparison analysis on the taint data flow path produced by the static snapshot parsing taint tracking module, performs semantics-based segmentation of the format fields of the data file according to the result, and then extracts the association relations between the segmented fields (such as the field type of each field in the sample file) according to function information and specific instruction information in the program under test.
That is, the file format analysis module determines the semantic information of the taint data flow path from the specified dynamic taint analysis result, uses that semantic information to compute the similarity of each pair of adjacent bytes in the sample file, and then finds the minimum points among all the pairwise similarities; these minimum points are the file field boundaries at which the file is to be segmented. On this basis, several pattern inferences can be carried out over all fields of the sample file to check which of the patterns match specific field types, so that meaningful fields can be identified among the segmented fields according to those patterns, and typical field association relations can then be inferred from these meaningful fields.
By executing the above three modules in sequence, a semantics-based structure recovery of the format of a given sample file can be carried out. In addition, by repeatedly choosing sample files of the same type with different content, and choosing different programs under test that parse that type of sample file, as comprehensive an analysis as possible of that file format (the file format to which the sample file belongs) can be obtained.
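The segmentation and pattern inference steps above, as an added example written for this page and not taken from the patent. The patent names neither the similarity metric nor the field-type patterns, so the choices here are assumptions: similarity is the Jaccard index over the set of instruction addresses in each byte's processing chain, a boundary is a local minimum of that curve below an assumed 0.5 threshold, and the two patterns checked are "little-endian value equals the size of the next field" and "value equals the start of a later field". The 12-byte sample file and its per-byte chains are constructed; the chains are what the replay tracker would emit.

```python
"""Field-boundary segmentation from per-byte taint processing chains, followed
by a simple field-relation inference.  All input below is constructed."""

# Constructed 12-byte sample: 4-byte magic, 2-byte little-endian length, payload.
SAMPLE_FILE = bytes.fromhex("52494646" "0600" "48656c6c6f21")   # "RIFF", 6, "Hello!"

# Constructed per-byte chains: the instruction addresses that consumed data
# derived from each file offset (what the replay tracker would emit).
_MAGIC = [0x401000, 0x401010, 0x401013]      # all four bytes hit one compare
_LEN = [0x401020, 0x401024, 0x401030]        # 16-bit load, used as a loop bound
_BODY = [0x401040, 0x401044]                 # byte copy loop
CHAINS = {i: _MAGIC for i in range(0, 4)}
CHAINS.update({i: _LEN for i in range(4, 6)})
CHAINS.update({i: _BODY for i in range(6, 12)})
CHAINS[11] = _BODY + [0x401050]              # last byte also passes a terminator check


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def adjacent_similarity(chains, n):
    """Similarity of the processing chains of bytes i and i+1, for i in 0..n-2."""
    return [jaccard(chains.get(i, ()), chains.get(i + 1, ())) for i in range(n - 1)]


def boundaries(sims, threshold=0.5):
    """Indices i such that a field boundary lies between byte i and i+1.

    A boundary is a local minimum of the similarity curve; `threshold` is an
    added guard (assumption, not from the patent) so that a small dip such as
    the extra check on the last payload byte does not split off a one-byte
    field."""
    out = []
    for i, s in enumerate(sims):
        left = sims[i - 1] if i > 0 else 1.0
        right = sims[i + 1] if i + 1 < len(sims) else 1.0
        if s < threshold and s <= left and s <= right:
            out.append(i)
    return out


def segment(n, bounds):
    """Turn boundary indices into [start, end) field ranges covering n bytes."""
    fields, start = [], 0
    for b in bounds:
        fields.append((start, b + 1))
        start = b + 1
    fields.append((start, n))
    return fields


def infer_relations(data, fields):
    """Assumed patterns for meaningful fields: a 1/2/4-byte little-endian field
    whose value equals the size of the next field is a length field; one whose
    value equals the start of a later field is an offset field."""
    starts = [s for s, _ in fields]
    rels = []
    for idx, (s, e) in enumerate(fields):
        if e - s not in (1, 2, 4):
            continue
        val = int.from_bytes(data[s:e], "little")
        if idx + 1 < len(fields) and val == fields[idx + 1][1] - fields[idx + 1][0]:
            rels.append((idx, "length_of", idx + 1))
        elif val > e and val in starts:
            rels.append((idx, "offset_to", starts.index(val)))
    return rels


def analyze(data, chains):
    """Segment `data` by its taint chains and infer field relations."""
    sims = adjacent_similarity(chains, len(data))
    fields = segment(len(data), boundaries(sims))
    return fields, infer_relations(data, fields)


if __name__ == "__main__":
    fields, rels = analyze(SAMPLE_FILE, CHAINS)
    for i, (s, e) in enumerate(fields):
        print(f"field {i}: [{s}:{e}] {SAMPLE_FILE[s:e]!r}")
    print("relations:", rels)
```

On this input the similarity curve drops to 0 between bytes 3 and 4 and between bytes 5 and 6, giving the fields [0:4], [4:6] and [6:12], and the value 6 in the second field matches the size of the third, so the module reports it as a length field. The dip to 2/3 before the last byte is left alone by the threshold; without such a guard, any byte that receives one extra check would become a field of its own, which is the failure mode to watch for when the chains come from a real parser.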
The present invention refers to the file format of the sample file as a grey-box file format. A grey-box file format is one whose internal file structure is not concretely and publicly standardized and can only be obtained from the specific binary program that parses it. Such file formats are usually the proprietary formats adopted by commercial software: they are used only by a specific binary program, are not standardized as a specification, or deliberately hide the internal structure of the file for protective purposes. In addition, a file format that has only a coarse-grained public description, but whose concrete parsing nevertheless requires a finer-grained analysis of the format, also falls within the category of grey-box file formats.
As can be seen from the above, the file format reverse analysis system based on dynamic taint analysis provided by the embodiment can also be called a grey-box file format reverse analysis system based on an offline dynamic taint analysis framework.
It should also be noted that the program under test in the embodiment can be an application with its own file parsing capability on the Windows operating system platform, and the device and system provided by the embodiment can be applied on Windows; the device and system can of course also be applied on other operating system platforms.
The operations performed by the dynamic instrumentation execution logging module, the static snapshot parsing taint tracking module and the file format analysis module are described in further detail below with reference to Figs. 2-4.
The operation flow of the dynamic instrumentation execution logging module is shown in Fig. 2.
The flow in Fig. 2 mainly comprises the following four steps:
Step 2-1: after the program under test is loaded, instrument the binary images of the whole process. Specifically, the dynamic instrumentation execution logging module uses the API (application programming interface) to register a callback at the load point of every binary image module of the program under test; it records the name and path of the image, the sequence number that Pin assigns to the image, and the low and high addresses at which the image is loaded in memory, and it records this information in the third snapshot log. This step is performed by the executable image monitoring unit of the module.
Step 2-2: instrument the system calls of the whole process. Specifically, the module inserts a callback at every system call entry and checks the system call number to determine the type of the call. If the call is of a file-operation type, it reads the call's parameters to check whether the call accesses the specified sample file (opening the sample file, reading from it, adjusting its file pointer, closing it, and so on), and if so records the operation. Further, if the call reads from the specified sample file, the module also records the information introduced by the original taint data and starts TRACE instrumentation. The introduced information is the position information with which the original taint data is loaded into memory, and can include the memory address storing the original taint data, the size of that memory, and the offset of the original taint data in the data file. This information can be stored in the second snapshot log. This step is performed by the system call function monitoring unit of the module.
Step 2-3: at the entry of each TRACE, traverse all basic blocks of the code in the TRACE, instrument every basic block accessed in sequence, assign each basic block accessed a unique sequence number identifying its order, and record the static information of every basic block accessed; the static information can include the sequence number of the basic block, the image it belongs to and the function it belongs to. This information can be recorded in the first snapshot log. This step is performed by the basic block granularity recording and indexing unit of the module.
Step 2-4: in the basic block instrumentation function, traverse all instructions of the basic block and determine whether the block contains instructions of memory-access or conditional-execution type. If it does, insert a callback at each such instruction so that, when it subsequently executes, its run-time information can be recorded: for memory-access instructions, the address that is read or written; for conditional-execution instructions, whether the condition was actually taken. This information can be stored in the second snapshot log. This step is performed by the instruction granularity execution information recording unit of the module.
Concrete, above-mentioned steps 2-2 can be refined as following steps again:
Dynamically pitching pile executive logging module (as system call function monitoring unit) is carried out pitching pile to the entrance and exit of all operations system call function, and at the call number of porch decision operation system call function;
If call number is NtCreateFi1e, dynamically pitching pile executive logging module (as system call function monitoring unit) judges whether the filename in the suction parameter of call function is the sample file name of appointment, if the sample file name of appointment, the file object handle spread out of in outlet parameter is recorded in the exit of this operating system call function, this document object handle is stored in the activity file handle queue of internal memory;
If the call number is NtReadFile, the dynamic instrumentation execution logging module (acting as the system call monitoring unit) checks whether the file object handle passed in the input parameters is one that was stored earlier (that is, a file object handle held in the active file handle queue in memory). If it is, the module records, from the input parameters, the buffer address into which the original taint data will be read and the offset within the data file at which that read starts, and at the call's exit it records the number of bytes actually read from the data file, as returned in the output parameters. The buffer address, the file offset and the byte count are all written to the second snapshot log. Together the offset and the byte count identify exactly which bytes of the data file now sit in that buffer, which is what the replay stage later needs in order to label them as original taint data.
If the call number is NtSetInformationFile, the module (as the system call monitoring unit) likewise checks whether the file object handle in the input parameters is a stored handle; if so, it adjusts the file read offset that it tracks for that handle (in the NT API this is the FilePositionInformation class, which moves the file pointer), so that later reads through the handle are attributed to the correct file offset.
If the call number is NtCreateSection, the module (as the system call monitoring unit) checks whether the file object handle in the input parameters is a stored handle; if so, at the exit it records the memory-mapping (section) object handle returned in the output parameters and stores it in the active file memory-mapping object queue in memory.
If the call number is NtMapViewOfSection, the module (as the system call monitoring unit) checks whether the memory-mapping object handle in the input parameters is one stored earlier (that is, a handle held in the active file memory-mapping object queue in memory); if so, it records the base address of the mapped view, the length of the mapping and the corresponding file offset, and writes these to the second snapshot log. A mapped view brings file bytes into memory without any NtReadFile call, so this record is what keeps parsers that use memory-mapped I/O covered.
If the call number is NtUnmapViewOfSection, the module (as the system call monitoring unit) checks whether the memory-mapping object handle in the input parameters is a stored handle; if so, it deletes that record (the stored memory-mapping object handle) from the active file memory-mapping object queue.
If the call number is NtClose, the module (as the system call monitoring unit) checks whether the file object handle in the input parameters is a stored handle; if so, it deletes that record (the stored file object handle) from the active file handle queue. Handle values are reused by the kernel after a close, so removing the stale entry prevents an unrelated file opened later under the same value from being mistaken for the sample.
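The handle bookkeeping of the system call monitoring unit described above (and restated in claim 3), as an added Python simulation that is not the patent's code: instead of hooking the NT system-call entry and exit with a binary instrumentation platform, it replays a constructed trace of calls with their input and output parameters, so the two-phase logic (decide at entry from input parameters, record at exit from output parameters) and the handle-reuse problem can be followed end to end. The sample file name, handle values, addresses and the record layout of the second snapshot log are all assumptions.

```python
"""Simulation of the system-call monitoring unit (added example, not the patent's code)."""
from dataclasses import dataclass, field

SAMPLE_NAME = "sample.doc"   # assumed name of the designated sample file


@dataclass
class SyscallMonitor:
    active_handles: dict = field(default_factory=dict)  # file handle -> tracked read offset
    active_sections: set = field(default_factory=set)   # section handles backed by the sample
    log: list = field(default_factory=list)             # stand-in for the second snapshot log
    _pending: dict = field(default_factory=dict)        # decisions taken at entry, used at exit

    def entry(self, call, args):
        """Entry hook: only the input parameters are valid here."""
        if call == "NtCreateFile":
            tracked = args["name"] == SAMPLE_NAME
        elif call in ("NtReadFile", "NtSetInformationFile", "NtCreateSection", "NtClose"):
            tracked = args["handle"] in self.active_handles
        elif call in ("NtMapViewOfSection", "NtUnmapViewOfSection"):
            tracked = args["section"] in self.active_sections
        else:
            tracked = False
        self._pending = {"tracked": tracked}
        if not tracked:
            return
        if call == "NtReadFile":
            # The bytes about to be read start at the offset tracked for this handle.
            self._pending["offset"] = self.active_handles[args["handle"]]
        elif call == "NtSetInformationFile":
            # FilePositionInformation moves the file pointer: adjust the tracked offset.
            self.active_handles[args["handle"]] = args["position"]
        elif call == "NtUnmapViewOfSection":
            self.active_sections.discard(args["section"])
        elif call == "NtClose":
            # Handle values are reused after close; drop the entry so an unrelated
            # file opened later under the same value is not mistaken for the sample.
            del self.active_handles[args["handle"]]

    def exit(self, call, args, ret):
        """Exit hook: output parameters (new handles, byte counts, view bases) are valid here."""
        if not self._pending.get("tracked"):
            return
        if call == "NtCreateFile":
            self.active_handles[ret["handle"]] = 0
        elif call == "NtReadFile":
            offset, n = self._pending["offset"], ret["bytes_read"]
            self.log.append(("read", args["buffer"], offset, n))   # buffer, file offset, length
            self.active_handles[args["handle"]] = offset + n
        elif call == "NtCreateSection":
            self.active_sections.add(ret["section"])
        elif call == "NtMapViewOfSection":
            self.log.append(("map", ret["base"], ret["size"], args["file_offset"]))


def run_demo():
    """Constructed call trace: (call, input parameters, output parameters)."""
    m = SyscallMonitor()
    trace = [
        ("NtCreateFile", {"name": "other.dll"}, {"handle": 0x40}),
        ("NtCreateFile", {"name": SAMPLE_NAME}, {"handle": 0x44}),
        ("NtReadFile", {"handle": 0x44, "buffer": 0x1000}, {"bytes_read": 16}),
        ("NtReadFile", {"handle": 0x40, "buffer": 0x3000}, {"bytes_read": 16}),   # not the sample
        ("NtSetInformationFile", {"handle": 0x44, "position": 64}, {}),
        ("NtReadFile", {"handle": 0x44, "buffer": 0x1010}, {"bytes_read": 8}),    # short read
        ("NtCreateSection", {"handle": 0x44}, {"section": 0x58}),
        ("NtMapViewOfSection", {"section": 0x58, "file_offset": 0}, {"base": 0x20000, "size": 4096}),
        ("NtUnmapViewOfSection", {"section": 0x58}, {}),
        ("NtClose", {"handle": 0x44}, {}),
        ("NtCreateFile", {"name": "other.tmp"}, {"handle": 0x44}),   # handle value reused
        ("NtReadFile", {"handle": 0x44, "buffer": 0x5000}, {"bytes_read": 16}),
    ]
    for call, args, ret in trace:
        m.entry(call, args)
        m.exit(call, args, ret)
    return m


if __name__ == "__main__":
    for rec in run_demo().log:
        print(rec)
```

The trace ends with the sample's handle value being reissued to another file; because NtClose removed the entry, the final read is not logged. A real NtReadFile also accepts an optional explicit ByteOffset argument, which should take precedence over the tracked position when it is supplied.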
Concretely, step 2-3 above can be refined into the following steps:
Step 2-3-1: the dynamic instrumentation execution logging module (as the basic block granularity recording and indexing unit) sets up a buffer for each thread. The buffer records the runtime information of the basic block the thread is currently executing; the information is kept as a queue, and every basic block runtime record begins with the thread number.
Step 2-3-2: when a basic block starts executing, the unit updates the basic block sequence number in the buffer of the corresponding thread.
Step 2-3-3: when the basic block finishes executing, the unit writes the current thread number and all buffered information to the first snapshot log, and empties the queue holding the thread's runtime information.
Concretely, step 2-4 above can be refined into the following steps:
While each instruction of the basic block executes, if the instruction has an instrumentation callback, the dynamic instrumentation execution logging module (as the instruction granularity execution information recording unit) records the runtime information of the corresponding thread (dynamic information such as the memory address the instruction accesses); this information is stored in the second snapshot log.
If the instrumented instruction reads or writes memory and the accessed address lies outside the thread's stack range, or the instruction is the first one in its basic block to access the thread stack, the unit records the full memory address in the second snapshot log.
If the accessed address lies within the thread's stack range and the instruction is not the first in its basic block to access the stack, the unit records only the offset of the accessed address relative to the address of the block's first stack access. Stack addresses touched within one block cluster tightly, so this keeps the log compact.
If the instrumented instruction is a conditional set (SETcc) or conditional move (CMOVcc), the unit records in the second snapshot log whether the instruction actually took effect; if memory was accessed, the access address is recorded alongside. (Note that on x86 a CMOVcc with a memory source reads that operand even when the condition is false, so the address is worth logging regardless and the executed flag is what decides whether taint propagates.)
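The basic block buffering of steps 2-3-1 to 2-3-3 and the address compaction of step 2-4, as an added Python example that is not the patent's code. It records a constructed sequence of memory accesses for one thread, emitting full addresses for non-stack accesses and for the first stack access in each block and offsets for the rest, and then shows the replay side restoring the absolute addresses from the compact records. The thread stack range, the addresses and the record tuples are assumptions.

```python
"""Basic-block and instruction granularity recording with stack-relative offsets
(added example, not the patent's code)."""


class BlockRecorder:
    def __init__(self, stack_ranges):
        self.stack = stack_ranges     # thread id -> (low, high) of its stack, assumed known
        self.buffers = {}             # thread id -> records for the block being executed
        self.first_stack = {}         # thread id -> first stack address touched in this block
        self.log = []                 # records flushed when each block ends

    def block_start(self, tid, bb_seq):
        # Step 2-3-2: refresh the block sequence number in the thread's buffer.
        self.buffers[tid] = [("bb", bb_seq)]
        self.first_stack.pop(tid, None)

    def mem_access(self, tid, addr):
        lo, hi = self.stack[tid]
        if not (lo <= addr < hi):
            self.buffers[tid].append(("abs", addr))      # non-stack: full address
        elif tid not in self.first_stack:
            self.first_stack[tid] = addr                # first stack access: full address
            self.buffers[tid].append(("abs", addr))
        else:
            self.buffers[tid].append(("rel", addr - self.first_stack[tid]))  # later: offset

    def cond_instr(self, tid, executed, addr=None):
        # SETcc / CMOVcc: whether it took effect, plus the address if it touched memory.
        self.buffers[tid].append(("cc", executed))
        if addr is not None:
            self.mem_access(tid, addr)

    def block_end(self, tid):
        # Step 2-3-3: flush thread number and buffered records, then clear the buffer.
        self.log.append((tid, self.buffers.pop(tid)))
        self.first_stack.pop(tid, None)


def restore_addresses(log, stack_ranges):
    """Replay side: turn compact records back into absolute addresses per block."""
    out = []
    for tid, recs in log:
        lo, hi = stack_ranges[tid]
        base, addrs = None, []
        for kind, val in recs:
            if kind == "abs":
                addrs.append(val)
                if base is None and lo <= val < hi:
                    base = val                  # anchor for the block's relative records
            elif kind == "rel":
                addrs.append(base + val)
        out.append((tid, recs[0][1], addrs))
    return out


STACKS = {1: (0x7FF00000, 0x7FF10000)}          # constructed stack range of thread 1


def run_demo():
    r = BlockRecorder(STACKS)
    r.block_start(1, 7)
    r.mem_access(1, 0x401000)                    # global data: absolute
    r.mem_access(1, 0x7FF0FF00)                  # first stack access: absolute
    r.mem_access(1, 0x7FF0FF08)                  # +8
    r.mem_access(1, 0x7FF0FEF8)                  # -8
    r.cond_instr(1, executed=False)              # CMOVcc whose condition was false
    r.cond_instr(1, executed=True, addr=0x7FF0FF10)   # SETcc storing to the stack: +16
    r.block_end(1)
    r.block_start(1, 8)
    r.mem_access(1, 0x7FF0FE00)                  # new block: the anchor starts over
    r.block_end(1)
    return r.log, restore_addresses(r.log, STACKS)


if __name__ == "__main__":
    for block in run_demo()[1]:
        print(block)
```

Because the anchor is reset at every block boundary, a relative record can be decoded with nothing but the records of its own block, which is what lets the replay stage process the log one basic block at a time.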
In embodiments of the invention, the basic block granularity recording and indexing unit, the instruction granularity execution information recording unit and the system call monitoring unit of the dynamic instrumentation execution logging module deliver their snapshot records to the first and second snapshot logs through memory-mapped files. The capacity limit of each snapshot log is raised step by step by dynamically growing the number of mapped pages, and when the instrumented recording ends each snapshot log is truncated to its actual data size.
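A memory-mapped snapshot log of the kind just described, as an added Python example (not the patent's code): records are written through a mapping rather than through write calls, the mapping is regrown by whole pages whenever it fills, and the file is truncated to the bytes actually written at the end. The doubling growth policy, the fixed-size record layout and the file name are assumptions.

```python
"""Memory-mapped log that grows by pages and is truncated to its real size
(added example, not the patent's code)."""
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE


class MappedLog:
    def __init__(self, path, pages=1):
        self.fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)
        self.capacity = 0        # bytes currently mapped
        self.used = 0            # bytes actually written
        self.mm = None
        self.growths = []        # capacity after each (re)mapping, for inspection
        self._grow(pages)

    def _grow(self, pages):
        # Remap with more pages: extend the backing file first, then map the new length.
        if self.mm is not None:
            self.mm.flush()
            self.mm.close()
        self.capacity += pages * PAGE
        os.ftruncate(self.fd, self.capacity)
        self.mm = mmap.mmap(self.fd, self.capacity)
        self.growths.append(self.capacity)

    def append(self, record):
        while self.used + len(record) > self.capacity:
            self._grow(self.capacity // PAGE)      # double the mapped region (assumed policy)
        self.mm[self.used:self.used + len(record)] = record
        self.used += len(record)

    def close(self):
        # End of recording: shrink the file to the bytes actually written.
        self.mm.flush()
        self.mm.close()
        os.ftruncate(self.fd, self.used)
        os.close(self.fd)
        return self.used


def run_demo(records=3000, size=32):
    path = os.path.join(tempfile.mkdtemp(), "snapshot2.log")
    log = MappedLog(path)
    for i in range(records):
        # Constructed fixed-size record: a 4-byte sequence number padded to `size` bytes.
        log.append(i.to_bytes(4, "little") + b"\0" * (size - 4))
    written = log.close()
    return written, os.path.getsize(path), log.growths


if __name__ == "__main__":
    print(run_demo())
```

Growing by remapping keeps the writer free of per-record system calls; the cost moves to the few remap events, which is why the capacity is doubled rather than extended by one page at a time.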
The operating process carried out by the static snapshot parsing taint tracking module is shown in Figure 3.
The process shown in Figure 3 mainly comprises the following three steps:
Step 3-1: the static snapshot parsing taint tracking module parses the first and third snapshot logs to obtain the corresponding static information (for example the process static information), and from it constructs the corresponding process, thread, basic block and instruction objects and the operand-type containers that hold the static information. The process static information mainly comprises the image list, the basic block list and the per-instruction assembly code list. The operation of this step is carried out by the static information loading unit of the module.
Step 3-2: the module parses the second snapshot log, reconstructs from the obtained information the complete dynamic execution of the program under test, and determines from the dynamic execution information and the instruction type how each instruction accesses and modifies memory and registers. The operation of this step is carried out by the dynamic process replay unit of the module.
Step 3-3: the module maintains the taint data set. During process replay it decides, from the data flow of each instruction, whether dynamic taint data is accessed, propagated or eliminated; if so, it updates the taint data set and records, for each byte of the data file, how that byte was accessed, propagated and eliminated as taint data during the replay. The taint data set mainly comprises: the real-time taint state of the registers, the memory addresses and lengths at which dynamic taint data is stored, and the offset within the data file of the original taint data to which each piece of stored dynamic taint data corresponds. Updating the taint data set means: for taint data load and unload events and for basic block execution events, performing the data insertion and elimination operations directly on the set. The operation of this step is carried out by the taint data set recording and propagation tracking unit of the module.
In step 3-3 above, the detailed procedure for updating the taint data set on a basic block execution event can be refined into the following steps:
Step 3-3-1: read the thread number in the record and switch the virtual register state to the previously stored context of that thread;
Step 3-3-2: index the static information of the basic block and load its instruction list;
Step 3-3-3: go through the instructions of the list in order and judge each by its instruction type:
If the instruction has an explicit memory operand or performs an implicit memory access, pop the corresponding record from the recorded runtime information queue of the current thread and restore the memory read/write address from it;
If the instruction accesses taint data, determine the direction in which the corresponding taint data propagates and update the taint data set accordingly;
If the instruction is an LEA, further check whether its source operand is memory holding taint data (taint memory for short); if it is, the instruction takes the address of taint data, i.e. a pointer assignment, and a separate record is made;
If the instruction is a CMP and the following conditional jump (Jcc) shows that the comparison succeeded, further check whether the source operand is taint data; if it is, check whether the destination operand is an immediate constant, a constant belonging to some binary image, or memory in a global variable data segment (.data section). If any of these holds, the comparison is a data validation check, the taint data involved is a constant field, and a separate record is made;
If the instruction is the entry instruction of the entry basic block of the memset, memcpy or SetFilePointer function, use the thread stack addresses accessed by the instruction, the push order of the function's parameters and their sizes to determine the stack address holding the parameter that expresses a length or an offset; if that address holds taint data, the parameter is a field serving as the length (or offset) of taint data, and a separate record is made.
Step 3-3-4: the taint data access operations are recorded in the output document of the taint data flow path (the output log). Every byte of the sample file has a corresponding line in this log; each line lists all operations the program under test performed on that byte, and these records together form the byte's taint data processing chain. When a new record is added to the log it is appended as a node at the end of that chain. The information carried by a node comprises: the basic block number (the sequence number of the basic block containing the instruction the node refers to), a timestamp (which can be expressed as the sequence number of the basic block being executed within the whole process execution record), the binary image number (the sequence number of the binary image containing the basic block) and the instruction offset (the offset of the instruction relative to the file header of that binary image file).
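The replay-side taint tracking of steps 3-1 to 3-3-4, as an added Python example that is not the patent's code. It condenses the per-instruction semantics the text and claim 6 describe: memory bytes and registers carry sets of file offsets (multi-label), copies replace labels, arithmetic merges them with the target's existing labels, an empty source eliminates taint, and the LEA, CMP-plus-Jcc and memcpy/memset/SetFilePointer cases emit the separate records that the format analysis consumes. The operand encoding, the instruction trace, the stack layout of call arguments and the static information attached to each node (bb, ts, img, off) are all constructed; the zeroing-idiom rule (xor/sub of a register with itself) is a refinement added here that the page does not mention.

```python
"""Replay-side taint tracking over a constructed trace (added example, not the patent's code)."""
from collections import defaultdict

ARITH = {"add", "sub", "and", "or", "xor", "shl", "shr", "imul"}
COPY = {"mov", "movzx"}
LENGTH_PARAM = {"memcpy": 2, "memset": 2, "SetFilePointer": 1}   # index of the length/offset argument


class TaintReplay:
    def __init__(self):
        self.reg = {}                    # register -> set of file offsets
        self.mem = {}                    # byte address -> set of file offsets
        self.chain = defaultdict(list)   # file offset -> processing-chain nodes (bb, ts, img, off)
        self.records = []                # separate records: constant / length / offset / pointer
        self._cmp = None                 # pending CMP awaiting its Jcc

    def load(self, buf, file_off, n):
        """Taint source: an NtReadFile record (buffer address, file offset, byte count)."""
        for i in range(n):
            self.mem[buf + i] = {file_off + i}

    def labels(self, opnd):
        if opnd[0] == "reg":
            return set(self.reg.get(opnd[1], ()))
        if opnd[0] == "mem":
            return set().union(*(self.mem.get(opnd[1] + i, ()) for i in range(opnd[2])))
        return set()                     # immediates carry no taint

    def write(self, opnd, labels):
        if opnd[0] == "reg":
            self.reg[opnd[1]] = set(labels)
        elif opnd[0] == "mem":
            for i in range(opnd[2]):
                if labels:
                    self.mem[opnd[1] + i] = set(labels)
                else:
                    self.mem.pop(opnd[1] + i, None)          # taint eliminated

    def step(self, ins):
        node = (ins["bb"], ins["ts"], ins["img"], ins["off"])
        op = ins["op"]
        src = self.labels(ins["src"]) if "src" in ins else set()
        touched = set(src)
        if op in COPY or op in ARITH:
            old = self.labels(ins["dst"])
            if op in ("xor", "sub") and ins["src"] == ins["dst"]:
                new = set()              # zeroing idiom (added refinement): result is a constant
            elif op in ARITH:
                new = old | src          # arithmetic keeps the target's labels and merges the source's
            else:
                new = src                # a copy replaces them; an untainted source clears the target
            touched |= old | new
            self.write(ins["dst"], new)
        elif op == "lea":
            if src:                      # address of tainted bytes taken: pointer assignment
                self.records.append(("pointer", frozenset(src)))
            self.write(ins["dst"], set())
        elif op == "cmp":
            other = ins["dst"]
            const = other[0] == "imm" or (other[0] == "mem" and len(other) > 3 and other[3] == "global")
            self._cmp = (src, const)
        elif op == "jcc":
            if self._cmp and ins["taken"] and self._cmp[0] and self._cmp[1]:
                self.records.append(("constant", frozenset(self._cmp[0])))   # validated against a constant
            self._cmp = None
        elif op == "call" and ins["fn"] in LENGTH_PARAM:
            # Stack slot of the length/offset argument (assumed: 4-byte arguments pushed right to left).
            lab = self.labels(("mem", ins["params"][LENGTH_PARAM[ins["fn"]]], 4))
            if lab:
                kind = "offset" if ins["fn"] == "SetFilePointer" else "length"
                self.records.append((kind, ins["fn"], frozenset(lab)))
            touched |= lab
        for lab in touched:
            self.chain[lab].append(node)


def run_demo():
    r = TaintReplay()
    r.load(0x1000, 0, 16)                # 16 bytes of the sample file read into 0x1000
    STK = 0x7FF0FF00                     # constructed stack slots for call arguments
    trace = [
        dict(op="mov",   dst=("reg", "eax"), src=("mem", 0x1000, 4)),
        dict(op="cmp",   dst=("imm", 0xD0CF11E0), src=("reg", "eax")),
        dict(op="jcc",   taken=True),
        dict(op="movzx", dst=("reg", "ecx"), src=("mem", 0x1004, 2)),
        dict(op="mov",   dst=("mem", STK + 8, 4), src=("reg", "ecx")),
        dict(op="call",  fn="memcpy", params=[STK, STK + 4, STK + 8]),
        dict(op="mov",   dst=("reg", "edx"), src=("mem", 0x1008, 4)),
        dict(op="add",   dst=("reg", "edx"), src=("mem", 0x100C, 4)),
        dict(op="lea",   dst=("reg", "esi"), src=("mem", 0x1008, 4)),
        dict(op="xor",   dst=("reg", "edx"), src=("reg", "edx")),
        dict(op="mov",   dst=("mem", 0x2000, 4), src=("reg", "edx")),
    ]
    for ts, ins in enumerate(trace):
        ins.update(bb=ts // 4, ts=ts, img=0, off=0x1000 + 5 * ts)   # constructed static info
        r.step(ins)
    return r
```

Running the trace yields a constant record for file bytes 0 to 3 (compared against an immediate before a taken jump), a length record for bytes 4 to 5 (they reach the third argument slot of memcpy), a pointer record for bytes 8 to 11 (their address is taken by LEA), and a multi-label register holding bytes 8 to 15 after the add, which the xor then clears so that nothing tainted reaches 0x2000.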
The operating process carried out by the file format analysis module is shown in Figure 4.
The process shown in Figure 4 mainly comprises the following steps:
Step 4-1: the file format analysis module (as the file field cutting unit) loads the static information on images, basic blocks and instructions recorded by the dynamic instrumentation execution logging module, for indexing, and loads the taint data flow path generated by the static snapshot parsing taint tracking module, i.e. the taint data processing chains;
Step 4-2: the file field cutting unit takes, in order, the taint data processing chains of every pair of adjacent bytes of the sample file, and computes the node similarity of every pair of nodes drawn from the two chains;
Step 4-3: the file field cutting unit sums the similarities of all node pairs of the two bytes' chains and divides the sum by the product of the two chain lengths, obtaining the average node similarity, i.e. the byte taint data processing chain similarity;
Step 4-4: from these similarities the file field cutting unit computes, for every adjacent-byte pair except the first and the last, the ratio of its similarity to that of the preceding pair and to that of the following pair, obtaining an overall forward ratio sequence and backward ratio sequence; dividing by the neighbours normalizes away the absolute scale. The unit then applies a threshold test: for example, if at the same position the values of both ratio sequences are below 0.75, that position is a local minimum of the similarity curve and the byte pair is the cut point between two file fields. This completes the file field segmentation;
Step 4-5: the file format analysis module (as the field association pattern inference unit) uses the separate records of the taint analysis to find the fields containing bytes whose taint was compared against a constant by a CMP instruction with a successful result, and marks them as constant fields, i.e. fields whose value is fixed or lies within a certain set of values;
Step 4-6: the field association pattern inference unit uses the separate records to find the fields containing bytes whose taint reached the length parameter of memset or memcpy, and marks them as length fields; such a field is an integer giving the length of the taint data field stored in the source buffer these functions point to;
Step 4-7: the field association pattern inference unit uses the separate records to find the fields containing bytes whose taint reached the offset parameter of SetFilePointer, and marks them as offset fields; such a field is an integer giving the offset within the file of the data field that will subsequently be read, as taint data, into the destination buffer the function points to;
Step 4-8: the field association pattern inference unit uses the separate records to find the fields containing bytes on which an LEA instruction performed a pointer assignment (taking the address of taint data). Such a pointer assignment is characteristic of the first byte of the starting field of a relatively large file sub-structure (a group of file fields), so the field can be marked as the starting field of a potential large data structure.
Concretely, the node similarity calculation of step 4-2 is in fact a scoring process based on semantic information, with a maximum score of 1.0; this scoring can be refined into the following steps:
Step 4-2-1: the file field cutting unit checks whether the timestamps of the two nodes are identical;
Step 4-2-2: if the timestamps are identical, it checks whether the instructions the two nodes process are the same: the same instruction scores 1.0, different instructions score 0.9. If the timestamps differ, the score is accumulated from sub-items: if the two timestamps lie within a certain threshold of each other, 0.2 is added; and in this case step 4-2-3 is also carried out;
Step 4-2-3: the file field cutting unit continues the accumulation by checking whether the instructions processed by the two nodes belong to the same function; if they do, it checks whether they belong to the same basic block: if not, 0.1 is added; if they do, it checks whether they are the same instruction: a different instruction adds 0.2, the same instruction adds 0.5.
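The segmentation and typing procedure of steps 4-2 to 4-8, with the node scoring of steps 4-2-1 to 4-2-3, as an added Python example that is not the patent's code. The scoring weights follow the steps as read here, the chain similarity is the normalized sum of step 4-3, the cut test uses the forward/backward ratio of step 4-4 together with the second, absolute threshold of claim 9, and field typing consumes separate records of the kind the replay stage emits. The processing chains for a 12-byte sample, the timestamp-closeness threshold, the 0.5 absolute threshold and the record contents are all constructed.

```python
"""Field segmentation and typing over per-byte taint processing chains
(added example, not the patent's code)."""
from collections import namedtuple

Node = namedtuple("Node", "ts func bb insn")   # timestamp, function, basic block, instruction
TS_NEAR = 4        # assumed: timestamps at most this far apart count as "close"


def node_score(a, b):
    """Steps 4-2-1 to 4-2-3: semantic similarity of two chain nodes, at most 1.0."""
    if a.ts == b.ts:
        return 1.0 if a.insn == b.insn else 0.9
    s = 0.2 if abs(a.ts - b.ts) <= TS_NEAR else 0.0
    if a.func == b.func:
        if a.bb != b.bb:
            s += 0.1
        elif a.insn != b.insn:
            s += 0.2
        else:
            s += 0.5
    return s


def chain_similarity(c1, c2):
    """Step 4-3: total node-pair score divided by the product of the chain lengths."""
    if not c1 or not c2:
        return 0.0
    return sum(node_score(a, b) for a in c1 for b in c2) / (len(c1) * len(c2))


def _ratio(x, y):
    if y > 0:
        return x / y
    return 1.0 if x == 0 else float("inf")


def split_fields(chains, ratio_thresh=0.75, min_sim=0.5):
    """Step 4-4: adjacent-byte similarities and the fields [(first, last), ...] they imply."""
    sims = [chain_similarity(chains[i], chains[i + 1]) for i in range(len(chains) - 1)]
    cuts = []
    for i in range(1, len(sims) - 1):            # head and tail pairs lack a neighbour on one side
        fwd, bwd = _ratio(sims[i], sims[i - 1]), _ratio(sims[i], sims[i + 1])
        if fwd < ratio_thresh and bwd < ratio_thresh and sims[i] < min_sim:
            cuts.append(i + 1)                    # a new field starts at byte i + 1
    bounds = [0] + cuts + [len(chains)]
    return sims, [(bounds[k], bounds[k + 1] - 1) for k in range(len(bounds) - 1)]


def type_fields(fields, records):
    """Steps 4-5 to 4-8: label fields from separate records of the form (kind, file offsets)."""
    typed = {}
    for first, last in fields:
        span = set(range(first, last + 1))
        kind = "unknown"
        for rec_kind, offsets in records:
            if rec_kind == "pointer" and first in offsets:
                kind = "struct_start"            # LEA took the address of the field's first byte
            elif rec_kind in ("constant", "length", "offset") and span & offsets:
                kind = rec_kind
        typed[(first, last)] = kind
    return typed


def run_demo():
    # Constructed chains: a 4-byte magic, a 2-byte length, a 4-byte body copied in a
    # byte-wise loop, and a 2-byte trailer handled by a different function.
    hdr = [Node(10, "parse_hdr", 1, 0x100), Node(11, "parse_hdr", 1, 0x108)]
    ln = [Node(12, "parse_hdr", 2, 0x120)]
    body = [[Node(30 + k, "copy_body", 12, 0x500)] for k in range(4)]
    trl = [Node(40, "parse_trl", 20, 0x600)]
    chains = [hdr] * 4 + [ln] * 2 + body + [trl] * 2
    records = [("constant", {0, 1, 2, 3}), ("length", {4, 5}), ("pointer", {6})]
    sims, fields = split_fields(chains)
    return sims, fields, type_fields(fields, records)


if __name__ == "__main__":
    print(run_demo())
```

In the constructed sample the body bytes are processed by the same instruction at consecutive timestamps, so their pairwise similarity is 0.7 rather than 1.0, yet the ratio test still keeps them in one field because the similarity curve is flat there; the cuts fall only where the similarity drops against both neighbours.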
As the description above shows, the embodiment of the invention has complete taint analysis logic. For data units that may result from several taint sources, which arise from arithmetic and bitwise instructions, multiple taint labels are introduced, with support for propagating several labels and eliminating a single one; in addition, the taint propagation of a number of instruction sequences with special roles has been refined. Extended instruction sets are supported, and programs can be analyzed standalone.
The invention also has higher execution efficiency. By separating the taint analysis computation into an independent module, the framework improves the efficiency of the dynamic test; at the same time, because the taint state set need not be recorded during dynamic execution, no shadow memory mapping array has to be introduced, which greatly reduces space usage and makes support for 64-bit programs possible. By recording the snapshot logs through memory-mapped files, the embodiment essentially eliminates the I/O bottleneck of the dynamic taint analysis process.
The invention further provides a novel file format reverse engineering algorithm. By fully mining the semantic information in the dynamic taint analysis result, and by emphasizing the similarity and association between data processing procedures, it supplies a new theoretical hypothesis for file format reverse engineering, and this hypothesis has been fully confirmed by experiment. The file format reverse engineering system provided by the invention lets users gain an understanding of proprietary file formats or of formats whose technical details are not fully disclosed.
In summary, the invention provides on the one hand a dynamic taint analysis device that runs efficiently and produces accurate results on Windows or on other operating system platforms (such as mobile operating systems). The snapshot logs generated by its dynamic instrumentation execution logging module can also serve as a reversible record in manual debugging work: from them the cause of an exception trigger point can be traced backwards with ease. The taint analysis result obtained by the static snapshot parsing taint tracking module is a basic tool for much other research, and the efficient dynamic taint analysis framework proposed by the invention can provide the underlying support for analyzing large commercial software. On the other hand, the file format reverse reconstruction provided by the invention can serve file-structure-aware fuzz testing well: test samples produced by mutation-based or generation-based fuzzers can achieve higher code coverage and deeper path coverage, and the path complexity of the taint analysis result is itself a metric of how complex the processing of each piece of file data is, which can guide the data mutation priorities of the fuzzer.
The above is only a preferred embodiment of the invention and does not limit the invention in any form. Although the invention has been disclosed above by way of a preferred embodiment, it is not thereby limited: any person skilled in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make minor changes or modifications that yield equivalent embodiments, and any simple modification, equivalent variation or modification of the above embodiment made according to the technical essence of the invention that does not depart from the content of the technical solution still falls within the scope of that technical solution.

Claims (10)

1. A dynamic taint analysis device, characterized in that the device comprises:
a dynamic instrumentation execution logging module, for invoking and executing a program under test on a binary program instrumentation platform, monitoring the opening, parsing and closing of a data file containing original taint data during execution of the program under test, and producing, from that execution, snapshot logs that contain the entire instruction flow, the context information and the memory access information of the execution;
a static snapshot parsing taint tracking module, for parsing the snapshot logs, simulating a replay of the process from the parsed information, and recording during the replay how the original taint data in the data file is processed and propagated, so as to obtain the complete taint data flow path.
2. The device of claim 1, characterized in that the dynamic instrumentation execution logging module comprises:
a basic block granularity recording and indexing unit, for instrumenting single-entry single-exit instruction sequences (basic blocks), recording the assembly code of the instructions contained in each instrumented block in a first snapshot log, numbering the basic blocks sequentially, and recording in the first snapshot log the information of all basic blocks executed in order during the process;
an instruction granularity execution information recording unit, for instrumenting the instructions that access memory and recording in a second snapshot log the memory addresses accessed by those instructions at run time, wherein, when the accessed address is determined to be a thread stack address, the address written to the second snapshot log is the offset relative to the thread stack base address;
a system call monitoring unit, for instrumenting the entry and exit of the calls made by the program under test, monitoring the opening, parsing and closing of the data file by examining the parameters of those calls, and recording in the second snapshot log the position information of where the original taint data is loaded into memory, the position information comprising: the memory address storing the original taint data, the size of the memory storing it, and the offset of the original taint data within the data file;
an executable image monitoring unit, for instrumenting all functions that load executable binary images into the process address space, and recording in a third snapshot log the memory range, load base address and image file name of every executable binary image observed to be loaded.
3. The device of claim 2, characterized in that the system call monitoring unit is specifically configured to:
instrument the entry and exit of the operating system call functions during execution of the program under test, and determine the call number at the entry;
if the call number is NtCreateFile, check whether the file name in the input parameters is the designated sample file name; if so, at the exit store the file object handle returned in the output parameters in the active file handle queue in memory;
if the call number is NtReadFile, check whether the file object handle in the input parameters is a file object handle already stored in the active file handle queue in memory; if so, record in the second snapshot log the buffer address in the input parameters into which the original taint data is read and the offset within the data file of the original taint data being read, and at the exit record in the second snapshot log the number of bytes actually read from the data file, as returned in the output parameters;
if the call number is NtSetInformationFile, check whether the file object handle in the input parameters is a file object handle already stored in the active file handle queue in memory; if so, adjust the file read offset recorded in association with that file object handle;
if the call number is NtCreateSection, check whether the file object handle in the input parameters is a file object handle already stored in the active file handle queue in memory; if so, at the exit store the memory-mapping object handle returned in the output parameters in the active file memory-mapping object queue in memory;
if the call number is NtMapViewOfSection, check whether the memory-mapping object handle in the input parameters is a handle already stored in the active file memory-mapping object queue in memory; if so, record the mapped memory address, the mapping length and the corresponding file offset in the second snapshot log;
if the call number is NtUnmapViewOfSection, check whether the memory-mapping object handle in the input parameters is a handle already stored in the active file memory-mapping object queue in memory; if so, delete that record from the active file memory-mapping object queue;
if the call number is NtClose, check whether the file object handle in the input parameters is a file object handle already stored in the active file handle queue in memory; if so, delete that record from the active file handle queue.
4. The device of claim 2, characterized in that each unit of the dynamic instrumentation execution logging module delivers its snapshot information to the first and second snapshot logs by way of memory-mapped files, raises the capacity limit of each snapshot log step by step by dynamically growing the number of mapped pages, and adjusts each snapshot log to its actual data size when the instrumented recording ends.
5. The device of claim 2, characterized in that the static snapshot parsing taint tracking module comprises:
a static information loading unit, for constructing, from the information obtained by parsing the first and third snapshot logs, the corresponding process, thread, basic block and instruction objects and the operand-type containers that hold the static information;
a dynamic process replay unit, for reconstructing the complete dynamic execution of the program under test from the information obtained by parsing the second snapshot log, and determining from that dynamic execution information and the instruction type how each instruction accesses and modifies memory and registers, the dynamic execution information comprising the data flow information of each instruction;
a taint data set recording and propagation tracking unit, for maintaining the taint data set, deciding during process replay from the data flow of each instruction whether dynamic taint data is accessed, propagated or eliminated, updating the taint data set if so, and recording how each byte of the data file is accessed, propagated and eliminated as taint data during the replay, the taint data set comprising: the real-time taint state of the registers, the memory addresses and lengths at which dynamic taint data is stored, and the offset within the data file of the original taint data corresponding to each piece of stored dynamic taint data.
6. The device of claim 5, characterized in that the taint data set recording and propagation tracking unit is specifically configured to:
initialize the buffer state of each thread to empty, and initialize the taint data set so that the original taint data is added to it;
during the virtual execution of each thread, perform a semantic analysis based on instruction type for every instruction;
if the source operand is a register that carries a taint attribute label in the register taint state of the current thread, or contains an element of the taint data set, cache the taint attribute label of that source operand as the source taint label;
if the source operand is a register, memory range or immediate that carries no taint attribute label in the register taint state of the current thread, set the source taint label to empty;
determine the type of the instruction being executed: if it is an arithmetic operation, keep the current taint attribute label of the destination operand, otherwise clear the taint attribute label of the destination operand;
determine the type of the destination operand: if it is a register, copy the source taint label into the taint attribute label of the register taint state of the current thread;
if the destination operand is memory, update the taint data set, the update comprising insertion, elimination, intersection and union operations on tainted memory addresses.
7. A file format reverse analysis system based on dynamic taint analysis, characterised in that the system comprises the dynamic taint analysis device of any one of claims 1 to 6, and further comprises:
a file format analysis module, for performing data-correlation comparative analysis according to the taint data flow path, performing semantics-based segmentation of the format fields of the data file according to the result of that analysis, and extracting the association relations between the segmented fields according to the function information and specific instruction information of the program under test.
8. The system of claim 7, characterised in that the file format analysis module comprises:
a file field segmentation unit, for performing semantics-based similarity matching of adjacent bytes according to the taint processing flow sequence of each byte of the data file, determining the similarity of the nodes in the taint processing sequences corresponding to adjacent bytes, normalising the matching result and the node similarity, merging adjacent bytes that satisfy the similarity condition after normalisation into the same field, and thereby segmenting the data file;
a field association mode inference unit, for judging whether the taint processing flows of the fields have a direct relation at instruction granularity or an association at function-call-parameter granularity, and determining the field type according to the judgement.
9. The system of claim 8, characterised in that the file field segmentation unit is specifically for:
obtaining the taint processing paths of adjacent bytes in the data file, and obtaining the relevant information of each node in the processing paths, the relevant information comprising: basic block number, instruction address, owning function, owning binary image and timestamp;
scoring the similarity of all nodes in the taint processing paths of the adjacent bytes, each score lying between 0 and 1; dividing the total similarity score of the two taint processing paths by the product of the node counts of the two paths, the result being the normalised node-sequence similarity;
obtaining an overall similarity curve from the node-sequence similarities of all adjacent bytes in the data file; dividing every node-sequence similarity except the first and the last by its preceding similarity and by its following similarity, respectively, to obtain a forward ratio sequence and a backward ratio sequence; if both the forward ratio and the backward ratio are less than a first predetermined threshold, determining a local minimum of the overall similarity curve, and when the adjacent-byte similarity at the local minimum is lower than a second predetermined threshold, determining that the corresponding adjacent bytes are discontinuous bytes, otherwise merging the corresponding adjacent bytes into the same field.
10. The system of claim 7, 8 or 9, characterised in that the data file is a data file in a grey-box file format, a grey-box file format being a file format that is unpublished or not fully published.
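The field segmentation of claims 8 and 9 (node scoring, normalised sequence similarity, the similarity curve, the forward and backward ratios and the two thresholds), as an added worked example written for this page; it is not the patent's implementation. The per-node scoring weights, the threshold values and the eight-byte sample paths are assumptions of the example, and claim 8's second unit (inferring field associations at instruction or call-parameter granularity) is not covered.

```python
"""Added example: the adjacent-byte similarity segmentation of claims 8 and 9.

Illustrative code written for this page, not the patent's implementation. The per-node
scoring weights, the thresholds and the sample paths are assumptions made here.
"""
from typing import List, Sequence, Tuple

# One node of a byte's taint processing path, with the attributes listed in claim 9:
# (basic block number, instruction address, owning function, owning image, timestamp)
Node = Tuple[int, int, str, str, int]


def node_similarity(a: Node, b: Node) -> float:
    """Score two nodes in [0, 1]. The claim fixes only the range; giving one quarter each
    to basic block, instruction address, function and image is this example's choice.
    Timestamps order the path and are not compared."""
    return sum(float(a[i] == b[i]) for i in range(4)) / 4.0


def sequence_similarity(p: Sequence[Node], q: Sequence[Node]) -> float:
    """Normalised node-sequence similarity (claim 9): the total pairwise node score
    divided by the product of the two path lengths. An empty path scores 0."""
    if not p or not q:
        return 0.0
    return sum(node_similarity(a, b) for a in p for b in q) / (len(p) * len(q))


def similarity_curve(paths: Sequence[Sequence[Node]]) -> List[float]:
    """Overall similarity curve: one value per pair of adjacent bytes."""
    return [sequence_similarity(paths[i], paths[i + 1]) for i in range(len(paths) - 1)]


def _ratio(num: float, den: float) -> float:
    """num/den with the zero cases pinned: 0/0 is no change, x/0 is a rise."""
    if den > 0.0:
        return num / den
    return 1.0 if num == 0.0 else float("inf")


def split_fields(paths: Sequence[Sequence[Node]],
                 ratio_threshold: float = 0.5,
                 similarity_threshold: float = 0.5) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges of the inferred fields.

    A boundary sits between bytes k and k+1 when the curve value there is a local
    minimum (forward and backward ratios both below ratio_threshold) and is itself
    below similarity_threshold; otherwise the adjacent bytes merge into one field.
    """
    n = len(paths)
    if n == 0:
        return []
    curve = similarity_curve(paths)
    boundaries: List[int] = []
    for k in range(1, len(curve) - 1):           # head and tail values have no ratios
        forward = _ratio(curve[k], curve[k - 1])
        backward = _ratio(curve[k], curve[k + 1])
        is_minimum = forward < ratio_threshold and backward < ratio_threshold
        if is_minimum and curve[k] < similarity_threshold:
            boundaries.append(k)
    fields: List[Tuple[int, int]] = []
    start = 0
    for k in boundaries:
        fields.append((start, k + 1))
        start = k + 1
    fields.append((start, n))
    return fields


def node(bb: int, addr: int, func: str, ts: int, image: str = "parser.exe") -> Node:
    return (bb, addr, func, image, ts)


# Constructed paths for an 8-byte file: a 2-byte length (parse_header), a 4-byte tag
# checked byte by byte (check_tag), and 2 payload bytes copied in a loop (copy_payload).
SAMPLE_PATHS: List[List[Node]] = [
    [node(1, 0x401000, "parse_header", 1), node(1, 0x401003, "parse_header", 2)],
    [node(1, 0x401000, "parse_header", 1), node(1, 0x401003, "parse_header", 2)],
    [node(5, 0x401100, "check_tag", 3)],
    [node(5, 0x401104, "check_tag", 4)],
    [node(5, 0x401108, "check_tag", 5)],
    [node(5, 0x40110c, "check_tag", 6)],
    [node(9, 0x401200, "copy_payload", 7), node(9, 0x401203, "copy_payload", 8)],
    [node(9, 0x401200, "copy_payload", 9), node(9, 0x401203, "copy_payload", 10)],
]

if __name__ == "__main__":
    print("curve:", [round(v, 3) for v in similarity_curve(SAMPLE_PATHS)])
    print("fields:", split_fields(SAMPLE_PATHS))
```

On the sample the curve dips at the two transitions (parse_header to check_tag, check_tag to copy_payload), giving the fields [0, 2), [2, 6) and [6, 8). Note that the first and last curve values never receive a ratio, so a boundary in the first or last two bytes of a file cannot be detected by the ratio test alone; in practice the absolute threshold should also be applied at the ends, and both thresholds need calibrating per program, since a parser that handles every byte through one generic loop flattens the curve.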

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310400437.XA CN103440201B (en) 2013-09-05 2013-09-05 Dynamic taint analysis device and application thereof to file format reverse analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310400437.XA CN103440201B (en) 2013-09-05 2013-09-05 Dynamic taint analysis device and application thereof to file format reverse analysis

Publications (2)

Publication Number Publication Date
CN103440201A true CN103440201A (en) 2013-12-11
CN103440201B CN103440201B (en) 2016-05-18

Family

ID=49693892

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310400437.XA Expired - Fee Related CN103440201B (en) 2013-09-05 2013-09-05 Dynamic taint analysis device and application thereof to file format reverse analysis

Country Status (1)

Country Link
CN (1) CN103440201B (en)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679034A (en) * 2013-12-26 2014-03-26 南开大学 Computer virus analysis system based on ontology and virus feature extraction method
CN103714288A (en) * 2013-12-26 2014-04-09 华中科技大学 Data stream tracking method
CN104750602A (en) * 2013-12-27 2015-07-01 阿里巴巴集团控股有限公司 Dynamic taint data analysis method and device
CN104765687A (en) * 2015-04-10 2015-07-08 江西师范大学 J2EE (Java 2 Enterprise Edition) program bug detection method based on object tracking and taint analysis
CN104778419A (en) * 2015-04-15 2015-07-15 华中科技大学 User privacy data protection method based on dynamic data flow tracking under cloud environment
CN105653939A (en) * 2015-07-13 2016-06-08 哈尔滨安天科技股份有限公司 Document overflow preventing method and apparatus
CN105808576A (en) * 2014-12-30 2016-07-27 展讯通信(天津)有限公司 Data recording system and method
CN106599681A (en) * 2016-12-22 2017-04-26 北京邮电大学 Malicious program characteristic extraction method and system
CN106778328A (en) * 2016-11-23 2017-05-31 中国人民解放军信息工程大学 Sensitive information security protection method and system
CN107066707A (en) * 2017-03-27 2017-08-18 中国科学院计算技术研究所 Adjustable design tracing method and device using snapshots
CN107193732A (en) * 2017-05-12 2017-09-22 北京理工大学 Verification function positioning method based on path comparison
CN107239410A (en) * 2017-05-31 2017-10-10 上海交通大学 Large-block memory allocation system and method based on dynamic instrumentation
CN107491387A (en) * 2017-07-18 2017-12-19 中国人民解放军信息工程大学 Method and system for locating pass points and check points in document-processing programs
CN108255711A (en) * 2017-12-29 2018-07-06 湖南优利泰克自动化系统有限公司 PLC firmware fuzz testing system and test method based on taint analysis
CN109901987A (en) * 2017-12-11 2019-06-18 北京京东尚科信息技术有限公司 Method and apparatus for generating test data
CN110213243A (en) * 2019-05-15 2019-09-06 浙江大学 Industrial communication protocol reverse analysis method based on dynamic taint analysis
CN111027096A (en) * 2019-12-11 2020-04-17 支付宝(杭州)信息技术有限公司 Method and device for detecting leakage channel for private data
CN111046396A (en) * 2020-03-13 2020-04-21 深圳开源互联网安全技术有限公司 Web application test data flow tracking method and system
CN111913718A (en) * 2020-06-22 2020-11-10 西安交通大学 Binary function differential analysis method based on basic block context information
CN111967044A (en) * 2020-08-13 2020-11-20 华中科技大学 Method and system for tracking leaked private data suitable for cloud environment
CN113176990A (en) * 2021-03-25 2021-07-27 中国人民解放军战略支援部队信息工程大学 Taint analysis framework and method supporting correlation analysis among data
CN113268427A (en) * 2021-06-15 2021-08-17 中国电子科技网络信息安全有限公司 Crash analysis method and system for binary program
CN113778838A (en) * 2020-06-09 2021-12-10 中国电信股份有限公司 Binary program dynamic taint analysis method and device
CN114020278A (en) * 2020-07-19 2022-02-08 腾讯科技(深圳)有限公司 Data processing method, device, equipment and storage medium
CN114741700A (en) * 2022-03-28 2022-07-12 中国人民解放军战略支援部队信息工程大学 Public component library vulnerability availability analysis method and device based on symbolic taint analysis
CN115617410A (en) * 2022-11-01 2023-01-17 清华大学 Drive interface identification method, device, equipment and storage medium
CN115878498A (en) * 2023-03-03 2023-03-31 中国电子科技集团公司第三十研究所 Key byte extraction method for predicting program behavior based on machine learning
CN116108449A (en) * 2023-01-12 2023-05-12 清华大学 Software fuzzy test method, device, equipment and storage medium
CN116451228A (en) * 2023-04-23 2023-07-18 北京安普诺信息技术有限公司 Dynamic taint tracking method, device and related online taint propagation analysis system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101238726A (en) * 2005-08-09 2008-08-06 夏普株式会社 Data recording device, data reproduction device, program, and recording medium
CN102081719A (en) * 2009-12-01 2011-06-01 王伟 Software security testing system and method based on dynamic taint propagation
US20120066698A1 (en) * 2009-05-20 2012-03-15 Nec Corporation Dynamic data flow tracking method, dynamic data flow tracking program, and dynamic data flow tracking apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘涛 (Liu Tao): "Design and Implementation of a Reverse Debugger Based on Dynamic Binary Translation" (基于动态二进制翻译的逆向调试器的设计与实现), China Master's Theses Full-text Database, Information Science and Technology series (中国优秀硕士学位论文全文数据库 信息科技辑) *

Cited By (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103714288A (en) * 2013-12-26 2014-04-09 华中科技大学 Data stream tracking method
CN103679034B (en) * 2013-12-26 2016-04-13 南开大学 Computer virus analysis system based on ontology and virus feature extraction method thereof
CN103714288B (en) * 2013-12-26 2016-05-25 华中科技大学 Data flow tracking method
CN103679034A (en) * 2013-12-26 2014-03-26 南开大学 Computer virus analysis system based on ontology and virus feature extraction method
CN104750602A (en) * 2013-12-27 2015-07-01 阿里巴巴集团控股有限公司 Dynamic taint data analysis method and device
CN105808576A (en) * 2014-12-30 2016-07-27 展讯通信(天津)有限公司 Data recording system and method
CN105808576B (en) * 2014-12-30 2019-05-28 展讯通信(天津)有限公司 Data recording system and method
CN104765687B (en) * 2015-04-10 2017-07-21 江西师范大学 J2EE program bug detection method based on object tracking and taint analysis
CN104765687A (en) * 2015-04-10 2015-07-08 江西师范大学 J2EE (Java 2 Enterprise Edition) program bug detection method based on object tracking and taint analysis
CN104778419A (en) * 2015-04-15 2015-07-15 华中科技大学 User privacy data protection method based on dynamic data flow tracking under cloud environment
CN105653939A (en) * 2015-07-13 2016-06-08 哈尔滨安天科技股份有限公司 Document overflow preventing method and apparatus
CN106778328A (en) * 2016-11-23 2017-05-31 中国人民解放军信息工程大学 Sensitive information security protection method and system
CN106778328B (en) * 2016-11-23 2019-12-10 中国人民解放军信息工程大学 Sensitive information security protection method and system
CN106599681A (en) * 2016-12-22 2017-04-26 北京邮电大学 Malicious program characteristic extraction method and system
CN107066707A (en) * 2017-03-27 2017-08-18 中国科学院计算技术研究所 Adjustable design tracing method and device using snapshots
CN107066707B (en) * 2017-03-27 2019-07-30 中国科学院计算技术研究所 Adjustable design tracing method and device using snapshots
CN107193732A (en) * 2017-05-12 2017-09-22 北京理工大学 Verification function positioning method based on path comparison
CN107193732B (en) * 2017-05-12 2020-12-08 北京理工大学 Verification function positioning method based on path comparison
CN107239410A (en) * 2017-05-31 2017-10-10 上海交通大学 Large-block memory allocation system and method based on dynamic instrumentation
CN107239410B (en) * 2017-05-31 2020-06-09 上海交通大学 Large-block memory allocation system and method based on dynamic instrumentation
CN107491387A (en) * 2017-07-18 2017-12-19 中国人民解放军信息工程大学 Method and system for locating pass points and check points in document-processing programs
CN109901987A (en) * 2017-12-11 2019-06-18 北京京东尚科信息技术有限公司 Method and apparatus for generating test data
CN108255711A (en) * 2017-12-29 2018-07-06 湖南优利泰克自动化系统有限公司 PLC firmware fuzz testing system and test method based on taint analysis
CN110213243B (en) * 2019-05-15 2020-05-12 浙江大学 Industrial communication protocol reverse analysis method based on dynamic taint analysis
WO2020228160A1 (en) * 2019-05-15 2020-11-19 浙江大学 Reverse analysis method for industrial communication protocol based on dynamic taint analysis
CN110213243A (en) * 2019-05-15 2019-09-06 浙江大学 Industrial communication protocol reverse analysis method based on dynamic taint analysis
CN111027096B (en) * 2019-12-11 2022-03-11 杭州蚂蚁聚慧网络技术有限公司 Method and device for detecting leakage channel for private data
CN111027096A (en) * 2019-12-11 2020-04-17 支付宝(杭州)信息技术有限公司 Method and device for detecting leakage channel for private data
CN111046396B (en) * 2020-03-13 2020-07-17 深圳开源互联网安全技术有限公司 Web application test data flow tracking method and system
CN111046396A (en) * 2020-03-13 2020-04-21 深圳开源互联网安全技术有限公司 Web application test data flow tracking method and system
CN113778838B (en) * 2020-06-09 2024-01-26 中国电信股份有限公司 Binary program dynamic taint analysis method and device
CN113778838A (en) * 2020-06-09 2021-12-10 中国电信股份有限公司 Binary program dynamic taint analysis method and device
CN111913718A (en) * 2020-06-22 2020-11-10 西安交通大学 Binary function differential analysis method based on basic block context information
CN111913718B (en) * 2020-06-22 2022-02-11 西安交通大学 Binary function differential analysis method based on basic block context information
CN114020278A (en) * 2020-07-19 2022-02-08 腾讯科技(深圳)有限公司 Data processing method, device, equipment and storage medium
CN111967044A (en) * 2020-08-13 2020-11-20 华中科技大学 Method and system for tracking leaked private data suitable for cloud environment
CN111967044B (en) * 2020-08-13 2024-04-19 华中科技大学 Tracking method and system of leaked privacy data suitable for cloud environment
CN113176990A (en) * 2021-03-25 2021-07-27 中国人民解放军战略支援部队信息工程大学 Taint analysis framework and method supporting correlation analysis among data
CN113176990B (en) * 2021-03-25 2022-10-18 中国人民解放军战略支援部队信息工程大学 Taint analysis framework and method supporting correlation analysis among data
CN113268427A (en) * 2021-06-15 2021-08-17 中国电子科技网络信息安全有限公司 Crash analysis method and system for binary program
CN113268427B (en) * 2021-06-15 2022-03-29 中国电子科技网络信息安全有限公司 Crash analysis method and system for binary program
CN114741700A (en) * 2022-03-28 2022-07-12 中国人民解放军战略支援部队信息工程大学 Public component library vulnerability availability analysis method and device based on symbolic taint analysis
CN114741700B (en) * 2022-03-28 2024-05-03 中国人民解放军战略支援部队信息工程大学 Public component library vulnerability availability analysis method and device based on symbolic taint analysis
CN115617410A (en) * 2022-11-01 2023-01-17 清华大学 Drive interface identification method, device, equipment and storage medium
CN115617410B (en) * 2022-11-01 2023-09-19 清华大学 Drive interface identification method, device, equipment and storage medium
CN116108449B (en) * 2023-01-12 2024-02-23 清华大学 Software fuzzy test method, device, equipment and storage medium
CN116108449A (en) * 2023-01-12 2023-05-12 清华大学 Software fuzzy test method, device, equipment and storage medium
CN115878498A (en) * 2023-03-03 2023-03-31 中国电子科技集团公司第三十研究所 Key byte extraction method for predicting program behavior based on machine learning
CN116451228B (en) * 2023-04-23 2023-10-17 北京安普诺信息技术有限公司 Dynamic taint tracking method, device and related online taint propagation analysis system
CN116451228A (en) * 2023-04-23 2023-07-18 北京安普诺信息技术有限公司 Dynamic taint tracking method, device and related online taint propagation analysis system

Also Published As

Publication number Publication date
CN103440201B (en) 2016-05-18

Similar Documents

Publication Publication Date Title
CN103440201A (en) Dynamic taint analysis device and application thereof to document format reverse analysis
US9875173B2 (en) Time travel debugging in managed runtime
CN103678110B (en) Method and apparatus for providing modification-related information
CN102054149B (en) Method for extracting malicious code behavior characteristic
US10289541B2 (en) Source code flow analysis using information retrieval
US7853930B2 (en) Annotating graphs to allow quick loading and analysis of very large graphs
CN104850411B (en) Storage system benchmark evaluation program generation method and device
CN102012857B (en) Device and method for automatically testing web page
CN103399812A (en) Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization
US20090259664A1 (en) Infrastructure and Architecture for Development and Execution of Predictive Models
WO2009126280A1 (en) Infrastructure and architecture for development and execution of predictive models
CN103793432A (en) Method and device for splitting database reading and writing
CN111782265A (en) Software resource system based on field level blood relationship and establishment method thereof
CN103077192B (en) Data processing method and system
CN101183332A (en) Method and device for automatically generating testing datasets by program content
CN101377806A (en) Information flow analysis method based on system source code searching concealed channel
US20120185584A1 (en) Recording application consumption details
US11720422B1 (en) Unified container for hardware and software binaries
CN201548954U (en) Device for automatically testing Web page
CN111475150B (en) Cross-language binding method, device, equipment and storage medium
CN101617293B (en) Module creating device, module creating method, module creating program, and recording medium where the program is recorded
CN110532535A (en) Government smart form interactive system
CN113805861B (en) Code generation method based on machine learning, code editing system and storage medium
CN111078905A (en) Data processing method, device, medium and equipment
US10496524B2 (en) Separating test coverage in software processes using shared memory

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160518

Termination date: 20160905