CN105138914B - A kind of software security detection method for code reuse programming - Google Patents
Publication number: CN105138914B
Authority: CN (China)
Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
A software security detection method for code reuse programming is reported. It has five stages: instruction sequence disassembly, basic function code snippet collection, attack code generation, attack code recording and software security reporting. In the instruction sequence disassembly stage, the byte sequences preceding return instructions are disassembled. The basic function code snippet collection stage takes the instruction sequences collected in the previous stage as input, decides whether each instruction sequence belongs to some basic function, and collects those that do as code snippets of that basic function. The attack code generation stage assembles the code snippets of each basic function according to predefined attack templates to generate attack code; for code snippets in the attack code that carry side effects, the side effects are eliminated with a side effect elimination strategy so that the attack code still realizes its function. The attack code recording stage records the attack code whose side effects were successfully eliminated in the corresponding test result file.
Description
Technical field
The present invention relates to software security detection, and more particularly to a software security detection method that checks whether software is vulnerable to attacks by code reuse programming.
Background technology
Attack patterns against software are currently becoming more diverse and automated, so that system and software security faces serious challenges. With the deployment of defensive measures such as DEP and address randomization on operating systems, traditional code injection attacks are no longer effective. Code reuse programming does not need to inject attack code; it implements an attack by reusing code fragments already present in the target program, so it can bypass these protection technologies and poses a serious threat to computer system security. Therefore, detecting the security of software against code reuse programming has very practical significance: it can effectively mitigate code reuse programming attacks and improve the security quality of software.
The present invention proposes a software security detection method for code reuse programming. It collects the code snippets present in the program to be detected, combines them according to multiple combination rules to generate attack code, and thereby detects a variety of attack behaviours and checks the security of the software from many sides. In the attack code generation process, code snippets with side effects (snippets that perform additional operations on the program state) are also used, which raises the success rate of attack code generation, detects more completely and accurately the possibility that the software can be exploited or attacked, and improves the security of the software against code reuse programming.
Content of the invention
In order to generate attack code more efficiently and detect the security of software against code reuse programming, the object of the present invention is to provide a software security detection method for code reuse programming that introduces side effect code snippets. The code snippets of a variety of basic functions present in the program to be detected are collected, and these collected code snippets form the candidate set for attack code generation. The basic function code snippets in the candidate set are combined according to predefined attack templates (i.e. code snippet combination rules) to generate attack code. Each generated attack code is recorded, and the security hazards present in the program to be detected are reported. By introducing side effect code snippets into the attack code generation process, the success rate of attack code generation is effectively improved, and the accuracy of the security detection is improved.
The technical scheme is as follows. A software security detection method for code reuse programming comprises five stages: instruction sequence disassembly, basic function code snippet collection, attack code generation, attack code recording and software security reporting. In the instruction sequence disassembly stage, the byte sequences preceding return instructions are disassembled. Because x86 instructions are densely encoded, one byte sequence may correspond to several disassembly results, i.e. several instruction sequences. The basic function code snippet collection stage takes the instruction sequences collected in the previous stage as input and decides whether each instruction sequence belongs to some basic function; an instruction sequence that belongs to a basic function is collected as a code snippet of that basic function. The attack code generation stage assembles the code snippets of each basic function according to predefined attack templates to generate attack code. For code snippets in the attack code that carry side effects, a side effect elimination strategy is used to eliminate the side effects and ensure that the attack code function is realized normally. In the attack code recording stage, attack code whose side effects were successfully eliminated is recorded in the corresponding test result file. In the software security reporting stage, the attack code recorded in each test result file is exported, and the reusable code (i.e. attack code) that could realize each kind of attack in the user's program to be detected is reported, so that the potential security hazards of the software can be evaluated.
The key operations of the present invention are as follows:
(1) Return instruction search. Search for the return instructions present in the executable segments of the program to be detected;
(2) Byte sequence disassembly. Disassemble the byte sequence before each return instruction backwards until disassembly is complete. The disassembly result is a set of instruction sequences;
(3) Basic function code snippet collection. A number of basic functions are predefined in the present invention. For each collected instruction sequence, a semantic solver is used to verify whether it belongs to some basic function. If it does, the instruction sequence is collected as a code snippet of that basic function, into the code snippet set corresponding to that basic function;
(4) Code snippet allocation. A number of attack templates are predefined in the present invention. An attack template consists of basic function statements, and every basic function statement has a corresponding basic function code snippet set. Each attack template is traversed; for each basic function statement in the template, the code snippets whose operands match are searched for in the corresponding basic function code snippet set. Each basic function statement may correspond to several matching code snippets, and these form the allocated code snippet set of that statement;
(5) Attack code generation. The basic function statements of an attack template are traversed, and one code snippet is selected from the allocated code snippet set of each statement. Every combination of the selected code snippets forms one attack code. Since the allocated code snippet set of each statement contains several code snippets, there are several code snippet combinations, i.e. each attack template can generate several attack codes. This operation involves side effect judgement, definition-use chain collection, side effect elimination and attack code recording;
(6) Side effect judgement. The code snippets in the attack code are traversed, and definition-use chains are used to judge whether each code snippet carries side effects;
(7) Definition-use chain collection. The data flow between the code snippets of the attack code is analysed, and the definition-use chains present in the attack code are collected;
(8) Side effect elimination. For side effect code snippets present in the attack code, basic function code snippets are introduced to eliminate their side effects, so that the attack code executes normally;
(9) Attack code recording. The details of attack code whose side effects were successfully eliminated are recorded in the corresponding test result file.
(10) Software security reporting. The attack code in each test result file is exported, and the user is informed of the potential code reuse threats in the program to be detected and of the possibility of realizing each kind of attack in it, so that the potential security hazards of the software are detected effectively.
The invention has the following advantages. When judging whether a code snippet belongs to a specific basic function, a semantic solver is used; this avoids manual analysis of complicated instruction sequences, collects code snippets that cannot be collected manually, and increases the number of basic function code snippets collected. In the attack code generation stage, side effect code snippets are introduced and a side effect elimination strategy eliminates their side effects, which improves the success rate of attack code generation. The defined attack templates cover a variety of attack behaviours and check the software for potential code reuse attack hazards from many aspects. Compared with conventional technology, the present invention detects the potential hazards of code reuse programming present in software more precisely, so that the security quality of the software can be raised.
Brief description of the drawings
Fig. 1 is the flow chart of the software security detection method for code reuse programming;
Fig. 2 is the flow chart of return instruction search;
Fig. 3 is the flow chart of byte sequence disassembly;
Fig. 4 is the flow chart of basic function code snippet collection;
Fig. 5 is the flow chart of code snippet allocation;
Fig. 6 is the flow chart of attack code generation;
Fig. 7 is the flow chart of side effect judgement;
Fig. 8 is the flow chart of definition-use chain collection;
Fig. 9 is the flow chart of side effect elimination;
Fig. 10 is the flow chart of attack code recording;
Fig. 11 is the flow chart of software security reporting.
Specific implementation method
Fig. 1 is the overall flow chart of this software security detection method. The input of the method is the program to be detected, and the output is the attack code that an attacker could potentially exploit in that program. First, the code snippets of each basic function are collected in the executable segments of the program to be detected. Then the collected basic function code snippets are combined according to predefined attack templates to generate attack code. Because side effect code snippets are admitted during attack code generation, after an attack code is generated the side effect elimination strategy must be applied to the side effect code snippets it contains. If the side effects of the code snippets in the attack code are eliminated successfully, the attack code is usable and is recorded in the corresponding test result file. Finally, the attack code in each test result file is exported, and the potential code reuse programming hazards present in the user's program to be detected are reported.
Fig. 2 is the flow chart of return instruction search, which searches for the return instructions present in the executable segments of the program to be detected. The following data structures are used: the ELF file header structure, which describes the basic attributes of the whole file and whose member variable "program header table offset" is the offset of the program header table in the file; the program header table, which stores program header structures in array form; and the program header structure, which describes one segment of the program and includes member variables such as the permission attributes (readable, writable and executable), the program header offset and the program header size.
Step 20 is the start action. Step 21 obtains the program header table offset from the ELF file header of the program. Step 22 takes the next program header, in order, from the program header table as the current program header. Step 23 judges whether the current program header describes an executable segment, i.e. whether the permission attribute in the program header structure is executable. If so, jump to step 24; otherwise jump to step 22. Step 24 assigns the program header offset of the current program header to the executable segment start offset, and assigns the program header offset plus the program header size to the executable segment end offset. Step 25 sets a pointer initialized to the start offset of the executable segment. Step 26 judges whether the byte the pointer points to is a return instruction. If so, jump to step 27; otherwise jump to step 28. Step 27 disassembles the byte sequence before the return instruction and collects the instruction sequences; the specific flow is shown in Fig. 3, and its input is the byte sequence before the return instruction. Step 28 advances the pointer to the next byte. Step 29 judges whether the pointer offset is greater than the executable segment end offset. If so, jump to step 2a; otherwise jump to step 26. Step 2a is the end state.
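As an added illustration (not code from the patent), the following Python walks an ELF64 program header table the way steps 21 to 29 describe and records the file offsets of return opcodes inside executable segments. The ELF image it scans is constructed inline, and treating the `ret imm16` opcode 0xC2 as a return instruction alongside 0xC3 is an assumption of this example.

```python
import struct

PT_LOAD = 1                    # loadable segment
PF_X, PF_W, PF_R = 1, 2, 4     # segment permission bits: executable, writable, readable
RETURN_OPCODES = {0xC3, 0xC2}  # near `ret` and `ret imm16` (the 0xC2 case is an assumption)


def executable_segments(elf):
    """Fig. 2, steps 21-24: walk the program header table and yield (start, end)
    file offsets of every loadable segment whose permission attribute includes execute."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:   # EI_CLASS 2 = ELFCLASS64
        raise ValueError("expected an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:
            yield p_offset, p_offset + p_filesz


def find_return_offsets(elf):
    """Fig. 2, steps 25-29: scan each executable segment byte by byte and record the
    file offset of every byte that is a return opcode. Each hit is the end point for
    the backward disassembly of Fig. 3; a high density of hits means many candidate
    snippets for the later stages."""
    return [off for start, end in executable_segments(elf)
            for off in range(start, end) if elf[off] in RETURN_OPCODES]


def build_sample_elf():
    """Constructed minimal ELF64 image (not a runnable program): one RW data segment
    that also contains 0xC3 bytes, which the scan must ignore, and one RX code segment."""
    code = bytes.fromhex("5fc3" "4801d8c3" "90" "c20800")  # pop rdi; ret | add rax,rbx; ret | nop | ret 8
    data = b"\xc3\xc3\x00"
    ehdr_size, phdr_size, phnum = 64, 56, 2
    data_off = ehdr_size + phdr_size * phnum      # 176
    code_off = data_off + 8                        # 184
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)      # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, phnum, 0, 0, 0)

    def phdr(flags, off, size):
        return struct.pack("<IIQQQQQQ", PT_LOAD, flags, off, 0x400000 + off,
                           0x400000 + off, size, size, 0x1000)

    image = ehdr + phdr(PF_R | PF_W, data_off, len(data)) + phdr(PF_R | PF_X, code_off, len(code))
    image += data.ljust(code_off - data_off, b"\0") + code
    return image


if __name__ == "__main__":
    sample = build_sample_elf()
    print("executable segments:", list(executable_segments(sample)))
    print("return opcode offsets:", find_return_offsets(sample))
```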
Fig. 3 is the flow chart of byte sequence disassembly, which disassembles the byte sequence before a return instruction. The input is the byte sequence before the return instruction, and the output is the instruction sequences collected by disassembly. Because of the density of x86 instruction encoding, one byte sequence corresponds to several disassembled instruction sequences, which are stored in a tree. The following data structures are used. The instruction structure, based on the INSTRUCTION structure of LIBDASM, stores the information of a disassembled instruction and mainly contains member variables such as the instruction type, the source operand set and the destination operand set; the source operand set contains all source operands used by the instruction and the destination operand set contains all destination operands modified by the instruction, both stored as linked lists. The operand structure, based on the OPERAND structure of LIBDASM, stores the operand information of an instruction and mainly contains member variables such as the operand type, the addressing mode, the operand permission and the operand size; the operand type includes register, memory and immediate, and the operand permission includes read, write and execute. The tree node structure mainly contains member variables such as the instruction, the instruction offset, the parent node pointer and the child node pointer array; the instruction is stored with the instruction structure, the parent node pointer points to the parent node, and each pointer in the child node pointer array points to a child node. During disassembly the maximum instruction length is set to 20 bytes. The present invention uses the LIBDASM disassembler to disassemble byte sequences. LIBDASM provides the interface function get_instruction, which stores the disassembled instruction information in an INSTRUCTION structure; its inputs are the input byte sequence and an INSTRUCTION structure, and its output is the number of bytes of the instruction, where 0 means that the byte sequence cannot be disassembled into a valid instruction.
Step 30 is the start action. Step 31 creates a node structure whose instruction member is initialized to the return instruction and whose instruction offset is the offset of the return instruction in the executable segment; this node is set as the root of the tree and added to the queue. Step 32 removes the node at the head of the queue as the current node. Step 33 sets the variable pos to the relative offset of the current node in the executable segment and sets the variable len to 1. Step 34 judges whether len is greater than the maximum instruction length. If so, jump to step 39; otherwise jump to step 35. Step 35 disassembles with LIBDASM the byte sequence from offset (pos-len) to (pos-1). Step 36 judges from the return value of get_instruction whether that byte sequence is a valid instruction. If so, jump to step 37; otherwise jump to step 38. Step 37 stores the disassembly result of the byte sequence in an instruction structure, creates a node structure for it and adds it to the child nodes of the current node; the new node is then added to the queue. Step 38 increases len by 1 and then returns to step 34. Step 39 judges whether the queue is empty. If so, jump to step 3a; otherwise jump to step 32. Step 3a is the end state.
Fig. 4 is the flow chart of basic function code snippet collection, which judges whether an instruction sequence belongs to a basic function and collects the instruction sequences that do as code snippets of the corresponding basic function. The input is an instruction sequence and the basic function table. When the flow finishes, the code snippet has been collected into the code snippet linked list of each basic function it belongs to. A code snippet is an instruction sequence ending in a return instruction. The program state is {general registers, segment registers, instruction register, memory}. The following data structures are used. The basic function table stores each predefined basic function in array form. The basic function structure describes a basic function and mainly contains member variables such as the basic function category, the basic function expression, the source operand type, the destination operand type and the code snippet linked list. The basic function categories include register assignment, register-to-register transfer, memory read, memory write, arithmetic/logic operation between registers, arithmetic/logic operation with a memory destination operand, arithmetic/logic operation with a memory source operand, flag setting, control flow transfer and system call; the basic function expression describes the operation of the basic function in the form of an expression; the source operand type and the destination operand type are the types of the source and destination operands in that expression; and the code snippet linked list stores the code snippets that satisfy the basic function. The code snippet structure stores a code snippet of a basic function and mainly contains member variables such as the instruction sequence, the basic function category, the function input operands, the function output operands and the address. Each instruction in the instruction sequence is stored with the instruction structure; the function output operands are the destination operands of the basic function expression and the function input operands are its source operands, both stored with the operand structure; the address is the address of the code snippet in the program to be detected.
To judge whether an instruction sequence belongs to a basic function, the TOIL and TOPREDICATE tools of the binary analysis platform BAP and the Z3 solver (the semantic solver chosen in the present invention) are used. TOIL converts the byte representation of instructions into BAP's intermediate representation language BIL; BIL is in SSA form and describes the operations the instructions perform. The inputs of TOIL are the ELF file and the start and end addresses of the instructions, and the output is the BIL file of the instructions. TOPREDICATE translates a BIL file into the SMT-LIB2 language; SMT-LIB2 is the general input format of SMT solvers and covers assignment, arithmetic and logic operations. The inputs of TOPREDICATE are a BIL file and a user-defined postcondition, and the output is the converted SMT-LIB2 file. The Z3 solver solves SMT-LIB2 files: the input is an SMT-LIB2 file and the output is one of three states, valid, invalid or undetermined. The emulate function in XEN performs simulated execution of instructions: its input is the program state before execution and its output is the program state after execution. In XEN the program state is stored in the x86_emulate_ctxt structure.
Step 40 is the start action. Step 41 takes the next basic function, in order, from the basic function table as the current basic function. Step 42 uses the rand function to generate random values and assigns them to each register and memory member variable of the program state input. Step 43 simulates the execution of the instruction sequence with the emulate function in XEN and obtains the program state output after the instruction sequence executes. Step 44 checks whether the member variables of the program state input and the program state output satisfy the basic function expression of the current basic function. If so, jump to step 45; otherwise jump to step 49. Step 45 converts the byte stream of the instruction sequence into the BIL intermediate representation with the BAP tool TOIL and, at the same time, generates a BIL representation of the basic function expression of the current basic function. Step 46 converts the BIL representations of the instruction sequence and of the basic function expression into SMT-LIB2 with the BAP tool TOPREDICATE. Step 47 judges whether the instruction sequence and the basic function expression of the current basic function are equivalent, i.e. whether the result output by Z3 is valid. If so, jump to step 48; otherwise jump to step 49. Step 48 creates a code snippet structure storing the code snippet and adds it to the code snippet linked list of the current basic function. Step 49 judges whether the basic function table has been exhausted. If so, jump to step 4a; otherwise jump to step 41. Step 4a is the end state.
Fig. 5 is the flow chart of code snippet allocation, which allocates matching code snippets to each basic function statement of an attack template. The input is a sensitive operation and the basic function table. When the flow finishes, code snippets have been allocated to the allocated code snippet linked list of each basic function statement of each attack template. A sensitive operation is the attack that an attacker intends to realize with reused code; the present invention presets three sensitive operations, arbitrary memory write, function call and system call, i.e. the sensitive operation set is {memory write, function call, system call}. Each sensitive operation corresponds to several predefined attack templates. An attack template is written in basic function statements and is a sequence of basic function statements. The following data structures are used. The sensitive operation table stores each sensitive operation in array form. The sensitive operation structure contains an attack template linked list and a sensitive operation name member variable; the attack template linked list stores the attack templates corresponding to the sensitive operation, and the sensitive operation name is the member of the sensitive operation set. The attack template structure contains a basic function statement linked list, which stores the basic function statement sequence. The basic function statement structure mainly contains member variables such as the basic function category, the function input operands and function output operands, the allocated code snippet linked list and a pointer to the next basic function statement; the allocated code snippet linked list stores the code snippets that match the basic function statement.
Step 50 is the start action. Step 51 takes the first attack template from the attack template linked list of the sensitive operation as the current attack template. Step 52 takes the first basic function statement from the basic function statement linked list of the current attack template as the current basic function statement. Step 53 takes the next basic function, in order, from the basic function table as the current basic function. Step 54 judges whether the basic function category of the current basic function statement is the same as that of the current basic function. If so, jump to step 56; otherwise jump to step 55. Step 55 judges whether the basic function table has been exhausted. If so, jump to step 5f; otherwise jump to step 53. Step 56 takes the first code snippet from the code snippet linked list of the current basic function as the current code snippet. Step 57 judges whether the function output operands of the current code snippet are the same as the function output operands of the basic function statement. If so, jump to step 58; otherwise jump to step 5a. Step 58 judges whether the function input operands of the current code snippet are the same as the function input operands of the basic function statement. If so, jump to step 59; otherwise jump to step 5a. Step 59 creates a code snippet structure storing the current code snippet and adds it to the allocated code snippet linked list of the basic function statement. Step 5a takes the next code snippet from the code snippet linked list of the current basic function as the current code snippet. Step 5b judges whether the current code snippet is empty. If so, jump to step 5c; otherwise jump to step 57. Step 5c judges whether the allocated code snippet linked list of the current basic function statement is empty. If so, jump to step 5f; otherwise jump to step 5d. Step 5d takes the next basic function statement from the basic function statement linked list of the current attack template as the current basic function statement. Step 5e judges whether the current basic function statement is empty. If so, jump to step 5f; otherwise jump to step 52. Step 5f takes the next attack template from the attack template linked list as the current attack template. Step 5g judges whether the current attack template is empty. If so, jump to step 5h; otherwise jump to step 51. Step 5h is the end state.
Fig. 6 is the flow chart of attack code generation, which combines the code snippets corresponding to each basic function statement to generate attack code. The inputs are the basic function statement linked list, the code snippet linked list and the sensitive operation. The code snippet linked list is initialized to empty and stores the attack code corresponding to the attack template. When generation finishes, side effect elimination is performed with the attack code as input, and attack code whose side effects were eliminated successfully is recorded in the corresponding test result file.
Step 60 is the start action. Step 61 judges whether the input basic function statement linked list is empty. If so, jump to step 6a; otherwise jump to step 62. Step 62 takes the first basic function statement from the basic function statement linked list as the current statement. Step 63 takes the first code snippet from the allocated code snippet linked list of the current statement as the current code snippet. Step 64 appends the current code snippet to the tail of the code snippet linked list. Step 65 takes the basic function statement following the current statement as the successor statement. Step 66 performs attack code generation for the sub attack template; the specific flow is that of Fig. 6 itself, with the basic function statement linked list starting at the successor statement and the code snippet linked list as parameters. Step 67 deletes the code snippet at the tail of the code snippet linked list. Step 68 takes the next code snippet from the allocated code snippet linked list of the current statement as the current code snippet. Step 69 judges whether the current code snippet is empty. If so, jump to step 6d; otherwise jump to step 64. Step 6a eliminates the side effects of the code snippets in the generated code snippet linked list; the specific flow is shown in Fig. 7, its input is the generated code snippet linked list and its output is whether side effect elimination succeeded. Step 6b judges from the returned result whether the side effect elimination of the attack code succeeded. If so, jump to step 6c; otherwise jump to step 6d. Step 6c records the attack code; the specific flow is shown in Fig. 10, and its inputs are the code snippet linked list whose side effects were eliminated successfully and the sensitive operation. Step 6d is the end state.
Fig. 7 is the flow chart of side effect judgement, which judges whether each code snippet in the attack code has side effects. The inputs are the code snippet linked list (i.e. the attack code) and the basic function table. The output is side effect elimination success or side effect elimination failure. Step 70 is the start action. Step 71 takes the first code snippet from the code snippet linked list as the current code snippet. Step 72 takes the first instruction from the instruction sequence of the current code snippet as the current instruction. Step 73 takes the first definition-use chain from the definition-use chain linked list as the current definition-use chain; the specific flow for generating the definition-use chain linked list is shown in Fig. 8, with the code snippet linked list as input and the definition-use chain linked list as output. Step 74 judges whether the current instruction destroys the current definition-use chain, i.e. whether the destination operand set of the current instruction contains the operand in the current definition-use chain structure. If so, jump to step 75; otherwise jump to step 77. Step 75 eliminates the side effect with the side effect elimination strategy; the specific flow is shown in Fig. 9, its inputs are the current code snippet, the current definition-use chain, the code snippet linked list and the basic function table, and its output is side effect elimination success or side effect elimination failure. Step 76 judges from the result returned by the side effect elimination process whether the side effect of the code snippet was eliminated successfully. If so, jump to step 77; otherwise jump to step 7d. Step 77 takes the next definition-use chain from the definition-use chain linked list as the current definition-use chain. Step 78 judges whether the current definition-use chain is empty. If so, jump to step 79; otherwise jump to step 73. Step 79 takes the next instruction from the instruction sequence of the current code snippet as the current instruction. Step 7a judges whether the current instruction is empty. If so, jump to step 7b; otherwise jump to step 74. Step 7b takes the next code snippet from the code snippet linked list as the current code snippet. Step 7c judges whether the current code snippet is empty. If so, jump to step 7d; otherwise jump to step 71. Step 7d is the end state.
Fig. 8 is the flowchart for collecting def-use chains, which collects the def-use chains present in the attack code. The input is the code fragment linked list (i.e. the attack code) and the output is the def-use chain linked list. A program state element is an element of the program state set. When a program state element is the function output operand of a code fragment GA (the function realized by GA defines the program state element) and is the function input operand of another code fragment GB after GA (the function realized by GB uses the program state element), and the program state element is not the function output operand of any code fragment between GA and GB, then there is a def-use chain for that program state element from GA to GB. GA is the definition point of the program state element and GB is its use point. The following data structures are used: the def-use chain linked list, which stores the collected def-use chains; and the def-use chain data structure, which mainly contains the definition-point code fragment, the use-point code fragment and the program state element.
Step 80 is the initial action. Step 81 takes the first code fragment from the code fragment linked list as the current code fragment. Step 82 takes the first code fragment from the sublist that starts at the code fragment following the current code fragment as the subsequent code fragment. Step 83 judges whether the subsequent code fragment is empty. If yes, jump to step 89; otherwise jump to step 84. Step 84 judges whether the function output operand of the current code fragment is identical to the function output operand of the subsequent code fragment. If yes, jump to step 89; otherwise jump to step 85. Step 85 judges whether the function input operand set of the subsequent code fragment contains the function output operand of the current code fragment. If yes, jump to step 86; otherwise jump to step 87. Step 86 creates a def-use chain data structure whose definition-point code fragment is the current code fragment and whose use-point code fragment is the subsequent code fragment, and appends the new def-use chain to the tail of the def-use chain linked list. Step 87 takes the next code fragment from the sublist that starts at the code fragment following the current code fragment as the subsequent code fragment. Step 88 judges whether the subsequent code fragment is empty. If yes, jump to step 89; otherwise jump to step 84. Step 89 takes the next code fragment from the code fragment linked list as the current code fragment. Step 8a judges whether the current code fragment is empty. If yes, jump to step 8b; otherwise jump to step 81. Step 8b is the end state; def-use chain collection is finished.
Fig. 9 is the flowchart for eliminating side effects; it eliminates the side effect of a code fragment in the attack code that has a side effect. The input is the side-effect code fragment, the def-use chain, the code fragment linked list (i.e. the attack code) and the basic function table. The output is side effect elimination succeeded or side effect elimination failed. Step 90 is the start action. Step 91 takes the first code fragment from the code fragment linked list of the register assignment basic function as the current code fragment. Step 92 judges whether the function output operand of the current code fragment is identical to the operand of the def-use chain. If yes, jump to step 93; otherwise jump to step 96. Step 93 adds the current code fragment into the code fragment linked list, inserting it after the side-effect code fragment. Step 94 judges whether the current code fragment produces a side effect. If yes, jump to step 95; otherwise jump to step 98 and return side effect elimination succeeded. Judging whether the current code fragment produces a side effect follows the flow shown in Fig. 7, with the code fragment linked list and a pointer to the current code fragment as input. Step 95 deletes the current code fragment from the code fragment linked list. Step 96 takes the next code fragment from the code fragment linked list of the register assignment function as the current code fragment. Step 97 judges whether the current code fragment is empty. If yes, jump to step 98 and side effect elimination fails; otherwise jump to step 91. Step 98 is the end state.
Fig. 10 is the flowchart of attack code recording, which records attack code whose side effects were successfully eliminated into the corresponding test result file. The input is the code fragment linked list (the attack code whose side effects were successfully eliminated) and the sensitive operation. Each sensitive operation has a corresponding test result file (the test result file is named after the corresponding sensitive operation), and the attack code is recorded in the corresponding test result file. Step 100 is the start action. Step 101 finds the corresponding sensitive operation file according to the sensitive operation name of the sensitive operation. Step 102 takes the first code fragment from the code fragment linked list as the current code fragment. Step 103 writes the address, basic function category and the assembly code of the instruction sequence of the current code fragment into the file. Step 104 takes the next code fragment from the code fragment linked list as the current code fragment. Step 105 judges whether the current code fragment is empty. If yes, jump to step 106; otherwise jump to step 102. Step 106 represents the end state.
Fig. 11 is the flowchart of software security reporting, which outputs the attack code information recorded in the test result file corresponding to each sensitive operation. The input is a test result file. After completion, the attack code information in the test result file has been output. Step 110 is the start action. Step 111 outputs the test result file name, i.e. the sensitive operation name. Step 112 takes the first line of the test result file as the current line. Step 113 judges whether the current line is empty. If yes, jump to step 116; otherwise jump to step 114. Step 114 outputs the attack code information saved in the current line. Step 115 takes the next line of the test result file as the current line. Step 116 is the end state.
Claims (10)
- 1. A software security detection method for code reuse programming, characterized in that it includes five stages: instruction sequence disassembly, basic function code fragment collection, attack code generation, attack code recording and software security reporting; in the instruction sequence disassembly stage, the byte sequence preceding a return instruction is disassembled; in the basic function code fragment collection stage, the input is the instruction sequences collected in the previous stage, it is judged whether an instruction sequence belongs to a certain basic function, and an instruction sequence that belongs to a basic function is collected as a code fragment of that basic function; in the attack code generation stage, the code fragments of each basic function are assembled according to predefined attack templates to generate attack code, and for code fragments in the attack code that carry side effects the side effects are eliminated with a side effect elimination strategy so that the function of the attack code is realized normally; in the attack code recording stage, attack code whose side effects were successfully eliminated is recorded in the corresponding test result file; in the software security reporting stage, the attack code recorded in each test result file is output, reporting to the user the reuse code in the program under test that could potentially realize the various attacks, i.e. the attack code, so as to evaluate the potential security risks of the software; the key operation steps are as follows: (1) return instruction search: the return instructions present in the executable segments of the program under test are searched for; (2) byte sequence disassembly: the byte sequence preceding a return instruction is disassembled backwards until disassembly is complete, the disassembly result being multiple instruction sequences; (3) basic function code fragment collection: a number of basic functions are predefined; for each collected instruction sequence, a semantic solver is used to verify whether it belongs to a certain basic function; if so, the instruction sequence is collected as a code fragment of that basic function, each basic function having a corresponding code fragment set; (4) code fragment distribution: a number of attack templates are predefined; an attack template is composed of basic function statements, and each basic function statement has a corresponding basic function code fragment set; each attack template is traversed and, for each basic function statement in the attack template, code fragments whose operands match are searched for in the corresponding basic function code fragment set; each basic function statement corresponds to multiple matching code fragments, which form the distributed code fragment set of that basic function statement; (5) attack code generation: each basic function statement in the attack template is traversed and one code fragment is selected from the distributed code fragment set of each basic function statement; every combination of the selected code fragments forms one attack code; since the distributed code fragment set of each basic function statement contains multiple code fragments, the attack code has multiple code fragment combinations, i.e. each attack template can generate multiple attack codes; this stage uses the side effect judgment, def-use chain collection, side effect elimination and attack code recording operations; (6) side effect judgment: the code fragments in the attack code are traversed and it is judged by means of def-use chains whether each code fragment has a side effect; (7) def-use chain collection: the data flow between the code fragments in the attack code is analysed and the def-use chains present in the attack code are collected; (8) side effect elimination: for a side-effect code fragment present in the attack code, its side effect is eliminated by introducing a code fragment of a basic function, so that the attack code executes normally; (9) attack code recording: the details of attack code whose side effects were successfully eliminated are recorded in the corresponding test result file; (10) software security reporting: the attack code in each test result file is output, reporting to the user the potential code reuse threats in the program under test and the possibility of realizing each kind of attack in the program under test, thereby effectively detecting the security risks present in the software.
- 2. The software security detection method according to claim 1, characterized in that the return instruction search flow of operation step (1) uses the following data structures: the ELF file header data structure, which describes the basic attributes of the whole file and whose member variable program header table offset is the offset of the program header table within the file; the program header table, which stores program header data structures in array form; and the program header data structure, which describes the information of each segment of the program and contains the readable, writable and executable permission attributes, the program header offset and the program header size member variables; specifically: step 20 is the initial action; step 21 obtains the program header table offset from the ELF file header of the program; step 22 takes the program headers in order from the program header table as the current program header; step 23 judges whether the current program header is an executable segment, i.e. whether the permission attribute in the program header structure is equal to executable; if yes, jump to step 24, otherwise jump to step 22; step 24 assigns the program header offset in the current program header to the executable segment start offset, and assigns the sum of the program header offset and the program header size to the executable segment end offset; step 25 sets a pointer initialized to the start offset of the executable segment; step 26 judges whether the byte pointed to by the pointer is a return instruction; if yes, jump to step 27, otherwise jump to step 28; step 27 disassembles the byte sequence before the return instruction and collects instruction sequences, the specific flow being shown in Fig. 3 with the byte sequence before the return instruction as input; step 28 advances the pointer to the next byte; step 29 judges whether the pointer offset is greater than the executable segment end offset; if yes, jump to step 2a, otherwise jump to step 26; step 2a is the end state; in the byte sequence disassembly flow of operation step (2), the byte sequence before the return instruction is disassembled; the input is the byte sequence before the return instruction and the output is the instruction sequences collected after disassembly; because x86 instructions are densely encoded, one byte sequence corresponds to several disassembled instruction sequence results, which are stored as a tree; the following data structures are used: the instruction data structure, based on the INSTRUCTION structure in LIBDASM, stores the instruction information of a disassembled instruction and mainly contains the instruction type, source operand set and destination operand set member variables, where the source operand set contains all source operands used by the instruction and is stored as a linked list, and the destination operand set contains all destination operands modified by the instruction and is stored as a linked list; the operand data structure, based on the OPERAND structure in LIBDASM, stores the operand information of an instruction and mainly contains the operand type, addressing mode, operand permission and operand size member variables, where the operand type includes register, memory and immediate, and the operand permission includes read, write and execute; the tree node data structure mainly contains the instruction, instruction offset, parent node pointer and child node pointer array member variables, the instruction being stored with the instruction data structure, the parent node pointer pointing to the parent node, and each pointer in the child node pointer array pointing to a child node; during disassembly the maximum instruction length is set to 20 bytes; the LIBDASM disassembler is used to disassemble the byte sequence; LIBDASM provides the interface function get_instruction, which stores the instruction information after disassembly in an INSTRUCTION structure; its input is the input byte sequence and an INSTRUCTION structure, and its output is the byte count of the instruction, where 0 means the byte sequence cannot be disassembled into a valid instruction; specifically: step 30 is the initial action; step 31 creates a node data structure, initializes its member variable instruction to the return instruction and its instruction offset to the offset of the return instruction in the executable segment, sets it as the root node of the tree and adds the node to a queue; step 32 takes the head node out of the queue as the current node; step 33 sets the variable pos, initialized to the relative offset of the current node in the executable segment, and sets the variable len to 1; step 34 judges whether len is greater than the maximum instruction length; if yes, jump to step 39, otherwise jump to step 35; step 35 performs disassembly with LIBDASM, the disassembly range being the byte sequence from offset pos-len to pos-1; step 36 judges from the return value of get_instruction whether the byte sequence is a valid instruction; if yes, jump to step 37, otherwise jump to step 38; step 37 stores the disassembly result of the byte sequence with the instruction data structure, creates a node data structure that is added to the child nodes of the current node, and then adds the new node to the queue; step 38 increments len by 1 and then returns to step 34 to re-execute the action of step 34; step 39 judges whether the queue is empty; if yes, jump to step 3a, otherwise jump to step 32; step 3a is the end state.
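As an added illustration of the return instruction search in steps 20 to 2a of claim 2 (this is not the patent's code; the ELF64 image, its bytes and all function names are constructed here so the block runs offline), the program header table is parsed, executable segments are selected by their permission flags, and every byte of those segments is compared against the return opcodes. The page does not say which opcodes count as a return instruction; the set below is an assumption.

```python
# Added example (not the patent's code): return instruction search over ELF64
# program headers, claim 2 steps 20-2a.  The ELF image is built in memory so
# the block runs offline; its bytes and all names here are assumptions.
import struct

PT_LOAD = 1
PF_X = 1                     # p_flags bit meaning "executable"
RET_OPCODES = {0xC3, 0xC2}   # near ret / ret imm16 (assumed set; far returns omitted)


def executable_segments(elf):
    """Steps 21-24: walk the program header table and return (start, end) file
    offsets of each executable segment; end is exclusive here."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:          # step 23
            segs.append((p_offset, p_offset + p_filesz))  # step 24
    return segs


def find_return_instructions(elf):
    """Steps 25-29: scan each byte of every executable segment and return the
    file offsets holding a return opcode (step 27's disassembly of the
    preceding bytes is out of scope for this block)."""
    hits = []
    for start, end in executable_segments(elf):
        for off in range(start, end):
            if elf[off] in RET_OPCODES:
                hits.append(off)
    return hits


def build_sample_elf():
    """Constructed ELF64 image: one R+X segment with three ret-terminated
    instruction sequences and one R+W data segment that also contains 0xC3
    bytes, which must not be reported."""
    text = (b"\x55\x48\x89\xe5\x5d\xc3"   # push rbp; mov rbp,rsp; pop rbp; ret
            b"\x58\xc3"                   # pop rax; ret
            b"\x31\xc0\xc3"               # xor eax,eax; ret
            b"\x90\x90\x90")              # padding
    data = b"\xc3\xc3\x00\x00"            # non-executable bytes that look like ret
    phnum, ehsize, phentsize = 2, 64, 56
    text_off = ehsize + phnum * phentsize
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)          # ELFCLASS64, little-endian
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0x400000 + text_off,
                       ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)

    def phdr(flags, off, size):
        return struct.pack("<IIQQQQQQ", PT_LOAD, flags, off, 0x400000 + off,
                           0x400000 + off, size, size, 0x1000)

    phdrs = (phdr(4 | PF_X, text_off, len(text))
             + phdr(4 | 2, text_off + len(text), len(data)))
    return ehdr + phdrs + text + data
```

`find_return_instructions(build_sample_elf())` reports the three return bytes inside the R+X segment and ignores the two 0xC3 bytes in the writable data segment. Note that step 29 of the claim stops only when the pointer exceeds the end offset, which reads one byte past the segment; the block treats the end offset as exclusive so the scan never touches the following segment's bytes. The same p_flags check also exposes segments that are both writable and executable, which a hardening review would flag on its own.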
- 3. The software security detection method according to claim 1, characterized in that in the basic function code fragment collection flow of operation step (3) it is judged whether an instruction sequence belongs to a basic function, and an instruction sequence belonging to a basic function is collected as a code fragment of the corresponding basic function; the input is the instruction sequence and the basic function table; after completion, the code fragments have been collected into the code fragment linked lists corresponding to the individual basic functions; a code fragment is an instruction sequence ending with a return instruction; program state = {general registers, segment registers, instruction register, memory}; the following data structures are used: the basic function table, which stores each predefined basic function in array form; the basic function data structure, which describes the information of a basic function and contains the basic function category, basic function expression, source operand type, destination operand type and code fragment linked list member variables, where the basic function categories include register assignment, value transfer between registers, memory read, memory write, arithmetic/logic operation between registers, arithmetic/logic operation whose destination operand is memory, arithmetic/logic operation whose source operand is memory, flag setting, control transfer and system call, the basic function expression describes the operation of the basic function in expression form, the source operand type is the type of the source operand in the basic function expression, the destination operand type is the type of the destination operand in the basic function expression, and the code fragment linked list stores the code fragments that satisfy the basic function; the code fragment data structure, which stores a code fragment of a basic function and mainly contains the instruction sequence, basic function category, function input operand, function output operand and address member variables, where each instruction in the instruction sequence is stored with the instruction data structure, the function output operand is the destination operand of the basic function expression and is stored with the operand data structure, the function input operand is the source operand of the basic function expression and is stored with the operand data structure, and the address is the address of the code fragment in the program under test; when judging whether an instruction sequence belongs to a basic function, the TOIL and TOPREDICATE tools of the binary analysis platform BAP and the Z3 semantic solver are used; TOIL converts the byte representation of instructions into BAP's intermediate representation language BIL; BIL is in SSA form and describes the operations performed by the instructions; the input of TOIL is an ELF file together with the start address and end address of the instructions, and its output is a BIL format file of the instructions; TOPREDICATE converts a BIL format file into the SMT-LIB2 language; SMT-LIB2 is the general input format of SMT solvers and covers assignment, arithmetic and logic operations; the input of TOPREDICATE is a BIL format file and a user-defined postcondition, and its output is the converted SMT-LIB2 format file; the Z3 semantic solver solves SMT-LIB2 format files; its input is an SMT-LIB2 format file and its output is one of three states, valid, invalid or undetermined; the emulate function in XEN realizes simulated execution of instructions; its input is the program state before the instruction executes and its output is the program state after the instruction executes; in XEN the program state is stored in the x86_emulate_ctxt structure; specifically: step 40 is the initial action; step 41 takes the basic functions in order from the basic function table as the current basic function; step 42 generates random values with the rand function and assigns them to each register and memory member variable of the program state input; step 43 simulates execution of the instruction sequence with the emulate function in XEN and obtains the program state output after the instruction sequence executes; step 44 checks whether the member variables of the program state input and the program state output satisfy the basic function expression of the current basic function; if yes, jump to step 45, otherwise jump to step 49; step 45 converts the byte stream of the instruction sequence into the BIL intermediate representation language with the BAP tool TOIL, and at the same time generates the BIL representation of the basic function expression of the current basic function; step 46 converts the BIL representations of the instruction sequence and of the basic function expression into SMT-LIB2 with the BAP tool TOPREDICATE; step 47 judges whether the instruction sequence and the basic function expression of the current basic function are equivalent, i.e. whether the result output by Z3 is valid; if yes, jump to step 48, otherwise jump to step 49; step 48 creates a code fragment data structure to store the code fragment and adds it to the code fragment linked list of the current basic function; step 49 judges whether the basic function table has been exhausted; if yes, jump to step 4a, otherwise jump to step 41; step 4a is the end state.
- 4. The software security detection method according to claim 1, characterized in that the code fragment distribution flow of operation step (4) distributes matching code fragments to each basic function statement in an attack template; the input is the sensitive operation and the basic function table; after completion, the code fragments have been distributed into the distributed code fragment linked list of each basic function statement in the attack template; a sensitive operation is the attack that an attacker writing reuse code intends to realize; the present invention presets three kinds of sensitive operations, arbitrary memory write, function call and system call, i.e. the sensitive operation set = {memory write, function call, system call}; each sensitive operation corresponds to multiple predefined attack templates; an attack template is written in basic function statements and is a sequence of basic function statements; the following data structures are used: the sensitive operation table, which stores each sensitive operation in array form; the sensitive operation data structure, containing the attack template linked list and sensitive operation name member variables, where the attack template linked list stores each attack template corresponding to the sensitive operation and the sensitive operation name is a member of the sensitive operation set; the attack template data structure, containing a basic function statement linked list, which stores the basic function statement sequence; the basic function statement data structure, mainly containing the basic function category, the function input operand and function output operand, the distributed code fragment linked list and a pointer to the next basic function statement as member variables, where the distributed code fragment linked list stores the code fragments matching the basic function statement; specifically: step 50 is the start action; step 51 takes the first attack template from the attack template linked list of the sensitive operation as the current attack template; step 52 takes the first basic function statement from the basic function statement linked list of the current attack template as the current basic function statement; step 53 takes the basic functions in order from the basic function table as the current basic function; step 54 judges whether the basic function categories of the current basic function statement and of the current basic function are identical; if yes, jump to step 56, otherwise jump to step 55; step 55 judges whether the basic function table has been exhausted; if yes, jump to step 5f, otherwise jump to step 53; step 56 takes the first code fragment from the code fragment linked list of the current basic function as the current code fragment; step 57 judges whether the function output operand of the current code fragment is identical to the function output operand of the basic function statement; if yes, jump to step 58, otherwise jump to step 5a; step 58 judges whether the function input operand of the current code fragment is identical to the function input operand of the basic function statement; if yes, jump to step 59, otherwise jump to step 5a; step 59 creates a code fragment data structure to store the current code fragment and adds it to the distributed code fragment linked list of the basic function statement; step 5a takes the next code fragment from the code fragment linked list of the current basic function as the current code fragment; step 5b judges whether the current code fragment is empty; if yes, jump to step 5c, otherwise jump to step 57; step 5c judges whether the distributed code fragment linked list of the current basic function statement is empty; if yes, jump to step 5f, otherwise jump to step 5d; step 5d takes the next basic function statement from the basic function statement linked list of the current attack template as the current basic function statement; step 5e judges whether the current basic function statement is empty; if yes, jump to step 5f, otherwise jump to step 52; step 5f takes the next attack template from the attack template linked list as the current attack template; step 5g judges whether the current attack template is empty; if yes, jump to step 5h, otherwise jump to step 51; step 5h is the end state.
- 5. The software security detection method according to claim 1, characterized in that the attack code generation flow of operation step (5) combines the code fragments corresponding to each basic function statement to generate attack code; the input is the basic function statement linked list, the code fragment linked list and the sensitive operation, where the code fragment linked list is initialized empty and is used to store the attack code corresponding to the attack template; after completion, side effect elimination is carried out with the attack code as input, and attack code whose side effects were successfully eliminated is recorded in the corresponding test result file; step 60 is the start action; step 61 judges whether the input basic function statement linked list is empty; if yes, jump to step 6a, otherwise jump to step 62; step 62 takes the first basic function statement from the basic function statement linked list as the current statement; step 63 takes the first code fragment from the distributed code fragment linked list of the current statement as the current code fragment; step 64 appends the current code fragment to the tail of the code fragment linked list; step 65 takes the basic function statement following the current statement as the subsequent statement; step 66 performs attack code generation on the sub-attack template, with the basic function statement linked list starting at the subsequent statement and the code fragment linked list as parameters; step 67 deletes the code fragment at the tail of the code fragment linked list; step 68 takes the next code fragment from the distributed code fragment linked list of the current statement as the current code fragment; step 69 judges whether the current code fragment is empty; if yes, jump to step 6d, otherwise jump to step 64; step 6a eliminates the side effects caused by the code fragments in the generated code fragment linked list, the input being the generated code fragment linked list and the output being whether side effect elimination succeeded; step 6b judges from the returned result whether the side effects of the attack code were eliminated successfully; if yes, jump to step 6c, otherwise jump to step 6d; step 6c records the attack code, the input being the code fragment linked list whose side effects were successfully eliminated and the sensitive operation; step 6d is the end state.
- 6. The software security detection method according to claim 1, characterized in that the side effect judgment flow of operation step (6) judges whether each code fragment in the attack code has a side effect; the input is the code fragment linked list, i.e. the attack code, and the basic function table; the output is side effect elimination succeeded or side effect elimination failed; step 70 is the start action; step 71 takes the first code fragment from the code fragment linked list as the current code fragment; step 72 takes the first instruction from the instruction sequence of the current code fragment as the current instruction; step 73 takes the first def-use chain from the def-use chain linked list as the current def-use chain; the specific flow for generating the def-use chain linked list is shown in Fig. 8, its input being the code fragment linked list and its output the def-use chain linked list; step 74 judges whether the current instruction breaks the current def-use chain, i.e. whether the destination operand set of the current instruction contains the operand held in the current def-use chain structure; if yes, jump to step 75, otherwise jump to step 77; step 75 eliminates the side effect with the side effect elimination strategy, whose flow takes the current code fragment, the current def-use chain, the code fragment linked list and the basic function table as input and outputs side effect elimination succeeded or side effect elimination failed; step 76 judges from the result returned by the side effect elimination process whether the side effect of the code fragment was eliminated successfully; if yes, jump to step 77, otherwise jump to step 7d; step 77 takes the next def-use chain from the def-use chain linked list as the current def-use chain; step 78 judges whether the current def-use chain is empty; if yes, jump to step 79, otherwise jump to step 73; step 79 takes the next instruction from the instruction sequence of the current code fragment as the current instruction; step 7a judges whether the current instruction is empty; if yes, jump to step 7b, otherwise jump to step 74; step 7b takes the next code fragment from the code fragment linked list as the current code fragment; step 7c judges whether the current code fragment is empty; if yes, jump to step 7d, otherwise jump to step 71; step 7d is the end state.
- 7. The software security detection method according to claim 1, characterized in that operation (7), definition-use chain linked list generation: the input is the code snippet linked list and the output is the definition-use chain linked list; the flow for collecting definition-use chains collects the definition-use chains present in the attack code; the input is the code snippet linked list, i.e. the attack code, and the output is the definition-use chain linked list; a program state element is an element belonging to the program state set; when a program state element is the function output operand of a code snippet GA, the function realized by GA defines that program state element; when it is the function input operand of another code snippet GB located after GA, the function realized by GB uses that program state element; if the program state element is not the function output operand of any code snippet between GA and GB, then there is a definition-use chain for that program state element from GA to GB; GA is the defining point of the program state element and GB is its point of use; the following data structures are used: the definition-use chain linked list, which stores the collected definition-use chains; and the definition-use chain data structure, which mainly comprises the defining point code snippet, the point of use code snippet and the program state element; step 80 is the start action; step 81 takes the first code snippet from the code snippet linked list as the current code fragment; step 82 takes the first code snippet from the sub-list whose start node is the code snippet following the current code fragment as the follow-up code snippet; step 83 judges whether the follow-up code snippet is empty; if so, jump to step 89, otherwise jump to step 84; step 84 judges whether the function output operand of the current code fragment is the same as the function output operand of the follow-up code snippet; if so, jump to step 89, otherwise jump to step 85; step 85 judges whether the function input operand set of the follow-up code snippet contains the function output operand of the current code fragment; if so, jump to step 86, otherwise jump to step 87; step 86 creates a definition-use chain data structure in which the defining point code snippet is the current code fragment and the point of use code snippet is the follow-up code snippet, and appends the new definition-use chain to the tail of the definition-use chain linked list; step 87 takes the next code snippet from the sub-list whose start node is the code snippet following the current code fragment as the follow-up code snippet; step 88 judges whether the follow-up code snippet is empty; if so, jump to step 89, otherwise jump to step 84; step 89 takes the next code snippet from the code snippet linked list as the current code fragment; step 8a judges whether the current code fragment is empty; if so, jump to step 8b, otherwise jump to step 81; step 8b is the end state, and the collection of definition-use chains is finished.
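The definition-use chain collection of claim 7 is an ordinary forward dataflow pass over an ordered list of code fragments, each labelled with one output operand and a set of input operands. The following is an added example written for this page, not code from the patent; the fragment addresses, operand names and the five-fragment sample list are constructed for illustration. It follows the claimed step order literally: for each current fragment (steps 81/89) it scans the fragments after it (steps 82/87), stops the scan at the first fragment that redefines the same output operand (step 84), and records a chain for every fragment whose input set contains the operand (steps 85/86). Because step 84 is checked before step 85, a fragment that both reads and redefines the element ends the scan without being recorded as a use; the example preserves that ordering so an analyst can see exactly which dependencies the method reports.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class CodeSnippet:
    """One basic-function code snippet as the claim describes it:
    the fragment address, the program-state element (operand) that the
    realized function writes, and the set of elements it reads."""
    address: int
    output: str
    inputs: FrozenSet[str]


@dataclass(frozen=True)
class DefUseChain:
    """Definition-use chain data structure: defining point code snippet,
    point-of-use code snippet and the program-state element involved."""
    definition: CodeSnippet
    use: CodeSnippet
    element: str


def collect_def_use_chains(snippets: List[CodeSnippet]) -> List[DefUseChain]:
    """Steps 80 to 8b of claim 7 over an in-memory list instead of a linked list."""
    chains: List[DefUseChain] = []            # definition-use chain linked list
    for i, current in enumerate(snippets):    # steps 81 and 89: each current fragment
        for follow in snippets[i + 1:]:       # steps 82 and 87: fragments after it
            # Step 84: a later fragment that redefines the same element ends
            # the scan; no chain may cross a redefinition.
            if follow.output == current.output:
                break
            # Step 85/86: the follow-up fragment consumes the element.
            if current.output in follow.inputs:
                chains.append(DefUseChain(current, follow, current.output))
    return chains                             # step 8b: collection finished


def as_tuples(chains: List[DefUseChain]) -> List[Tuple[int, int, str]]:
    """Compact (defining address, using address, element) view for reports and tests."""
    return [(c.definition.address, c.use.address, c.element) for c in chains]


# Constructed sample attack-code fragment list (hypothetical addresses and
# operand names, not taken from the patent or from any real binary).
SAMPLE_SNIPPETS = [
    CodeSnippet(0x1000, "rax", frozenset()),
    CodeSnippet(0x1010, "rbx", frozenset({"rax"})),
    CodeSnippet(0x1020, "rcx", frozenset({"rax", "rbx"})),
    CodeSnippet(0x1030, "rax", frozenset({"rcx"})),   # redefines rax: ends the rax scan
    CodeSnippet(0x1040, "rdx", frozenset({"rax"})),   # uses the *new* rax from 0x1030
]


def demo() -> List[Tuple[int, int, str]]:
    return as_tuples(collect_def_use_chains(SAMPLE_SNIPPETS))


if __name__ == "__main__":
    for definition, use, element in demo():
        print(f"{element}: defined at {definition:#x}, used at {use:#x}")
```

Running the module prints five chains; note that the rax written at 0x1000 is never linked to the fragment at 0x1040, because the redefinition at 0x1030 terminated that scan and the 0x1040 use is attributed to 0x1030 instead.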
- 8. The software security detection method according to claim 1, characterized in that operation step (8), the flow for eliminating side effects, eliminates the side effect of a code snippet in the attack code that has a side effect; the inputs are the side effect code snippet, the definition-use chain, the code snippet linked list, i.e. the attack code, and the basic function table; the output is either side effect elimination success or side effect elimination failure; step 90 is the start action; step 91 takes the first code snippet from the code snippet linked list of the register assignment function as the current code fragment; step 92 judges whether the function output operand of the current code fragment is the same as the operand of the definition-use chain; if so, jump to step 93, otherwise jump to step 96; step 93 adds the current code fragment to the code snippet linked list, inserting it after the side effect code snippet; step 94 judges whether the current code fragment produces a side effect; if so, jump to step 95, otherwise jump to step 98 and return that the side effect was eliminated successfully; the judgement of whether the current code fragment produces a side effect takes as input the code snippet linked list and a pointer to the current code fragment; step 95 deletes the current code fragment from the code snippet linked list; step 96 takes the next code snippet from the code snippet linked list of the register assignment function as the current code fragment; step 97 judges whether the current code fragment is empty; if so, jump to step 98, side effect elimination has failed; otherwise jump to step 91; step 98 is the end state.
- 9. The software security detection method according to claim 1, characterized in that in operation step (9), the attack code record flow, the attack code whose side effects were successfully eliminated is recorded in the corresponding test result file; the inputs are the code snippet linked list, i.e. the attack code with side effects successfully eliminated, and the sensitive operation; each sensitive operation corresponds to one test result file, the name of the test result file is the name of the corresponding sensitive operation, and the attack code is recorded in the corresponding test result file; step 100 is the start action; step 101 finds the sensitive operation file corresponding to the sensitive operation name of the sensitive operation; step 102 takes the first code snippet from the code snippet linked list as the current code fragment; step 103 writes the address, basic function category and instruction sequence assembly code of the current code fragment into the file; step 104 takes the next code snippet from the code snippet linked list as the current code fragment; step 105 judges whether the current code fragment is empty; if so, jump to step 106, otherwise jump to step 102; step 106 represents the end state.
- 10. The software security detection method according to claim 1, characterized in that operation step (10), the software security report flow, outputs the attack code information recorded in the test result file corresponding to a sensitive operation; the input is the test result file; the output is the attack code information in the test result file once the flow has finished; step 110 is the start action; step 111 outputs the test result file name, i.e. the sensitive operation name; step 112 takes the first line of the test result file as the current line; step 113 judges whether the current line is empty; if so, jump to step 116, otherwise jump to step 114; step 114 outputs the attack code information held by the current line; step 115 takes the next line of the test result file as the current line; step 116 is the end state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510467987.2A CN105138914B (en) | 2015-08-03 | 2015-08-03 | A kind of software security detection method for code reuse programming |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510467987.2A CN105138914B (en) | 2015-08-03 | 2015-08-03 | A kind of software security detection method for code reuse programming |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105138914A CN105138914A (en) | 2015-12-09 |
CN105138914B true CN105138914B (en) | 2018-02-16 |
Family
ID=54724259
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510467987.2A Active CN105138914B (en) | 2015-08-03 | 2015-08-03 | A kind of software security detection method for code reuse programming |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105138914B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105825086B (en) * | 2016-03-16 | 2018-07-24 | 西北大学 | A kind of ROP means of defences based on Attack Tree |
CN110515652B (en) * | 2019-08-30 | 2021-10-15 | 腾讯科技(深圳)有限公司 | Code abstract generation method and device and storage medium |
CN113553041B (en) * | 2021-09-22 | 2021-12-10 | 武汉江民网安科技有限公司 | Method, apparatus and medium for generating function code formalized structure in binary program |
CN115017507A (en) * | 2022-07-14 | 2022-09-06 | 北京华云安信息技术有限公司 | Method, device, equipment and storage medium for detecting source code tampering |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102662830A (en) * | 2012-03-20 | 2012-09-12 | 湖南大学 | Code reuse attack detection system based on dynamic binary translation framework |
- 2015-08-03 CN CN201510467987.2A patent/CN105138914B/en active Active
Non-Patent Citations (1)
Title |
---|
BIOP:自动构造增强型ROP攻击;邢骁 等;《计算机学报》;20140530;第37卷(第5期);正文第1111-1123页 * |
Also Published As
Publication number | Publication date |
---|---|
CN105138914A (en) | 2015-12-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |