CN105138914B - A kind of software security detection method for code reuse programming - Google Patents


Info

Publication number: CN105138914B
Authority: CN (China)
Legal status: Active
Application number: CN201510467987.2A
Other languages: Chinese (zh)
Other versions: CN105138914A (en)
Inventors: 曾庆凯, 朱晨晖
Current assignee: Nanjing University
Original assignee: Nanjing University
Events: application filed by Nanjing University; priority to CN201510467987.2A; publication of CN105138914A; application granted; publication of CN105138914B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis


Abstract

The software security detection method for code reuse programming comprises five stages: instruction sequence disassembly, basic function code snippet collection, attack code generation, attack code recording and software security reporting. In the instruction sequence disassembly stage, the byte sequence preceding each return instruction is disassembled. The basic function code snippet collection stage takes the instruction sequences collected in the previous stage as its input and decides whether each instruction sequence belongs to a certain basic function; an instruction sequence that belongs to a basic function is collected as a code snippet of that basic function. In the attack code generation stage, the code snippets of each basic function are combined according to predefined attack templates to generate attack code; for code snippets in the attack code that carry side effects, the side effects are eliminated using a side effect elimination strategy, ensuring that the attack code function is realized normally. In the attack code recording stage, attack code whose side effects have been successfully eliminated is recorded in the corresponding test result file.

Description

A kind of software security detection method for code reuse programming
Technical field
The present invention relates to software security detection, and more particularly to a software security detection method that checks whether software is vulnerable to code reuse programming attacks.
Background technology
The attack patterns currently aimed at software are becoming more varied and more automated, so that system and software security face serious challenges. With the deployment of defensive measures such as DEP and address randomization on operating systems, traditional code injection attacks are no longer effective. Code reuse programming, however, does not need to inject attack code: it reuses code fragments already present in the target program to carry out an attack, and can thus bypass these security protection techniques, posing a serious threat to computer system security. Therefore, performing security detection of software against code reuse programming has very real significance; it can effectively mitigate code reuse programming attacks and improve the security quality of software.
The present invention proposes a software security detection method for code reuse programming. It collects the code snippets present in the program under test, combines them according to a number of combination rules to generate attack code, and thereby detects a variety of attack behaviours, checking the security of the software from many sides. During attack code generation, code snippets with side effects (snippets that perform additional operations on the program state) are also used, which raises the success rate of attack code generation, so that the possibility of the software being exploited or attacked is detected more completely and more accurately, improving software security against code reuse programming.
The content of the invention
In order to generate attack code more efficiently and detect the security of software against code reuse programming, the object of the present invention is to provide a software security detection method for code reuse programming that introduces side-effect code snippets. The code snippets of the various basic functions present in the program under test are collected, and the collected snippets serve as the candidate set for attack code generation. The basic function code snippets in the candidate set are combined according to predefined attack templates (i.e. code snippet combination rules) to generate attack code. Each generated attack code is recorded, and the security hazards present in the program under test are reported. By introducing side-effect code snippets into the attack code generation process, the success rate of attack code generation is effectively improved, and the accuracy of security detection is improved.
The technical scheme is as follows. A software security detection method for code reuse programming comprises five stages: instruction sequence disassembly, basic function code snippet collection, attack code generation, attack code recording and software security reporting. In the instruction sequence disassembly stage, the byte sequence preceding each return instruction is disassembled. Because x86 instructions are densely encoded, one byte sequence may correspond to several disassembly results, i.e. multiple instruction sequences. The basic function code snippet collection stage takes the instruction sequences collected in the previous stage as its input and decides whether each instruction sequence belongs to a certain basic function; an instruction sequence that belongs to a basic function is collected as a code snippet of that basic function. In the attack code generation stage, the code snippets of each basic function are combined according to predefined attack templates to generate attack code. For code snippets in the attack code that carry side effects, the side effects are eliminated using a side effect elimination strategy, ensuring that the attack code function is realized normally. In the attack code recording stage, attack code whose side effects have been successfully eliminated is recorded in the corresponding test result file. In the software security reporting stage, the attack code recorded in each test result file is output, reporting to the user the reused code (i.e. attack code) in the program under test that could potentially realize each kind of attack, so as to evaluate the potential security hazards of the software.
The key operations of the present invention are as follows:
(1) Return instruction search. Search for the return instructions present in the executable section of the program under test;
(2) Byte sequence disassembly. Disassemble the byte sequence preceding each return instruction backwards until disassembly is complete. The disassembly result is a set of multiple instruction sequences;
(3) Basic function code snippet collection. A number of basic functions are predefined in the present invention. For each collected instruction sequence, a semantic solver is used to verify whether it belongs to a certain basic function. If so, the instruction sequence is collected as a code snippet of that basic function; each basic function has a corresponding code snippet set;
(4) Code snippet allocation. A number of attack templates are predefined in the present invention. An attack template is composed of basic function statements, and each basic function statement has a corresponding basic function code snippet set. Each attack template is traversed, and for every basic function statement in the template, code snippets whose operands match are searched for in the corresponding basic function code snippet set. Each basic function statement corresponds to multiple matching code snippets, which form the allocated code snippet set of that statement.
(5) Attack code generation. Traverse each basic function statement in the attack template and select one code snippet from the allocated code snippet set of each statement. Each combination of the selected code snippets forms one attack code. Because the allocated code snippet set of each basic function statement contains multiple code snippets, an attack code has several possible snippet combinations, i.e. each attack template can generate multiple attack codes. This operation includes side effect judgement, definition-use chain collection, side effect elimination and attack code recording;
(6) Side effect judgement. Traverse the code snippets in the attack code and judge, by means of definition-use chains, whether each code snippet carries a side effect;
(7) Definition-use chain collection. Analyse the data flow between the code snippets in the attack code and collect the definition-use chains present in the attack code;
(8) Side effect elimination. For side-effect code snippets present in the attack code, eliminate their side effects by introducing basic function code snippets, so as to ensure that the attack code executes normally;
(9) Attack code recording. Record the details of attack code whose side effects have been successfully eliminated in the corresponding test result file.
(10) Software security reporting. Output the attack code in each test result file, report to the user the potential code reuse threats in the program under test and the possibility of realizing each kind of attack in it, and thereby effectively detect the security hazards present in the software.
The invention has the following advantages. When judging whether a code snippet belongs to a specific basic function, a semantic solver is used, which avoids manual analysis of complicated instruction sequences and collects code snippets that could not be collected manually, increasing the number of basic function code snippets collected. In the attack code generation stage, side-effect code snippets are introduced and an elimination strategy removes their side effects, improving the success rate of attack code generation. The defined attack templates cover a variety of attack behaviours, so that the security hazards of code reuse attacks present in the software are checked from many aspects. Compared with conventional technology, the present invention can more precisely detect the code reuse programming class of security hazards present in software, thereby improving the security quality of the software.
Brief description of the drawings
Fig. 1 is the flow chart of the software security detection method for code reuse programming;
Fig. 2 is the flow chart of return instruction search;
Fig. 3 is the flow chart of byte sequence disassembly;
Fig. 4 is the flow chart of basic function code snippet collection;
Fig. 5 is the flow chart of code snippet allocation;
Fig. 6 is the flow chart of attack code generation;
Fig. 7 is the flow chart of side effect judgement;
Fig. 8 is the flow chart of definition-use chain collection;
Fig. 9 is the flow chart of side effect elimination;
Fig. 10 is the flow chart of attack code recording;
Fig. 11 is the flow chart of software security reporting.
Specific implementation method
Fig. 1 is the overall flow chart of this software security detection method. The input of the method is the program under test, and the output is the attack code in the program under test that could potentially be used by an attacker. First, the code snippets of each basic function are collected in the executable section of the program under test. Then the collected basic function code snippets are combined according to the predefined attack templates to generate attack code. Because side-effect code snippets are added during attack code generation, after an attack code is generated the side effect elimination strategy must be applied to the side-effect code snippets in it. If the side effects of the code snippets in the attack code are eliminated successfully, the attack code is usable and is recorded in the corresponding test result file. Finally, the attack code in each test result file is output, reporting to the user the code reuse programming security hazards present in the program under test.
Fig. 2 is the flow chart of return instruction search, which searches for the return instructions present in the executable section of the program under test. The following data structures are used: the ELF file header data structure, which describes the basic attributes of the whole file and whose member variable program header table offset is the offset of the program header table within the file; the program header table, which stores the program header data structures in array form; and the program header data structure, which describes each segment of the program and contains member variables such as the permission attributes (readable, writable and executable), the program header offset and the program header size.
Step 20 is the start action. Step 21 obtains the program header table offset from the ELF file header of the program. Step 22 takes the next program header, in order, from the program header table as the current program header. Step 23 judges whether the current program header is an executable section, i.e. whether the permission attribute in the program header structure equals executable. If so, jump to step 24; otherwise jump to step 22. Step 24 assigns the program header offset of the current program header to the executable section start offset, and assigns the program header offset plus the program header size to the executable section end offset. Step 25 sets a pointer, initialized to the start offset of the executable section. Step 26 judges whether the byte the pointer points to is a return instruction. If so, jump to step 27; otherwise jump to step 28. Step 27 performs the disassembly operation on the byte sequence preceding the return instruction and collects the instruction sequences; the specific flow is shown in Fig. 3, and its input is the byte sequence preceding the return instruction. Step 28 moves the pointer offset to the next byte. Step 29 judges whether the pointer offset is greater than the executable section end offset. If so, jump to step 2a; otherwise jump to step 26. Step 2a is the end state.
Fig. 3 is the flow chart of byte sequence disassembly, which disassembles the byte sequence preceding a return instruction. The input is the byte sequence preceding the return instruction; the output is the instruction sequences collected after disassembly. Because x86 instructions are densely encoded, a byte sequence corresponds to several disassembled instruction sequence results, which are stored using a tree. The following data structures are used. The instruction data structure, based on the INSTRUCTION structure of LIBDASM, stores the information of a disassembled instruction and mainly contains member variables such as the instruction type, the source operand set and the destination operand set; the source operand set contains all source operands used by the instruction and is stored as a linked list, and the destination operand set contains all destination operands modified by the instruction and is stored as a linked list. The operand data structure, based on the OPERAND structure of LIBDASM, stores the operand information of an instruction and mainly contains member variables such as the operand type, addressing mode, operand permission and operand size; operand types include register, memory and immediate, and operand permissions include read, write and execute. The tree node data structure mainly contains member variables such as the instruction, the instruction offset, the parent node pointer and the child node pointer array; the instruction is stored using the instruction data structure, the parent node pointer points to the parent node, and each pointer in the child node pointer array points to a child node. During disassembly, the maximum instruction length is set to 20 bytes. The present invention uses the LIBDASM disassembler to disassemble byte sequences. LIBDASM provides the interface function get_instruction, which stores the information of the disassembled instruction in an INSTRUCTION structure; its input is the input byte sequence and an INSTRUCTION structure, and its output is the byte length of the instruction, where 0 indicates that the byte sequence cannot be disassembled into a valid instruction.
Step 30 is the start action. Step 31 creates a node data structure, initializing its instruction member variable to the return instruction and its instruction offset to the offset of the return instruction within the executable section; this node is set as the root node of the tree and added to the queue. Step 32 removes the head node from the queue as the current node. Step 33 initializes the variable pos to the relative offset of the current node within the executable section and sets the variable len to 1. Step 34 judges whether len is greater than the maximum instruction length. If so, jump to step 39; otherwise jump to step 35. Step 35 disassembles with LIBDASM; the disassembly range is the byte sequence from offset (pos-len) to (pos-1). Step 36 judges, from the return value of the get_instruction function, whether the byte sequence is a valid instruction. If so, jump to step 37; otherwise jump to step 38. Step 37 stores the disassembly result of the byte sequence using the instruction data structure, creates a node data structure and adds it to the child nodes of the current node, and then adds the new node to the queue. Step 38 increments len by 1 and then jumps to step 34 to re-execute its action. Step 39 judges whether the queue is empty. If so, jump to step 3a; otherwise jump to step 32. Step 3a is the end state.
Fig. 4 is the flow chart of basic function code snippet collection, which judges whether an instruction sequence belongs to a basic function and collects an instruction sequence that belongs to a basic function as a code snippet of the corresponding basic function. The input is an instruction sequence and the basic function table. After execution, code snippets are collected into the code snippet linked list corresponding to each basic function. A code snippet is an instruction sequence ending with a return instruction. Program state = {general registers, segment registers, instruction register, memory}. The following data structures are used. The basic function table stores each predefined basic function in array form. The basic function data structure describes the information of a basic function and mainly contains member variables such as the basic function category, basic function expression, source operand type, destination operand type and code snippet linked list. The basic function categories include register assignment, value transfer between registers, memory read, memory write, arithmetic/logic operation between registers, arithmetic/logic operation whose destination operand is memory, arithmetic/logic operation whose source operand is memory, flag setting, control flow transfer and system call; the basic function expression describes the operation of the basic function in the form of an expression; the source operand type is the type of the source operand in the basic function expression; the destination operand type is the type of the destination operand in the basic function expression; and the code snippet linked list stores the code snippets that satisfy the basic function. The code snippet data structure stores the code snippets of each basic function and mainly contains member variables such as the instruction sequence, basic function category, function input operand, function output operand and address. Each instruction in the instruction sequence is stored using the instruction data structure; the function output operand is the destination operand of the basic function expression, stored with the operand data structure; the function input operand is the source operand of the basic function expression, stored with the operand data structure; and the address is the address of the code snippet in the program under test.
Judging whether an instruction sequence belongs to a basic function uses the TOIL and TOPREDICATE tools of the binary analysis platform BAP together with the Z3 solver (the semantic solver chosen in the present invention). TOIL converts the byte representation of instructions into BAP's intermediate representation language BIL. BIL uses SSA form and describes the operations performed by instructions. The inputs of TOIL are the ELF file and the start address and end address of the instructions, and the output is a BIL format file of the instructions. TOPREDICATE translates a BIL format file into the SMT-LIB2 language. SMT-LIB2 is the common input format of SMT solvers and covers operations such as assignment, arithmetic and logic. The inputs of TOPREDICATE are a BIL format file and a user-defined postcondition, and the output is the converted SMT-LIB2 format file. The Z3 solver solves SMT-LIB2 format files: its input is an SMT-LIB2 format file and its output is one of the three states valid, invalid and unknown. The emulate function in XEN implements simulated execution of instructions; its input is the program state before the instruction executes and its output is the program state after the instruction executes. In XEN, the program state is stored in the x86_emulate_ctxt structure.
Step 40 is the start action. Step 41 takes the next basic function, in order, from the basic function table as the current basic function. Step 42 uses the rand function to generate random values and assigns them to each register and memory member variable of the program state input. Step 43 simulates execution of the instruction sequence with the emulate function in XEN, obtaining the program state output after the instruction sequence executes. Step 44 checks whether the member variables of the program state input and the program state output satisfy the basic function expression of the current basic function. If so, jump to step 45; otherwise jump to step 49. Step 45 converts the byte stream of the instruction sequence into the BIL intermediate representation language with the BAP tool TOIL, and at the same time generates a BIL representation of the basic function expression of the current basic function. Step 46 converts the BIL representations of the instruction sequence and the basic function expression into SMT-LIB2 with the BAP tool TOPREDICATE. Step 47 judges whether the instruction sequence and the basic function expression of the current basic function are equivalent, i.e. whether the result output by Z3 is valid. If so, jump to step 48; otherwise jump to step 49. Step 48 creates a code snippet data structure to store the code snippet and adds it to the code snippet linked list of the current basic function. Step 49 judges whether the basic function table has been exhausted. If so, jump to step 4a; otherwise jump to step 41. Step 4a is the end state.
Fig. 5 is the flow chart of code snippet allocation, which allocates matching code snippets to each basic function statement in an attack template. The input is a sensitive operation and the basic function table. After execution, code snippets are allocated to the allocated code snippet linked list of each basic function statement in the attack template. A sensitive operation is the attack that an attacker intends to realize by writing reused code; the present invention presets three kinds of sensitive operations, namely arbitrary memory write, function call and system call, i.e. the sensitive operation set = {memory write, function call, system call}. Each sensitive operation corresponds to multiple predefined attack templates. An attack template is written from basic function statements and is a sequence of basic function statements. The following data structures are used. The sensitive operation table stores each sensitive operation in array form. The sensitive operation data structure contains the member variables attack template linked list and sensitive operation name, where the attack template linked list stores each attack template corresponding to the sensitive operation and the sensitive operation name is a member of the sensitive operation set. The attack template data structure contains a basic function statement linked list, which stores the sequence of basic function statements. The basic function statement data structure mainly contains member variables such as the basic function category, function input operand, function output operand, allocated code snippet linked list and a pointer to the next basic function statement, where the allocated code snippet linked list stores the code snippets that match the basic function statement.
Step 50 is the start action. Step 51 takes the first attack template from the attack template linked list of the sensitive operation as the current attack template. Step 52 takes the first basic function statement from the basic function statement linked list of the current attack template as the current basic function statement. Step 53 takes the next basic function, in order, from the basic function table as the current basic function. Step 54 judges whether the basic function categories of the current basic function statement and the current basic function are the same. If so, jump to step 56; otherwise jump to step 55. Step 55 judges whether the basic function table has been exhausted. If so, jump to step 5f; otherwise jump to step 53. Step 56 takes the first code snippet from the code snippet linked list of the current basic function as the current code snippet. Step 57 judges whether the function output operand of the current code snippet is the same as the function output operand of the basic function statement. If so, jump to step 58; otherwise jump to step 5a. Step 58 judges whether the function input operand of the current code snippet is the same as the function input operand of the basic function statement. If so, jump to step 59; otherwise jump to step 5a. Step 59 creates a code snippet data structure to store the current code snippet and adds it to the allocated code snippet linked list of the basic function statement. Step 5a takes the next code snippet from the code snippet linked list of the current basic function as the current code snippet. Step 5b judges whether the current code snippet is empty. If so, jump to step 5c; otherwise jump to step 57. Step 5c judges whether the allocated code snippet linked list of the current basic function statement is empty. If so, jump to step 5f; otherwise jump to step 5d. Step 5d takes the next basic function statement from the basic function statement linked list of the current attack template as the current basic function statement. Step 5e judges whether the current basic function statement is empty. If so, jump to step 5f; otherwise jump to step 52. Step 5f takes the next attack template from the attack template linked list as the current attack template. Step 5g judges whether the current attack template is empty. If so, jump to step 5h; otherwise jump to step 51. Step 5h is the end state.
Fig. 6 is the flow chart of attack code generation, which combines the code snippets corresponding to each basic function statement to generate attack code. The input is a basic function statement linked list, a code snippet linked list and a sensitive operation, where the code snippet linked list is initialized to empty and is used to store the attack code corresponding to the attack template. After execution, side effect elimination is performed with the attack code as input, and attack code whose side effects are successfully eliminated is recorded in the corresponding test result file.
Step 60 is the start action. Step 61 judges whether the input basic function statement linked list is empty. If so, jump to step 6a; otherwise jump to step 62. Step 62 takes the first basic function statement from the basic function statement linked list as the current statement. Step 63 takes the first code snippet from the allocated code snippet linked list of the current statement as the current code snippet. Step 64 appends the current code snippet to the tail of the code snippet linked list. Step 65 takes the basic function statement following the current statement as the successor statement. Step 66 performs attack code generation on the sub attack template; the specific flow is that of Fig. 6 itself, with the parameters being the basic function statement linked list starting at the successor statement and the code snippet linked list. Step 67 deletes the code snippet at the tail of the code snippet linked list. Step 68 takes the next code snippet from the allocated code snippet linked list of the current statement as the current code snippet. Step 69 judges whether the current code snippet is empty. If so, jump to step 6d; otherwise jump to step 64. Step 6a eliminates the side effects caused by the code snippets in the generated code snippet linked list; the specific flow is shown in Fig. 7, the input is the generated code snippet linked list, and the output is whether side effect elimination succeeded. Step 6b judges from the returned result whether the side effects of the attack code were eliminated successfully. If so, jump to step 6c; otherwise jump to step 6d. Step 6c records the attack code; the specific flow is shown in Fig. 10, and the input is the code snippet linked list whose side effects were successfully eliminated together with the sensitive operation. Step 6d is the end state.
Fig. 7 is the flow chart of side effect judgement, which judges whether each code snippet in the attack code has side effects. The input is the code snippet linked list (i.e. the attack code) and the basic function table. The output is side effect elimination success or side effect elimination failure. Step 70 is the start action. Step 71 takes the first code snippet from the code snippet linked list as the current code snippet. Step 72 takes the first instruction from the instruction sequence of the current code snippet as the current instruction. Step 73 takes the first definition-use chain from the definition-use chain linked list as the current definition-use chain. The specific flow for generating the definition-use chain linked list is shown in Fig. 8; its input is the code snippet linked list and its output is the definition-use chain linked list. Step 74 judges whether the current instruction destroys the current definition-use chain, i.e. whether the destination operand set of the current instruction contains the operand in the current definition-use chain structure. If so, jump to step 75; otherwise jump to step 77. Step 75 eliminates the side effect using the side effect elimination strategy; the specific flow is shown in Fig. 9, the inputs are the current code snippet, the current definition-use chain, the code snippet linked list and the basic function table, and the output is side effect elimination success or side effect elimination failure. Step 76 judges from the result returned by the side effect elimination process whether the side effect of the code snippet was eliminated successfully. If so, jump to step 77; otherwise jump to step 7d. Step 77 takes the next definition-use chain from the definition-use chain linked list as the current definition-use chain. Step 78 judges whether the current definition-use chain is empty. If so, jump to step 79; otherwise jump to step 73. Step 79 takes the next instruction from the instruction sequence of the current code snippet as the current instruction. Step 7a judges whether the current instruction is empty. If so, jump to step 7b; otherwise jump to step 74. Step 7b takes the next code snippet from the code snippet linked list as the current code snippet. Step 7c judges whether the current code snippet is empty. If so, jump to step 7d; otherwise jump to step 71. Step 7d is the end state.
Fig. 8 is the flow chart for collecting definition-use chains, which collects the definition-use chains present in the attack code. The input is the code fragment linked list (i.e. the attack code), and the output is the definition-use chain linked list. A program state element is an element of the program state set. When a program state element is the function output operand of a code fragment GA (the function implemented by GA defines the program state element) and is a function input operand of another code fragment GB that follows GA (the function implemented by GB uses the program state element), and the program state element is not the function output operand of any code fragment between GA and GB, then there is a definition-use chain for that program state element from GA to GB. GA is the defining point of the program state element and GB is its point of use. The following data structures are used: the definition-use chain linked list, which stores the collected definition-use chains; and the definition-use chain data structure, which mainly contains the defining-point code fragment, the point-of-use code fragment and the program state element. Step 80 is the initial action. Step 81 takes the first code fragment from the code fragment linked list as the current code fragment. Step 82 takes the first code fragment from the sub-list whose start node is the code fragment following the current code fragment, as the follow-up code fragment. Step 83 judges whether the follow-up code fragment is empty. If so, jump to step 89; otherwise jump to step 84. Step 84 judges whether the function output operand of the current code fragment is identical to the function output operand of the follow-up code fragment. If so, jump to step 89; otherwise jump to step 85. Step 85 judges whether the function input operand set of the follow-up code fragment contains the function output operand of the current code fragment. If so, jump to step 86; otherwise jump to step 87. Step 86 creates a definition-use chain data structure whose defining-point code fragment is the current code fragment and whose point-of-use code fragment is the follow-up code fragment, and appends the new definition-use chain to the tail of the definition-use chain linked list. Step 87 takes the next code fragment from the sub-list whose start node is the code fragment following the current code fragment, as the follow-up code fragment. Step 88 judges whether the follow-up code fragment is empty. If so, jump to step 89; otherwise jump to step 84. Step 89 takes the next code fragment from the code fragment linked list as the current code fragment. Step 8a judges whether the current code fragment is empty. If so, jump to step 8b; otherwise jump to step 81. Step 8b is the end state; the collection of definition-use chains is complete.
Fig. 9 is the flow chart for eliminating side effects, which eliminates the side effect of a code fragment in the attack code that has one. The input is the side-effect code fragment, the definition-use chain, the code fragment linked list (i.e. the attack code) and the basic function table. The output is either side-effect elimination succeeded or side-effect elimination failed. Step 90 is the start action. Step 91 takes the first code fragment from the code fragment linked list of the register assignment basic function as the current code fragment. Step 92 judges whether the function output operand of the current code fragment is identical to the operand of the definition-use chain. If so, jump to step 93; otherwise jump to step 96. Step 93 adds the current code fragment to the code fragment linked list, inserting it after the side-effect code fragment. Step 94 judges whether the current code fragment produces a side effect. If so, jump to step 95; otherwise jump to step 98 and return side-effect elimination succeeded. Whether the current code fragment produces a side effect is judged by the flow shown in Fig. 7, with the code fragment linked list and a pointer to the current code fragment as input. Step 95 deletes the current code fragment from the code fragment linked list. Step 96 takes the next code fragment from the code fragment linked list of the register assignment basic function as the current code fragment. Step 97 judges whether the current code fragment is empty. If so, jump to step 98 with side-effect elimination failed; otherwise jump to step 91. Step 98 is the end state.
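Figures 7, 8 and 9 (and claims 6 to 8, which restate them) describe three passes over the same attack code: collecting definition-use chains, finding an instruction whose destination operands destroy a chain's program state element, and repairing that by inserting a register assignment fragment after the offending fragment. The Python below is an added example written for this page; it is not the patent's implementation. The fragment addresses, operand sets and instruction texts are constructed, and the restriction of the side-effect check to fragments lying strictly between a chain's defining point and point of use is an assumption the page does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Instruction:
    text: str
    srcs: Set[str]   # source operand set
    dsts: Set[str]   # destination operand set: everything the instruction modifies

@dataclass
class CodeFragment:
    address: int
    category: str            # basic function category
    func_in: Set[str]        # function input operands
    func_out: Optional[str]  # function output operand
    instrs: List[Instruction]

def collect_def_use_chains(frags):
    """Fig. 8. Returns (index of GA, index of GB, element): scan the fragments after each
    GA, stop at the first that redefines GA's output (step 84), record each consumer (85-86)."""
    chains = []
    for i, ga in enumerate(frags):
        for j in range(i + 1, len(frags)):
            if ga.func_out is None or frags[j].func_out == ga.func_out:
                break
            if ga.func_out in frags[j].func_in:
                chains.append((i, j, ga.func_out))
    return chains

def destroys(frag, element):
    # Step 74: an instruction destroys a chain when its destination set holds the element.
    return any(element in ins.dsts for ins in frag.instrs)

def find_side_effect(frags):
    """Fig. 7: (index of offending fragment, element) of the first destroyed chain, or
    None. Assumption: only fragments strictly between GA and GB are examined."""
    for d, u, elem in collect_def_use_chains(frags):
        for k in range(d + 1, u):
            if destroys(frags[k], elem):
                return k, elem
    return None

def fragment_has_side_effect(frags, pos):
    # Fig. 9 step 94: does the fragment at `pos` destroy a chain that spans it?
    return any(d < pos < u and destroys(frags[pos], elem)
               for d, u, elem in collect_def_use_chains(frags))

def eliminate_side_effects(frags, reg_assign_frags, max_rounds=16):
    """Fig. 9: after the offending fragment insert a register assignment fragment whose
    output is the clobbered element (steps 91-93); keep it only if it has no side effect
    itself (steps 94-95); fail when no candidate fits (step 98). Chains are recomputed
    after each insertion, so the inserted fragment becomes the element's new GA."""
    frags = list(frags)
    for _ in range(max_rounds):
        hit = find_side_effect(frags)
        if hit is None:
            return True, frags
        pos, elem = hit
        for cand in reg_assign_frags:                 # steps 91 / 96
            if cand.func_out != elem:                 # step 92
                continue
            frags.insert(pos + 1, cand)               # step 93
            if fragment_has_side_effect(frags, pos + 1):
                del frags[pos + 1]                    # step 95
                continue
            break                                     # repaired; re-scan for other chains
        else:
            return False, frags                       # step 98: elimination failed
    return False, frags

def frag(addr, cat, fin, fout, *instrs):
    # Helper: instrs are (text, srcs, dsts); every fragment ends with a return instruction.
    ins = [Instruction(t, set(s), set(d)) for t, s, d in instrs]
    return CodeFragment(addr, cat, set(fin), fout, ins + [Instruction("ret", {"esp"}, {"esp"})])

def build_example():
    # Constructed attack code: set eax, set ebx, set ecx, store eax to [ebx]; the third
    # fragment also zeroes eax, which destroys the eax chain from 0x1000 to 0x1030.
    pop_eax = frag(0x1000, "register_assignment", {"esp"}, "eax", ("pop eax", {"esp"}, {"eax", "esp"}))
    pop_ebx = frag(0x1010, "register_assignment", {"esp"}, "ebx", ("pop ebx", {"esp"}, {"ebx", "esp"}))
    pop_ecx = frag(0x1020, "register_assignment", {"esp"}, "ecx", ("pop ecx", {"esp"}, {"ecx", "esp"}),
                   ("xor eax, eax", {"eax"}, {"eax"}))
    store = frag(0x1030, "memory_write", {"eax", "ebx"}, "mem[ebx]",
                 ("mov [ebx], eax", {"eax", "ebx"}, {"mem[ebx]"}))
    return [pop_eax, pop_ebx, pop_ecx, store], [pop_eax, pop_ebx]   # attack code, register table

def demo():
    # Chains as (defining address, using address, element), result flag, repaired address list.
    attack, reg_table = build_example()
    chains = [(attack[d].address, attack[u].address, e) for d, u, e in collect_def_use_chains(attack)]
    ok, repaired = eliminate_side_effects(attack, reg_table)
    return chains, ok, [f.address for f in repaired]

def demo_failure():
    # The only candidate re-establishes eax but clobbers ebx: inserted, rejected, failure.
    attack, _ = build_example()
    bad = frag(0x1040, "register_assignment", {"edx", "esp"}, "eax",
               ("mov eax, edx", {"edx"}, {"eax"}), ("pop ebx", {"esp"}, {"ebx", "esp"}))
    return eliminate_side_effects(attack, [bad])[0]
```

In `demo()` the chain from 0x1000 to 0x1030 on eax is destroyed by the `xor eax, eax` inside the 0x1020 fragment; the repair re-inserts the 0x1000 fragment after it, so the repaired list is 0x1000, 0x1010, 0x1020, 0x1000, 0x1030. `demo_failure()` shows step 95 in action: the only candidate restores eax but its own `pop ebx` destroys the ebx chain, so it is removed again and elimination fails.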
Fig. 10 is the flow chart of attack code recording, which records the attack code whose side effects were successfully eliminated into the corresponding test result file. The input is the code fragment linked list (the attack code whose side effects were successfully eliminated) and the sensitive operation. Each sensitive operation corresponds to one test result file (the test result file is named after the sensitive operation), and the attack code is recorded into the corresponding test result file. Step 100 is the start action. Step 101 finds the corresponding sensitive operation file according to the name of the sensitive operation. Step 102 takes the first code fragment from the code fragment linked list as the current code fragment. Step 103 writes the address, basic function category and instruction sequence assembly code of the current code fragment into the file. Step 104 takes the next code fragment from the code fragment linked list as the current code fragment. Step 105 judges whether the current code fragment is empty. If so, jump to step 106; otherwise jump to step 102. Step 106 represents the end state.
Fig. 11 is the flow chart of the software security report, which outputs the attack code information recorded in the test result file corresponding to a sensitive operation. The input is the test result file. After completion, the attack code information in the test result file has been output. Step 110 is the start action. Step 111 outputs the test result file name, i.e. the name of the sensitive operation. Step 112 takes the first line of the test result file as the current line. Step 113 judges whether the current line is empty. If so, jump to step 116; otherwise jump to step 114. Step 114 outputs the attack code information held in the current line. Step 115 takes the next line of the test result file as the current line. Step 116 is the end state.

Claims (10)

  1. A software security detection method for code reuse programming, characterized by comprising five stages: instruction sequence disassembly, basic function code fragment collection, attack code generation, attack code recording and software security reporting;
    In the instruction sequence disassembly stage, the byte sequence preceding a return instruction is disassembled;
    In the basic function code fragment collection stage, the input is the instruction sequences collected in the previous stage; it is judged whether an instruction sequence belongs to a certain basic function, and an instruction sequence that belongs to a basic function is collected as a code fragment of that basic function;
    In the attack code generation stage, the code fragments of each basic function are assembled according to predefined attack templates to generate attack code; for a code fragment in the attack code that contains a side effect, the side effect is eliminated using the side-effect elimination strategy, so as to ensure that the function of the attack code is realized normally;
    In the attack code recording stage, the attack code whose side effects were successfully eliminated is recorded into the corresponding test result file;
    In the software security reporting stage, the attack code recorded in each test result file is output, reporting to the user the reuse code in the program under detection that can potentially realize various attacks, i.e. the attack code, so as to evaluate the potential security risk of the software;
    The key operation steps are as follows:
    (1) Return instruction search: the return instructions present in the executable section of the program under detection are searched for;
    (2) Byte sequence disassembly: reverse disassembly is performed on the byte sequence preceding a return instruction until disassembly is complete; the disassembly result is multiple instruction sequences;
    (3) Basic function code fragment collection: a variety of basic functions are predefined; for each collected instruction sequence, a semantic solver is used to verify whether it belongs to a certain basic function; if it does, the instruction sequence is collected as a code fragment of that basic function, each basic function having a corresponding code fragment set;
    (4) Code fragment distribution: a variety of attack templates are predefined; an attack template consists of basic function statements, and each basic function statement has a corresponding basic function code fragment set; each attack template is traversed, and for every basic function statement in the attack template, the code fragments whose operands match are searched for in the corresponding basic function code fragment set; each basic function statement corresponds to multiple matching code fragments, and these code fragments form the distribution code fragment set of the basic function statement;
    (5) Attack code generation: each basic function statement in the attack template is traversed, and one code fragment is selected from the distribution code fragment set of each basic function statement; every combination of the selected code fragments forms one attack code; since the distribution code fragment set of each basic function statement contains multiple code fragments, the attack code has multiple code fragment combinations, i.e. each attack template can generate multiple attack codes; the operations used here are side-effect judgement, definition-use chain collection, side-effect elimination and attack code recording;
    (6) Side-effect judgement: the code fragments in the attack code are traversed, and it is judged by means of definition-use chains whether each code fragment has a side effect;
    (7) Definition-use chain collection: the data flow between the code fragments in the attack code is analysed, and the definition-use chains present in the attack code are collected;
    (8) Side-effect elimination: for a side-effect code fragment present in the attack code, its side effect is eliminated by introducing a code fragment of a basic function, so as to ensure that the attack code executes normally;
    (9) Attack code recording: the details of the attack code whose side effects were successfully eliminated are recorded into the corresponding test result file;
    (10) Software security reporting: the attack code in each test result file is output, reporting to the user the potential code reuse threats in the program under detection and the possibility that various attacks can be realized in the program under detection, thereby effectively detecting the security risks present in the software.
  2. The software security detection method according to claim 1, characterized in that in the flow of operation step (1), return instruction search, the following data structures are used: the ELF file header data structure, which describes the basic attributes of the whole file and whose member variable program header table offset is the offset of the program header table in the file; the program header table, which stores program header data structures in array form; and the program header data structure, which describes the information of each segment of the program and contains the readable, writable and executable permission attributes, the program header offset and the program header size member variables;
    Specifically: step 20 is the initial action; step 21 obtains the program header table offset from the ELF file header of the program; step 22 takes a program header from the program header table in order as the current program header; step 23 judges whether the current program header is an executable section, i.e. whether the permission attribute in the program header structure equals executable; if so, jump to step 24, otherwise jump to step 22; step 24 assigns the program header offset of the current program header to the start offset of the executable section, and assigns the sum of the program header offset and the program header size to the end offset of the executable section; step 25 sets a pointer initialized to the start offset of the executable section; step 26 judges whether the byte the pointer points to is a return instruction; if so, jump to step 27, otherwise jump to step 28; step 27 performs the disassembly operation on the byte sequence preceding the return instruction and collects the instruction sequences; the specific flow is shown in Fig. 3, and the input is the byte sequence preceding the return instruction; step 28 advances the pointer offset to the next byte; step 29 judges whether the pointer offset is greater than the end offset of the executable section; if so, jump to step 2a, otherwise jump to step 26; step 2a is the end state;
    In the flow of operation step (2), byte sequence disassembly, the byte sequence preceding the return instruction is disassembled; the input is the byte sequence preceding the return instruction; the output is the instruction sequences collected after disassembly; because of the density of x86 instruction encoding, one byte sequence corresponds to multiple disassembled instruction sequence results, which are stored using a tree; the following data structures are used: the instruction data structure, based on the INSTRUCTION structure in LIBDASM, which stores the instruction information of a disassembled instruction and mainly contains the instruction type, source operand set and destination operand set member variables; wherein the source operand set contains all source operands the instruction uses and is stored in linked list form, and the destination operand set contains all destination operands the instruction modifies and is stored in linked list form; the operand data structure, based on the OPERAND structure in LIBDASM, which stores the operand information of an instruction and mainly contains the operand type, addressing mode, operand permission and operand size member variables; wherein the operand type includes register, memory and immediate, and the operand permission includes read, write and execute; and the tree node data structure, which mainly contains the instruction, instruction offset, parent node pointer and child node pointer array member variables; the instruction is stored with the instruction data structure, the parent node pointer points to the parent node, and each pointer in the child node pointer array points to a child node; during disassembly the longest instruction length is set to 20 bytes; the LIBDASM disassembler is used to disassemble the byte sequence; LIBDASM provides the interface function get_instruction, which stores the disassembled instruction information in an INSTRUCTION structure; its input is the input byte sequence and an INSTRUCTION structure, and its output is the byte length of the instruction, 0 indicating that the byte sequence cannot be disassembled into a valid instruction;
    Specifically: step 30 is the initial action; step 31 creates a node data structure, initializing the member variable instruction to the return instruction and the instruction offset to the offset of the return instruction in the executable section; the node is set as the root of the tree and added to a queue; step 32 removes the head node of the queue as the current node; step 33 initializes the variable pos to the relative offset of the current node in the executable section and sets the variable len to 1; step 34 judges whether len is greater than the longest instruction length; if so, jump to step 39, otherwise jump to step 35; step 35 disassembles with LIBDASM, the disassembly range being the byte sequence from offset pos-len to pos-1; step 36 judges from the return value of the get_instruction function whether the byte sequence is a valid instruction; if so, jump to step 37, otherwise jump to step 38; step 37 stores the disassembly result of the byte sequence using the instruction data structure, creates a node data structure and adds it to the child nodes of the current node; the new node is then added to the queue; step 38 increments len by 1 and then branches back to step 34 to re-execute the action of step 34; step 39 judges whether the queue is empty; if so, jump to step 3a, otherwise jump to step 32; step 3a is the end state.
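Claim 2 combines two procedures: walking the ELF program header table to find executable segments (steps 20 to 2a) and building, for every return instruction found there, a tree of candidate instruction sequences by disassembling backwards with lengths 1 to 20 (steps 30 to 3a). The Python below is an added example written for this page, not the patent's code: the ELF image is constructed in memory rather than read from a real binary, and a hand-written decoder for a handful of x86-32 opcodes stands in for LIBDASM's get_instruction. The rule that the backward search does not extend through another return instruction is an assumption the page does not state; it reflects that execution could never reach bytes beyond an earlier ret.

```python
import struct
from collections import deque

PT_LOAD, PF_X = 1, 1
MAX_INSN_LEN = 20          # page: longest instruction length set to 20 bytes
RET = 0xC3
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def executable_segments(elf):
    """Steps 21-24: read e_phoff, e_phentsize and e_phnum from the ELF64 header and
    return (start, end) file offsets of PT_LOAD segments whose flags include PF_X."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("ELF64 image expected")
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:          # step 23: executable section
            segs.append((p_offset, p_offset + p_filesz))  # step 24: start and end offset
    return segs

def decode(b):
    """Toy stand-in for LIBDASM get_instruction: the mnemonic if the whole byte string
    is exactly one instruction, else None (the page's return value 0)."""
    if len(b) == 1:
        if b[0] == RET:
            return "ret"
        if b[0] == 0x90:
            return "nop"
        if 0x58 <= b[0] <= 0x5F:
            return "pop " + REGS[b[0] - 0x58]
    if len(b) == 2 and b[0] in (0x89, 0x31) and b[1] >= 0xC0:   # mod=11: reg, reg
        reg, rm = (b[1] >> 3) & 7, b[1] & 7
        return ("mov " if b[0] == 0x89 else "xor ") + REGS[rm] + ", " + REGS[reg]
    return None

def reverse_disassemble(seg, ret_off):
    """Steps 31-3a: breadth-first search backwards from the return instruction; for
    each node every length 1..MAX_INSN_LEN ending right before it is tried.
    Assumption (not stated on the page): the search stops at another return
    instruction, since execution could never continue past it."""
    root = {"off": ret_off, "insn": "ret", "children": []}
    queue = deque([root])                              # step 31
    while queue:
        node = queue.popleft()                         # step 32
        pos = node["off"]
        for ln in range(1, MAX_INSN_LEN + 1):          # steps 33-38
            if pos - ln < 0:
                break
            insn = decode(seg[pos - ln:pos])           # bytes pos-len .. pos-1 (step 35)
            if insn is not None and insn != "ret":
                child = {"off": pos - ln, "insn": insn, "children": []}
                node["children"].append(child)         # step 37
                queue.append(child)
    return root

def sequences(node, suffix=()):
    """Each tree node is one instruction sequence: its instruction followed by its
    ancestors' instructions, ending with the return instruction."""
    seq = (node["insn"],) + suffix
    out = [seq]
    for child in node["children"]:
        out.extend(sequences(child, seq))
    return out

def collect_fragments(elf):
    """Steps 25-29: scan every executable segment byte by byte for RET; the result maps
    the file offset of each return instruction to its sorted candidate sequences."""
    found = {}
    for start, end in executable_segments(elf):
        seg = elf[start:end]
        for off, byte in enumerate(seg):
            if byte == RET:                            # step 26
                tree = reverse_disassemble(seg, off)   # step 27
                found[start + off] = sorted(" ; ".join(s) for s in sequences(tree))
    return found

def build_sample_elf():
    """Constructed ELF64 image: 64-byte header, one R+X PT_LOAD header, then code."""
    code = bytes([0x31, 0xC0,          # xor eax, eax
                  0x5B,                # pop ebx
                  0x89, 0xC8,          # mov eax, ecx
                  0xC3,                # ret
                  0x90, 0x5D, 0xC3])   # nop ; pop ebp ; ret
    code_off = 64 + 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8            # e_ident: ELF64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 3, 1, 0, 64, 0, 0,    # e_phoff = 64
                        64, 56, 1, 0, 0, 0)                        # e_phentsize = 56, e_phnum = 1
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, code_off, 0, 0,     # p_flags 5 = PF_R | PF_X
                       len(code), len(code), 0x1000)
    return ehdr + phdr + code
```

For the constructed image the only executable segment spans file offsets 120 to 129 and contains two return instructions; the first yields four candidate sequences (the tree for it has depth three, because the bytes before it decode cleanly at every step), the second yields three. A defender running this over a real binary obtains a count of reusable fragments per return instruction, which is the raw material the later stages classify.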
  3. The software security detection method according to claim 1, characterized in that in the flow of operation step (3), basic function code fragment collection, it is judged whether an instruction sequence belongs to a basic function, and an instruction sequence that belongs to a basic function is collected as a code fragment of the corresponding basic function; the input is the instruction sequence and the basic function table; on completion the code fragments have been collected into the code fragment linked list corresponding to each basic function; a code fragment is an instruction sequence ending with a return instruction; program state = {general registers, segment registers, instruction register, memory}; the following data structures are used: the basic function table, which stores each predefined basic function in array form; the basic function data structure, which describes the information of a basic function and contains the basic function category, basic function expression, source operand type, destination operand type and code fragment linked list member variables; wherein the basic function categories include register assignment, value transfer between registers, memory read, memory write, arithmetic/logic operation between registers, arithmetic/logic operation whose destination operand is memory, arithmetic/logic operation whose source operand is memory, flag bit setting, control flow transfer and system call; the basic function expression describes the operation of the basic function in the form of an expression; the source operand type is the source operand type in the basic function expression; the destination operand type is the destination operand type in the basic function expression; the code fragment linked list stores the code fragments that satisfy the basic function; and the code fragment data structure, which stores a code fragment of a basic function and mainly contains the instruction sequence, basic function category, function input operand, function output operand and address member variables; wherein each instruction in the instruction sequence is stored with the instruction data structure; the function output operand is the destination operand of the basic function expression, stored with the operand data structure; the function input operand is the source operand of the basic function expression, stored with the operand data structure; and the address is the address of the code fragment in the program under detection;
    The process of judging whether an instruction sequence belongs to a basic function uses the TOIL and TOPREDICATE tools of the binary analysis platform BAP and the Z3 semantic solver; TOIL converts the byte representation of instructions into BAP's intermediate representation language BIL; BIL uses SSA form and describes the operations the instructions perform; the inputs of TOIL are the ELF file and the start address and end address of the instructions, and the output is the BIL-format file of the instructions; TOPREDICATE converts a BIL-format file into the SMT-LIB2 language; SMT-LIB2 is the general input format of SMT solvers and covers assignment, arithmetic and logic operations; the inputs of TOPREDICATE are the BIL-format file and a user-defined postcondition, and the output is the converted SMT-LIB2-format file; the Z3 semantic solver solves the SMT-LIB2-format file; its input is the SMT-LIB2-format file and its output is one of three states: valid, invalid and unknown; the emulate function in XEN performs simulated execution of instructions; its input is the program state before the instructions execute, and its output is the program state after the instructions execute; in XEN the program state is stored in the x86_emulate_ctxt structure;
    Specifically: step 40 is the initial action; step 41 takes a basic function from the basic function table in order as the current basic function; step 42 uses the rand function to generate random values and assigns them to each register and memory member variable of the program state input; step 43 performs simulated execution of the instruction sequence with the emulate function in XEN, obtaining the program state output after the instruction sequence executes; step 44 detects whether the member variables of the program state input and the program state output satisfy the basic function expression of the current basic function; if so, jump to step 45, otherwise jump to step 49; step 45 converts the byte stream of the instruction sequence into the BIL intermediate representation language using the BAP tool TOIL, and at the same time generates the BIL representation of the basic function expression of the current basic function; step 46 converts the BIL representations of the instruction sequence and of the basic function expression into SMT-LIB2 using the BAP tool TOPREDICATE; step 47 judges whether the instruction sequence and the basic function expression of the current basic function are equivalent, i.e. whether the result output by Z3 is valid; if so, jump to step 48, otherwise jump to step 49; step 48 creates a code fragment data structure to store the code fragment and adds it to the code fragment linked list of the current basic function; step 49 judges whether the basic function table has been exhausted; if so, jump to step 4a, otherwise jump to step 41; step 4a is the end state.
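Steps 42 to 44 of claim 3 are a cheap concrete filter that runs before the solver: random register and memory values are generated, the instruction sequence is executed on them, and the (input state, output state) pair is checked against each basic function's expression. The Python below is an added example written for this page, not the patent's implementation. A small interpreter over a tuple-based instruction form stands in for XEN's emulate function, and the basic function table is a constructed subset of the page's categories with hypothetical names (register_assignment, register_move, memory_read, arith_add). The BAP/Z3 equivalence proof of steps 45 to 47 is external tooling and is not reproduced, so a match here is a candidate that the solver step would still have to confirm, which is exactly the role the filter plays on the page.

```python
import random

MASK = 0xFFFFFFFF
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

class State:
    """Program state = {general registers, memory}; memory is filled lazily with random
    values so that whatever the fragment reads looks like unknown data (step 42)."""
    def __init__(self, rng):
        self.rng = rng
        self.regs = {r: rng.getrandbits(32) for r in REGS}
        self.mem = {}

    def load(self, addr):
        addr &= MASK
        if addr not in self.mem:
            self.mem[addr] = self.rng.getrandbits(32)
        return self.mem[addr]

def emulate(seq, st):
    """Stand-in for XEN emulate (step 43): run the sequence on a copy of the registers
    and return the output registers. Instructions are tuples: ("mov", dst, src),
    ("add", dst, src), ("xor", dst, src), ("load", dst, src) for dst = [src],
    ("pop", dst) and ("ret",)."""
    r = dict(st.regs)
    for ins in seq:
        op = ins[0]
        if op == "mov":
            r[ins[1]] = r[ins[2]]
        elif op == "add":
            r[ins[1]] = (r[ins[1]] + r[ins[2]]) & MASK
        elif op == "xor":
            r[ins[1]] ^= r[ins[2]]
        elif op == "load":
            r[ins[1]] = st.load(r[ins[2]])
        elif op == "pop":
            r[ins[1]] = st.load(r["esp"])
            r["esp"] = (r["esp"] + 4) & MASK
        elif op == "ret":
            r["esp"] = (r["esp"] + 4) & MASK
        else:
            raise ValueError("unsupported instruction %r" % (ins,))
    return r

# Constructed basic function table: (category, expression, has source register, predicate).
# The predicate is the expression evaluated on the input state and the output registers.
BASIC_FUNCTIONS = [
    ("register_assignment", "dst = [esp]", False,
     lambda st, out, dst, src: out[dst] == st.mem.get(st.regs["esp"])),
    ("register_move", "dst = src", True,
     lambda st, out, dst, src: dst != src and out[dst] == st.regs[src]),
    ("memory_read", "dst = [src]", True,
     lambda st, out, dst, src: out[dst] == st.mem.get(st.regs[src])),
    ("arith_add", "dst = dst + src", True,
     lambda st, out, dst, src: out[dst] == (st.regs[dst] + st.regs[src]) & MASK),
]

def classify(seq, trials=8, seed=1):
    """Steps 42-44 for every table entry (steps 41, 49): build `trials` random input
    states, emulate, and keep each (category, dst, src) whose expression holds on all
    of them. A sequence may satisfy several entries; the page adds it to each."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        st = State(rng)
        samples.append((st, emulate(seq, st)))
    matches = []
    for cat, _expr, has_src, pred in BASIC_FUNCTIONS:
        for dst in REGS:
            for src in (REGS if has_src else [None]):
                if all(pred(st, out, dst, src) for st, out in samples):
                    matches.append((cat, dst, src))
    return matches

def demo():
    """Constructed candidate fragments and their classification."""
    fragments = {
        "pop eax ; ret": [("pop", "eax"), ("ret",)],
        "mov eax, ecx ; ret": [("mov", "eax", "ecx"), ("ret",)],
        "pop ecx ; xor eax, eax ; ret": [("pop", "ecx"), ("xor", "eax", "eax"), ("ret",)],
        "add eax, ebx ; ret": [("add", "eax", "ebx"), ("ret",)],
        "xor eax, eax ; ret": [("xor", "eax", "eax"), ("ret",)],
    }
    return {name: classify(seq) for name, seq in fragments.items()}
```

Two things the output makes visible: `pop eax ; ret` satisfies both the register assignment and the memory read expression (it is literally eax = [esp]), which is why the flow keeps iterating the table after a match instead of stopping at the first one; and `pop ecx ; xor eax, eax ; ret` is classified only by its ecx output, so the write to eax is invisible to this stage and surfaces later as a side effect in the definition-use analysis of Figs. 7 to 9.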
  4. The software security detection method according to claim 1, characterized in that the flow of operation step (4), code fragment distribution, distributes matching code fragments to each basic function statement in an attack template; the input is the sensitive operation and the basic function table; on completion the code fragments have been distributed into the distribution code fragment linked list of each basic function statement in the attack template; a sensitive operation is the attack that an attacker writing reuse code intends to realize; the present invention presets three kinds of sensitive operation, arbitrary memory write, function call and system call, i.e. sensitive operation set = {memory write, function call, system call}; each sensitive operation corresponds to multiple predefined attack templates; an attack template is written in basic function statements and is a sequence of basic function statements; the following data structures are used: the sensitive operation table, which stores each sensitive operation in array form; the sensitive operation data structure, which contains the attack template linked list and sensitive operation name member variables; wherein the attack template linked list stores each attack template corresponding to the sensitive operation, and the sensitive operation name is a member of the sensitive operation set; the attack template data structure, which contains the basic function statement linked list; wherein the basic function statement linked list stores the basic function statement sequence; and the basic function statement data structure, which mainly contains the basic function category, function input operand and function output operand, distribution code fragment linked list and pointer-to-next-basic-function-statement member variables; wherein the distribution code fragment linked list stores the code fragments that match the basic function statement;
    Specifically: step 50 is the start action; step 51 takes the first attack template from the attack template linked list of the sensitive operation as the current attack template; step 52 takes the first basic function statement from the basic function statement linked list of the current attack template as the current basic function statement; step 53 takes a basic function from the basic function table in order as the current basic function; step 54 judges whether the basic function category of the current basic function statement and that of the current basic function are identical; if so, jump to step 56, otherwise jump to step 55; step 55 judges whether the basic function table has been exhausted; if so, jump to step 5f, otherwise jump to step 53; step 56 takes the first code fragment from the code fragment linked list of the current basic function as the current code fragment; step 57 judges whether the function output operand of the current code fragment is identical to the function output operand of the basic function statement; if so, jump to step 58, otherwise jump to step 5a; step 58 judges whether the function input operand of the current code fragment is identical to the function input operand of the basic function statement; if so, jump to step 59, otherwise jump to step 5a; step 59 creates a code fragment data structure storing the current code fragment and adds it to the distribution code fragment linked list of the basic function statement; step 5a takes the next code fragment from the code fragment linked list of the current basic function as the current code fragment; step 5b judges whether the current code fragment is empty; if so, jump to step 5c, otherwise jump to step 57; step 5c judges whether the distribution code fragment linked list of the current basic function statement is empty; if so, jump to step 5f, otherwise jump to step 5d; step 5d takes the next basic function statement from the basic function statement linked list of the current attack template as the current basic function statement; step 5e judges whether the current basic function statement is empty; if so, jump to step 5f, otherwise jump to step 52; step 5f takes the next attack template from the attack template linked list as the current attack template; step 5g judges whether the current attack template is empty; if so, jump to step 5h, otherwise jump to step 51; step 5h is the end state.
  5. The software security detection method according to claim 1, characterized in that the flow of operation step (5), attack code generation, combines the code fragments corresponding to each basic function statement to generate attack code; the input is the basic function statement linked list, the code fragment linked list and the sensitive operation; wherein the code fragment linked list is initialized to empty and stores the attack code corresponding to the attack template; on completion, side-effect elimination has been performed with the attack code as input, and the attack code whose side effects were successfully eliminated has been recorded into the corresponding test result file;
    Step 60 is the start action; step 61 judges whether the input basic function statement linked list is empty; if so, jump to step 6a, otherwise jump to step 62; step 62 takes the first basic function statement from the basic function statement linked list as the current statement; step 63 takes the first code fragment from the distribution code fragment linked list of the current statement as the current code fragment; step 64 appends the current code fragment to the tail of the code fragment linked list; step 65 takes the basic function statement following the current statement as the follow-up statement; step 66 performs attack code generation on the sub attack template, with the basic function statement linked list whose start node is the follow-up statement and the code fragment linked list as parameters; step 67 deletes the code fragment at the tail of the code fragment linked list; step 68 takes the next code fragment from the distribution code fragment linked list of the current statement as the current code fragment; step 69 judges whether the current code fragment is empty; if so, jump to step 6d, otherwise jump to step 64; step 6a eliminates the side effects caused by the code fragments in the generated code fragment linked list; its input is the generated code fragment linked list and its output is whether side-effect elimination succeeded; step 6b judges from the returned result whether the side effects of the attack code were successfully eliminated; if so, jump to step 6c, otherwise jump to step 6d; step 6c records the attack code; its input is the code fragment linked list whose side effects were successfully eliminated and the sensitive operation; step 6d is the end state.
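Claims 4 and 5 are two halves of one procedure: first every basic function statement of an attack template is given its distribution list of fragments whose category, output operand and input operands match (steps 51 to 5h), then the recursion of Fig. 6 walks the statement list and emits one attack code per combination of one fragment per statement (steps 60 to 69). The Python below is an added example for this page, not the patent's code; the categories, operand names and fragment addresses are constructed. The side-effect pass of Figs. 7 to 9 that step 6a applies to each generated combination is a separate stage and is not repeated in this block.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Fragment:
    address: int
    func_in: frozenset        # function input operands
    func_out: Optional[str]   # function output operand

@dataclass
class Statement:
    category: str
    func_in: frozenset
    func_out: Optional[str]
    distributed: List[Fragment] = field(default_factory=list)  # distribution code fragment list

def distribute(template, table):
    """Steps 52-5e: for each statement keep the fragments of the same category (step 54)
    whose output operand (step 57) and input operands (step 58) match. Returns False as
    soon as a statement gets no fragment (step 5c): the template cannot be instantiated
    from this program's fragments."""
    for stmt in template:
        stmt.distributed = [f for f in table.get(stmt.category, [])
                            if f.func_out == stmt.func_out and f.func_in == stmt.func_in]
        if not stmt.distributed:
            return False
    return True

def generate(template):
    """Fig. 6 as a depth-first recursion. `chain` is the code fragment linked list: append
    a candidate (step 64), expand the follow-up statements (steps 65-66), drop the tail
    (step 67) and try the next candidate (steps 68-69)."""
    results = []

    def rec(stmts, chain):
        if not stmts:                         # step 61: no statements left
            results.append(list(chain))       # a complete attack code (step 6a onward)
            return
        for frag in stmts[0].distributed:     # steps 63 / 68
            chain.append(frag)                # step 64
            rec(stmts[1:], chain)             # step 66: sub attack template
            chain.pop()                       # step 67

    rec(template, [])
    return results

def fs(*xs):
    return frozenset(xs)

def demo():
    """Constructed basic function table and two 'memory write' templates."""
    table = {
        "register_assignment": [Fragment(0x1000, fs("esp"), "eax"), Fragment(0x1010, fs("esp"), "ebx"),
                                Fragment(0x1020, fs("esp"), "ecx"), Fragment(0x1040, fs("esp"), "eax")],
        "memory_write": [Fragment(0x1030, fs("eax", "ebx"), "mem[ebx]"),
                         Fragment(0x1050, fs("ecx", "edx"), "mem[edx]")],
    }
    # Template A: [ebx] = eax; two fragments set eax, so two attack codes result.
    tmpl_a = [Statement("register_assignment", fs("esp"), "eax"),
              Statement("register_assignment", fs("esp"), "ebx"),
              Statement("memory_write", fs("eax", "ebx"), "mem[ebx]")]
    # Template B: [edx] = ecx; nothing in the table sets edx, so distribution fails (step 5c).
    tmpl_b = [Statement("register_assignment", fs("esp"), "ecx"),
              Statement("register_assignment", fs("esp"), "edx"),
              Statement("memory_write", fs("ecx", "edx"), "mem[edx]")]
    ok_a = distribute(tmpl_a, table)
    codes = [[f.address for f in code] for code in generate(tmpl_a)] if ok_a else []
    ok_b = distribute(tmpl_b, table)
    return ok_a, codes, ok_b
```

The number of attack codes a template yields is the product of its distribution list sizes, which is why the page notes that one template can generate many attack codes; for a defender that count, taken over all templates of a sensitive operation, is the exposure figure the report stage ultimately prints.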
  6. The software security detection method according to claim 1, characterized in that the flow of operation step (6), side-effect judgement, judges whether each code fragment in the attack code has a side effect; the input is the code fragment linked list, i.e. the attack code, and the basic function table; the output is either side-effect elimination succeeded or side-effect elimination failed; step 70 is the start action; step 71 takes the first code fragment from the code fragment linked list as the current code fragment; step 72 takes the first instruction from the instruction sequence of the current code fragment as the current instruction; step 73 takes the first definition-use chain from the definition-use chain linked list as the current definition-use chain; the specific flow for generating the definition-use chain linked list is shown in Fig. 8, with the code fragment linked list as input and the definition-use chain linked list as output; step 74 judges whether the current instruction destroys the current definition-use chain, i.e. whether the destination operand set of the current instruction contains the operand in the current definition-use chain structure; if so, jump to step 75, otherwise jump to step 77; step 75 eliminates the side effect using the side-effect elimination strategy; in this flow the input is the current code fragment, the current definition-use chain, the code fragment linked list and the basic function table, and the output is either side-effect elimination succeeded or side-effect elimination failed; step 76 judges from the result returned by the side-effect elimination process whether the side effect of the code fragment was successfully eliminated; if so, jump to step 77, otherwise jump to step 7d; step 77 takes the next definition-use chain from the definition-use chain linked list as the current definition-use chain; step 78 judges whether the current definition-use chain is empty; if so, jump to step 79, otherwise jump to step 73; step 79 takes the next instruction from the instruction sequence of the current code fragment as the current instruction; step 7a judges whether the current instruction is empty; if so, jump to step 7b, otherwise jump to step 74; step 7b takes the next code fragment from the code fragment linked list as the current code fragment; step 7c judges whether the current code fragment is empty; if so, jump to step 7d, otherwise jump to step 71; step 7d is the end state.
  7. 7. software security detection method according to claim 1, it is characterized in that operation(7)Definition-use chain chained list Generation:Input as code snippet chained list, export as definition-use chain chained list;Collection definition-and using in the flow of chain, collection is attacked Hit definition present in code-use chain;Input is code snippet chained list i.e. attack code, and output is definition-use chain chained list; Program state element is the element for belonging to program state set;When program state element is code snippet GA fuction output The function that operand, GA are realized defines the program state element and is the function input of another code snippet GB after GA The function that operand, GB are realized has used the program state element, and the program state element is not appointing between GA and GB Anticipate the fuction output operand of code snippet, then be a definition-use chain for the program state element from GA to GB;GA is The defining point of the program state element, GB are the point of use of the program state element;Use following data structure:Definition-use Chain chained list, store the definition that is collected into-use chain;Definition-use chain data structure, mainly include defining point code snippet, Point of use code snippet and program state element;
    Step 80 is the start action. Step 81 takes the first code snippet from the code snippet linked list as the current code snippet. Step 82 takes the first code snippet from the sublist whose start node is the code snippet following the current code snippet as the successor code snippet. Step 83 judges whether the successor code snippet is empty; if so, go to step 89; otherwise go to step 84. Step 84 judges whether the function output operand of the current code snippet is the same as the function output operand of the successor code snippet; if so, go to step 89; otherwise go to step 85. Step 85 judges whether the function input operand set of the successor code snippet contains the function output operand of the current code snippet; if so, go to step 86; otherwise go to step 87. Step 86 creates a definition-use chain data structure whose definition point code snippet is the current code snippet and whose use point code snippet is the successor code snippet, and appends the new definition-use chain to the tail of the definition-use chain linked list. Step 87 takes the next code snippet from the sublist whose start node is the code snippet following the current code snippet as the successor code snippet. Step 88 judges whether the successor code snippet is empty; if so, go to step 89; otherwise go to step 84. Step 89 takes the next code snippet from the code snippet linked list as the current code snippet. Step 8a judges whether the current code snippet is empty; if so, go to step 8b; otherwise go to step 81. Step 8b is the end state; the collection of definition-use chains is finished.
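The definition-use chain collection of claim 7 is an ordinary reaching-definitions pass over a sequence of abstract snippets, each described only by the program state element its basic function writes and the set it reads. The following Python is an added example written for this page, not code from the patent or its authors; the class and field names (CodeSnippet, DefUseChain, output, inputs) and the constructed four-snippet sample are assumptions, and a snippet with no output operand is treated as defining nothing, which the claim does not specify. It follows the step order of the claim: a successor that redefines the operand ends the scan (step 84) before the use check (step 85), and a use does not end the scan, so one definition can yield several chains.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class CodeSnippet:
    """Abstract code snippet as described in claim 7 (assumed field names).

    output: the program state element the snippet's basic function writes,
            or None if it writes no program state element (assumption).
    inputs: the program state elements the basic function reads.
    """
    name: str
    output: Optional[str]
    inputs: Set[str] = field(default_factory=set)


@dataclass
class DefUseChain:
    """Definition-use chain data structure: definition point, use point, element."""
    def_point: CodeSnippet
    use_point: CodeSnippet
    element: str


def collect_def_use_chains(snippets: List[CodeSnippet]) -> List[DefUseChain]:
    """Steps 80-8b of claim 7 over a snippet list (the 'code snippet linked list')."""
    chains: List[DefUseChain] = []
    for i, current in enumerate(snippets):          # steps 81, 89, 8a: each snippet in turn
        if current.output is None:                  # assumption: nothing is defined here
            continue
        for successor in snippets[i + 1:]:          # steps 82, 87, 88: sublist after current
            if successor.output == current.output:  # step 84: redefinition kills the chain
                break
            if current.output in successor.inputs:  # step 85: successor reads the element
                chains.append(DefUseChain(current, successor, current.output))  # step 86
    return chains


def chain_triples(snippets: List[CodeSnippet]) -> List[Tuple[str, str, str]]:
    """(definition point, use point, element) view of the collected chains."""
    return [(c.def_point.name, c.use_point.name, c.element)
            for c in collect_def_use_chains(snippets)]


def sample_snippets() -> List[CodeSnippet]:
    """Constructed sample: r1 and r2 are abstract program state elements."""
    return [
        CodeSnippet("s1", "r1"),                 # defines r1
        CodeSnippet("s2", "r2", {"r1"}),         # uses r1, defines r2
        CodeSnippet("s3", "r1", {"r2"}),         # uses r2, redefines r1
        CodeSnippet("s4", None, {"r1", "r2"}),   # uses both, defines nothing
    ]


if __name__ == "__main__":
    for d, u, e in chain_triples(sample_snippets()):
        print(f"{e}: {d} -> {u}")
```

On the sample, s1's definition of r1 reaches s2 but is cut off by s3's redefinition, while s2's definition of r2 reaches both s3 and s4, which is why the side-effect check of operation (6) has to be made per chain rather than per snippet.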
  8. The software security detection method according to claim 1, characterized in that operation step (8), the flow for eliminating side effects, eliminates the side effect of a code snippet in the attack code that has a side effect. The inputs are the side-effect code snippet, the definition-use chain, the code snippet linked list, i.e. the attack code, and the basic function table; the output is whether the side-effect elimination succeeded or failed. Step 90 is the start action. Step 91 takes the first code snippet from the code snippet linked list of the register assignment function as the current code snippet. Step 92 judges whether the function output operand of the current code snippet is the same as the operand of the definition-use chain; if so, go to step 93; otherwise go to step 96. Step 93 adds the current code snippet to the code snippet linked list, inserting it after the side-effect code snippet. Step 94 judges whether the current code snippet produces a side effect; if so, go to step 95; otherwise go to step 98 and return that the side effect was eliminated successfully. For judging whether the current code snippet produces a side effect, the inputs are the code snippet linked list and a pointer to the current code snippet. Step 95 deletes the current code snippet from the code snippet linked list. Step 96 takes the next code snippet from the code snippet linked list of the register assignment function as the current code snippet. Step 97 judges whether the current code snippet is empty; if so, go to step 98 and the side-effect elimination fails; otherwise go to step 91. Step 98 is the end state.
  9. The software security detection method according to claim 1, characterized in that in operation step (9), the attack code recording flow, the attack code whose side effects were successfully eliminated is recorded in the corresponding test result file. The inputs are the code snippet linked list, i.e. the attack code whose side effects were successfully eliminated, and the sensitive operation. Each sensitive operation corresponds to one test result file, the name of the test result file is the name of the corresponding sensitive operation, and the attack code is recorded in the corresponding test result file. Step 100 is the start action. Step 101 finds the corresponding sensitive operation file according to the sensitive operation name of the sensitive operation. Step 102 takes the first code snippet from the code snippet linked list as the current code snippet. Step 103 writes the address, basic function category and instruction sequence assembly code of the current code snippet into the file. Step 104 takes the next code snippet from the code snippet linked list as the current code snippet. Step 105 judges whether the current code snippet is empty; if so, go to step 106; otherwise go to step 102. Step 106 represents the end state.
  10. The software security detection method according to claim 1, characterized in that operation step (10), the software security reporting flow, outputs the attack code information recorded in the test result file corresponding to the sensitive operation. The input is the test result file; when the flow finishes, the attack code information in the test result file has been output. Step 110 is the start action. Step 111 outputs the test result file name, i.e. the sensitive operation name. Step 112 takes the first line of the test result file as the current line. Step 113 judges whether the current line is empty; if so, go to step 116; otherwise go to step 114. Step 114 outputs the attack code information stored in the current line. Step 115 takes the next line of the test result file as the current line. Step 116 is the end state.
CN201510467987.2A 2015-08-03 2015-08-03 A kind of software security detection method for code reuse programming Active CN105138914B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510467987.2A CN105138914B (en) 2015-08-03 2015-08-03 A kind of software security detection method for code reuse programming

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510467987.2A CN105138914B (en) 2015-08-03 2015-08-03 A kind of software security detection method for code reuse programming

Publications (2)

Publication Number Publication Date
CN105138914A CN105138914A (en) 2015-12-09
CN105138914B true CN105138914B (en) 2018-02-16

Family

ID=54724259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510467987.2A Active CN105138914B (en) 2015-08-03 2015-08-03 A kind of software security detection method for code reuse programming

Country Status (1)

Country Link
CN (1) CN105138914B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105825086B (en) * 2016-03-16 2018-07-24 西北大学 A kind of ROP means of defences based on Attack Tree
CN110515652B (en) * 2019-08-30 2021-10-15 腾讯科技(深圳)有限公司 Code abstract generation method and device and storage medium
CN113553041B (en) * 2021-09-22 2021-12-10 武汉江民网安科技有限公司 Method, apparatus and medium for generating function code formalized structure in binary program
CN115017507A (en) * 2022-07-14 2022-09-06 北京华云安信息技术有限公司 Method, device, equipment and storage medium for detecting source code tampering

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102662830A (en) * 2012-03-20 2012-09-12 湖南大学 Code reuse attack detection system based on dynamic binary translation framework

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
BIOP: Automatically Constructing Enhanced ROP Attacks (BIOP:自动构造增强型ROP攻击); Xing Xiao et al.; Chinese Journal of Computers (计算机学报); 2014-05-30; Vol. 37, No. 5; pp. 1111-1123 *

Also Published As

Publication number Publication date
CN105138914A (en) 2015-12-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant