CN111931191A - Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform - Google Patents
Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform Download PDFInfo
- Publication number
- CN111931191A CN111931191A CN202010938518.5A CN202010938518A CN111931191A CN 111931191 A CN111931191 A CN 111931191A CN 202010938518 A CN202010938518 A CN 202010938518A CN 111931191 A CN111931191 A CN 111931191A
- Authority
- CN
- China
- Prior art keywords
- program
- heap
- binary
- simulation execution
- target program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The Linux platform binary software stack overflow hole dynamic detection system can improve the stack overflow hole dynamic detection efficiency. The binary program simulation loading module loads the code segment and the data segment contents into a simulation execution environment according to the executable file format corresponding to the target program; the API function hooking module carries out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program; a binary program simulation execution module based on dynamic binary translation performs simulation execution on the formed simulation execution image; when the target program has malloc and realloc heap application operations during simulation execution, a heap management mechanism runtime hosting module hosts the heap application and returns the heap application to a memory block with accurate boundary of the application program; when the target program performs read-write access on the memory block with the accurate boundary obtained by application in execution, overflow occurs to inform a user that the program has a heap overflow vulnerability.
Description
Technical Field
The invention belongs to the technical field of vulnerability detection, and particularly relates to a dynamic detection method and system for binary software heap overflow and vulnerability of a Linux platform.
Background
The heap overflow bug refers to a program bug caused by the fact that a writing range exceeds the length of a target buffer when a program writes to a heap buffer of the program. In recent years, the vulnerability is frequently popped out in different software systems, and serious harm is caused to information safety.
The fuzzy testing technology is a main method in the field of binary software vulnerability mining at present. The method generates a large number of input instances, and whether the target software has a bug or not is confirmed by observing whether the input instances trigger an exception or not during execution. The strategy can effectively mine program bugs such as stack overflow, zero removal and the like. However, since most heap overflow vulnerability triggering behaviors do not explicitly generate execution exceptions, this method is currently inefficient in terms of heap overflow vulnerability mining.
As a mainstream binary software vulnerability detection technology in the current industry, a general operation flow of a fuzzy test technology is as follows: firstly, a large amount of data is randomly generated, and then the data is injected into the runtime address space of the application program to monitor the running condition of the target program. And when the target program is executed to a target defect program point and is triggered to crash, recording the input corresponding to the current operation as defect input. The process then continues to iterate until certain analyst-set termination conditions are met.
From the above, the fuzz testing technique can effectively detect the input instance causing the target binary program to execute and crash. This detection principle is fully applied for stack overflow bugs (because the input instance that can trigger a stack overflow bug will often cover the EIP register of the target program, hijacking the program flow to an illegal region and then causing a crash), and not for heap overflow bugs (because the input instance that triggers a heap overflow bug will often only cover a memory region near the heap buffer, which will not cause execution crash events such as control flow hijacking, page access exceptions, etc.). Therefore, the fuzzy test method based on crash detection is generally low in efficiency in the aspect of heap overflow vulnerability detection.
Aiming at the problems, Google provides an Address Santizer solution on the source code vulnerability detection level based on an LLVM compiling system. The scheme implicitly inserts heap vulnerability runtime detection codes in the source code compiling process of the target program. If the detection code determines that there is a heap bug trigger at runtime, execution of the program is immediately terminated by generating an exception. The peripheral fuzz tester may confirm the existence of the heap bug by detecting the corresponding type of exception event. The scheme is combined with fuzzy testers such as AFL (active face language) and libFuzz at present, and becomes a benchmark-level application example in the field of source code vulnerability mining. However, this method is not suitable for security analysis of binary programs due to instrumentation based on a compiler system in the case of active code.
Through the analysis, it can be seen that the binary fuzzy test technology can effectively detect input instances which can cause program execution crash when triggered by stack overflow and the like, but is not suitable for detecting bugs which cannot cause execution crash, such as stack overflow and the like; the Address Santizer inherently provides a relatively ideal scheme for dynamically detecting the heap bugs, but is only suitable for performing security analysis on the target program of the active code due to the fact that the method is based on compiling-time instrumentation, and is relatively low in efficiency in the dynamic detection of the heap bugs of the binary program.
Therefore, one technical problem that needs to be solved by those skilled in the art is: how to creatively provide an effective Linux platform binary software stack overflow leakage hole dynamic detection method, overcome the defects of the prior art, and meet more requirements in practical application.
Disclosure of Invention
The embodiment of the application aims to provide a Linux platform binary software stack overflow hole dynamic detection method and a Linux platform binary software stack overflow hole dynamic detection system.
In order to solve the above technical problem, the embodiment of the present application is implemented as follows:
according to a first aspect of the embodiments of the present application, a Linux platform binary software heap overflow hole dynamic detection system is provided, where the system includes: the system comprises a binary program simulation loading module, an API function hook module, a binary program simulation execution module based on dynamic binary translation, a heap management mechanism runtime hosting module and an exception alarm module based on self-customized machine codes, wherein the binary program simulation loading module loads the code segment and the data segment content into a simulation execution environment according to the executable file format corresponding to a target program; the API function hooking module carries out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program; a binary program simulation execution module based on dynamic binary translation performs simulation execution on the formed simulation execution image; when the target program has malloc and realloc heap application operations during simulation execution, a heap management mechanism runtime hosting module hosts the heap application and returns the heap application to a memory block with accurate boundary of the application program; when the target program overflows when read-write access is performed on the memory block with accurate boundary obtained by application in execution, the abnormity alarm module based on the self-customized machine code is used for capturing an overflow event and notifying a user that a heap overflow vulnerability exists in the program.
In another embodiment of the Linux platform binary software heap overflow hole dynamic detection system, the binary program simulation loading module analyzes the content of the target program based on the ELF executable file format, determines the memory mapping information of the contents of the code part and the data part of the target program, maps the memory mapping information to the memory space of the binary program simulation execution module based on the dynamic binary translation, and calls a dynamic linker adapted in the target environment to dynamically relocate the external import item in the executable file.
In another embodiment of the Linux platform binary software heap overflow hole dynamic detection system according to the present invention, the binary program emulation execution module based on dynamic binary translation converts an instruction of a client architecture into a corresponding machine instruction under a host platform, and performs emulation execution on a target program by executing a host binary code obtained by translation.
In another embodiment of the Linux platform binary software heap overflow hole dynamic detection system based on the present invention, the heap management mechanism runtime hosting module hosts a heap application, and aims to perform a "boundary-accurate" memory application, allowing only a target program to read and write a memory region allocated to the target program, and alarming illegally all memory accesses to memory segments in the adjacent region.
Based on another aspect of the embodiment of the invention, the invention discloses a dynamic detection method for the overflow leakage hole of the binary software heap of the Linux platform, which comprises the following steps: s1, loading the code segment and data segment into the simulation execution environment according to the executable file format corresponding to the target program;
s2, carrying out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program;
s3, performing simulation execution on the formed simulation execution image;
s4, during simulation execution, if the target program has malloc and realloc heap application operation, the heap application is managed and returned to the memory block with accurate boundary of the application program;
s5, when the target program overflows during the read-write access of the obtained memory block with accurate boundary, the target program will access the invalid memory page and trigger the exception as the address crosses the boundary, thereby notifying the user program of the existence of heap overflow vulnerability.
The invention can judge the input as the verification input (PoC) which can trigger the heap overflow vulnerability in real time under the condition that the input example causes the heap overflow action to occur but does not cause the execution crash. Thereby enhancing the capability level of vulnerability mining techniques based on fuzz testing.
The core technical idea of the application aims to dynamically host heap memory application and release operations occurring in the dynamic monitoring process of the target program execution track, and forcibly convert heap overflow out-of-bound access behaviors which cannot trigger exception originally into exception events which can cause program execution crash. Therefore, whether the current execution of the target program contains a bug (including a heap overflow bug) is confirmed through monitoring the execution abnormal event.
Drawings
FIG. 1 illustrates a schematic structural diagram of a Linux platform binary software heap overflow hole dynamic detection system provided according to some embodiments of the present application;
FIG. 2 illustrates a schematic structural diagram of another embodiment of a Linux platform binary software heap overflow hole dynamic detection system provided in accordance with some embodiments of the present application;
fig. 3 illustrates a schematic diagram of memory regions of a malloc hook utility provided in accordance with some embodiments of the present application;
FIG. 4 is a schematic diagram of a program provided in accordance with some embodiments of the present application running in an execution heap overflow vulnerability dynamic detection prototype system constructed in embodiment 1;
FIG. 5 shows a schematic of experimental results of AFL provided according to some embodiments of the present application;
FIG. 6 shows a schematic diagram of the results according to example 2 of the present application;
FIG. 7 illustrates a flowchart of a Linux platform binary software heap overflow hole dynamic detection method provided according to some embodiments of the present application.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings.
Fig. 1 is a schematic diagram of a Linux platform binary software heap overflow hole dynamic detection system according to some embodiments of the present application, which is described in detail with reference to fig. 1 and includes: the system comprises a binary program simulation loading module 101, an API function hook module 102, a binary program simulation execution module 103 based on dynamic binary translation, a heap management mechanism runtime hosting module 104 and an exception alarm module 105 based on self-customized machine codes, wherein the binary program simulation loading module 101 loads the contents of code segments and data segments of a target program into a simulation execution environment according to an executable file format corresponding to the target program; the API function hooking module 102 carries out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program; the binary program simulation execution module 103 based on dynamic binary translation is used for performing simulation execution on the formed simulation execution image; when the target program has malloc and realloc heap application operations during simulation execution, the heap management mechanism runtime hosting module 104 hosts the heap application and returns the heap application to the memory block with the accurate boundary of the application program; when the target program overflows during read-write access to the memory block with accurate boundary obtained by application in execution, the abnormity alarm module 105 based on the self-customized machine code is used for capturing an overflow event and notifying a user that a heap overflow vulnerability exists in the program. The boundary access right of the boundary accuracy is strictly limited, the memory area in the range corresponding to the block can be read and written, and the memory area beyond the range of the block cannot be read and written.
In specific implementation, referring to fig. 2, a schematic structural diagram of another embodiment of the Linux platform binary software heap overflow hole dynamic detection system according to some embodiments of the present application is shown, where a binary program often needs to comply with a file format specified by its target operating platform, such as a PE file format under a Windows platform, an ELF file format under a Linux platform, and the like. These file formats specify the organization of the disk files of code segments, data segments, etc. in the executable file and the specific way of mapping to memory.
In order to dynamically monitor the running process of a binary application program under a Linux platform by using an emulation execution method, an emulation loading module for an ELF executable file is firstly constructed in the application. The loading module firstly analyzes the content of a given target program based on an ELF executable file format protocol, determines the memory mapping information of the contents of a code part and a data part of the given target program, immediately maps the contents to the memory space of the simulation executor, calls a dynamic linker adapted in a target environment to dynamically relocate an external import item in the executable file, and simultaneously carries out API hooking operation discussed in section 2.2, thereby forming a complete simulation execution mirror image.
LD _ PRELOAD is an environment variable of Linux system that allows us to define dynamic link libraries that are loaded preferentially into its address space before the target program runs. The application realizes the API hook during the running of the target program by using the important system mechanism under the Linux platform. Specifically, we build a dynamic link library libhook, so, which contains the system functions we are interested in, and is marked by LD _ PRELOAD environment variables when the target program is runningfuncSynonymous function definitionfunc'. So at the time of the link when the dynamic linker loads the target program, the link defined in libhookfunc' function linking to object programfuncThe location of the function call. Thereby realizing dynamic hijacking of the target program to the calling of the API functions at the runtime.
We hooked 1) __ libc _ start _ main function, 2) heap management functions like malloc, realloc in libhook. Based on the hook of the former, an event processing function corresponding to abnormal signals such as SIGTERM, SIGALRM and the like is hung at the starting time of a target program, and an analysis engine immediately calls an 'abnormal alarm module based on self-customized machine code' to process when the abnormality occurs; the hook of the latter provides a necessary monitoring condition for the real-time capture of the heap application operation by the heap management mechanism runtime hosting module.
The concrete methods for instruction simulation execution are divided into two methods of interpretation and dynamic binary translation. The former generally first converts instructions of the client architecture into some kind of structured intermediate representation, and then interprets and executes the intermediate representation; the latter converts the instruction of the client system structure into a corresponding machine instruction under the host platform, and directly executes the translated binary code.
In order to be compatible with dynamic monitoring analysis of target programs under various architectures, the method adopts a simulation execution mode based on the latter. For a given simulation execution image and program entry point position, the simulation execution engine constructed by the application firstly applies a recursive downward disassembling algorithm to extract a simulation instruction sequence and converts the instructions into a corresponding micro instruction sequence form. And then extracting a corresponding simulation execution template described by the host machine instruction according to the micro-operation type. After the related instruction operands in the template are relocated, the instruction operands are integrated into a code block, and finally a host machine simulation execution code corresponding to the source CPU instruction is generated.
Take the add eax, 16 instruction under the x86 architecture as an example. The simulation execution engine firstly analyzes the micro-operation sequence corresponding to the instruction, and the specific form and the corresponding meaning are as follows:
the host emulation execution binary code templates corresponding to the various micro-operations are as follows:
env- > regs [ R _ EAX ] appearing in the code template corresponds to the storage location of the EAX register in the emulation environment, and T0 is the emulation storage location of the intermediate variable T0 register.
After determining each micro-operation and the corresponding simulation template, the simulation execution engine performs code relocation on the simulation execution block integrated by each template, fills the required instruction operand to the corresponding position, obtains a complete simulation execution code block, and thus realizes the simulation execution of the target program.
Runtime hosting of system heap management, aiming at performing "boundary accurate" memory applications: i.e. only the target program is allowed to read and write the memory region allocated to it, while all memory accesses to memory segments in its neighborhood are illegal. When the target program makes a malloc function call to request memory space of length byte length, our malloc hook will use mmap system call to allocate memory space as shown in the following figure.
Referring to fig. 3, for a length-long malloc request, we use mmap system call to allocate a total of 8+ length +1 kbyte of memory space (here we assume our target program is a 32-bit ELF format executable program). The real-chunk part allocates memory for the length byte length that we want to return to the target program. The access right corresponding to the memory area of the page 1 behind the area is set as PROT _ NONE to ensure that read/write access occurs to the area when the target program runs, and an SEGMENTATION FAULT signal is generated due to illegal access, so that the real-time detection of the upward overflow of the heap memory access is realized; the 4 bytes located immediately adjacent to the low address end of the real-chunk region are set to the specific byte search that we preset. If the application program subsequently performs a write access to the part of the memory, the hook function set at the end of the application program detects a difference in search, and thus confirms the occurrence of a heap memory access underflow event.
When the target program is abnormal due to the fact that the heap access is out of range, an abnormal event signal processing callback function hung on a binary program simulation loading module is triggered. These all occur within a dynamic binary translated software virtual machine. We need to inform the virtual machine monitor running on the host of this exception message from within the virtual machine. Here we implement the process through self-customized machine code in a manner similar to the S2E symbolic execution engine.
Self-customized "exception-causing instruction" machine code, as follows: 0x0f 0x3f 0x 000 x 000 x 000 x 00.
The "exception-occurring instruction" instruction is executed within a signal processing function. In a software virtual CPU of dynamic binary translation, decoding execution operation of the instruction is supplemented, and instruction operation semantics of informing a virtual machine monitor target program of exception is added. Therefore, real-time alarming of the target program abnormity in the virtual machine to the peripheral monitor is realized.
Example 1: execution trace heap overflow vulnerability dynamic detection prototype system
And constructing a heap overflow vulnerability dynamic detection prototype system based on a user-mode simulation component of the QEMU virtual machine. For a given target program and specific input, the system dynamically tracks the program execution track corresponding to the specific input, and when a heap overflow behavior is found, whether the behavior is abnormal or not, an alarm is immediately sent to a user.
Example 2: heap overflow vulnerability dynamic excavation prototype system based on fuzzy test
The heap overflow vulnerability dynamic detection prototype system constructed in the embodiment 1 is combined with a fuzzy tester AFL which is widely applied in the current vulnerability mining aspect, so that the heap overflow vulnerability dynamic mining prototype system based on the fuzzy test is formed. Compared with the original AFL fuzz tester, the system can effectively detect the input instance capable of triggering the heap overflow action.
Experimental example 1: to verify the dynamic detection capability of example 1 for heap overflow bugs in single program execution traces, we target the following programs. It can be seen that there is a distinct heap overflow write operation for this program.
We compile this program on the 64-bit Ubuntu-16.04 operating system as the ELF executable test-p0 under the 32-bit i386 architecture. While the program is running, it is passing 32 bytes into the buffer via the standard input, but the test-p0 program does not crash (because the memory write access of the additional 16 bytes beyond the buffer does not trigger a memory page access exception).
We run this program in the execution trace heap overflow vulnerability dynamic detection prototype system constructed in example 1, and the result is shown in FIG. 4.
Therefore, based on the heap management runtime hosting mechanism provided by the application, the prototype system converts the out-of-bounds behavior of the heap memory access address into an execution crash event in the monitoring system in the execution monitoring process of the target program, so that an overflow behavior alarm is generated successfully.
Experimental example 2: to verify the effectiveness of embodiment 2 in heap overflow vulnerability mining, we use the above program as a test target, use a common input instance that does not trigger vulnerability behavior as an initial seed set of a fuzzy test, and respectively start embodiment 2 and AFL to perform vulnerability mining.
The results of the AFL experiments are shown in fig. 5. It can be seen that, after 2271 iterations, the heap overflow hole is still not found by the fuzzy tester.
The results of example 2 are shown in fig. 6. Therefore, after the operation is carried out for only 1 second (after 19 rounds of iteration), the improved AFL vulnerability mining system based on the application can successfully find the heap overflow vulnerability and generate a corresponding input example capable of triggering the heap overflow behavior.
Fig. 7 is a flowchart illustrating a method for dynamically detecting a Linux platform binary software heap overflow hole according to some embodiments of the present application, and details of the method for dynamically detecting a Linux platform binary software heap overflow hole in an example embodiment are described in conjunction with fig. 7. The Linux platform binary software stack overflow leakage hole dynamic detection method comprises the following steps:
s1, loading the code segment and data segment into the simulation execution environment according to the executable file format corresponding to the target program;
s2, carrying out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program;
s3, performing simulation execution on the formed simulation execution image;
s4, during simulation execution, if the target program has malloc and realloc heap application operation, the heap application is managed and returned to the memory block with accurate boundary of the application program;
s5, when the target program overflows during the read-write access of the obtained memory block with accurate boundary, the target program will access the invalid memory page and trigger the exception as the address crosses the boundary, thereby notifying the user program of the existence of heap overflow vulnerability.
In the specific implementation, 1) the binary program simulation loader loads the code segment, the data segment and other contents into the simulation execution environment according to the executable file format corresponding to the target program; 2) the API function hooking module carries out API hooking on the binary program loaded into the simulation memory, so that a simulation execution image of the target program is formed; 3) the emulation execution module based on the dynamic binary translation performs emulation execution on the execution image; 4) during simulation execution, if a target program has heap application operations such as malloc and realloc, a heap management mechanism runtime hosting module immediately hosts the request and returns the request to a memory block with an accurate boundary of the application program; 5) and (4) the target program overflows when reading and writing access is carried out on the memory block with the accurate boundary obtained by the step 4 in the subsequent execution. This behavior triggers an exception event of "access violation" due to an address out of bounds accessing an invalid memory page. The event is captured by an 'exception alarm module based on self-customized machine code', and then a user is informed that the program has a heap overflow bug.
It will be evident to those skilled in the art that the embodiments of the present invention are not limited to the details of the foregoing illustrative embodiments, and that the embodiments of the present invention are capable of being embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the embodiments being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. Several units, modules or means recited in the system, apparatus or terminal claims may also be implemented by one and the same unit, module or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention and not for limiting, and although the embodiments of the present invention are described in detail with reference to the above preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the embodiments of the present invention without departing from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (6)
1. A Linux platform binary software heap overflow hole dynamic detection system is characterized by comprising: the system comprises a binary program simulation loading module, an API function hook module, a binary program simulation execution module based on dynamic binary translation, a heap management mechanism runtime hosting module and an exception alarm module based on self-customized machine codes, wherein the binary program simulation loading module loads the code segment and the data segment content into a simulation execution environment according to the executable file format corresponding to a target program; the API function hooking module carries out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program; a binary program simulation execution module based on dynamic binary translation performs simulation execution on the formed simulation execution image; when the target program has malloc and realloc heap application operations during simulation execution, a heap management mechanism runtime hosting module hosts the heap application and returns the heap application to a memory block with accurate boundary of the application program; when the target program overflows when read-write access is carried out on the memory block with accurate boundary obtained by application in execution, the abnormal alarm module based on the self-customized machine code captures the overflow event and informs a user that the program has a heap overflow vulnerability.
2. The Linux platform binary software heap overflow hole dynamic detection system of claim 1, wherein the executable file format corresponding to the target program comprises a PE file format under a Windows platform and an ELF file format under a Linux platform.
3. The Linux platform binary software heap overflow hole dynamic detection system of claim 2, wherein the binary program emulation load module performs content parsing on a target program based on an ELF executable file format, determines memory mapping information of contents of a code portion and a data portion thereof, maps the memory mapping information to a memory space of the binary program emulation execution module based on dynamic binary translation, and invokes a dynamic linker adapted in a target environment to dynamically relocate an external import item in the executable file.
4. The Linux platform binary software heap overflow hole dynamic detection system of claim 3, wherein the binary program emulation execution module based on dynamic binary translation converts an instruction of a client architecture into a corresponding machine instruction under a host platform, and executes emulation execution on a target program by executing a host binary code obtained by translation.
5. The Linux platform binary software heap overflow hole dynamic detection system of claim 1, wherein the heap management mechanism runtime hosting module hosts a heap application, which is intended to perform a "boundary accurate" memory application, allowing only a target program to read and write a memory region allocated to it, and all memory accesses to memory segments in its neighboring region are illegal alarms.
6. A dynamic detection method for binary software heap overflow leakage holes of a Linux platform is characterized by comprising the following steps:
s1, loading the code segment and data segment into the simulation execution environment according to the executable file format corresponding to the target program;
s2, carrying out API hooking on the binary program loaded into the simulation execution environment to form a simulation execution image of the target program;
s3, performing simulation execution on the formed simulation execution image;
s4, during simulation execution, if the target program has malloc and realloc heap application operation, the heap application is managed and returned to the memory block with accurate boundary of the application program;
s5, when the target program overflows during the read-write access of the obtained memory block with accurate boundary, the target program will access the invalid memory page and trigger the exception as the address crosses the boundary, thereby notifying the user program of the existence of heap overflow vulnerability.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010938518.5A CN111931191A (en) | 2020-09-09 | 2020-09-09 | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010938518.5A CN111931191A (en) | 2020-09-09 | 2020-09-09 | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111931191A true CN111931191A (en) | 2020-11-13 |
Family
ID=73309879
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010938518.5A Pending CN111931191A (en) | 2020-09-09 | 2020-09-09 | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111931191A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112685744A (en) * | 2020-12-28 | 2021-04-20 | 安芯网盾(北京)科技有限公司 | Method and device for detecting software bugs by using stack-related registers |
| CN113138874A (en) * | 2021-03-19 | 2021-07-20 | 中国电子科技集团公司第二十九研究所 | Method for detecting memory overflow of embedded software of airborne electronic warfare |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7437759B1 (en) * | 2004-02-17 | 2008-10-14 | Symantec Corporation | Kernel mode overflow attack prevention system and method |
| CN101470619A (en) * | 2007-12-29 | 2009-07-01 | 安凯(广州)软件技术有限公司 | Application program dynamic loading method based on microkernel operating system |
| CN103389939A (en) * | 2013-07-03 | 2013-11-13 | 清华大学 | Detection method and detection system for controlled heap allocation bug |
| CN103559439A (en) * | 2013-11-19 | 2014-02-05 | 浪潮(北京)电子信息产业有限公司 | Detection method and system for buffer overflow |
| CN104766015A (en) * | 2015-04-10 | 2015-07-08 | 北京理工大学 | Function call based dynamic detection method for buffer overflow vulnerability |
| CN106055478A (en) * | 2016-05-31 | 2016-10-26 | 腾讯科技(深圳)有限公司 | Method and device for detecting memory leak |
| CN106610892A (en) * | 2015-10-23 | 2017-05-03 | 腾讯科技(深圳)有限公司 | Memory leak detecting method and device |
| CN108664394A (en) * | 2018-04-10 | 2018-10-16 | 北京奇安信科技有限公司 | A kind of RAM leakage process tracing method and device |
| US10579806B1 (en) * | 2019-08-27 | 2020-03-03 | Zeus Sw Defender, Llc | Systems and methods for dynamic reencryption of code pointers |
| CN111597109A (en) * | 2020-04-24 | 2020-08-28 | 清华大学 | Defect detection method and system for cross-architecture firmware stack memory |
-
2020
- 2020-09-09 CN CN202010938518.5A patent/CN111931191A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7437759B1 (en) * | 2004-02-17 | 2008-10-14 | Symantec Corporation | Kernel mode overflow attack prevention system and method |
| CN101470619A (en) * | 2007-12-29 | 2009-07-01 | 安凯(广州)软件技术有限公司 | Application program dynamic loading method based on microkernel operating system |
| CN103389939A (en) * | 2013-07-03 | 2013-11-13 | 清华大学 | Detection method and detection system for controlled heap allocation bug |
| CN103559439A (en) * | 2013-11-19 | 2014-02-05 | 浪潮(北京)电子信息产业有限公司 | Detection method and system for buffer overflow |
| CN104766015A (en) * | 2015-04-10 | 2015-07-08 | 北京理工大学 | Function call based dynamic detection method for buffer overflow vulnerability |
| CN106610892A (en) * | 2015-10-23 | 2017-05-03 | 腾讯科技(深圳)有限公司 | Memory leak detecting method and device |
| CN106055478A (en) * | 2016-05-31 | 2016-10-26 | 腾讯科技(深圳)有限公司 | Method and device for detecting memory leak |
| CN108664394A (en) * | 2018-04-10 | 2018-10-16 | 北京奇安信科技有限公司 | A kind of RAM leakage process tracing method and device |
| US10579806B1 (en) * | 2019-08-27 | 2020-03-03 | Zeus Sw Defender, Llc | Systems and methods for dynamic reencryption of code pointers |
| CN111597109A (en) * | 2020-04-24 | 2020-08-28 | 清华大学 | Defect detection method and system for cross-architecture firmware stack memory |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112685744A (en) * | 2020-12-28 | 2021-04-20 | 安芯网盾(北京)科技有限公司 | Method and device for detecting software bugs by using stack-related registers |
| CN113138874A (en) * | 2021-03-19 | 2021-07-20 | 中国电子科技集团公司第二十九研究所 | Method for detecting memory overflow of embedded software of airborne electronic warfare |
| CN113138874B (en) * | 2021-03-19 | 2023-04-25 | 中国电子科技集团公司第二十九研究所 | Method for detecting memory overflow of embedded software of airborne electronic warfare |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Long et al. | Automatic runtime error repair and containment via recovery shepherding | |
| JP4518564B2 (en) | Method for preventing unauthorized code execution, program for preventing unauthorized code execution, and recording medium for program for preventing unauthorized code execution | |
| KR101835250B1 (en) | Detection of unauthorized memory modification and access using transactional memory | |
| US6662359B1 (en) | System and method for injecting hooks into Java classes to handle exception and finalization processing | |
| US8117660B2 (en) | Secure control flows by monitoring control transfers | |
| Volckaert et al. | Cloning your gadgets: Complete ROP attack immunity with multi-variant execution | |
| CN109583200B (en) | Program abnormity analysis method based on dynamic taint propagation | |
| US9047405B2 (en) | Remapping debuggable code | |
| US10984096B2 (en) | Systems, methods, and apparatus for detecting control flow attacks | |
| US7386690B2 (en) | Method and apparatus for hardware awareness of data types | |
| US9069894B2 (en) | Data collisions in concurrent programs | |
| US20060277371A1 (en) | System and method to instrument references to shared memory | |
| CN108920253B (en) | Agent-free virtual machine monitoring system and monitoring method | |
| CN111931191A (en) | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform | |
| US8407787B1 (en) | Computer apparatus and method for non-intrusive inspection of program behavior | |
| US11599445B2 (en) | Watcher: precise and fully-automatic on-site failure diagnosis | |
| US7328374B2 (en) | Method and apparatus for implementing assertions in hardware | |
| He et al. | {FreeWill}: Automatically Diagnosing Use-after-free Bugs via Reference Miscounting Detection on Binaries | |
| US7657792B2 (en) | Identifying race conditions involving asynchronous memory updates | |
| Seo et al. | A profiling method by PCB hooking and its application for memory fault detection in embedded system operational test | |
| CN113987507A (en) | Heap memory vulnerability detection method and device, storage medium and electronic equipment | |
| Huang et al. | Safecheck: Safety enhancement of Java unsafe API | |
| Filho et al. | Evasion and countermeasures techniques to detect dynamic binary instrumentation frameworks | |
| De Goër et al. | Now you see me: Real-time dynamic function call detection | |
| US20220335135A1 (en) | Vulnerability analysis and reporting for embedded systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20201113 |
|
| RJ01 | Rejection of invention patent application after publication |