CN101615238A - Detection and vulnerability localization system for memory tampering attacks based on binary code - Google Patents


Info

Publication number: CN101615238A
Authority: CN (China)
Legal status: Granted
Application number: CN200910181577A
Other languages: Chinese (zh)
Other versions: CN101615238B (en)
Inventors: 茅兵, 谢立, 房陈
Current assignee: Nanjing University
Original assignee: Nanjing University
Events:
Application filed by Nanjing University
Priority to CN2009101815776A
Publication of CN101615238A
Application granted
Publication of CN101615238B
Current status: Expired - Fee Related

Abstract

The invention discloses a detection and vulnerability localization system for memory tampering attacks that works on binary code. It comprises: a code translation unit, which converts x86 binary code into Valgrind's intermediate code form VEX; a basic-block data dependence record unit; a code insertion unit, made up of a taint propagation code insertion part, an attack detection code insertion part and a memory-tainting instruction record code insertion part, which together implement dynamic taint analysis, so that as the program runs, anomalous memory data is detected effectively and the write instructions that taint memory are recorded; and a vulnerability localization unit, made up of a tampered memory address localization part and a tampering instruction localization part, which finds the memory address that was tampered with by external input and then, from the information recorded by the preceding units, finds the address of the write instruction that tampered with that memory, completing the localization. The invention can detect memory tampering attacks effectively and locate the vulnerability accurately.

Description

Detection and vulnerability localization system for memory tampering attacks based on binary code
Technical field
The present invention relates to a method and tool for detecting memory tampering attacks against a program and locating the vulnerability, in particular a detection and vulnerability localization system for memory tampering attacks based on binary code, which works at the binary level without source code, analysing the binary program dynamically at run time to detect memory tampering attacks and locate the vulnerable position.
Background technology
At present, most network attacks and worms are caused by memory-related bugs. A memory vulnerability allows an attacker to perform arbitrary reads and writes of memory through malicious input, thereby controlling program behaviour and even obtaining root privileges on the system. Many such vulnerabilities exist only in programs written in unsafe languages such as C/C++. Because the C language has no strong type checking and no buffer bounds checking, a program written in it may contain memory-related vulnerabilities. Buffer overflows, heap corruption and format string bugs are three common classes of memory vulnerability. A buffer overflow is caused by reading or writing a buffer without bounds checking; heap corruption is caused by the heap's management data structures being destroyed; format string bugs come from non-standard use of the standard input/output functions.
Many researchers have proposed detection and prevention methods for this class of security problem, but these methods usually only address attack detection and filtering, and do not find the position of the bug, which is of no obvious help to a programmer who has to repair the vulnerable program thoroughly.
At present there is also little work aimed specifically at locating memory vulnerabilities. The existing work related to vulnerability localization has at least one of the following shortcomings: (1) the implementation details are too complicated; (2) there is intrinsic inaccuracy; (3) the efficiency is low; (4) library functions are not given special treatment.
Summary of the invention
Object of the invention: aimed at the deficiencies of the prior art, the present invention provides a detection and vulnerability localization system for memory tampering attacks based on binary code.
Technical solution: the invention discloses a detection and vulnerability localization system for memory tampering attacks based on binary code, comprising the following parts: a code translation unit, a basic-block data dependence record unit, a code insertion unit and a vulnerability localization unit;
The code translation unit converts binary-level code into Valgrind's intermediate code form VEX;
The basic-block data dependence record unit records the dependence relations between data, and provides the data dependence information needed by the tampered memory address localization part of the vulnerability localization unit;
The code insertion unit comprises a taint propagation code insertion part, an attack detection code insertion part and a memory-tainting instruction record code insertion part;
The taint propagation code insertion part implements dynamic taint analysis; the attack detection code insertion part detects anomalous memory data, namely a tainted address operand of a memory access operation or an unconditional jump operation; the memory-tainting instruction record code insertion part records the write instructions that taint memory.
The vulnerability localization unit comprises a tampered memory address localization part and a tampering instruction localization part;
The tampered memory address localization part uses the information recorded by the basic-block data dependence record unit to find the memory address tampered with by external input; the tampering instruction localization part uses the information recorded by the memory-tainting instruction record code insertion part to find the address of the write instruction that tampered with that memory, completing the localization.
In the present invention, the basic-block data dependence record unit operates as follows:
Step S100: determine the statement type in the intermediate code VEX generated by Valgrind. If the statement is a temporary-variable write statement Ist_WrTmp, go to step S200; if it is a register write statement Ist_Put or Ist_PutI, go to step S300; otherwise go to step S1100;
Step S200: determine the type of the source expression of the temporary-variable write statement Ist_WrTmp. If the expression is a memory read Iex_Load, go to step S400; if it is a register read Iex_Get or Iex_GetI, go to step S500; otherwise go to step S800;
Step S300: determine the type of the source expression of the register write statement Ist_Put or Ist_PutI. If the expression is a temporary-variable read Iex_RdTmp, go to step S600; otherwise go to step S1100;
Step S400: determine whether the source memory of the memory read expression Iex_Load is tainted (in English: taint). If so, go to step S700; otherwise go to step S1100;
Step S500: determine whether the source register of the register read expression Iex_Get or Iex_GetI is tainted. If so, go to step S900; otherwise go to step S1100;
Step S600: determine whether the temporary variable of the temporary-variable read expression Iex_RdTmp is tainted. If so, go to step S1000; otherwise go to step S1100;
Step S700: record the tainted memory address together with the destination temporary variable, then go to step S1100;
Step S800: record the dependence between the source temporary variable and the destination temporary variable, then go to step S1100;
Step S900: find, through the recorded dependences, the memory address that tainted the source register; record that memory address together with the destination temporary variable, then go to step S1100;
Step S1000: find, through the recorded dependences, the memory address that tainted the source temporary variable; record that memory address together with the destination register, then go to step S1100;
Step S1100: insert code into the VEX intermediate code.
In the present invention, the code insertion unit of step S1100 operates as follows:
Step S1200: insert taint propagation code to implement the dynamic tainting process, then go to step S1300;
Step S1300: determine the type of the VEX statement. If the statement is a memory write statement Ist_Store, go to step S1400; if the statement contains a memory read expression Iex_Load or is an unconditional jump operation, go to step S1500; otherwise go to step S1600;
Step S1400: insert code that records the write instruction tainting the memory data, then go to step S1500;
Step S1500: insert code that checks whether the address expression of a memory access operation (memory access operations comprise memory writes and memory reads) or of an unconditional jump operation is tainted (i.e. whether the memory data is anomalous); this is used to detect memory tampering. Then go to step S1600;
Step S1600: if an anomaly is detected while the program runs, locate the vulnerability.
In the present invention, the taint propagation code insertion part of step S1200 operates as follows:
Step S1201: determine whether the statement is at a read or recv system call, which marks the moment at which external input enters the program. If so, go to step S1202; otherwise go to step S1203;
Step S1202: taint the memory holding the external input data, then go to step S1300;
Step S1203: according to the taint propagation rule (if any source operand of an instruction is tainted, then the destination operand of that instruction becomes tainted as the instruction executes), insert code into the VEX intermediate code that performs the taint propagation, then go to step S1300;
Step S1300: determine the type of this VEX statement further.
In the present invention, the memory-tainting instruction record code insertion part of step S1400 operates as follows:
Step S1401: determine whether the source operand of the memory write statement Ist_Store is tainted. If so, go to step S1402; otherwise go to step S1500;
Step S1402: record the address W of the memory write statement Ist_Store together with the destination memory address M of that statement, as the pair (M, W), then go to step S1500;
Step S1500: insert code that checks whether the address operand of a memory access operation or unconditional jump operation is tainted.
In the present invention, the vulnerability localization unit of step S1600 operates as follows:
Step S1601: run the instrumented program on the Valgrind platform, then go to step S1602;
Step S1602: determine whether the program run has finished. If so, go to step S1606; otherwise go to step S1603;
Step S1603: the code inserted by the attack detection code insertion part (222) checks whether the address operand of a memory access operation or unconditional jump operation is tainted. If so, go to step S1604; otherwise go to step S1601;
Step S1604: use the data dependence relations recorded by the data dependence record unit (21) to backtrack and find the tampered memory address M', then go to step S1605;
Step S1605: use the M' found in step S1604 and the pairs (M, W) recorded in step S1402 to find the address W' of the write instruction that tampered with M', then go to step S1606;
Step S1606: the program run finishes.
In the present invention, the code translation unit transforms the x86 binary executable into the intermediate code VEX. The VEX instruction set comprises 10 kinds of statement and 12 kinds of expression. Because VEX is a RISC-like instruction set, it is convenient for the dynamic code translation of the present invention. The unit of code translation is the basic block.
The primary targets of a memory tampering attack are two classes of data: control-flow data and data pointers. These are data internal to the program, and the values they hold are memory addresses, so their values should not be derived, directly or indirectly, from external input. The present invention therefore checks the address operands of all memory access operations and unconditional jump operations. By analysing the intermediate code of each basic block, the present invention identifies memory access operations and unconditional jump operations and inserts detection code before them, to check whether their address operands are related to external input; if so, the present invention concludes that the program has suffered a memory tampering attack.
Memory tampering attacks are usually caused by malicious external input, so while the program runs the present invention needs to monitor the program's external input data. The present invention taints data coming from external input and propagates the taint dynamically during program execution. Two concrete functions are therefore needed in this unit: (1) intercept the read and recv system calls and taint the memory that stores the external input data; (2) during program execution, insert code according to the taint propagation policy so that the taint propagates as the program runs.
When the detection code inserted into the program detects an anomaly during execution, the present invention starts the vulnerability localization function automatically. Using the recorded data dependence relations and the recorded taint-propagating write instructions, it backtracks to the address of the instruction that illegally tampered with memory. If that instruction belongs to a shared library function, the present invention locates the call site of that library function, which makes the localization result more reasonable and easier to understand.
The workflow of the present invention can be divided into four steps. First, the code translation unit converts the binary code into VEX-form intermediate code; the translation is performed by the binary code analysis framework Valgrind on the x86/Linux platform. Second, the basic-block data dependence record unit records the dependence relations between data, providing the information required by the later vulnerability localization unit. Third, the code insertion unit implements dynamic taint analysis of the program, correctly detecting anomalous memory data as the program executes and recording the process by which memory became tainted, again providing the information required by the vulnerability localization unit. Finally, the vulnerability localization unit finds the memory address tampered with by external input and, from the information recorded by the preceding units, finds the address of the write instruction that tampered with that memory, completing the localization.
The present invention uses the binary code translation and analysis tool Valgrind and its plug-in Flayer. Valgrind performs the conversion of binary-level code into the VEX intermediate code form; Flayer provides the taint propagation function and mechanism. The other functions of the system are implemented by the present invention itself.
In summary, the present invention proposes a binary-level method for detecting memory tampering attacks and locating the vulnerability: by tainting the program's external input data, it dynamically monitors the propagation trajectory of that data through the program; by checking the taint of the address operands of memory access operations and unconditional jump operations, and by performing vulnerability localization automatically when an attack is detected, it makes finding the vulnerable position a fully automatic process.
Beneficial effects: compared with existing detection and localization systems for memory tampering attacks, the present invention has the following advantages: (1) it works at the binary level and needs no source code; (2) the range of detectable attacks is wider; (3) it locates the program vulnerability automatically and accurately; (4) the implementation is relatively simple. To demonstrate the advantages of the present invention, some representative software was chosen to test it. The main purpose of the experiment is to evaluate the validity and accuracy of the invention's detection and localization of memory tampering attacks. Experimental platform: Intel Core Duo T2300E 2.00GHz, 512MB DDR2-667 memory and Linux 2.6.25 kernel. The test programs were compiled with gcc-4.2 and use the glibc 2.7 shared library. The present invention selected the following software to evaluate the validity of the system's real-time detection of memory tampering attacks: ncompress-4.2.4, polymorph-0.4.0, gzip-1.2.4, man-1.5h1, 129.compress, bc-1.06, wu-ftpd-2.6.1, squid-2.3 and others. All of these programs contain vulnerabilities related to memory tampering. Fig. 2 shows the results of the validity test. As can be seen, when the above test programs suffer memory tampering attacks, the present invention successfully detects the attack and accurately locates the position of the vulnerability.
Description of drawings
The present invention is described further below with reference to the drawings and specific embodiments; the above and other advantages of the present invention will become apparent.
Fig. 1 is a schematic diagram of the system architecture of the present invention.
Fig. 2 shows the validity test results of the present invention.
Fig. 3 is a diagram of the composition of the VEX instruction set.
Fig. 4 is a schematic diagram of the basic-block data dependence recording of the present invention.
Fig. 5 is a schematic diagram of the code insertion of the present invention.
Fig. 6 is a schematic diagram of the taint propagation code insertion of the present invention.
Fig. 7 is a schematic diagram of the memory-tainting instruction record code insertion of the present invention.
Fig. 8 is a schematic diagram of the vulnerability localization of the present invention.
Fig. 9 shows a code example with a buffer overflow vulnerability and its stack layout diagram.
Embodiment:
The present invention is built on Valgrind and its plug-in Flayer.
As shown in Fig. 1, the detection and vulnerability localization system 10 for memory tampering attacks based on binary code of the present invention comprises: a code translation unit 20, a basic-block data dependence record unit 21, a code insertion unit 22 and a vulnerability localization unit 23.
The code translation unit 20 converts binary-level code into Valgrind's intermediate code form VEX, where VEX is a reduced instruction set computer (RISC) style instruction set. The VEX instruction set has 10 kinds of statement and 12 kinds of expression. As shown in Fig. 3, the VEX instruction set is divided into statements and expressions. The difference between them is that a statement modifies a register, memory or a temporary variable, whereas an expression only uses the value of a register, memory or a temporary variable. Data objects in the VEX instruction set fall into four classes: registers, memory, temporary variables and constants. The write statements for registers are Ist_Put and Ist_PutI; the read expressions for registers are Iex_Get and Iex_GetI; the write statement for memory is Ist_Store; the read expression for memory is Iex_Load; the write statement for temporary variables is Ist_WrTmp; the read expression for temporary variables is Iex_RdTmp; the read expression for constants is Iex_Const.
The basic-block data dependence record unit 21 is built on the VEX intermediate code generated by Valgrind. Taking the basic block as its unit, it records the dependence relations between temporary variables, providing the information required by the later vulnerability localization unit.
The code insertion unit 22 is built on Flayer and implements the program's dynamic taint analysis, correctly detecting anomalous memory data as the program executes and recording the process by which memory became tainted, providing the information required by the later vulnerability localization unit. These functions are carried out by three modules: the taint propagation code insertion part 221, the attack detection code insertion part 222 and the memory-tainting instruction record code insertion part 223.
The taint propagation code insertion module 221 needs to recognise the read and recv system calls, because memory tampering attacks are caused by malicious external input. The taint of external input propagates according to fixed rules while the program runs, and data carrying that taint is, directly or indirectly, related to external input.
The attack detection code insertion module 222 needs to insert detection code before the three classes of operation Iex_Load, Ist_Store and unconditional jump, checking whether the taint of the address operand of these operations is identical to the taint of external input; if it is identical, the program is considered to be under a memory tampering attack.
The memory-tainting instruction record code insertion module 223 must, so that the later vulnerability localization unit can backtrack to the illegal write instruction, record together while the program runs the write instruction W that taints memory and the tainted memory M, as the pair (M, W). Whether to record is decided by checking whether the taint of the source operand of the memory write instruction Ist_Store is identical to that of external input: if so, record; otherwise, do not.
The vulnerability localization unit 23, after the inserted detection code has detected an attack, analyses the data dependences recorded by the data dependence record unit 21 to find the tampered memory address M', and then uses M' to look up the corresponding W' in the pairs (M, W) recorded by the memory-tainting instruction record code insertion part 223; W' is the address of the instruction that tampered with memory M'. The localization is then complete. These functions are carried out by two modules: the tampered memory address localization part 231 and the tampering instruction localization part 232.
As shown in Fig. 4, the basic-block data dependence recording specifically comprises the following steps:
Step S100: determine the statement type in the intermediate code VEX generated by Valgrind. If the statement is a temporary-variable write statement Ist_WrTmp, go to step S200; if it is a register write statement Ist_Put or Ist_PutI, go to step S300; otherwise go to step S1100;
Step S200: determine the type of the source expression of the temporary-variable write statement Ist_WrTmp. If the expression is a memory read Iex_Load, go to step S400; if it is a register read Iex_Get or Iex_GetI, go to step S500; otherwise go to step S800;
Step S300: determine the type of the source expression of the register write statement Ist_Put or Ist_PutI. If the expression is a temporary-variable read Iex_RdTmp, go to step S600; otherwise go to step S1100;
Step S400: determine whether the source memory of the memory read expression Iex_Load is tainted. If so, go to step S700; otherwise go to step S1100;
Step S500: determine whether the source register of the register read expression Iex_Get or Iex_GetI is tainted. If so, go to step S900; otherwise go to step S1100;
Step S600: determine whether the temporary variable of the temporary-variable read expression Iex_RdTmp is tainted. If so, go to step S1000; otherwise go to step S1100;
Step S700: record the tainted memory address together with the destination temporary variable, then go to step S1100;
Step S800: record the dependence between the source temporary variable and the destination temporary variable, then go to step S1100;
Step S900: find, through the data dependence relations already recorded by this unit, the memory address that tainted the source register; record that memory address together with the destination temporary variable, then go to step S1100;
Step S1000: find, through the dependences already recorded by this unit, the memory address that tainted the source temporary variable; record that memory address together with the destination register, then go to step S1100;
Step S1100: insert code into the VEX intermediate code.
As shown in Fig. 5, code is inserted into the VEX intermediate code to implement dynamic tainting, attack detection and vulnerability localization. This comprises three sub-modules: the taint propagation code insertion part 221, the attack detection code insertion part 222 and the memory-tainting instruction record code insertion part 223. The specific steps are:
Step S1200: insert taint propagation code to implement the dynamic tainting process, then go to step S1300;
Step S1300: determine the type of the VEX statement. If the statement is a memory write statement Ist_Store, go to step S1400; if the statement contains a memory read expression Iex_Load or is an unconditional jump operation, go to step S1500; otherwise go to step S1600;
Step S1400: insert code that records the write instruction tainting the memory data, then go to step S1500;
Step S1500: insert code that checks whether the address operand of a memory access operation or unconditional jump operation is tainted, used to detect memory tampering, then go to step S1600;
Step S1600: if an anomaly is detected while the program runs, locate the program vulnerability automatically.
Fig. 6 is a schematic diagram of the concrete implementation flow of the dynamic tainting technique: external input data is tainted and, as the program executes, the taint is propagated dynamically.
Step S1201: determine whether the statement is at a read or recv system call. If so, go to step S1202; otherwise go to step S1203;
Step S1202: taint the memory holding the external input data, then go to step S1300;
Step S1203: according to the taint propagation rule, insert code into the VEX intermediate code that performs the taint propagation, then go to step S1300;
Step S1300: determine the type of this VEX statement further.
Fig. 7 is a schematic diagram of the concrete implementation flow of the memory-tainting instruction record code insertion part, whose essential task is to record, while the program runs, the memory write instructions that taint memory and the tainted memory addresses.
Step S1401: determine whether the source operand of the memory write statement Ist_Store is tainted. If so, go to step S1402; otherwise go to step S1500;
Step S1402: record the address W of the memory write statement Ist_Store together with the destination memory address M of that statement, as the pair (M, W), then go to step S1500;
Step S1500: insert code that checks whether the address operand of a memory access operation or unconditional jump operation is tainted.
Fig. 8 is a schematic diagram of the concrete implementation of backtracking to locate the program vulnerability automatically after the attack detection code has found a memory tampering attack. It comprises two sub-modules: the tampered memory address localization part 231 and the tampering instruction localization part 232.
Step S1601: run the instrumented program on the Valgrind platform, then go to step S1602;
Step S1602: determine whether the program run has finished. If so, go to step S1606; otherwise go to step S1603;
Step S1603: check whether the address operand of a memory access operation or unconditional jump operation is tainted. If so, go to step S1604; otherwise go to step S1601;
Step S1604: use the data dependences recorded by the data dependence record unit to backtrack and find the tampered memory address M', then go to step S1605;
Step S1605: use the M' found in step S1604 and the pairs (M, W) recorded in step S1402 to find the address W' of the write instruction that tampered with M', then go to step S1606;
Step S1606: the program run finishes.
In the present invention, operations such as "polluting" and "dyeing" have no standardised term in the domestic computer field at present; in the international computer field they are referred to as taint.
Tainting (dyeing): shadow memory is used to describe some state of a given variable, indicating whether the variable has been initialised, whether its value derives from some other variable, and so on; briefly, a mark is used to indicate some property of the variable. Shadow memory may use a bit or a byte to mark the property of a variable. The present invention uses four shadow bytes for each byte of memory.
Taint propagation: the taint of one variable (in practice, the variable's mark in shadow memory) is propagated to another variable that has a data dependence relation with it. The data dependence may be an assignment, an arithmetic operation, etc. For example, in the function f(a) the taint mark of variable a is tag1; in the statement b = a the taint of a is propagated to b, so the taint of b also becomes tag1. In general, the taint of the operands on the right-hand side is passed to the operand on the left-hand side.
Tainted (polluted): the value of a variable derives from external input data; the variable has then been tainted by external data.
Extract taint: extract the mark (taint) of a given variable.
int f(int a)        /* assume a comes from external input; its colour is tag1 */
{
    int b;
    b = 2 * a;      /* arithmetic operation: the colour of a propagates, so the colour of b is tag1 */
    return b;       /* the value of b derives from the external input a, so b is tainted */
}
The following program is a concrete example of attack detection using the present invention (line numbers are those referred to in the text):
......
4   int main(void)
5   {
6       char buf[10];
7       char *str = (char *)malloc(8 * sizeof(char));
8       int i = 0;
9
10      scanf("%s", buf);
11      ......
23      *(str + i * 2) = 'x';
24
25      return 0;
26  }
The example function main() contains a buffer overflow vulnerability.
At line 10 the scanf() function receives input from outside, but the size of the buf array is fixed at 10 bytes. When the user's input, together with its terminating NUL, exceeds 10 bytes, a buffer overflow occurs. As the stack layout on the right of Fig. 9 shows, the overflowing data may overwrite the pointer variable str, the integer variable i, the saved frame pointer ebp and the function return address. str and the return address are the usual targets of an attacker.
With the present invention this memory tampering can be detected. The detection proceeds as follows:
At line 23, when the pointer variable str is dereferenced, the value stored in str is used to compute the address of the memory finally accessed. If an overflow has occurred, the str variable carries the same "colour" as the external input, and through colour propagation the computed address value carries that colour too. At this point the attack-detection code finds that the address operand of the memory write is tainted, reports an error and starts the vulnerability localization. The localization module first uses the data dependences to find the polluted memory address M', namely the memory holding the str variable, and then searches the recorded (M, W) pairs for the write instruction W' that polluted M', namely the write inside the scanf() library function. Localization is complete.
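The detection and localization walkthrough above, replayed as an added example in C that is not part of the patent and does not use Valgrind or VEX: a toy machine with byte-granular shadow memory, temporaries that remember the memory address their colour came from (the data-dependence record), an (M, W) log of tainted writes, and a checked store that, when its address operand is tainted, recovers M' (the location of str) and W' (the scanf line). The stack layout (buf at 100, str at 110, i at 114), the heap address 200 and the use of source line numbers as instruction addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the main() above (assumptions, not from the patent):
 * buf[10] at 100, the 4-byte pointer str at 110, int i at 114, heap block at 200. */
enum { ADDR_BUF = 100, ADDR_STR = 110, ADDR_I = 114, HEAP_STR = 200 };
enum { LINE_SCANF = 10, LINE_STORE = 23 };   /* source lines stand in for instruction addresses */

#define MEM_SIZE 256
#define NTEMP 8

static uint8_t mem[MEM_SIZE];     /* program memory */
static uint8_t shadow[MEM_SIZE];  /* one taint bit per byte: 1 = derived from external input */

/* (M, W) log of step S1402: memory address M polluted by write instruction W */
static struct { int m, w; } mw_log[MEM_SIZE];
static int mw_count;

/* VEX-like temporaries: value, colour, and the memory address the colour came from */
static struct { uint32_t val; int tainted; int origin; } tmp[NTEMP];

struct verdict { int detected; int m_prime; int w_prime; };

static void reset(void)
{
    memset(mem, 0, sizeof mem); memset(shadow, 0, sizeof shadow);
    memset(tmp, 0, sizeof tmp); mw_count = 0;
}

static void log_mw(int m, int w) { mw_log[mw_count].m = m; mw_log[mw_count].w = w; mw_count++; }

/* Untainted 4-byte store, used to set up str and i before any input arrives. */
static void store4_clean(int addr, uint32_t v)
{
    for (int k = 0; k < 4; k++) mem[addr + k] = (uint8_t)(v >> (8 * k));
}

/* Step S1202: an input routine taints every byte it writes and logs (M, W) for each. */
static void input_bytes(int w, int dst, const uint8_t *data, int len)
{
    for (int k = 0; k < len; k++) { mem[dst + k] = data[k]; shadow[dst + k] = 1; log_mw(dst + k, w); }
}

/* Memory read into a temporary (S400/S700): colour propagates and the origin address is kept. */
static void load4(int t, int addr)
{
    tmp[t].val = 0; tmp[t].tainted = 0;
    for (int k = 0; k < 4; k++) {
        tmp[t].val |= (uint32_t)mem[addr + k] << (8 * k);
        tmp[t].tainted |= shadow[addr + k];
    }
    tmp[t].origin = tmp[t].tainted ? addr : -1;
}

static void const4(int t, uint32_t v) { tmp[t].val = v; tmp[t].tainted = 0; tmp[t].origin = -1; }

/* Arithmetic on temporaries (S800): the colour of either operand passes to the result. */
static void binop(int d, int a, int b, char op)
{
    tmp[d].val = (op == '+') ? tmp[a].val + tmp[b].val : tmp[a].val * tmp[b].val;
    tmp[d].tainted = tmp[a].tainted || tmp[b].tainted;
    tmp[d].origin = tmp[a].tainted ? tmp[a].origin : tmp[b].origin;
}

/* Memory write: S1401/S1402 log a tainted source; S1603 checks the address operand and,
 * on a hit, S1604/S1605 recover the tampered address M' and its latest writer W'. */
static struct verdict store_checked(int w, int addr_tmp, int src_tmp)
{
    struct verdict v = { 0, -1, -1 };
    if (tmp[addr_tmp].tainted) {
        v.detected = 1;
        v.m_prime = tmp[addr_tmp].origin;
        for (int k = mw_count - 1; k >= 0; k--)
            if (mw_log[k].m == v.m_prime) { v.w_prime = mw_log[k].w; break; }
        return v;                                   /* report, do not perform the store */
    }
    int addr = (int)(tmp[addr_tmp].val % MEM_SIZE);
    mem[addr] = (uint8_t)tmp[src_tmp].val;
    shadow[addr] = (uint8_t)tmp[src_tmp].tainted;
    if (tmp[src_tmp].tainted) log_mw(addr, w);
    return v;
}

/* Replays lines 10 and 23 of main() with an input of input_len 'A' characters (max 63). */
struct verdict run_scenario(int input_len)
{
    uint8_t data[64];
    reset();
    store4_clean(ADDR_STR, HEAP_STR);                 /* str = malloc(8)                */
    store4_clean(ADDR_I, 0);                          /* i = 0                          */
    memset(data, 'A', (size_t)input_len); data[input_len] = '\0';
    input_bytes(LINE_SCANF, ADDR_BUF, data, input_len + 1);  /* scanf("%s", buf), NUL included */
    load4(0, ADDR_STR);                               /* t0 = str                        */
    load4(1, ADDR_I);                                 /* t1 = i                          */
    const4(2, 2);                                     /* t2 = 2                          */
    binop(3, 1, 2, '*');                              /* t3 = i * 2                      */
    binop(4, 0, 3, '+');                              /* t4 = str + i * 2                */
    const4(5, 'x');                                   /* t5 = 'x'                        */
    return store_checked(LINE_STORE, 4, 5);           /* *t4 = t5                        */
}

int main(void)
{
    struct verdict v = run_scenario(12);   /* 12 chars + NUL overrun buf[10] into str */
    printf("detected=%d M'=%d W'=line %d\n", v.detected, v.m_prime, v.w_prime);
    return 0;
}
```

With twelve input characters the NUL-terminated string occupies bytes 100 to 112, so the low bytes of str are tainted, the computed store address inherits the colour, and the verdict names M' = 110 (str) and W' = line 10 (the scanf write). With nine characters the input fits in buf, str stays clean and the store to the heap block proceeds.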
The present invention detects memory-related vulnerabilities by the dynamic "dyeing" (taint) method and accurately locates the position of the vulnerability; if the vulnerable instruction lies inside a library function, the call site of the library function is located. Moreover, if the executable file contains debugging information, the vulnerable instruction can be mapped to the corresponding line of source code. Because tainting is used there is some loss of performance, but compared with other real-time vulnerability detection and localization methods the loss is smaller.
The present invention provides the idea and method of a system for detecting memory tampering attacks and locating vulnerabilities based on binaries; there are many ways to implement this technical solution in practice, and the above is only a preferred embodiment. It should be understood that those skilled in the art can make improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention. Each component not specified in this embodiment can be implemented with existing technology.

Claims (6)

1. A system for detecting memory tampering attacks and locating vulnerabilities based on binaries, characterized in that it comprises: a code conversion unit (20), a basic-block data dependence recording unit (21), a code insertion unit (22) and a vulnerability locating unit (23);
the code conversion unit (20) converts binary-level code into the Valgrind intermediate representation VEX;
the basic-block data dependence recording unit (21) records the dependences between data within a basic block and supplies data dependence information to the tampered memory address locating part of the vulnerability locating unit (23);
the code insertion unit (22) comprises a colour propagation code insertion portion (221), an attack detection code insertion portion (222) and a memory pollution instruction recording code insertion portion (223);
wherein the colour propagation code insertion portion (221) implements the dynamic taint analysis; the attack detection code insertion portion (222) detects anomalies in memory data; and the memory pollution instruction recording code insertion portion (223) records the write instructions that pollute memory;
the vulnerability locating unit (23) comprises a tampered memory address locating part (231) and a tampering instruction locating part (232);
wherein the tampered memory address locating part (231) uses the information recorded by the basic-block data dependence recording unit (21) to find the memory address tampered with by external input; and the tampering instruction locating part (232) uses the information recorded by the memory pollution instruction recording code insertion portion (223) to find the address of the write instruction that tampered with that memory, which completes the localization.
2. The system for detecting memory tampering attacks and locating vulnerabilities based on binaries according to claim 1, characterized in that the basic-block data dependence recording unit (21) performs the following steps:
Step S100: determine the statement type in the VEX intermediate code generated by Valgrind; if the statement is a temporary write statement, jump to step S200; if the statement is a register write statement, jump to step S300; otherwise, jump to step S1100;
Step S200: determine the source expression type of the temporary write statement; if the expression is a memory read operation, jump to step S400; if it is a register read operation, jump to step S500; otherwise, jump to step S800;
Step S300: determine the source expression type of the register write statement; if the expression is a temporary read operation, jump to step S600; otherwise, jump to step S1100;
Step S400: determine whether the source memory of the memory read expression is tainted; if so, jump to step S700; otherwise, jump to step S1100;
Step S500: determine whether the source register of the register read expression is tainted; if so, jump to step S900; otherwise, jump to step S1100;
Step S600: determine whether the source temporary of the temporary read expression is tainted; if so, jump to step S1000; otherwise, jump to step S1100;
Step S700: record the address of the memory polluted by external input together with the destination temporary; jump to step S1100;
Step S800: record the dependence between the source temporary and the destination temporary; jump to step S1100;
Step S900: find, through the recorded dependences, the memory address that polluted the source register, and record that memory address together with the destination temporary; jump to step S1100;
Step S1000: find, through the recorded dependences, the memory address that polluted the source temporary, and record that memory address together with the destination register; jump to step S1100;
Step S1100: perform code insertion on the VEX intermediate code.
3. The system for detecting memory tampering attacks and locating vulnerabilities based on binaries according to claim 2, characterized in that step S1100 is performed by the code insertion unit (22) and comprises the following steps:
Step S1200: insert the colour propagation code that performs dynamic tainting;
Step S1300: determine the type of the VEX statement; if it is a memory write statement, jump to step S1400; if the statement contains a memory read operation or is an unconditional jump operation, jump to step S1500; otherwise, jump to step S1600;
Step S1400: insert code that records the write instruction polluting the memory data; then jump to step S1500;
Step S1500: insert code that detects whether the address expression of the memory access operation or unconditional jump operation is tainted, which is used to detect memory tampering; jump to step S1600;
Step S1600: detect the anomaly and locate the vulnerability.
4. The system for detecting memory tampering attacks and locating vulnerabilities based on binaries according to claim 3, characterized in that step S1200 is performed by the colour propagation code insertion portion (221) and comprises the following steps:
Step S1201: determine whether the statement is at a read or recv system call; if so, jump to step S1202; otherwise, jump to step S1203;
Step S1202: taint the memory that holds the externally input data; jump to step S1300;
Step S1203: insert code on the VEX intermediate code that performs colour propagation according to the colour propagation rules; jump to step S1300;
Step S1300: determine the type of the VEX statement.
5. The system for detecting memory tampering attacks and locating vulnerabilities based on binaries according to claim 3, characterized in that step S1400 is performed by the memory pollution instruction recording code insertion portion (223) and comprises the following steps:
Step S1401: determine whether the source operand of the memory write statement is tainted; if so, jump to step S1402; otherwise, jump to step S1500;
Step S1402: record the address W of the memory write statement and the destination memory address M of that write statement, denoted (M, W); jump to step S1500;
Step S1500: insert code that detects whether the address operand of the memory access operation or unconditional jump operation is tainted.
6. The system for detecting memory tampering attacks and locating vulnerabilities based on binaries according to claim 3, characterized in that step S1600 is performed by the vulnerability locating unit (23) and comprises the following steps:
Step S1601: run the program into which code has been inserted on the Valgrind platform; jump to step S1602;
Step S1602: determine whether the program run has finished; if so, jump to step S1606; otherwise, jump to step S1603;
Step S1603: the code inserted by the attack detection code insertion portion (222) detects whether the address operand of a memory access operation or an unconditional jump operation is tainted; if so, jump to step S1604; otherwise, jump to step S1601;
Step S1604: use the data dependences recorded by the data dependence recording unit (21) to trace back and find the tampered memory address M'; jump to step S1605;
Step S1605: use the tampered memory address M' found in step S1604 and the (M, W) information recorded in step S1402 to find the address W' of the write instruction that tampered with M'; jump to step S1606;
Step S1606: the program run ends.
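The decision tree of claim 2 (steps S100 to S1100), written out as an added example in C that is not the patent's or Valgrind's code: a toy VEX-like statement type, a classifier that records a dependence at step S700, S800, S900 or S1000 (or records nothing and returns 1100), and a constructed seven-statement block in which a dword polluted at 0x1000 flows through guest register eax into a temporary, while a clean dword flows into ebx. The statement encoding, register numbering and addresses are assumptions; real VEX IRStmt/IRExpr types are considerably richer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTMP 16
#define NREG 8
#define NMEM 0x2000

/* Toy VEX: a statement writes a temporary (WrTmp) or a guest register (Put); its source
 * is a memory load, a register read, a temporary read, a binary operation or a constant. */
enum expr_kind { E_LOAD, E_GET, E_RDTMP, E_BINOP, E_CONST };
enum stmt_kind { S_WRTMP, S_PUT };
struct expr { enum expr_kind kind; int a, b; };  /* LOAD: a=addr; GET: a=reg; RDTMP: a=tmp; BINOP: a,b=tmps */
struct stmt { enum stmt_kind kind; int dst; struct expr src; };

static uint8_t shadow[NMEM];                    /* 1 = byte polluted by external input */
static int reg_tainted[NREG], reg_origin[NREG]; /* origin: polluting memory address or -1 */
static int tmp_tainted[NTMP], tmp_origin[NTMP];

static void reset_state(void)
{
    memset(shadow, 0, sizeof shadow);
    for (int r = 0; r < NREG; r++) { reg_tainted[r] = 0; reg_origin[r] = -1; }
    for (int t = 0; t < NTMP; t++) { tmp_tainted[t] = 0; tmp_origin[t] = -1; }
}

/* A 32-bit load is tainted if any of its four bytes is. */
static int mem_tainted4(int addr)
{
    return shadow[addr] | shadow[addr + 1] | shadow[addr + 2] | shadow[addr + 3];
}

/* Claim 2 decision tree for one statement. Returns the step at which a record was made
 * (700, 800, 900 or 1000); 1100 means the statement went straight to code insertion. */
int record_dependence(const struct stmt *s)
{
    int d = s->dst;
    if (s->kind == S_WRTMP) {                                   /* S100 -> S200 */
        switch (s->src.kind) {
        case E_LOAD: {                                          /* S400 */
            int t = mem_tainted4(s->src.a);
            tmp_tainted[d] = t; tmp_origin[d] = t ? s->src.a : -1;      /* S700 */
            return t ? 700 : 1100;
        }
        case E_GET: {                                           /* S500 */
            int t = reg_tainted[s->src.a];
            tmp_tainted[d] = t; tmp_origin[d] = t ? reg_origin[s->src.a] : -1;  /* S900 */
            return t ? 900 : 1100;
        }
        default: {                                              /* S800: temp-to-temp dependence */
            int ta = s->src.kind != E_CONST && tmp_tainted[s->src.a];
            int tb = s->src.kind == E_BINOP && tmp_tainted[s->src.b];
            tmp_tainted[d] = ta || tb;
            tmp_origin[d] = ta ? tmp_origin[s->src.a] : tb ? tmp_origin[s->src.b] : -1;
            return 800;
        }
        }
    }
    if (s->src.kind == E_RDTMP) {                               /* S300 -> S600 */
        int t = tmp_tainted[s->src.a];
        reg_tainted[d] = t; reg_origin[d] = t ? tmp_origin[s->src.a] : -1;     /* S1000 */
        return t ? 1000 : 1100;
    }
    return 1100;                                                /* S300 -> S1100 */
}

/* Constructed sample block (not from the patent): the dword at 0x1000 was filled by read(). */
static const struct stmt sample_block[7] = {
    { S_WRTMP, 0, { E_LOAD,  0x1000, 0 } },   /* t0 = LDle:I32(0x1000) */
    { S_PUT,   0, { E_RDTMP, 0,      0 } },   /* PUT(eax) = t0         */
    { S_WRTMP, 1, { E_GET,   0,      0 } },   /* t1 = GET:I32(eax)     */
    { S_WRTMP, 2, { E_CONST, -1,     0 } },   /* t2 = 0x8:I32          */
    { S_WRTMP, 3, { E_BINOP, 1,      2 } },   /* t3 = Add32(t1, t2)    */
    { S_WRTMP, 4, { E_LOAD,  0x1800, 0 } },   /* t4 = LDle:I32(0x1800) */
    { S_PUT,   1, { E_RDTMP, 4,      0 } },   /* PUT(ebx) = t4         */
};
static int sample_steps[7];

/* Runs the sample block; returns the polluted memory address traced back from t3 (as in S1604). */
int sample_origin(void)
{
    reset_state();
    for (int k = 0; k < 4; k++) shadow[0x1000 + k] = 1;
    for (int k = 0; k < 7; k++) sample_steps[k] = record_dependence(&sample_block[k]);
    return tmp_origin[3];
}

/* Step at which the k-th statement of the sample block made its record. */
int sample_step(int k) { sample_origin(); return sample_steps[k]; }

int main(void)
{
    printf("t3 traces back to memory 0x%x\n", sample_origin());
    for (int k = 0; k < 7; k++) printf("stmt %d -> S%d\n", k, sample_step(k));
    return 0;
}
```

The register round trip is the part worth noticing: the Put at statement 1 records the polluting address against eax (S1000), so the later Get (S900) can hand t1 a memory origin even though no load is involved, and the addition at statement 4 carries that origin into t3 without any taint record of its own beyond the temp-to-temp dependence of S800.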

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101815776A CN101615238B (en) 2009-07-28 2009-07-28 Binary-based system for detecting memory modifying attack and positioning bug

Publications (2)

Publication Number Publication Date
CN101615238A true CN101615238A (en) 2009-12-30
CN101615238B CN101615238B (en) 2011-06-01

Family

ID=41494871

Country Status (1)

Country Link
CN (1) CN101615238B (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388055B (en) * 2008-10-22 2010-12-22 南京大学 Program operation characteristic extracting method for detecting vulnerability model

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034045A (en) * 2010-12-15 2011-04-27 上海交通大学 Software bug detection system with low computer system resource expense
CN102034045B (en) * 2010-12-15 2012-11-28 上海交通大学 Software bug detection system with low computer system resource expense
CN104021073A (en) * 2014-05-06 2014-09-03 南京大学 Software vulnerability detection method based on pointer analysis
CN104021073B (en) * 2014-05-06 2017-02-01 南京大学 Software vulnerability detection method based on pointer analysis
CN108062474A (en) * 2016-11-08 2018-05-22 阿里巴巴集团控股有限公司 The detection method and device of file
CN108062474B (en) * 2016-11-08 2022-01-11 阿里巴巴集团控股有限公司 File detection method and device
CN106991324A (en) * 2017-03-30 2017-07-28 兴华永恒(北京)科技有限责任公司 It is a kind of that the malicious code Tracking Recognition method that type is monitored is protected based on internal memory
CN106991324B (en) * 2017-03-30 2020-02-14 兴华永恒(北京)科技有限责任公司 Malicious code tracking and identifying method based on memory protection type monitoring
CN110661804A (en) * 2019-09-29 2020-01-07 南京邮电大学 Stain analysis vulnerability detection method for firewall
CN112988563A (en) * 2019-12-18 2021-06-18 中国电信股份有限公司 Stain dynamic analysis method and device
CN115694982A (en) * 2022-10-30 2023-02-03 济南三泽信息安全测评有限公司 Network attack and defense virtual simulation system
CN115694982B (en) * 2022-10-30 2023-09-05 济南三泽信息安全测评有限公司 Network attack and defense virtual simulation system

Also Published As

Publication number Publication date
CN101615238B (en) 2011-06-01

Similar Documents

Publication Publication Date Title
CN101615238B (en) Binary-based system for detecting memory modifying attack and positioning bug
US9274923B2 (en) System and method for stack crawl testing and caching
CN103778061B (en) Automatically detection and the bearing calibration of Array Bound mistake
JP4204768B2 (en) Methods and systems to support user-specific instrumentation
US7895473B2 (en) Method and apparatus for identifying access states for variables
US20060020946A1 (en) Method and apparatus for data-aware hardware arithmetic
CN101587455B (en) Method for checking memory leak for vxWorks operating system
US7386690B2 (en) Method and apparatus for hardware awareness of data types
CN104156311B (en) A kind of embedded type C language target code level unit test method based on CPU emulator
Artho et al. JNuke: Efficient dynamic analysis for Java
CN111736846B (en) Dynamic analysis-oriented source code instrumentation improvement method
US7328374B2 (en) Method and apparatus for implementing assertions in hardware
Huang et al. Safecheck: Safety enhancement of Java unsafe API
CN101551773B (en) Binary vulnerability detection location device for symbol error and assignment truncation
De Goër et al. Now you see me: Real-time dynamic function call detection
Jianming et al. PVDF: An automatic patch-based vulnerability description and fuzzing method
Wang et al. Cascade 2.0
Gao et al. A comprehensive detection of memory corruption vulnerabilities for C/C++ programs
CN114153451A (en) Method for analyzing memory security in C code by using data flow analysis algorithm
Romano et al. symMMU: Symbolically executed runtime libraries for symbolic memory access
Matoussi et al. Loop aware ir-level annotation framework for performance estimation in native simulation
CN101539976A (en) Real-time detection system of binary program memory decay attack
CN101452379A (en) Internal memory space analyzing method and device and check point reserving method and device
CN117555811B (en) Embedded software analysis method, device and storage medium based on static symbol execution
US20220164446A1 (en) Process wrapping method for evading anti-analysis of native codes, recording medium and device for performing the method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110601

Termination date: 20140728

EXPY Termination of patent right or utility model