CN102622558A - Excavating device and excavating method of binary system program loopholes - Google Patents


Info

Publication number: CN102622558A
Authority: CN (China)
Prior art keywords: tested; binary program; input file; module; genetic algorithm
Legal status: Granted
Application number: CN2012100516425A
Other languages: Chinese (zh)
Other versions: CN102622558B (en)
Inventors: 崔宝江, 梁晓兵
Current assignee: Beijing University of Posts and Telecommunications
Original assignee: Beijing University of Posts and Telecommunications
Events: application filed by Beijing University of Posts and Telecommunications; priority to CN201210051642.5A; publication of CN102622558A; application granted; publication of CN102622558B; current legal status: Expired - Fee Related

Landscapes

  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

Provided are a vulnerability mining device and a vulnerability mining method for binary programs. The device comprises a static analysis module, a debugger module, a genetic algorithm module, a test input generation module and an exception monitoring module, connected in sequence, together with a dynamic taint tracking module located between the debugger module and the genetic algorithm module. The device uses the fitness function of the genetic algorithm to guide the generation of test cases; a multi-objective fitness function is designed, and each test case is evaluated quantitatively. Dynamic taint tracking identifies the key bytes in the input files, which narrows the search space of the genetic algorithm. By combining the advantages of the genetic algorithm and dynamic taint tracking to guide test case generation, the generated test cases are strongly targeted, the test data are produced with high accuracy and efficiency, qualitative analysis and quantitative calculation are combined, and the path explosion that affects binary program testing based on symbolic execution and constraint solving is avoided.

Description

Vulnerability mining device and method for binary programs
Technical field
The present invention relates to software security technology and, specifically, to a device and method for mining vulnerabilities in binary programs that combine a genetic algorithm with dynamic taint tracking; it belongs to the technical field of security vulnerability detection in binary programs.
Background technology
At present, security analysis of binary programs is common in the software security research field, and a major problem in that process is how to quickly generate targeted test cases that trigger the security vulnerabilities a binary program may contain. The method generally adopted in industry today is fuzz testing (Fuzz Testing, also called random black-box brute-force testing). Fuzz testing produces test data automatically, its results are accurate and it is widely applicable; but the path coverage of the generated test input files is low, many of the generated test cases exercise the same path, and the generation of test input files lacks guidance, so efficiency is low. There is no association between a test input file and the program exception it causes, the dependence on manual work is high, and the uncertainty in the process is considerable.
Current techniques for mining or detecting vulnerabilities in binary programs fall into two types, static and dynamic. A dynamic method first mutates an input file of the binary program, then loads that input file and, by monitoring the execution of the binary program under test, detects whether the input file causes it to crash. Dynamic methods are mostly based on symbolic execution and constraint solving, so the efficiency of vulnerability detection in binary programs depends on the precision of symbolic execution and on the solving ability of the constraint solver. If the binary program under test contains complex conditional branches and deeply nested loops, the execution paths induced by an input file can be very long. To avoid the high computational cost of symbolic execution and constraint solving, vulnerability mining techniques based on them usually traverse the branches inside a loop only once, or set a fixed number of loop unrollings (usually only one). This blind truncation of loops, done to save computation, is likely to miss some important paths, and it is precisely on those paths that potential security vulnerabilities are likely to lie.
Static methods do not run the binary program under test, so they cannot obtain information about its run-time behaviour, and most static analysis methods for binary programs therefore have a high false positive rate: Splint has a false positive rate of nearly 50%, and Flawfinder and RATS also have high false positive rates.
As software grows in size, the number of conditional branches and loops inevitably rises. The complex conditional branches and deeply nested loops in binary programs cause a serious path explosion problem. Moreover, the input space of a program is very large, while the part of it that a malicious user can control can be very small. All of these factors increase the difficulty of vulnerability mining in binary programs.
In summary, the mainstream static and dynamic analysis techniques currently have the following problems:
(1) Dynamic vulnerability mining techniques for binary programs based on symbolic execution and constraint solving face a high computational cost.
(2) Those techniques are incomplete when collecting the constraint conditions of a binary program's execution paths, and current constraint solvers have difficulty obtaining exact solutions for complex non-linear constraints.
(3) Those techniques usually truncate loops blindly, and so easily miss program paths that may contain vulnerabilities.
(4) Test cases generated automatically by Fuzzing-based dynamic testing are blind: most of the generated test cases exercise the same path, there is no guidance, and the efficiency of triggering the potential security vulnerabilities in a binary program is low.
(5) Static analysis is more efficient, and its analysis is path-sensitive, but in theory it has high false negative and false positive rates and has difficulty locating vulnerabilities precisely. Moreover, static analysis mostly has to be performed on source code, while static symbolic execution of binary programs is more complicated and computationally expensive.
Therefore, how to combine the advantages of static and dynamic analysis, achieve automated vulnerability mining of binary programs and improve the mining efficiency has become an important research topic in the software security field.
Summary of the invention
In view of this, the purpose of the invention is to provide a device and method for mining vulnerabilities in binary programs that combine a genetic algorithm with dynamic taint tracking. The invention uses the fitness function of the genetic algorithm to guide the generation of test cases and, at the same time, uses the dynamic taint tracking module to narrow the search space of the genetic algorithm and accelerate its convergence, thereby improving the efficiency and accuracy of vulnerability mining in binary programs.
To achieve the above object, the invention provides a vulnerability mining device for binary programs that combines a genetic algorithm with dynamic taint tracking, characterised in that the device is provided with a static analysis module, a debugger module, a genetic algorithm module, a test input generation module and an exception monitoring module, connected in sequence, and a dynamic taint tracking module between the debugger module and the genetic algorithm module; wherein:
Static analysis module: developed on top of the interactive disassembler IDAPro (Interactive Disassembler Professional), it extracts the control flow structure of the binary program under test, the start addresses of its basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information. That is, the module obtains the start address of each basic block and the jump relations between basic blocks by analysing the jump instructions in the binary program, and then obtains the call addresses of the dangerous functions using the built-in functions provided by IDAPro.
Debugger module: the basic platform of the device, used to monitor the execution of the binary program under test and record related information. According to the configuration information provided by the static analysis module, it identifies and intercepts the low-level Windows API (Application Programming Interface) functions to obtain the position at which the binary program under test opens the input file, and records the basic blocks executed by the binary program under test for that input file, the corresponding execution trace and the number of times dangerous functions are executed; it reads the data in the registers and on the stack of the binary program, and calculates and updates the values of register variables and memory variables; and it implements setting breakpoints at given memory addresses of the binary program under test. The debugger module then passes the information obtained from these calculations to the genetic algorithm module, where it is used to calculate the fitness function value of the input file.
Dynamic taint tracking module: implements fine-grained, byte-level dynamic taint tracking, identifies the key bytes in the input file of the binary program under test, and makes these key bytes the crossover and mutation space of the genetic algorithm module so as to speed up the convergence of the genetic algorithm. The module assigns a unique label to each byte of the input data of the binary program under test and then tracks the propagation of that label through the binary program; when tracking the propagation of the input data it considers both the data dependence between data items and the control dependence between different variables. At the same time it identifies the key bytes in the input file and provides the key-byte information to the genetic algorithm module as its crossover and mutation space.
Genetic algorithm module: from the basic blocks of the binary program under test covered by each input file, the corresponding execution trace and the number of executions of dangerous functions, all provided by the debugger module, together with the key bytes identified by the dynamic taint tracking module, it calculates for each input file the basic block coverage of the binary program under test, the minimum execution path information and the number of executions of dangerous functions, then calculates the fitness function value of each input file and passes it to the test input generation module for generating new input files for the next round of testing. A higher fitness function value for an input file means that it may cause the binary program under test to cover more basic blocks, to follow a "rare path", or to execute dangerous functions more times; when all three of these values are high, the input file is very likely to trigger a potential security vulnerability in the binary program under test.
Test input generation module: sorts the input files of the binary program under test by the fitness function values received from the genetic algorithm module, then, according to the scale set by the user, selects the input files with high fitness values and sends them to the debugger module for the next round of testing, since input files with high fitness values trigger the potential security vulnerabilities of the binary program under test more easily.
Exception monitoring module: monitors the execution of the binary program under test for each input file; if an exception occurs, it records the input file that caused the exception, together with the position of the exception in the binary program under test, the exception type and the context in which the exception appeared.
The dangerous functions include memory allocation, memory copying, string functions and functions that take format parameters. A key byte is a byte of the input file that taints a parameter value of a dangerous function in the binary program under test; it is also called a key byte of the input file corresponding to that binary program.
The fitness function in the genetic algorithm module is computed as
$\mathrm{Fitness}(x) = w_1 \cdot bbc_x + w_2 \cdot lcov_x + w_3 \cdot rIndex \cdot \log(D_x)$,
where the variable $x$ is an input file, and $bbc_x$, $lcov_x$ and $D_x$ are respectively the basic block coverage, the minimum execution path information and the number of executions of dangerous functions of the binary program under test for input file $x$. $bbc_x$ drives the genetic algorithm module to generate new input files that cover more basic blocks of the binary program under test; $lcov_x$ drives it to generate new input files whose execution paths differ as much as possible, so that path coverage is maximised; $D_x$ drives it to generate new input files that execute dangerous functions more times. $w_1$, $w_2$ and $w_3$ are the weights of the three factors $bbc_x$, $lcov_x$ and $D_x$, each in the range [0,1], and $rIndex$ is an adjustment coefficient in the range [0,1].
The objects of the crossover and mutation operations carried out by the genetic algorithm module are the key bytes in the input file of the binary program under test, not the whole input file, so as to narrow the crossover and mutation space of the genetic algorithm, speed up its convergence and thus improve the efficiency of vulnerability mining in binary programs.
To achieve the above object, the invention also provides a detection method that uses the vulnerability mining device for binary programs combining a genetic algorithm with dynamic taint tracking, characterised in that the method merges the advantages of static analysis and dynamic analysis, so that only the program code of interest needs to be examined in subsequent analysis; the method comprises the following steps:
(1) According to the type of the binary program under test, the user prepares a standard test file in advance and randomly modifies some of its bytes to generate input files, the scale of which is controlled by the user;
(2) The static analysis module performs static analysis on the binary program under test to obtain the start addresses of its basic blocks, the jump information between basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information;
(3) The debugger module calculates, from the configuration information of the static analysis module, the basic block coverage, the minimum execution path information and the number of executions of dangerous functions of the binary program under test for each input file;
(4) To narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the input file of the binary program under test, writes these key bytes into an array according to each key byte's offset from the head of the input file, and delivers the array to the genetic algorithm module, which performs crossover and mutation on the array; the array after crossover and mutation is then written back into the input file according to each byte's offset from the head of the input file, yielding the new input file to be tested that the crossover and mutation of the genetic algorithm generate. This narrows the search space of the genetic algorithm, accelerates its convergence and improves the efficiency of vulnerability mining in binary programs;
(5) The genetic algorithm module calculates the fitness function value of each input file from the basic block coverage, the minimum execution path information and the number of executions of dangerous functions obtained from the debugger module, and from the key bytes identified by dynamic taint tracking, so that the fitness function guides the generation of input files to be tested and the blindness of dynamic testing methods in generating test files is avoided;
(6) The test input generation module sorts the input files by their fitness function values and, according to the scale set by the user, selects the input files with high fitness values and sends them to the debugger module for the next round of testing;
(7) After the exception monitoring module loads the binary program under test and the input files from step (6), it monitors the execution of the binary program under test after it opens each input file; if an exception occurs, it records the input file that caused the exception, together with the position of the exception in the binary program under test, the exception type and the context of the exception.
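The following is an added example, not code from the patent or its inventors, of one round of the genetic algorithm module and test input generation module described above and in steps (4) to (6): fitness is computed with the patent's formula, the best inputs are selected, and crossover and mutation touch only the key bytes that were copied into an array by their offsets from the file head. The corpus, the per-input metrics (standing in for the debugger module), the key-byte offsets (standing in for the taint tracking module), the weights, rIndex and the scale are all constructed values, and log(D_x) is taken as 0 when D_x is 0, which is this example's own assumption since the patent does not say.

```python
import math
import random
from dataclasses import dataclass

# Constructed corpus: 16-byte files whose bytes 4..7 act as a length field.
KEY_OFFSETS = [4, 5, 6, 7]   # constructed: assume the taint module reported that
                             # only the length field reaches a dangerous function
POPULATION = {
    "seed_a": b"RIFF" + b"\x10\x00\x00\x00" + b"AAAAAAAA",
    "seed_b": b"RIFF" + b"\x20\x00\x00\x00" + b"BBBBBBBB",
    "seed_c": b"RIFF" + b"\x08\x00\x00\x00" + b"CCCCCCCC",
    "seed_d": b"RIFF" + b"\xff\xff\x00\x00" + b"DDDDDDDD",
}

@dataclass
class Metrics:
    bbc: float    # basic block coverage for this input (from the debugger module)
    lcov: float   # minimum execution path information: rarity of the path taken
    dcount: int   # number of executions of dangerous functions, D_x

# Constructed metrics standing in for what the debugger module would report.
METRICS = {
    "seed_a": Metrics(0.30, 0.20, 0),
    "seed_b": Metrics(0.50, 0.60, 8),
    "seed_c": Metrics(0.45, 0.10, 1),
    "seed_d": Metrics(0.20, 0.80, 3),
}

def fitness(m, w1=0.4, w2=0.4, w3=0.2, r_index=0.5):
    """Fitness(x) = w1*bbc_x + w2*lcov_x + w3*rIndex*log(D_x); weights in [0,1].
    Assumption: log(D_x) counts as 0 when D_x = 0 (the patent does not say),
    so an input that never reaches a dangerous function gains nothing there."""
    log_d = math.log(m.dcount) if m.dcount > 0 else 0.0
    return w1 * m.bbc + w2 * m.lcov + w3 * r_index * log_d

def select_inputs(metrics, scale):
    """Test input generation module: rank by fitness, keep the `scale` best."""
    ranked = sorted(metrics, key=lambda name: fitness(metrics[name]), reverse=True)
    return ranked[:scale]

def extract_key_bytes(data, offsets):
    """Step (4): copy the key bytes, in offset order, into an array."""
    return bytearray(data[o] for o in offsets)

def write_back(data, offsets, key_array):
    """Step (4): put the crossed-over and mutated array back at the same offsets."""
    out = bytearray(data)
    for off, value in zip(offsets, key_array):
        out[off] = value
    return bytes(out)

def crossover(a, b, point):
    """One-point crossover over the key-byte arrays only."""
    return a[:point] + b[point:], b[:point] + a[point:]

def mutate(key_array, rng, rate=0.5):
    """Mutate key bytes only; bytes outside the array are never touched."""
    out = bytearray(key_array)
    for i in range(len(out)):
        if rng.random() < rate:
            out[i] = rng.randrange(256)
    return out

def differs_only_at_key_bytes(parent, child, offsets):
    """The property the patent relies on: every non-key byte is carried over."""
    return len(parent) == len(child) and all(
        parent[i] == child[i] for i in range(len(parent)) if i not in offsets)

def next_generation(population, metrics, offsets, scale, rng=None):
    """One GA round: select parents by fitness, then crossover and mutate only
    the key bytes. Returns (parent_name, child_bytes) pairs for the next round."""
    rng = rng or random.Random(0)
    parents = select_inputs(metrics, scale)
    children = []
    for i in range(0, len(parents) - 1, 2):
        pa, pb = parents[i], parents[i + 1]
        ka = extract_key_bytes(population[pa], offsets)
        kb = extract_key_bytes(population[pb], offsets)
        ca, cb = crossover(ka, kb, len(offsets) // 2)
        children.append((pa, write_back(population[pa], offsets, mutate(ca, rng))))
        children.append((pb, write_back(population[pb], offsets, mutate(cb, rng))))
    return children

if __name__ == "__main__":
    for name in select_inputs(METRICS, len(METRICS)):
        print(f"{name}: fitness = {fitness(METRICS[name]):.4f}")
    for parent, child in next_generation(POPULATION, METRICS, KEY_OFFSETS, 2):
        print(f"{parent} -> {child.hex()}")
```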
In step (4), the dynamic taint tracking module first performs an initialisation consisting of:
(41) initialising the binary program under test: a thread synchronisation lock is used so that, when a thread accesses a resource, no other thread accesses that resource at the same time, and so that reads and writes are synchronised during taint tracking;
(42) registering system callback functions: the hook mechanism of Pin, a tool capable of dynamic binary instrumentation, is used to capture and filter the input parameters and return values of the system API functions related to the input file, which implements input monitoring for the dynamic initialisation of the binary program under test;
(43) traversing the export table of the binary program under test and of the dynamic link libraries it loads and, following custom "dangerous function auxiliary rules", inserting monitoring code at the entry and exit of each dangerous function called by the binary program under test.
In step (4), after the initialisation is complete, the dynamic taint tracking module operates as follows: it uses the routine instrumentation capability of Pin to hook the Windows system functions, and extracts from them the memory locations and the number of bytes read into memory, which form the taint sources of the binary program under test; it then reads instructions in units of basic blocks, starting from the entry address of the binary program under test. When it detects that the binary program under test opens the input file, dynamic taint tracking begins: each time a new instruction block is loaded, it first checks whether the binary program under test has dynamically loaded a new dynamic link library; if so, it traverses the export table of the new library, hooks the dangerous functions and inserts monitoring code, which ensures the timeliness of dynamic tracking and avoids the limitation that static analysis can only target a single input file; if not, it continues loading new instruction blocks and performing the corresponding operations.
Because the operands in the x86 instruction format are all 32-bit, the monitoring target of the dynamic taint tracking module is a 32-bit operating system. To prevent the tainted data from spreading during practical tests and seriously affecting the accuracy of the dynamic taint tracking module, the granularity of taint tracking is set to the byte level, that is, every 8 bits form one taint unit, and each flag register is defined separately according to its actual function.
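As an added example (not the patent's code and not Pin's), the byte-level taint propagation that the dynamic taint tracking module performs, run over a constructed instruction trace rather than a Pin-instrumented process: each input byte receives its own label, labels flow through loads, moves and arithmetic (data dependence) and through the conditions of tainted branches (control dependence), and the input bytes that reach a dangerous function's parameters are reported as key bytes. The trace format, the register and memory model and the set of dangerous functions are assumptions of this example.

```python
# Constructed subset of the patent's dangerous-function classes (memory
# allocation, memory copying, string and format functions).
DANGEROUS = {"malloc", "memcpy", "strcpy", "sprintf"}

class ByteTaintTracker:
    """Byte-level taint propagation over a constructed instruction trace.
    Registers are 32-bit and modelled as four taint sets (one per byte);
    memory is a dict address -> taint set; a label is the offset of an input
    byte, so every input byte carries its own unique tag as the patent says."""

    def __init__(self):
        self.reg = {}        # register -> [set, set, set, set]
        self.mem = {}        # address -> set of labels
        self.scope = []      # stack of taint sets of enclosing tainted branches
        self.key_bytes = {}  # dangerous function -> offsets reaching its parameters

    def _ctl(self):
        """Control dependence: union of the branch conditions currently in force."""
        return set().union(*self.scope)

    def _reg(self, r):
        return self.reg.setdefault(r, [set(), set(), set(), set()])

    def _set_reg(self, r, byte_sets):
        ctl = self._ctl()    # a write inside a tainted branch inherits its taint
        self.reg[r] = [set(b) | ctl for b in byte_sets]

    def step(self, ins):
        op, args = ins[0], ins[1:]
        if op == "read_file":      # taint source: n input bytes land in memory
            dst, off, n = args
            for i in range(n):
                self.mem[dst + i] = {off + i}
        elif op == "load":         # 32-bit load, one taint set per byte
            r, addr = args
            self._set_reg(r, [self.mem.get(addr + i, set()) for i in range(4)])
        elif op == "movzx":        # zero-extended byte load: upper bytes clean
            r, addr = args
            self._set_reg(r, [self.mem.get(addr, set()), set(), set(), set()])
        elif op == "mov":
            dst, src = args
            self._set_reg(dst, self._reg(src))
        elif op == "mov_imm":      # constant: no data taint, control taint only
            self._set_reg(args[0], [set()] * 4)
        elif op == "add":          # byte-wise union of both operands' labels
            dst, src = args
            self._set_reg(dst, [a | b for a, b in zip(self._reg(dst), self._reg(src))])
        elif op == "jcc":          # conditional branch: open a control scope
            self.scope.append(set().union(*self._reg(args[0])))
        elif op == "join":         # branch paths re-converge: close the scope
            self.scope.pop()
        elif op == "call":
            fn, regs = args
            if fn in DANGEROUS:    # parameters tainted by input bytes => key bytes
                labels = self._ctl()
                for r in regs:
                    labels |= set().union(*self._reg(r))
                self.key_bytes.setdefault(fn, set()).update(labels)
        else:
            raise ValueError(f"unknown op {op}")
        return self

    def run(self, trace):
        for ins in trace:
            self.step(ins)
        return self

def all_key_bytes(tracker):
    """Offsets of every input byte that taints a dangerous-function parameter."""
    return sorted(set().union(*tracker.key_bytes.values()))

# Constructed trace, not a real program: a 16-byte file is read to 0x1000;
# bytes 4..7 are a length field and byte 0 a format tag.
TRACE = [
    ("read_file", 0x1000, 0, 16),
    ("load", "eax", 0x1004),                   # eax = length (bytes 4..7)
    ("jcc", "eax"),                            # if (length <= LIMIT) {
    ("mov", "ecx", "eax"),                     #   size argument
    ("mov_imm", "esi"),                        #   esi = &payload
    ("mov_imm", "edi"),                        #   edi = &buffer
    ("call", "memcpy", ["edi", "esi", "ecx"]),
    ("join",),                                 # }
    ("movzx", "ebx", 0x1000),                  # ebx = tag (byte 0)
    ("jcc", "ebx"),                            # if (tag == 'R') {
    ("mov_imm", "edx"),                        #   edx = 64, control-dependent on byte 0
    ("join",),                                 # }
    ("call", "malloc", ["edx"]),
]

if __name__ == "__main__":
    tracker = ByteTaintTracker().run(TRACE)
    for fn, offsets in sorted(tracker.key_bytes.items()):
        print(f"{fn}: key bytes {sorted(offsets)}")
```

The byte-0 result for malloc comes only from control dependence, which is why the patent tracks it alongside data dependence; a pure data-flow tracker would miss that key byte.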
Compared with the prior art, the innovative advantages of the invention are:
The invention uses the fitness function of the genetic algorithm to guide the generation of test input files; in constructing the fitness function it takes into account the basic block coverage, the minimum execution path information and the number of executions of dangerous functions of the binary program under test. Guiding the generation of test input files with the fitness function avoids the blindness of conventional dynamic testing techniques in generating test input files.
The invention takes the minimum execution path information of the binary program under test into account when constructing the fitness function, so that each generated test input file executes a different path as far as possible and the paths covered by the test input files are maximised.
The invention uses dynamic taint tracking to identify the key bytes in the input file of the binary program under test and uses them as the crossover and mutation space of the genetic algorithm, narrowing the operating space of the genetic algorithm, accelerating the generation of targeted test input files and improving the efficiency of vulnerability mining in binary programs.
The invention merges the advantages of static and dynamic analysis of binary programs: it mainly adopts a dynamic method to generate test input files, while using static analysis to extract the relevant information about the binary program under test; the genetic algorithm module uses this information to calculate the fitness function value of each test input file, and the fitness values then guide the generation of test input files, avoiding blind generation. The generated test input files are therefore strongly targeted and can quickly trigger the potential vulnerabilities in the binary program under test, so the invention has good prospects for popularisation and application.
Description of drawings
Fig. 1 is a block diagram of the structure and operating process of the binary program vulnerability mining device of the invention, which combines a genetic algorithm with dynamic taint tracking.
Fig. 2 is a schematic diagram of the operation of the genetic algorithm module of the device on the identified key bytes.
Fig. 3 is a schematic diagram of the crossover and mutation operations of the genetic algorithm module of the device.
Fig. 4 is a block diagram of the operating process of the dynamic taint tracking module of the device.
Embodiment
For making the object of the invention, technical scheme and advantage clearer, the present invention is made further detailed description below in conjunction with accompanying drawing.
Referring to Fig. 1; Introducing blending inheritance algorithm of the present invention earlier forms with the structure of the device that dynamically pollutes the binary program bug excavation of following the tracks of: this device is provided with static analysis module, debugger module, genetic algorithm module, test input generation module and the abnormal monitoring module that is linked in sequence, and the dynamic pollution tracking module between debugger module, genetic algorithm module; Wherein:
The static analysis module; This module is based on interactive disassembler professional version IDAPro (Interactive Disassembler Professional) exploitation realization, is used for extracting the call address of control flow structure, fundamental block information and the dangerous function of binary program to be tested; This module is through analyzing the jump instruction in the binary program; Obtain the fundamental block and control flow structure of binary program; The built-in function that utilizes IDAPro to provide again obtains the call address of the dangerous function in the binary program, and sends these information to debugger module as configuration information.
Debugger module as the basic platform of this device, is used to monitor the implementation of binary program to be tested, and the relevant execution information of record; This module major function comprises: the configuration information that provides according to the static analysis module; API API (the Application Programming Interface) function of identification and interception Windows bottom obtains the position that binary program to be tested is opened input file; And the execution number of times of dangerous function in the execution track of the binary program to be tested of the fundamental block carried out of the binary program to be tested that causes by input file of record, input file correspondence and this binary program to be tested; Read register and the interior data of storehouse in the binary program, the register variable in calculating and the renewal binary program and the numerical value of memory variable; Realization is to the function of given memory address to breakpoint under the binary program to be tested; Debugger module information that aforementioned calculation is obtained sends genetic algorithm module to then, is used to calculate the corresponding fitness function value of input file.
Dynamically pollute tracking module; Be used to realize the fine-grained dynamic pollution tracking of byte level; Discern the key bytes in the corresponding input file of binary program to be tested; And this key bytes intersected as genetic algorithm module and the space of variation, improve the speed of convergence of genetic algorithm: this module is that each byte is all given a unique tags in the input data of binary program to be tested, follows the tracks of the transmittance process of this label in binary program to be tested again; And in following the tracks of the input data transfer, both considered the transitive dependency relation between data, also considered the control dependence between different variablees; (so-called key bytes is a byte of in input file, polluting the parameter value of dangerous function in the binary program to be tested to discern key bytes in the corresponding input file of binary program to be tested simultaneously; And dangerous function is to comprise that Memory Allocation, memory copying, character string and some contain the multiple function of format parameter); And offer genetic algorithm module to crucial byte information, as the intersection of genetic algorithm module and the space of variation.
Genetic algorithm module: responsible for calculating, from the execution track that the debugger module provides for each input file (the basic blocks of the binary program under test that the input file covers, and the number of times the dangerous functions in it are executed) together with the key bytes identified by the dynamic taint tracking module, the basic block coverage rate, the minimum execution path information and the dangerous function execution count of the binary program under test for that input file; it then calculates the fitness function value of each input file and passes it to the test input generation module, which uses it to generate new input files for the next round of testing. A higher fitness value for an input file means that the file may cause the binary program under test to cover more basic blocks, to follow a "rare path", or to execute dangerous functions more times; when all three of these values are high for an input file, that file is very likely to trigger the corresponding potential security vulnerability in the binary program under test. The crossover and mutation operations performed by the genetic algorithm module act on the key bytes in the input file of the binary program under test rather than on the whole input file, so as to narrow the crossover and mutation space of the genetic algorithm, improve its convergence speed, and thereby improve the efficiency of binary program vulnerability mining. The fitness function in this genetic algorithm module is computed as $\mathrm{Fitness}(x) = w_1 \cdot bbc_x + w_2 \cdot lcov_x + w_3 \cdot rIndex \cdot \log(D_x)$, where the variable $x$ is an input file, and $bbc_x$, $lcov_x$ and $D_x$ are respectively the basic block coverage rate, the minimum execution path information and the dangerous function execution count of the binary program under test for input file $x$. $bbc_x$ is used to make the new input files generated by the genetic algorithm module cover more basic blocks of the binary program under test; $lcov_x$ is used to make the execution paths produced by the newly generated input files differ as much as possible, so as to maximize path coverage; $D_x$ is used to make the newly generated input files cause the binary program under test to execute dangerous functions more times. $w_1$, $w_2$ and $w_3$ are the weights of the three factors $bbc_x$, $lcov_x$ and $D_x$, each with range [0,1], and $rIndex$ is an adjustment coefficient with range [0,1].
Test input generation module: responsible for sorting the input files of the binary program under test by the fitness function value that the genetic algorithm module reports for each input file, then, according to the scale set by the user, selecting the input files with high fitness values and sending them to the debugger module for the next round of testing, since input files with high fitness values are more likely to trigger potential security vulnerabilities in the binary program under test.
Exception monitoring module: used to monitor the execution of the binary program under test for each input file; if an exception occurs, it records the input file that caused the exception, together with the location in the binary program under test at which the exception occurred, the exception type and the context information at the time of the exception.
The present invention also provides a vulnerability mining method for the binary program vulnerability mining device that combines the genetic algorithm with dynamic taint tracking, that is, a method that combines the advantages of the genetic algorithm and of dynamic taint analysis: to avoid the blind generation of test data by dynamic testing, the fitness function of the genetic algorithm is used to guide the generation of test cases; at the same time, to narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the test input file and writes the key byte information into an array according to the offset of each key byte from the start of the input file, and the genetic algorithm module performs crossover and mutation on that array. This lets the analyst focus only on the program code of interest for subsequent analysis, narrows the search space of the genetic algorithm, speeds up its convergence and improves the efficiency of vulnerability mining for the binary program under test. The operation steps of this method are as follows.
The present invention thus provides a testing method that uses the vulnerability mining device for binary programs combining the genetic algorithm with dynamic taint tracking; the method merges the advantages of both static analysis and dynamic analysis in vulnerability mining, so that the analyst need only pay attention to the program code of interest and analyse it further.
The method comprises the following operation steps:
Step 1: according to the type of the binary program under test, the user prepares a standard test file in advance and randomly modifies some bytes in it to generate input files; the number of input files is controlled by the user.
Step 2: the static analysis module performs static analysis on the binary program under test, obtaining the start addresses of its basic blocks, the jump information between basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information.
Step 3: using the configuration information from the static analysis module, the debugger module calculates the basic block coverage rate, the minimum execution path information and the dangerous function execution count of the binary program under test for each input file.
Step 4: to narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the input file of the binary program under test, writes these key bytes into an array according to each key byte's offset from the start of the input file, and sends the array to the genetic algorithm module, which performs crossover and mutation on it. The array after crossover and mutation is then written back into the input file according to each byte's offset from the start of the file, giving the new input file generated by the crossover and mutation of the genetic algorithm. This narrows the search space of the genetic algorithm, speeds up its convergence and improves the efficiency of binary program vulnerability mining.
Referring to Fig. 4, the specific operations performed by the dynamic taint tracking module in step 4 are described below:
The dynamic taint tracking module first performs the following three initialization operations:
(41) Initialize the binary program under test: use a thread synchronization lock so that, while one thread is accessing a resource, no other thread accesses the same resource at the same time, and so that reads and writes during taint tracking are synchronized;
(42) Register system callback functions: use the hook mechanism of Pin, a dynamic binary instrumentation tool, to capture the input parameters and return values of the system APIs through which the binary program under test filters and reads input files, so as to monitor the input of the binary program under test during its dynamic initialization;
(43) Traverse the export table of the binary program under test and the export tables of the dynamic link libraries it loads, and, according to user-defined "dangerous function auxiliary rules", insert monitoring code at the entry and exit of each dangerous function called by the binary program under test.
After initialization, the device begins reading instructions one basic block at a time, starting from the entry address of the binary program under test. Because the dynamic taint tracking module is built on Pin (a framework for dynamic instrumentation), its operation after initialization is as follows: use the routine instrumentation capability of Pin to hook the Windows system functions (for example NtCreateFile, NtReadFile, etc.) and extract from them the memory location and the number of bytes read into memory, which serve as the taint source of the binary program under test. Then, starting from the entry address of the binary program under test, read instructions one basic block at a time; once the input of the binary program under test is found to be valid (for example, the specified input file has been opened), begin dynamic taint tracking: each time a new instruction block is loaded, first check whether the binary program under test has dynamically loaded a new dynamic link library; if so, traverse the export table of the new library, hook its dangerous functions and insert monitoring code, which keeps the dynamic tracking up to date and also avoids the limitation of static analysis, which can only target a single input file; if not, continue loading new instruction blocks and perform the corresponding operations. The operation steps performed by the dynamic taint tracking module are introduced below:
Step 4a: parse the registers and memory locations used by the current instruction and save them as an instruction type linked list, an instruction source linked list and an instruction destination linked list respectively.
Step 4b: determine whether the instruction type can be processed by this device; the handled types include ordinary instructions, arithmetic instructions, control instructions, jump instructions, etc., more than 100 kinds in total.
Step 4c: during dynamic taint tracking, according to the dangerous function list and the rules for dynamic execution, check whether any byte of the input file is passed into a dangerous function; if so, record the offset of that byte from the start of the input file. Dynamic taint tracking works at byte granularity.
Step 4d: monitor whether a jump is executed successfully, and determine whether the jump depends on the input data.
Step 4f: record changes to the flag register; if the tainted data are interdependent, then when a branch occurs, read the relevant information directly from the flag register data structure.
Step 4e: output the start and end addresses of the taint source of the binary program under test and the key bytes identified by the dynamic taint tracking module.
The dynamic taint tracking module is implemented on the basis of the x86 assembly instruction set, so its dynamic taint tracking begins with identifying the instruction type. The present invention selects only the commonly used instructions for dynamic taint analysis: according to actual test analysis, an ordinary program compiled on the Windows platform uses only about 300 assembly instruction types; after rejecting rarely used instructions and floating-point instructions (which have little influence on the accuracy of dynamic taint analysis), the remaining instructions are those that the taint tracker must parse. Because the operands involved in x86 instructions are all 32 bits, the monitoring target of the dynamic taint tracking module is a 32-bit operating system. In actual tests of the dynamic taint tracking module it was usually found that if one or several bits of a 32-bit value are tainted and the whole 32 bits are marked as tainted data, the tainted data are inadvertently enlarged, which seriously impairs the accuracy of the dynamic taint tracker. To prevent this in real testing, the precision of the dynamic taint tracking module is set at the byte level, that is, every 8 bits form one taint unit, and all flag registers are defined separately according to their actual function.
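The byte-granular tracking described in steps 4a to 4e and in the paragraph above, as an added illustration that is not the patent's Pin tool: every input byte receives its own label (its file offset), labels are copied per byte rather than per 32-bit operand, and the offsets whose labels reach a dangerous function argument are the key bytes. The mini instruction set, register names, addresses and input bytes are constructed for the example.

```python
# Added illustration (not the patent's Pin-based tracker): byte-granular taint
# labels propagated through a constructed mini instruction stream. Shows why
# per-byte taint units keep one tainted byte from contaminating a whole dword,
# and how the key byte offsets handed to the genetic algorithm are obtained.

from typing import Dict, FrozenSet, List, Set, Tuple

Label = FrozenSet[int]          # set of input-file offsets that one byte depends on
EMPTY: Label = frozenset()


class ByteTaintTracker:
    """Tracks, for each byte of memory and each byte of a 32-bit register,
    the set of input-file offsets it was derived from."""

    def __init__(self) -> None:
        self.mem: Dict[int, Label] = {}          # address -> label of that byte
        self.regs: Dict[str, List[Label]] = {}   # reg -> 4 byte labels, little-endian
        self.key_offsets: Set[int] = set()       # offsets that reached a dangerous function

    def seed_input(self, buf_addr: int, data: bytes) -> None:
        """Taint source: the bytes a hooked file-read call wrote into memory.
        Each byte gets a unique label equal to its offset in the input file."""
        for i in range(len(data)):
            self.mem[buf_addr + i] = frozenset({i})

    def reg_labels(self, name: str) -> List[Label]:
        return self.regs.setdefault(name, [EMPTY] * 4)

    def load(self, dst: str, addr: int, size: int = 4) -> None:
        """mov/movzx reg, [addr]: copy labels byte by byte, zero-extending."""
        lbl = [self.mem.get(addr + i, EMPTY) for i in range(size)]
        self.regs[dst] = lbl + [EMPTY] * (4 - size)

    def store(self, addr: int, src: str, size: int = 4) -> None:
        for i in range(size):
            self.mem[addr + i] = self.reg_labels(src)[i]

    def mov(self, dst: str, src: str) -> None:
        self.regs[dst] = list(self.reg_labels(src))

    def binop(self, dst: str, src: str) -> None:
        """add/xor/or dst, src: result byte i depends on byte i of both operands.
        Simplification of this toy: carries between bytes are ignored."""
        a, b = self.reg_labels(dst), self.reg_labels(src)
        self.regs[dst] = [a[i] | b[i] for i in range(4)]

    def call_dangerous(self, name: str, arg_regs: List[str]) -> Set[int]:
        """Sink check (step 4c): union of the labels of every argument byte;
        those offsets are recorded as key bytes of the input file."""
        hit: Set[int] = set()
        for r in arg_regs:
            for lbl in self.reg_labels(r):
                hit |= lbl
        self.key_offsets |= hit
        return hit


def demo_key_bytes() -> Tuple[Set[int], bool]:
    """Constructed trace. Returns the key offsets found and whether byte-level
    tracking left the upper bytes of a single-byte load untainted."""
    t = ByteTaintTracker()
    t.seed_input(0x1000, bytes(range(16)))    # constructed 16-byte input file
    t.load("eax", 0x1008)                      # dword = file offsets 8..11
    t.mov("ecx", "eax")
    t.load("edx", 0x1003, size=1)              # single byte = file offset 3
    t.binop("ecx", "edx")                      # low byte of ecx now depends on 3 and 8
    t.store(0x2000, "ecx")
    t.load("ebx", 0x2000)
    t.load("esi", 0x100C)                      # offsets 12..15 never reach a sink
    t.call_dangerous("memcpy", ["ebx"])        # tainted argument reaches a dangerous function
    upper_bytes_clean = t.reg_labels("edx")[1] == EMPTY
    return t.key_offsets, upper_bytes_clean
```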
Step 5: the genetic algorithm module calculates the fitness function value of each input file from the basic block coverage rate, the minimum execution path information and the dangerous function execution count obtained from the debugger module for that input file, and from the key bytes identified by dynamic taint tracking, so that the fitness function guides the generation of input files to be tested and the blindness of dynamic testing in generating test files is avoided.
Step 6: the test input generation module sorts the input files by their fitness function values and, according to the scale set by the user, selects the input files with high fitness values and sends them to the debugger module for the next round of testing.
Step 7: after the exception monitoring module loads the binary program under test and the input files from step (6), it monitors the execution of the binary program under test after it opens each input file; if an exception occurs, it records the input file that caused the exception, together with the location of the exception in the binary program under test, the exception type and the context information at the exception location.
The list of assembly instructions that affect the accuracy of the dynamic taint tracker is given below:
[Table image BDA0000139795130000141: assembly instruction list]
The check of dangerous functions is also divided into two parts; one part concerns the use of unsafe library functions. This part is implemented by configuring the dangerous library functions of interest in a configuration input file: the configuration requires the function name and the number of function parameters, each configured dangerous function occupies one line of the configuration file, and the configuration is written by the user. When a module is loaded, Pin traverses the export table of the dynamic link library, visits the entry of each exported function, and matches the addresses, names and parameters of the dangerous functions. The list of dangerous functions is given below:
[Table images BDA0000139795130000142 and BDA0000139795130000151: dangerous function list]
With the help of the debugger module, the genetic algorithm module extracts the control flow information of the binary program under test and records the execution track caused by a test input file, the minimum execution path information and the dangerous function execution count. All this information is provided to the genetic algorithm module for dynamically calculating the fitness function value of each input file.
The genetic operations in the genetic algorithm module of the present invention do not act on the whole test input file but on the key bytes in it. The key bytes that the dynamic taint tracking module identifies in the test input file of the binary program under test may be discontinuous, which makes it difficult to perform genetic operations on them. To solve this problem, the key bytes identified by the dynamic taint tracking module are written into an array, and the offsets of the key bytes from the start of the input file are written into another array (see Fig. 2). Key bytes are represented in the array as a 0/1 sequence, and the genetic operations are performed on that 0/1 sequence.
The crossover operation first calculates the length L of the key byte array, randomly generates a number Ram between 0 and L, and then exchanges the 0/1 sequences on either side of position Ram in the array. The mutation operation first generates a random number Ra between 0 and L and then modifies the value at position Ra in the array: if the value there is 1 it is changed to 0, otherwise it is changed to 1 (see Fig. 3).
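The key-byte crossover and mutation just described, and the write-back of step 4, as an added example that is not the patent's code: key bytes at possibly discontinuous offsets are gathered into a 0/1 array, the operators act on the array, and the result is stored back at the same offsets so non-key bytes are untouched. The sample file bytes, offsets and cut points are constructed; the crossover is read as a single-point exchange between two parents' arrays (an assumption, since the text does not say whether one or two arrays are involved), and the mutation index is drawn from [0, L-1] because position L does not exist in a 0-indexed array.

```python
# Added example (not the patent's implementation) of the patent's genetic
# operations on key bytes. Assumptions: two-parent single-point crossover;
# mutation index restricted to [0, L-1]; sample data below is constructed.

import random
from typing import List, Sequence, Tuple


def key_bits(data: bytes, offsets: Sequence[int]) -> List[int]:
    """Gather the key bytes at `offsets` (possibly discontinuous) into one 0/1
    sequence, 8 bits per key byte, most significant bit first."""
    bits: List[int] = []
    for off in offsets:
        bits.extend((data[off] >> (7 - i)) & 1 for i in range(8))
    return bits


def write_back(data: bytes, offsets: Sequence[int], bits: Sequence[int]) -> bytes:
    """Inverse of key_bits: rebuild each key byte and store it at its offset,
    leaving every non-key byte of the input file unchanged."""
    if len(bits) != 8 * len(offsets):
        raise ValueError("bit array length does not match key byte count")
    out = bytearray(data)
    for k, off in enumerate(offsets):
        value = 0
        for bit in bits[8 * k:8 * k + 8]:
            value = (value << 1) | bit
        out[off] = value
    return bytes(out)


def crossover(a: Sequence[int], b: Sequence[int], ram: int) -> Tuple[List[int], List[int]]:
    """Single-point crossover at position ram (0 <= ram <= L): the 0/1 sequences
    on either side of ram are exchanged between the two parents' key-bit arrays."""
    L = len(a)
    if len(b) != L or not 0 <= ram <= L:
        raise ValueError("parents must have equal length and 0 <= ram <= L")
    return list(a[:ram]) + list(b[ram:]), list(b[:ram]) + list(a[ram:])


def mutate(bits: Sequence[int], ra: int) -> List[int]:
    """Flip the bit at position ra (0 <= ra < L): 1 becomes 0, 0 becomes 1."""
    L = len(bits)
    if not 0 <= ra < L:
        raise ValueError("mutation index must lie in [0, L) for a 0-indexed array")
    out = list(bits)
    out[ra] ^= 1
    return out


def next_generation(parent_a: bytes, parent_b: bytes, offsets: Sequence[int],
                    seed: int) -> Tuple[bytes, bytes]:
    """One round of step 4 for two input files sharing the same key byte
    offsets: crossover at a random point in [0, L], one random bit flip in
    each child, then write-back to produce two new input files."""
    rng = random.Random(seed)           # seeded so the round is reproducible
    a, b = key_bits(parent_a, offsets), key_bits(parent_b, offsets)
    L = len(a)
    c1, c2 = crossover(a, b, rng.randint(0, L))
    # The patent draws Ra "between 0 and L"; index L does not exist in a
    # 0-indexed array, so the draw here is restricted to [0, L-1] (our choice).
    c1 = mutate(c1, rng.randint(0, L - 1))
    c2 = mutate(c2, rng.randint(0, L - 1))
    return write_back(parent_a, offsets, c1), write_back(parent_b, offsets, c2)
```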
The control flow graph of the binary program under test is a directed graph whose nodes correspond to contiguous instruction blocks (basic blocks) and whose edges correspond to the discrete instructions (such as conditional branch instructions) that connect different basic blocks. It can be described by the formula $G = (N, E, s, e)$, where $N$ is the set of nodes, $E$ is the set of edges, and $s$ and $e$ are respectively the entry point and the exit point of the binary program under test, with $s, e \in N$. A node $n \in N$ represents a contiguous instruction set (basic block): if one instruction in the set is executed, all instructions in the set are executed in sequence. An edge $(n_i, n_j) \in E$ represents a transfer of control flow from basic block $n_i$ to basic block $n_j$.
The present invention has been tested in several implementations; the implementation tests are briefly introduced below.
To better guide the genetic algorithm in searching for test input files that may cause the binary program under test to crash, the method of the invention mainly considers the following factors when designing the fitness function. The basic block coverage rate of the binary program under test: if a test case has a higher basic block coverage rate, it has a greater chance of triggering a potential security vulnerability in the binary program under test.
Minimum execution path information: if a test input file causes the binary program under test to follow an execution path that has not been executed before, that path is called a rare path. To distinguish the execution paths of the binary program under test caused by different test input files, a hash function is introduced to calculate a hash value for each path; this hash function uses the MD5 algorithm to compute the hash of the basic block information executed by the binary program under test for each test input file. The hash value of the basic block information executed for each input file is written into a linked list; if the hash value of an input file is identical to one already stored in the list, the path executed by the binary program under test for this input file is considered identical to the path caused by an earlier input file, and the input file is discarded.
The execution count of dangerous functions or dangerous operations in the binary program under test: the more times a test input file causes dangerous functions or dangerous operations to be executed, the greater the possibility that this input file triggers a potential security vulnerability in the binary program under test.
The basic block coverage rate gives the number of basic blocks executed by the binary program under test for a test input file as a percentage of the total number of basic blocks in the binary program under test; the higher the basic block coverage rate of a test input file, the greater the possibility that it triggers a potential vulnerability in the binary program under test. The minimum execution path information expresses the expected ability of a test input file to cover paths that have not been executed. The more times a test input file causes dangerous functions in the binary program under test to be executed, the greater the possibility that it triggers a potential vulnerability in the binary program under test.
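The fitness function $\mathrm{Fitness}(x) = w_1 \cdot bbc_x + w_2 \cdot lcov_x + w_3 \cdot rIndex \cdot \log(D_x)$, the MD5 path hashing that detects rare paths, and the ranking performed by the test input generation module (steps 5 and 6), as an added example that is not the patent's implementation. Traces, dangerous-call counts and weights are constructed; $lcov_x$ is taken as 1 for a path hash not seen before (the input is discarded otherwise, as the text says), and the $\log(D_x)$ term is taken as 0 when $D_x = 0$; both are assumptions of this example, since the patent fixes neither.

```python
# Added example (not the patent's code): fitness evaluation with MD5 path
# hashing and rare-path deduplication, followed by fitness-ranked selection.
# Assumptions: lcov_x = 1 for an unseen path (seen paths are discarded);
# log(D_x) contributes 0 when D_x = 0; all sample data is constructed.

import hashlib
import math
from typing import Dict, List, Optional, Sequence, Tuple


def path_hash(trace: Sequence[int]) -> str:
    """MD5 over the ordered start addresses of the basic blocks one input executed."""
    h = hashlib.md5()
    for addr in trace:
        h.update(addr.to_bytes(4, "little"))
    return h.hexdigest()


class FitnessEvaluator:
    def __init__(self, total_blocks: int, w1: float, w2: float, w3: float,
                 r_index: float) -> None:
        for w in (w1, w2, w3, r_index):
            if not 0.0 <= w <= 1.0:
                raise ValueError("weights and rIndex must lie in [0, 1]")
        self.total_blocks = total_blocks
        self.w1, self.w2, self.w3, self.r_index = w1, w2, w3, r_index
        self.seen_hashes: List[str] = []      # the patent's linked list of path hashes

    def score(self, trace: Sequence[int], dangerous_calls: int) -> Optional[float]:
        """Fitness of one input file, or None if its path was already explored."""
        h = path_hash(trace)
        if h in self.seen_hashes:
            return None                       # same path as an earlier input: discard
        self.seen_hashes.append(h)
        bbc = len(set(trace)) / self.total_blocks   # basic block coverage rate bbc_x
        lcov = 1.0                                   # not-yet-seen ("rare") path
        log_d = math.log(dangerous_calls) if dangerous_calls > 0 else 0.0
        return self.w1 * bbc + self.w2 * lcov + self.w3 * self.r_index * log_d


def select_next_round(ev: FitnessEvaluator,
                      population: Dict[str, Tuple[Sequence[int], int]],
                      scale: int) -> List[Tuple[str, float]]:
    """Test input generation module: score every input, drop repeats of an
    already-seen path, sort by fitness and keep the `scale` best."""
    scored: List[Tuple[str, float]] = []
    for name, (trace, d) in population.items():
        f = ev.score(trace, d)
        if f is not None:
            scored.append((name, f))
    scored.sort(key=lambda nf: nf[1], reverse=True)
    return scored[:scale]


def demo() -> List[Tuple[str, float]]:
    """Constructed population of four inputs over a 10-block program."""
    ev = FitnessEvaluator(total_blocks=10, w1=0.5, w2=0.3, w3=0.2, r_index=0.5)
    population = {
        "in_a": ([0x401000, 0x401020, 0x401040], 4),
        "in_b": ([0x401000, 0x401000, 0x401020], 0),
        "in_c": ([0x401000, 0x401020, 0x401040], 9),   # same path as in_a: discarded
        "in_d": ([0x401000, 0x401020, 0x401060, 0x401080], 1),
    }
    return select_next_round(ev, population, scale=2)
```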
In summary, the repeated implementation tests carried out on the present invention show that the device and method of the invention can successfully detect security vulnerabilities in some real binary applications, achieving the object of the invention.

Claims (8)

1. A device for binary program vulnerability mining that combines a genetic algorithm with dynamic taint tracking, characterized in that: the device is provided with a static analysis module, a debugger module, a genetic algorithm module, a test input generation module and an exception monitoring module connected in sequence, and a dynamic taint tracking module located between the debugger module and the genetic algorithm module; wherein:
the static analysis module, developed on the basis of the interactive disassembler IDA Pro (professional version), is used to extract the control flow structure of the binary program under test, the start addresses of its basic blocks and the call addresses of dangerous functions, and to send this information to the debugger module as configuration information; that is, this module obtains the start addresses of the basic blocks of the binary program and the jump relations between basic blocks by analysing the jump instructions in the binary program, and then uses the built-in functions of IDA Pro to obtain the call addresses of the dangerous functions in the binary program;
the debugger module, as the basic platform of the device, is used to monitor the execution of the binary program under test and record related information: according to the configuration information provided by the static analysis module, it identifies and intercepts the low-level Windows API functions to obtain the position at which the binary program under test opens the input file, records the basic blocks executed by the binary program under test for the input file, and obtains the execution track of the binary program under test corresponding to the input file and the execution count of dangerous functions in the binary program under test; it reads the data in the registers and the stack of the binary program, and calculates and updates the values of register variables and memory variables in the binary program; it implements setting a breakpoint at a given memory address in the binary program under test; the debugger module then sends the information obtained by the above calculation to the genetic algorithm module for calculating the fitness function value of the input file;
the dynamic taint tracking module is used to implement fine-grained, byte-level dynamic taint tracking, to identify the key bytes in the input file of the binary program under test, and to make these key bytes the crossover and mutation space of the genetic algorithm module, improving the convergence speed of the genetic algorithm: this module assigns a unique label to each byte of the input data of the binary program under test and then tracks the propagation of that label through the binary program under test; while tracking the propagation of the input data it considers both the transitive data dependencies and the control dependencies between different variables; at the same time it identifies the key bytes in the input file of the binary program under test and provides the key byte information to the genetic algorithm module as its crossover and mutation space;
the genetic algorithm module is responsible for calculating, from the execution track that the debugger module provides for each input file (the basic blocks of the binary program under test that the input file covers, and the number of times the dangerous functions in it are executed) together with the key bytes identified by the dynamic taint tracking module, the basic block coverage rate, the minimum execution path information and the dangerous function execution count of the binary program under test for that input file; it then calculates the fitness function value of each input file and passes it to the test input generation module, which uses it to generate new input files for the next round of testing; a higher fitness value for an input file means that the file may cause the binary program under test to cover more basic blocks, to follow a "rare path", or to execute dangerous functions more times; when all three of these values are high for an input file, that file is very likely to trigger the corresponding potential security vulnerability in the binary program under test;
the test input generation module is responsible for sorting the input files of the binary program under test by the fitness function value that the genetic algorithm module reports for each input file, then, according to the scale set by the user, selecting the input files with high fitness values and sending them to the debugger module for the next round of testing, since input files with high fitness values are more likely to trigger potential security vulnerabilities in the binary program under test;
the exception monitoring module is used to monitor the execution of the binary program under test for each input file; if an exception occurs, it records the input file that caused the exception, together with the location in the binary program under test at which the exception occurred, the exception type and the context information at the time of the exception.
2. The device according to claim 1, characterized in that: the dangerous functions comprise a plurality of functions including memory allocation, memory copying, string functions and functions that take a format parameter; a key byte is a byte of the input file that taints the parameter value of a dangerous function in the binary program under test, also called a key byte in the input file corresponding to the binary program under test.
3. The device according to claim 1, characterized in that: the fitness function in the genetic algorithm module is computed as $\mathrm{Fitness}(x) = w_1 \cdot bbc_x + w_2 \cdot lcov_x + w_3 \cdot rIndex \cdot \log(D_x)$, where the variable $x$ is an input file, and $bbc_x$, $lcov_x$ and $D_x$ are respectively the basic block coverage rate, the minimum execution path information and the dangerous function execution count of the binary program under test for input file $x$; $bbc_x$ is used to make the new input files generated by the genetic algorithm module cover more basic blocks of the binary program under test; $lcov_x$ is used to make the execution paths produced by the newly generated input files differ as much as possible, so as to maximize path coverage; $D_x$ is used to make the newly generated input files cause the binary program under test to execute dangerous functions more times; $w_1$, $w_2$ and $w_3$ are the weights of the three factors $bbc_x$, $lcov_x$ and $D_x$, each with range [0,1], and $rIndex$ is an adjustment coefficient with range [0,1].
4. The device according to claim 1, characterized in that: the crossover and mutation genetic operations performed by the genetic algorithm module act on the key bytes in the input file of the binary program under test rather than on the whole input file, so as to narrow the crossover and mutation space of the genetic algorithm, improve its convergence speed and thereby improve the efficiency of binary program vulnerability mining.
5. A testing method using the device for binary program vulnerability mining that combines a genetic algorithm with dynamic taint tracking, characterized in that: the method merges the advantages of static analysis and dynamic analysis so that the analyst need only pay attention to the program code of interest for subsequent analysis; the method comprises the following operation steps:
(1) according to the type of the binary program under test, the user prepares a standard test file in advance and randomly modifies some bytes in it to generate input files, the number of input files being controlled by the user;
(2) the static analysis module performs static analysis on the binary program under test, obtaining the start addresses of its basic blocks, the jump information between basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information;
(3) using the configuration information from the static analysis module, the debugger module calculates the basic block coverage rate, the minimum execution path information and the dangerous function execution count of the binary program under test for each input file;
(4) to narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the input file of the binary program under test, writes these key bytes into an array according to each key byte's offset from the start of the input file, and sends the array to the genetic algorithm module, which performs crossover and mutation on it; the array after crossover and mutation is then written back into the input file according to each byte's offset from the start of the file, giving the new input file generated by the crossover and mutation of the genetic algorithm, so as to narrow the search space of the genetic algorithm, speed up its convergence and improve the efficiency of binary program vulnerability mining;
(5) the genetic algorithm module calculates the fitness function value of each input file from the basic block coverage rate, the minimum execution path information and the dangerous function execution count obtained from the debugger module for that input file, and from the key bytes identified by dynamic taint tracking, so that the fitness function guides the generation of input files to be tested and the blindness of dynamic testing in generating test files is avoided;
(6) the test input generation module sorts the input files by their fitness function values and, according to the scale set by the user, selects the input files with high fitness values and sends them to the debugger module for the next round of testing;
(7) after the exception monitoring module loads the binary program under test and the input files from step (6), it monitors the execution of the binary program under test after it opens each input file; if an exception occurs, it records the input file that caused the exception, together with the location of the exception in the binary program under test, the exception type and the context information at the exception location.
6. The method according to claim 5, characterized in that: in step (4), the initialization operations first performed by the dynamic taint tracking module comprise the following:
(41) initialize the binary program under test: use a thread synchronization lock so that, while one thread is accessing a resource, no other thread accesses the same resource at the same time, and so that reads and writes during taint tracking are synchronized;
(42) register system callback functions: use the hook mechanism of Pin, a dynamic binary instrumentation tool, to capture the input parameters and return values of the system APIs through which the binary program under test filters and reads input files, so as to monitor the input of the binary program under test during its dynamic initialization;
(43) traverse the export table of the binary program under test and the export tables of the dynamic link libraries it loads, and, according to user-defined "dangerous function auxiliary rules", insert monitoring code at the entry and exit of each dangerous function called by the binary program under test.
7. method according to claim 5; It is characterized in that: in the affiliated step (4); Dynamically polluting tracking module accomplishing the content of operation of carrying out after the initialization is: utilize the routine pitching pile ability of Pin to link up with the system function of Windows; And extract wherein the core position and read in the byte number in the internal memory, as the pollution source of binary program to be tested; Then, beginning with the fundamental block from binary program to be tested entry address is the unit reading command; When monitoring binary program to be tested when opening input file; Beginning to carry out dynamic tracking pollutes: when loading new instruction block, at first monitor the whether new dynamic link library of dynamic load of binary program to be tested at every turn, if; Then travel through the derived table of new dynamic link library; With dangerous function hook and insertion monitoring code,, can only be directed against the limitation of single input file when effectively avoiding static analysis again to guarantee the timeliness of dynamic tracking; If, then do not continue to load new instruction block and carry out corresponding operating.
8. method according to claim 5 is characterized in that: the operand that relates to because of the order structure of x86 all is 32, and the monitoring target of said dynamic pollution tracking module is based on 32 operating system; And in order to prevent in the reality test, to enlarge contamination data and the operating accuracy that has a strong impact on dynamic pollution tracking module; Dynamically pollute the degree of accuracy of tracking module tracking pollution and orientate the Byte level as; Be that per 8 Bit are a pollution unit, and all flag registers are defined separately by its practical function again.
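As an added illustration of claims 7 and 8 (this is not the patent's code, which instruments the target with Pin), a small Python model of byte-level taint tracking: the hooked file-read call marks the bytes it returned as the taint source, taint propagates per byte through 32-bit registers, the flags are tracked as their own unit, and the monitoring code at a hooked dangerous function reports which argument bytes derive from the input file. The instruction tuples, addresses and the trace are constructed for the demo; the byte-wise union for arithmetic is a simplification that ignores carries.

```python
from dataclasses import dataclass, field

REG_WIDTH = 4  # claim 8: x86 operands are 32 bits, tracked as 4 independent byte units


@dataclass
class TaintState:
    mem: dict = field(default_factory=dict)   # address -> bool, one taint unit per byte
    regs: dict = field(default_factory=dict)  # register name -> [bool] * REG_WIDTH
    flags: bool = False                       # flag registers kept as their own unit (claim 8)

    def reg(self, r):
        return self.regs.setdefault(r, [False] * REG_WIDTH)

    def mem_bytes(self, addr, n):
        return [self.mem.get(addr + i, False) for i in range(n)]

    def mark_input(self, addr, n):
        """Taint source (claim 7): a hooked file-read call returned n bytes at addr."""
        for i in range(n):
            self.mem[addr + i] = True

    def step(self, instr):
        """Propagate taint for one constructed instruction tuple (mnemonic, dst, src)."""
        op, dst, src = instr
        if op == "mov" and isinstance(src, int):             # mov reg, dword [addr]
            self.regs[dst] = self.mem_bytes(src, REG_WIDTH)
        elif op == "mov" and isinstance(dst, int):           # mov dword [addr], reg
            for i, t in enumerate(self.reg(src)):
                self.mem[dst + i] = t
        elif op == "movzx_byte":                             # movzx reg, byte [addr]
            self.regs[dst] = [self.mem.get(src, False)] + [False] * (REG_WIDTH - 1)
        elif op == "xor" and dst == src:                     # xor reg, reg: result is a known zero
            self.regs[dst] = [False] * REG_WIDTH
            self.flags = False
        elif op in ("add", "sub", "and", "or", "xor"):       # reg op reg: byte-wise union
            self.regs[dst] = [a or b for a, b in zip(self.reg(dst), self.reg(src))]
            self.flags = any(self.regs[dst])                 # flags depend on the result (carries not modelled)
        else:
            raise ValueError(f"unsupported instruction: {op}")


def check_sink(state, arg_addr, n):
    """Monitoring code at a hooked dangerous function (step (43)): offsets of tainted argument bytes."""
    return [i for i, t in enumerate(state.mem_bytes(arg_addr, n)) if t]


def demo():
    """Constructed trace: 8 input bytes land at 0x1000 and are partly copied into a
    12-byte buffer at 0x2000 that is then handed to a hypothetical strcpy sink."""
    st = TaintState()
    st.mark_input(0x1000, 8)                    # hooked ReadFile-style call returned 8 bytes
    for ins in [("mov", "eax", 0x1000),         # eax <- input[0:4]
                ("mov", 0x2000, "eax"),         # buf[0:4] <- eax (tainted)
                ("xor", "ecx", "ecx"),          # ecx and flags cleared
                ("mov", 0x2004, "ecx"),         # buf[4:8] <- clean
                ("movzx_byte", "ebx", 0x1007),  # low byte of ebx <- input[7]
                ("add", "ebx", "ecx"),          # flags now depend on tainted data
                ("mov", 0x2008, "ebx")]:        # buf[8:12]: only offset 8 tainted
        st.step(ins)
    return check_sink(st, 0x2000, 12), st.flags
```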
CN201210051642.5A 2012-03-01 2012-03-01 Excavating device and excavating method of binary system program loopholes Expired - Fee Related CN102622558B (en)

Publications (2)

Publication Number Publication Date
CN102622558A true CN102622558A (en) 2012-08-01
CN102622558B CN102622558B (en) 2014-10-08

Family

ID=46562472

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103389939A (en) * 2013-07-03 2013-11-13 清华大学 Detection method and detection system for controlled heap allocation bug
CN104252402A (en) * 2014-09-05 2014-12-31 深圳创维数字技术有限公司 Program debugging method and device
CN104536877A (en) * 2014-11-28 2015-04-22 江苏苏测软件检测技术有限公司 Mixed strategy based test data generation method
CN104598383A (en) * 2015-02-06 2015-05-06 中国科学院软件研究所 Mode-based dynamic vulnerability discovery integrated system and mode-based dynamic vulnerability discovery integrated method
CN104657264A (en) * 2015-02-10 2015-05-27 上海创景计算机系统有限公司 Testing system for binary code covering rate and testing method thereof
CN104933362A (en) * 2015-06-15 2015-09-23 福州大学 Automatic detection method of API (Application Program Interface) misuse-type bug of Android application software
CN104956372A (en) * 2013-02-28 2015-09-30 惠普发展公司,有限责任合伙企业 Determining coverage of dynamic security scans using runtime and static code analyses
CN105608383A (en) * 2015-12-22 2016-05-25 工业和信息化部电子第五研究所 ActiveX control loophole testing method and system
CN106161319A (en) * 2015-04-13 2016-11-23 中南大学 Blending inheritance and hill-climbing algorithm reduce VLC-OFDM system peak-to-average power ratio
CN106156633A (en) * 2016-06-23 2016-11-23 扬州大学 The risk analysis method of software-oriented amendment
CN106407809A (en) * 2016-09-20 2017-02-15 四川大学 A Linux platform malicious software detection method
CN106599681A (en) * 2016-12-22 2017-04-26 北京邮电大学 Malicious program characteristic extraction method and system
CN106791168A (en) * 2017-01-13 2017-05-31 北京奇虎科技有限公司 Information of mobile terminal guard method, device and mobile terminal
CN106909510A (en) * 2017-03-02 2017-06-30 腾讯科技(深圳)有限公司 A kind of method and server for obtaining test case
CN107346391A (en) * 2016-05-06 2017-11-14 阿里巴巴集团控股有限公司 A kind of method and system of product concept checking data
CN107526970A (en) * 2017-08-24 2017-12-29 安徽大学 Method for detecting runtime program bugs based on dynamic binary platform
CN108446235A (en) * 2018-03-21 2018-08-24 北京理工大学 In conjunction with the fuzz testing critical data localization method of path label data variation
CN108647520A (en) * 2018-05-15 2018-10-12 浙江大学 A kind of intelligent fuzzy test method and system based on fragile inquiry learning
CN109002721A (en) * 2018-07-12 2018-12-14 南方电网科学研究院有限责任公司 Mining analysis method for information security vulnerability
CN109032927A (en) * 2018-06-26 2018-12-18 腾讯科技(深圳)有限公司 A kind of bug excavation method and device
CN109165507A (en) * 2018-07-09 2019-01-08 深圳开源互联网安全技术有限公司 Cross-site scripting attack leak detection method, device and terminal device
CN109308415A (en) * 2018-09-21 2019-02-05 四川大学 One kind is towards binary guiding performance fuzz testing method and system
CN109597767A (en) * 2018-12-19 2019-04-09 中国人民解放军国防科技大学 Genetic variation-based fuzzy test case generation method and system
CN109657473A (en) * 2018-11-12 2019-04-19 华中科技大学 A kind of fine granularity leak detection method based on depth characteristic
CN109739755A (en) * 2018-12-27 2019-05-10 北京理工大学 A kind of fuzz testing system executed based on program trace and mixing
CN111046396A (en) * 2020-03-13 2020-04-21 深圳开源互联网安全技术有限公司 Web application test data flow tracking method and system
CN107368417B (en) * 2017-07-25 2020-10-23 中国人民解放军63928部队 Testing method of vulnerability mining technology testing model
CN111859388A (en) * 2020-06-30 2020-10-30 广州大学 Multi-level mixed vulnerability automatic mining method
CN112445709A (en) * 2020-11-30 2021-03-05 安徽工业大学 Method and device for solving AFL test model data imbalance through GAN
CN112527681A (en) * 2020-12-24 2021-03-19 中国银联股份有限公司 Program vulnerability detection method and device
CN114519127A (en) * 2022-01-12 2022-05-20 中汽创智科技有限公司 Disassembling file processing method, device, equipment and storage medium
CN114780962A (en) * 2022-04-02 2022-07-22 中国人民解放军战略支援部队信息工程大学 Windows program fuzzy test method and system based on dynamic energy regulation and control
CN116108449A (en) * 2023-01-12 2023-05-12 清华大学 Software fuzzy test method, device, equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050108562A1 (en) * 2003-06-18 2005-05-19 Khazan Roger I. Technique for detecting executable malicious code using a combination of static and dynamic analyses
JP2009098851A (en) * 2007-10-16 2009-05-07 Mitsubishi Electric Corp System for detecting invalid code
CN101714119A (en) * 2009-12-09 2010-05-26 北京邮电大学 Test data generating device and method based on binary program
CN101968766A (en) * 2010-10-21 2011-02-09 上海交通大学 System for detecting software bug triggered during practical running of computer program
CN102323906A (en) * 2011-09-08 2012-01-18 哈尔滨工程大学 MC/DC test data automatic generation method based on genetic algorithm
CN102360334A (en) * 2011-10-17 2012-02-22 中国人民解放军信息工程大学 Dynamic and static combined software security test method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
崔宝江 et al.: "Research on binary program testing techniques for key code region coverage based on backtracking and guidance", Journal of Electronics & Information Technology *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141008

Termination date: 20150301

EXPY Termination of patent right or utility model