CN102622558B - Excavating device and excavating method of binary system program loopholes - Google Patents


Info

Publication number: CN102622558B
Application number: CN201210051642.5A (also cited as CN201210051642A)
Other versions: CN102622558A (earlier publication of the same application)
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: binary program, input file, module, tested, genetic algorithm
Inventors: 崔宝江 (Cui Baojiang), 梁晓兵 (Liang Xiaobing)
Original and current assignee: Beijing University of Posts and Telecommunications (Google notes that the listed assignees may be inaccurate, as it has performed no legal analysis)
Legal status: Expired - Fee Related (Google notes that the legal status is an assumption and not a legal conclusion)
Events: application filed by Beijing University of Posts and Telecommunications with priority to CN201210051642.5A; published as CN102622558A; granted and published as CN102622558B; now Expired - Fee Related
Abstract

A vulnerability mining device and method for binary programs are provided. The device consists of a static analysis module, a debugger module, a genetic algorithm module, a test input generation module and an exception monitoring module connected in sequence, plus a dynamic taint tracking module located between the debugger module and the genetic algorithm module. Test case generation is guided by the fitness function of the genetic algorithm; the fitness function is multi-objective and evaluates each test case quantitatively. Dynamic taint tracking identifies the key bytes of an input file, which narrows the search space of the genetic algorithm. By combining the strengths of the genetic algorithm and dynamic taint tracking to guide test case generation, the device produces strongly targeted test cases with high accuracy and efficiency, combines qualitative analysis with quantitative calculation, and avoids the path explosion that affects binary program testing based on symbolic execution and constraint solving.

Description

Vulnerability mining device and method for binary programs
Technical field
The present invention relates to software security technology; specifically, to a device and method for mining vulnerabilities in binary programs that combine a genetic algorithm with dynamic taint tracking, in the technical field of security vulnerability detection for binary programs.
Background art
In software security research, security analysis is frequently performed on binary programs. A major problem in that analysis is how to quickly generate targeted test cases that trigger the security vulnerabilities a binary program may contain. The method generally adopted in industry today is fuzz testing (also called random black-box brute-force testing). Fuzz testing generates test data automatically, its results are accurate and it is widely applicable; however, the path coverage of the generated test input files is low, many of the generated test cases exercise the same path, the generation process lacks guidance and is inefficient, there is no recorded association between a test input file and the program exception it causes, the approach depends heavily on manual effort, and the process contains many uncertain factors.
Current techniques for mining or detecting vulnerabilities in binary programs fall into two classes, static and dynamic. A dynamic method first mutates an input file of the binary program, then loads the input file and monitors the execution of the program under test to detect whether the input file causes it to crash. Dynamic methods are mostly based on symbolic execution and constraint solving, so the efficiency of vulnerability detection depends on the precision of the symbolic execution and the solving capability of the constraint solver. If the program under test contains complex conditional branches and deeply nested loops, the execution path caused by an input file can be very long. To avoid the high computational cost of symbolic execution and constraint solving, such techniques usually traverse the inner branches of a loop only once, or set a fixed number of loop unrollings (commonly one). Blindly truncating loops to save computation is likely to miss some important paths, and it is precisely on those paths that potential security vulnerabilities may lie.
A static method does not run the program under test and therefore cannot obtain information about its runtime behaviour; as a result, most static analysis methods for binary programs have a high false positive rate. Splint, for example, has a false positive rate approaching 50%, and Flawfinder and RATS also have high false positive rates.
As software grows, the number of conditional branches and loops in it inevitably rises. Complex conditional branches and deeply nested loops in binary programs cause a serious path explosion problem. The input space of a program is very large, while the part of it that a malicious user can control may be very small. All of these factors increase the difficulty of mining vulnerabilities in binary programs.
In summary, the mainstream static and dynamic analysis techniques currently have the following problems:
(1) Dynamic vulnerability mining techniques based on symbolic execution and constraint solving face high computational cost.
(2) Such techniques collect the constraint conditions of an execution path incompletely, and current constraint solvers have difficulty finding exact solutions to complex nonlinear constraints.
(3) Such techniques usually truncate loops blindly and so easily miss program paths that may contain vulnerabilities.
(4) The test cases generated automatically by fuzzing-based dynamic testing are blind: a large number of them point to the same path, generation lacks guidance, and the efficiency with which they trigger potential security vulnerabilities in a binary program is low.
(5) Static analysis is efficient and path-sensitive, but in theory it suffers from high false negative and false positive rates and has difficulty locating vulnerabilities precisely. Most static analysis also needs source code; static symbolic execution for binary programs is more complex and computationally expensive.
Therefore, how to combine the advantages of static and dynamic analysis techniques, automate the mining of binary program vulnerabilities and improve its efficiency has become an important research topic in the software security field.
Summary of the invention
In view of this, the object of the present invention is to provide a device and method for mining binary program vulnerabilities that combine a genetic algorithm with dynamic taint tracking. The invention uses the fitness function of the genetic algorithm to guide the generation of test cases, and at the same time uses a dynamic taint tracking module to narrow the search space of the genetic algorithm and accelerate its convergence, thereby improving the efficiency and accuracy of vulnerability mining.
To achieve the above object, the invention provides a vulnerability mining device for binary programs combining a genetic algorithm with dynamic taint tracking, characterised in that the device is provided with a static analysis module, a debugger module, a genetic algorithm module, a test input generation module and an exception monitoring module connected in sequence, and a dynamic taint tracking module located between the debugger module and the genetic algorithm module, wherein:
The static analysis module, developed on top of IDA Pro (Interactive Disassembler Professional), extracts the control flow structure of the program under test, the start addresses of its basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information. The module analyses the jump instructions in the binary program to obtain the start addresses of the basic blocks and the jump relations between them, then uses the library functions provided by IDA Pro to obtain the call addresses of the dangerous functions in the binary program.
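The following is an added example, not the patent's IDA Pro module: it shows the three outputs the static analysis module is described as producing (basic block start addresses, jump relations between blocks, and call addresses of dangerous functions) computed from a constructed, already-disassembled x86 listing. The addresses, mnemonics, watch-list and function names are assumptions chosen for illustration; a real implementation would take the listing from a disassembler.

```python
# Added example, not the patent's IDA Pro module: recover basic-block leaders,
# jump relations and dangerous-function call sites from a constructed,
# already-disassembled x86 listing.  Addresses, mnemonics, the watch-list and
# the function names are assumptions chosen for illustration.

DANGEROUS = {"strcpy", "memcpy", "sprintf", "malloc"}   # assumed watch-list

# Constructed listing: (address, mnemonic, operand).  Jump targets are given
# as hex immediates; calls name their target for readability.
LISTING = [
    (0x401000, "push", "ebp"),
    (0x401001, "mov",  "ebp, esp"),
    (0x401003, "cmp",  "dword [ebp+8], 0"),
    (0x401007, "je",   "0x401020"),
    (0x401009, "push", "dword [ebp+8]"),
    (0x40100C, "call", "strcpy"),
    (0x401011, "jmp",  "0x401030"),
    (0x401020, "call", "malloc"),
    (0x401025, "test", "eax, eax"),
    (0x401027, "jne",  "0x401009"),
    (0x401030, "pop",  "ebp"),
    (0x401031, "ret",  ""),
]

COND_JUMPS = {"je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl"}


def _next_addr(listing, i):
    """Address of the instruction following index i, or None at the end."""
    return listing[i + 1][0] if i + 1 < len(listing) else None


def analyze(listing=LISTING, dangerous=DANGEROUS):
    """Return (leaders, edges, dangerous_calls), the configuration the
    static analysis module hands to the debugger module:
      leaders         sorted start addresses of the basic blocks
      edges           set of (src_block, dst_block) jump/fall-through relations
      dangerous_calls {call_address: callee_name}
    """
    # Pass 1: a leader is the entry, any jump target, and the instruction
    # after any jump or return.
    leaders = {listing[0][0]}
    for i, (addr, mn, op) in enumerate(listing):
        if mn == "jmp" or mn in COND_JUMPS:
            leaders.add(int(op, 16))
        if mn in ("jmp", "ret") or mn in COND_JUMPS:
            nxt = _next_addr(listing, i)
            if nxt is not None:
                leaders.add(nxt)
    leaders = sorted(leaders)

    def block_of(addr):
        # the block containing addr starts at the greatest leader <= addr
        return max(l for l in leaders if l <= addr)

    # Pass 2: edges from jumps and from fall-through into a new block,
    # plus the call sites of watch-listed functions.
    edges, dangerous_calls = set(), {}
    for i, (addr, mn, op) in enumerate(listing):
        src, nxt = block_of(addr), _next_addr(listing, i)
        if mn == "jmp":
            edges.add((src, int(op, 16)))
        elif mn in COND_JUMPS:
            edges.add((src, int(op, 16)))
            edges.add((src, nxt))
        elif mn == "ret":
            pass
        else:
            if mn == "call" and op in dangerous:
                dangerous_calls[addr] = op
            if nxt in leaders:                 # fall-through edge
                edges.add((src, nxt))
    return leaders, edges, dangerous_calls


if __name__ == "__main__":
    leaders, edges, calls = analyze()
    print("leaders:", [hex(l) for l in leaders])
    print("edges:", sorted((hex(a), hex(b)) for a, b in edges))
    print("dangerous calls:", {hex(a): f for a, f in calls.items()})
```

The leader rule (entry, every jump target, every instruction after a jump or return) is the standard one; the `jne` back to 0x401009 shows why the block after `je` must be a leader even though control also falls through into it.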
The debugger module, the basic platform of the device, monitors the execution of the program under test and records the relevant information. According to the configuration information provided by the static analysis module it identifies and intercepts the underlying Windows application programming interface (API) functions to obtain the position at which the program under test opens the input file; it records the basic blocks executed by the program under test for each input file, the corresponding execution trace and the number of times dangerous functions are executed; it reads register and stack data, computes and updates the values of register and memory variables, and can set breakpoints on given memory addresses in the program under test. The debugger module then passes the information obtained from these computations to the genetic algorithm module for computing the fitness function value of the input file.
The dynamic taint tracking module implements fine-grained, byte-level dynamic taint tracking: it identifies the key bytes in the input file of the program under test and supplies them as the crossover and mutation space of the genetic algorithm module, improving the convergence speed of the genetic algorithm. The module assigns each byte of the input data a unique label and then tracks the propagation of that label through the program under test; when tracking propagation it considers both data dependencies between values and control dependencies between different variables. It identifies the key bytes of the input file and passes the key-byte information to the genetic algorithm module as the space for its crossover and mutation operations.
The genetic algorithm module, from the basic blocks covered by each input file, the corresponding execution trace and the number of dangerous-function executions supplied by the debugger module, and from the key bytes identified by the dynamic taint tracking module, computes for each input file the basic block coverage rate of the program under test, the minimum execution path information (how rarely the path is executed) and the number of dangerous-function executions, then computes the fitness function value of each input file and passes it to the test input generation module for generating new input files for the next round of testing. A higher fitness function value means the input file may cause the program under test to cover more basic blocks, to follow a "rare path", or to execute dangerous functions more often; when all three values (basic block coverage rate, minimum execution path information and dangerous-function execution count) are high, the input file is very likely to trigger a potential security vulnerability in the program under test.
The test input generation module sorts the input files of the program under test by the fitness function values received from the genetic algorithm module and, according to the scale set by the user, selects the input files with the highest fitness values and sends them to the debugger module for the next round of testing, since input files with high fitness values are more likely to trigger potential security vulnerabilities.
The exception monitoring module monitors the execution of the program under test for each input file; if an exception occurs, it records the input file that caused the exception, along with the location of the exception in the program under test, the exception type and the context in which the exception occurred.
The dangerous functions include memory allocation, memory copying, string functions and functions that take format parameters. The key bytes are the bytes of the input file that taint the parameter values of dangerous functions in the program under test; they are also called the key bytes of the input file corresponding to that program.
The fitness function computed by the genetic algorithm module is:
Fitness(x) = w1 × bbc_x + w2 × lcov_x + w3 × rIndex × log(D_x)
where x is the input file, and bbc_x, lcov_x and D_x are respectively the basic block coverage rate of the program under test for input file x, the minimum execution path information and the number of dangerous-function executions. bbc_x drives the genetic algorithm module to generate new test input files that cover more basic blocks; lcov_x drives it to generate files whose execution paths differ as much as possible, maximising path coverage; D_x drives it to generate files that execute dangerous functions more often. w1, w2 and w3 are the weights of the three factors, each in the range [0, 1], and rIndex is an adjustment factor in the range [0, 1].
The genetic operators (crossover and mutation) of the genetic algorithm module act on the key bytes of the input file, not on the whole input file, which narrows the crossover and mutation space, speeds up convergence and thereby improves the efficiency of vulnerability mining.
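The following is an added example, not the patent's own code, of the fitness function and the ranking step of the test input generation module. The traces (blocks executed and dangerous-function execution counts per input file) are constructed assumptions. Two details the text leaves open are filled with labelled assumptions: lcov_x is measured as the rarity of the input's path within the current population, and log(1 + D_x) is used in place of log(D_x) so that an input that executes no dangerous function (D_x = 0) still has a defined fitness rather than a log of zero.

```python
import math

# Added example of the fitness function, not the patent's own code.  Each
# constructed trace gives, for one input file, the set of basic-block start
# addresses the debugger module saw executed and the number of
# dangerous-function executions; all values are assumptions for illustration.
TRACES = {
    "seed.bin":  ({0x401000, 0x401020, 0x401030}, 1),
    "mut_a.bin": ({0x401000, 0x401020, 0x401030}, 1),   # same path as seed
    "mut_b.bin": ({0x401000, 0x401009, 0x401030}, 1),
    "mut_c.bin": ({0x401000, 0x401009, 0x401020, 0x401030}, 3),
}
ALL_BLOCKS = {0x401000, 0x401009, 0x401020, 0x401030}   # from static analysis


def path_key(blocks):
    """Identity of an execution path, here the sorted set of blocks it covers."""
    return tuple(sorted(blocks))


def bbc(x, traces, all_blocks):
    """Basic block coverage rate bbc_x."""
    blocks, _ = traces[x]
    return len(blocks & all_blocks) / len(all_blocks)


def lcov(x, traces):
    """Minimum execution path information lcov_x.  Assumption: measured as the
    rarity of x's path within the population, 1 - (inputs sharing the path /
    population size), so an input on a rare path scores higher."""
    blocks, _ = traces[x]
    shared = sum(1 for b, _ in traces.values() if path_key(b) == path_key(blocks))
    return 1.0 - shared / len(traces)


def fitness(x, traces=TRACES, all_blocks=ALL_BLOCKS, w=(1.0, 1.0, 1.0), r_index=0.5):
    """Fitness(x) = w1*bbc_x + w2*lcov_x + w3*rIndex*log(D_x).
    Assumption: log(1 + D_x) is used so the term stays defined when no
    dangerous function executed (D_x = 0)."""
    w1, w2, w3 = w
    _, d_x = traces[x]
    return (w1 * bbc(x, traces, all_blocks)
            + w2 * lcov(x, traces)
            + w3 * r_index * math.log(1 + d_x))


def select(scale, traces=TRACES, all_blocks=ALL_BLOCKS, **kw):
    """Test input generation module: rank by fitness, keep the top `scale`."""
    ranked = sorted(traces, key=lambda x: fitness(x, traces, all_blocks, **kw),
                    reverse=True)
    return ranked[:scale]


if __name__ == "__main__":
    for name in TRACES:
        print(f"{name:10s} fitness={fitness(name):.4f}")
    print("next round:", select(2))
```

With equal weights and rIndex = 0.5, mut_c.bin (full block coverage, a unique path, three dangerous calls) ranks first and mut_b.bin second; seed.bin and mut_a.bin tie because they share a path and are penalised by the rarity term, which is exactly the "many test cases point to the same path" problem the fitness function is meant to counter.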
To achieve the above object, the invention also provides a detection method using the vulnerability mining device combining a genetic algorithm with dynamic taint tracking, characterised in that the method merges the advantages of static and dynamic analysis so that analysts need only concentrate on program code of interest for subsequent analysis. The method comprises the following steps:
(1) According to the type of the program under test, the user prepares a standard test file in advance and randomly modifies some of its bytes to generate input files; the user controls the number of input files.
(2) The static analysis module statically analyses the program under test, obtaining the start addresses of its basic blocks, the jump information between basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information.
(3) Using the configuration information from the static analysis module, the debugger module computes, for each input file, the basic block coverage rate of the program under test, the minimum execution path information and the number of dangerous-function executions.
(4) To narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the input file of the program under test and writes them into an array according to the offset of each key byte from the start of the input file, then passes the array to the genetic algorithm module, which performs crossover and mutation on this array. The array is then written back into the input file at each byte's offset from the start of the file, producing the new test input file. This narrows the search space of the genetic algorithm, accelerates its convergence and improves the efficiency of vulnerability mining.
(5) The genetic algorithm module computes the fitness function value of each input file from the basic block coverage rate, minimum execution path information and dangerous-function execution count obtained from the debugger module, and from the key bytes identified by dynamic taint tracking; the fitness function value guides the generation of test input files and avoids the blindness with which dynamic testing methods generate them.
(6) The test input generation module sorts the input files by fitness function value and, according to the scale set by the user, selects the input files with the highest fitness values and sends them to the debugger module for the next round of testing.
(7) The exception monitoring module loads the program under test and the input files from step (6), and monitors execution after the program opens each input file; if an exception occurs it records the input file that caused it, together with the location of the exception in the program under test, the exception type and the context of the exception location.
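The following is an added example, not the patent's own code, of step (4): the key bytes are copied into an offset-tagged array, crossover and mutation run over that array only, and the result is written back at the recorded offsets. The two parent input files and the key-byte offsets (in practice the offsets reported by dynamic taint tracking) are constructed assumptions; the check at the end confirms that bytes outside the key set are never touched, which is what narrows the search space.

```python
import random

# Added example of step (4), not the patent's own code.  The two parent input
# files and the key-byte offsets (the bytes dynamic taint tracking found to
# taint dangerous-function parameters) are constructed assumptions.
PARENT_A = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
PARENT_B = bytes.fromhex("89504e470d0a1a0a000000104948445a")
KEY_OFFSETS = [8, 9, 10, 11, 15]   # offsets from the start of the file


def extract(data, offsets):
    """Copy the key bytes into an array that remembers each byte's offset."""
    return [(off, data[off]) for off in offsets]


def crossover(arr_a, arr_b, point):
    """One-point crossover over the key-byte arrays only."""
    return arr_a[:point] + arr_b[point:]


def mutate(arr, rng, rate=0.5):
    """Replace each key byte with probability `rate`; offsets are kept."""
    return [(off, rng.randrange(256) if rng.random() < rate else val)
            for off, val in arr]


def write_back(template, arr):
    """Write the array into a copy of the template at the recorded offsets;
    every byte outside the key set is left exactly as it was."""
    buf = bytearray(template)
    for off, val in arr:
        buf[off] = val
    return bytes(buf)


def next_input(parent_a, parent_b, offsets, seed=0):
    """One crossover-then-mutation round restricted to the key bytes."""
    rng = random.Random(seed)
    child = crossover(extract(parent_a, offsets), extract(parent_b, offsets),
                      point=len(offsets) // 2)
    return write_back(parent_a, mutate(child, rng))


def only_key_bytes_changed(parent, child, offsets):
    """Check that the search space really was narrowed to the key bytes."""
    return len(parent) == len(child) and all(
        parent[i] == child[i] for i in range(len(parent)) if i not in offsets)


if __name__ == "__main__":
    child = next_input(PARENT_A, PARENT_B, KEY_OFFSETS, seed=1)
    print(child.hex())
    print("non-key bytes preserved:",
          only_key_bytes_changed(PARENT_A, child, KEY_OFFSETS))
```

Because the array keeps each byte's offset, crossover between two parents of different layouts still writes every child byte to the position the taint tracker reported, and the file header and other non-key bytes that make the input parseable survive every generation.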
In step (4), the dynamic taint tracking module first performs initialisation consisting of:
(41) Initialising the program under test: a thread synchronisation lock is used so that while one thread accesses a resource no other thread can access it at the same moment, guaranteeing synchronised reads and writes during taint tracking.
(42) Registering system callback functions: the hook mechanism of Pin, a dynamic binary instrumentation tool, captures the input parameters and return values of the system APIs related to filtering and input files, implementing input monitoring for the dynamic initialisation of the program under test.
(43) Traversing the export table of the program under test and the export tables of the dynamic link libraries it loads, and, according to self-defined "dangerous function auxiliary rules", inserting monitoring code at the entry and exit of each dangerous function call in the program under test.
In step (4), after initialisation the dynamic taint tracking module does the following. Using Pin's routine-level instrumentation it hooks the Windows system functions and extracts the memory location and the number of bytes read into memory as the taint source of the program under test. It then reads instructions basic block by basic block starting from the entry address of the program under test and, once it observes the program opening the input file, begins dynamic taint tracking: each time a new instruction block is loaded it first checks whether the program under test has dynamically loaded a new dynamic link library; if so, it traverses the export table of the new library and hooks and inserts monitoring code for its dangerous functions, which keeps the dynamic tracking current and avoids the limitation that static analysis can only deal with a single input file; if not, it continues loading the next instruction block and performs the corresponding operations.
Because the operands of x86 instructions are 32 bits wide, the monitoring target of the dynamic taint tracking module is a 32-bit operating system. To prevent the spread of tainted data from seriously degrading the precision of the module in real tests, the granularity of taint tracking is set to the byte level, i.e. every 8 bits form one taint unit, and all flag registers are defined separately according to their actual function.
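The following is an added example, not the patent's Pin tool: a byte-level taint tracker simulated over a constructed toy instruction trace rather than real x86 instrumentation. It shows the three properties described above: each input byte carries its own label (its offset), the flag register is tracked separately from the general registers, and a conditional branch on tainted flags makes values written inside the branch control-dependent on the condition's labels. The input bytes, the trace and the dangerous-function watch-list are assumptions; running it with and without control-dependence tracking shows which key bytes each policy reports.

```python
# Added example, not the patent's Pin-based module: a byte-level taint
# tracker simulated over a constructed toy instruction trace.  Each input
# byte carries its own label (its offset), flag state is tracked apart from
# the general registers, and a conditional branch on tainted flags makes the
# values written inside the branch control-dependent on the condition's
# labels.  The input, the trace and the watch-list are assumptions.
INPUT = bytes([0x02, 0x00, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46])   # constructed file
DANGEROUS = {"memcpy", "malloc"}

# Toy trace.  ("ld", reg, off) loads INPUT[off]; "imm" is an untainted constant;
# ("jcc",) opens a region conditional on the last cmp, ("join",) closes it.
TRACE = [
    ("ld",   "eax", 0),              # length, low byte
    ("ld",   "ebx", 1),              # length, high byte
    ("add",  "eax", "ebx"),          # eax = full length  -> {0, 1}
    ("ld",   "ecx", 2),              # a mode byte        -> {2}
    ("cmp",  "ecx", "imm"),          # flags              -> {2}
    ("jcc",),                        # branch on the mode byte
    ("mov",  "edx", "imm"),          # constant, but control-dependent on {2}
    ("join",),
    ("xor",  "esi", "esi"),          # zeroing idiom clears taint
    ("call", "memcpy", "esi", "edx", "eax"),
    ("call", "strlen", "ecx"),       # not on the watch-list, not reported
]


def taint_track(trace, track_control=True, dangerous=DANGEROUS):
    """Return {dangerous callee: sorted input offsets reaching its arguments}."""
    regs = {}          # register -> set of input-byte labels
    flags = set()      # flag register kept separate from general registers
    scope = set()      # labels inherited by writes inside a tainted branch
    found = {}

    def labels(op):
        return set(regs.get(op, ())) if isinstance(op, str) and op != "imm" else set()

    for ins in trace:
        op = ins[0]
        if op == "ld":
            assert 0 <= ins[2] < len(INPUT)
            regs[ins[1]] = {ins[2]} | scope
        elif op == "mov":
            regs[ins[1]] = labels(ins[2]) | scope
        elif op == "add":
            regs[ins[1]] = labels(ins[1]) | labels(ins[2]) | scope
        elif op == "xor" and ins[1] == ins[2]:
            regs[ins[1]] = set(scope)      # xor r,r produces a constant
        elif op == "cmp":
            flags = labels(ins[1]) | labels(ins[2])
        elif op == "jcc":
            scope = set(flags) if track_control else set()
        elif op == "join":
            scope = set()
        elif op == "call" and ins[1] in dangerous:
            got = set(scope)
            for arg in ins[2:]:
                got |= labels(arg)
            found.setdefault(ins[1], set()).update(got)
    return {name: sorted(offs) for name, offs in found.items()}


def key_bytes(trace, **kw):
    """Union over all dangerous calls: the offsets the genetic algorithm
    should restrict crossover and mutation to."""
    return sorted({off for offs in taint_track(trace, **kw).values() for off in offs})


if __name__ == "__main__":
    print("data+control:", taint_track(TRACE))
    print("data only:   ", taint_track(TRACE, track_control=False))
    print("key bytes:   ", key_bytes(TRACE))
```

With control dependence tracked, offset 2 (the mode byte) is reported as a key byte because the constant written to `edx` inside the branch depends on it; with data dependence alone only offsets 0 and 1 (the length) reach `memcpy`. The zeroing idiom `xor esi, esi` is handled as a constant write, one of the common cases that otherwise makes byte-level taint over-approximate and spread.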
Compared with the prior art, the innovative advantages of the present invention are:
The invention uses the fitness function of the genetic algorithm to guide the generation of test input files. When constructing the fitness function it takes into account the basic block coverage rate of the program under test, the minimum execution path information and the number of dangerous-function executions, and uses the fitness function to guide generation, avoiding the blindness with which traditional dynamic testing techniques generate test input files.
When constructing the fitness function, the invention takes into account the minimum execution path information of the program under test, so that each generated test input file executes a different path as far as possible and the paths covered by the test input files are maximised.
The invention uses dynamic taint tracking to identify the key bytes in the input file of the program under test as the crossover and mutation space of the genetic algorithm, narrowing the operating space of the genetic algorithm, accelerating the generation of targeted test input files and improving the efficiency of vulnerability mining.
The invention combines the advantages of static and dynamic analysis of binary programs: it mainly uses a dynamic method to generate test input files, uses static analysis to extract relevant information about the program under test, has the genetic algorithm module compute the fitness function value of each test input file from the statically obtained information, and then guides generation with the fitness values, avoiding the blindness of dynamic generation. The generated test input files are therefore strongly targeted and can rapidly trigger potential vulnerabilities in the program under test, so the invention has good prospects for wide application.
Brief description of the drawings
Fig. 1 is a block diagram of the structure and operating process of the device of the invention for mining binary program vulnerabilities combining a genetic algorithm with dynamic taint tracking.
Fig. 2 is a schematic diagram of the operation of the genetic algorithm module of the device on the identified key bytes.
Fig. 3 is a schematic diagram of the crossover and mutation operations of the genetic algorithm module of the device.
Fig. 4 is a block diagram of the operating process of the dynamic taint tracking module of the device.
Embodiment
For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with accompanying drawing, the present invention is described in further detail.
Referring to Fig. 1, first introduce blending inheritance algorithm of the present invention and the structure composition of device that dynamically pollutes the binary program bug excavation of following the tracks of: this device is provided with the static analysis module, debugger module, genetic algorithm module, test input generation module and the abnormal monitoring module that are linked in sequence, and dynamic pollution tracking module between debugger module, genetic algorithm module; Wherein:
Static analysis module, this module is based on interactive disassembler professional version IDAPro(InteractiveDisassembler Professional) exploitation realizes, for extracting the call address of control flow structure, fundamental block information and dangerous function of tested binary program; This module is by analyzing the jump instruction in binary program, obtain the fundamental block of binary program and control flow structure, the built-in function that recycling IDAPro provides obtains the call address of the dangerous function in binary program, and sends these information to debugger module as configuration information.
Debugger module, as the basic platform of this device, for monitoring the implementation of tested binary program, and the relevant execution information of record; This module major function comprises: the configuration information providing according to static analysis module, the application programming interface API(ApplicationProgramming Interface of identification and interception Windows bottom) function, the position that obtains tested binary program and open input file; And the execution number of times of dangerous function in the execution track of tested binary program corresponding to the tested binary program that caused by input file of record fundamental block, the input file carried out and this tested binary program; Read the data in register and storehouse in binary program, calculate and upgrade register variable in binary program and the numerical value of memory variable; Realize to given memory address the function to breakpoint under tested binary program; Then the information that debugger module is obtained above-mentioned calculating sends genetic algorithm module to, for calculating the fitness function value that input file is corresponding.
Dynamically pollute tracking module, being used for realizing the fine-grained dynamic pollution of byte level follows the tracks of, identify the key bytes in the input file that tested binary program is corresponding, and space using this key bytes as genetic algorithm module crossover and mutation, improve the speed of convergence of genetic algorithm: in the input data that this module is tested binary program, each byte is given a unique tags, then follows the tracks of the transmittance process of this label in tested binary program; And following the tracks of in input data transfer, both considered the transitive dependency relation between data, also considered the control dependence between different variablees; Identify key bytes in the input file that tested binary program is corresponding (so-called key bytes is the byte of polluting the parameter value of dangerous function in tested binary program in input file simultaneously, and dangerous function is to comprise Memory Allocation, memory copying, character string and the many kinds of function that some contain format parameter), and crucial byte information is offered to genetic algorithm module, be used as the space of the crossover and mutation of genetic algorithm module.
Genetic algorithm module, the binary program execution track that the responsible fundamental block that comprises tested binary program that each input file covers providing according to debugger module is corresponding with it and wherein the execution number of times of dangerous function, and dynamically pollute the key bytes that tracking module identifies, calculate the fundamental block coverage rate of the tested binary program that each input file is corresponding, the execution number of times of the dangerous function that minimum execution path information and this input file are corresponding, then calculate the fitness function value that each input file is corresponding, and this fitness function value is passed to test input generation module, carry out next round test for generating new input file, and, if the fitness function value that input file is corresponding is higher, the execution route that fundamental block that input file may cause tested binary program to cover is more, cause tested binary program for " rare path " or the dangerous function number of times that causes tested binary program to be carried out more, in the time that above-mentioned three numerical value of input file are all higher, this input file just may trigger the potential security breaches of tested binary program of its correspondence very much, the genetic manipulation object of the crossover and mutation that described genetic algorithm module is carried out is the key bytes in the input file that tested binary program is corresponding, it is not whole input file, to dwindle the space of genetic algorithm crossover and mutation, improve the speed of convergence of genetic algorithm, and then improve the efficiency of binary program bug excavation.The computing formula of the fitness function in this genetic algorithm module is: Fitness (x)=w 1× bbc x+ w 2× lcov x+ w 3× rIndex × lo g(D x), in formula, variable x is input file, bbc x, lcov xand D xbe respectively 
the execution number of times of the fundamental block coverage rate of the tested binary program that this input file x is corresponding, minimum execution path information and dangerous function, wherein, bbc xcause tested binary program to cover more fundamental block, lcov for making genetic algorithm module generate new tested input file xfor making genetic algorithm module generate the execution route difference as far as possible that new tested input file produces, realizing route covers and maximizes, D xcause tested binary program to carry out the dangerous function of more number of times for making genetic algorithm module generate new tested input file; w 1, w 2, w 3be respectively above-mentioned bbc x, lcov xand D xthe weight of three factors, its span is all [0,1], rIndex is that span is the adjustment factor of [0,1].
Test input generation module: this module sorts the input files of the tested binary program by the fitness function value that the genetic algorithm module assigned to each of them, and then, according to the population size set by the user, selects the input files with the highest fitness values and sends them to the debugger module for the next round of testing, because input files with high fitness values are more likely to trigger potential security vulnerabilities in the tested binary program.
Exception monitoring module: this module monitors the execution of the tested binary program on each input file; if an exception occurs, it records the input file that caused the exception in the tested binary program, together with the location in the tested binary program where the exception occurred, the exception type and the context information at the time of the exception.
The present invention also provides a method for detecting vulnerabilities in a binary program using the above vulnerability mining device that combines a genetic algorithm with dynamic taint tracking. The method combines the advantages of the genetic algorithm and of dynamic taint analysis: to keep the dynamic testing method from generating test data blindly, the fitness function of the genetic algorithm guides the generation of test cases; at the same time, to narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the test input file and writes them, by their offsets from the start of the input file, into an array on which the genetic algorithm module performs crossover and mutation. This lets the analyst concentrate on the program code of interest for subsequent analysis, shrinks the search space of the genetic algorithm, speeds up its convergence and improves the efficiency of vulnerability mining in the tested binary program. The method also merges the advantages of the static analysis and dynamic analysis branches of vulnerability mining technology, so that the analyst only needs to pay attention to the program code of interest and analyse it further.
The method comprises the following operation steps:
Step 1: according to the type of the tested binary program, the user prepares in advance a standard test file and randomly modifies some of its bytes to generate input files; the number of input files (the population size) is controlled by the user.
Step 2: the static analysis module performs static analysis on the tested binary program, obtaining the start addresses of its basic blocks, the jump relations between the basic blocks and the call addresses of dangerous functions; this information is then passed to the debugger module as configuration information.
Step 3: using the configuration information from the static analysis module, the debugger module calculates, for each input file, the basic block coverage of the tested binary program, the rare-path (minimum execution path) information and the number of dangerous function executions.
Step 4: to narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the input file of the tested binary program, writes these key bytes into an array according to each key byte's offset from the start of the input file, and sends the array to the genetic algorithm module, which performs crossover and mutation on it; the array after crossover and mutation is then written back into the input file according to each byte's offset from the start of the input file, producing the new test input file generated by the genetic algorithm's crossover and mutation. This shrinks the search space of the genetic algorithm, speeds up its convergence and improves the efficiency of binary program vulnerability mining.
Referring to Fig. 4, the concrete operations performed by the dynamic taint tracking module in this step 4 are as follows:
The dynamic taint tracking module first carries out the following three initialization operations:
(41) Initialize the tested binary program: use a thread synchronization lock to ensure that while a thread is accessing a resource no other thread accesses the same resource at the same time, so that reads and writes during taint tracking are synchronized;
(42) Register system callback functions: using the hook mechanism of Pin, a tool that can dynamically instrument binary programs, capture the input parameters and return values of the system APIs related to filtering and to the input file, in order to monitor the input of the tested binary program during dynamic initialization;
(43) Traverse the export table of the tested binary program and the export tables of the dynamic link libraries it loads, and, using user-defined "dangerous function auxiliary rules", insert monitoring code at the entry and exit of each dangerous function called by the tested binary program.
After initialization, the device starts reading instructions one basic block at a time from the entry address of the tested binary program. Because the dynamic taint tracking module is built on Pin (a framework for dynamic instrumentation), the work it performs after initialization is as follows: it uses Pin's routine instrumentation capability to hook the Windows system functions (such as NtCreateFile, NtReadFile and so on) and extracts from them the memory location and the number of bytes read into memory, which serve as the taint source of the tested binary program. It then starts reading instructions basic block by basic block from the entry address of the tested binary program. When it observes that the input of the tested binary program has become effective (for example, the specified input file has been opened), it starts dynamic taint tracking: each time a new instruction block is loaded, it first checks whether the tested binary program has dynamically loaded a new dynamic link library; if so, it traverses the export table of the new library, hooks its dangerous functions and inserts monitoring code, which keeps the dynamic tracking up to date and avoids the limitation of static analysis, which can only deal with a single input file; if not, it continues to load the next instruction block and performs the corresponding operations. The operation steps performed by the dynamic taint tracking module are introduced next:
Step 4a: parse the registers and memory locations used by the current instruction and save them respectively in an instruction type linked list, an instruction source linked list and an instruction destination linked list.
Step 4b: determine whether the instruction type is one that the device can process; the supported types include ordinary instructions, arithmetic instructions, control instructions, jump instructions and so on, more than 100 kinds in total.
Step 4c: following the rules of dynamic taint tracking and dynamic execution, and according to the monitored list of dangerous functions, determine whether any byte of the input file is passed into a dangerous function; if so, record the offset of that byte from the start of the input file. Dynamic taint tracking works at byte granularity.
Step 4d: monitor whether a jump was taken, and determine whether the jump depends on the input data.
Step 4f: record changes to the flags register; if tainted data is involved, then when a branch occurs the relevant information is read directly from the flags register data structure.
Step 4e: output the start and end addresses of the taint source of the tested binary program, that is, the key bytes identified by the dynamic taint tracking module.
The dynamic taint tracking module is implemented on the x86 assembly instruction set, so its dynamic taint tracking starts from recognizing the instruction type. The present invention selects only the commonly used instructions for dynamic taint trace analysis. According to actual testing, an ordinary program produced by a compiler on the Windows platform uses only about 300 assembly instruction types; after discarding the rarely used assembly instructions and the floating-point instructions (which have little effect on the accuracy of the dynamic taint analysis result), the remaining instructions are the ones the taint tracker must parse. Because the operands in the x86 instruction format are all 32-bit, the monitoring target of the dynamic taint tracking module is a 32-bit operating system. In actual testing of the dynamic taint tracking module it was often found that when only one or a few bits of a 32-bit value are tainted, marking the whole 32 bits as tainted data inadvertently expands the tainted data and seriously harms the accuracy of the dynamic taint tracker. To prevent this in real tests, the tracking precision of the dynamic taint tracking module is set at byte level, that is, every 8 bits form one taint unit, and all flag registers are redefined individually according to their actual function.
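As an added illustration of steps 4a to 4f and of the byte-level precision just described (example code written for this page, not the Pin-based tracker of the patent), the following Python model propagates taint labels one byte at a time through a small x86-like instruction subset. The instruction tuples, register names, addresses, file offsets and the dangerous-function list are constructed for the example: the hooked file read plays the role of the taint source, a compare followed by a conditional jump records an input-dependent branch, and a dangerous call with a tainted argument yields the key byte offsets.

```python
# Byte-granular taint tracker over a tiny x86-like instruction subset.
# Instruction tuples, registers, addresses and offsets are constructed.

REGS = ("eax", "ebx", "ecx", "edx")
DANGEROUS = {"strcpy", "memcpy", "sprintf"}   # assumed dangerous-function list


class ByteTaintTracker:
    def __init__(self):
        # Every byte of every 32-bit register carries its own label set
        # (8 bits form one taint unit), as does every memory byte.
        self.reg = {r: [set() for _ in range(4)] for r in REGS}
        self.mem = {}
        self.flags = set()          # flags register taint (step 4f)
        self.key_bytes = set()      # file offsets reaching dangerous calls (4c)
        self.tainted_branches = []  # (instruction index, offsets) (step 4d)

    def _read(self, op):
        """Labels of a 32-bit operand: a register name or ("mem", address)."""
        if op in REGS:
            return [set(b) for b in self.reg[op]]
        base = op[1]
        return [set(self.mem.get(base + i, set())) for i in range(4)]

    def _write(self, op, labels):
        if op in REGS:
            self.reg[op] = labels
        else:
            for i, lab in enumerate(labels):
                self.mem[op[1] + i] = lab

    def run(self, program):
        for idx, ins in enumerate(program):
            kind = ins[0]
            if kind == "read":      # hooked file read: the taint source
                _, addr, nbytes, file_off = ins
                for i in range(nbytes):
                    self.mem[addr + i] = {file_off + i}
            elif kind == "mov":
                self._write(ins[1], self._read(ins[2]))
            elif kind == "xor" and ins[1] == ins[2]:
                # xor reg, reg zeroes the register: the result no longer
                # depends on the input, so its taint is dropped
                self._write(ins[1], [set() for _ in range(4)])
            elif kind in ("xor", "or", "and"):
                a, b = self._read(ins[1]), self._read(ins[2])
                self._write(ins[1], [a[i] | b[i] for i in range(4)])
            elif kind in ("add", "sub"):
                a, b = self._read(ins[1]), self._read(ins[2])
                out, carry = [], set()
                for i in range(4):      # carries only flow to higher bytes
                    carry = carry | a[i] | b[i]
                    out.append(set(carry))
                self._write(ins[1], out)
            elif kind == "cmp":         # flags depend on both operands
                a, b = self._read(ins[1]), self._read(ins[2])
                self.flags = set().union(*a, *b)
            elif kind == "jcc":         # branch decided by tainted flags?
                if self.flags:
                    self.tainted_branches.append((idx, sorted(self.flags)))
            elif kind == "call" and ins[1] in DANGEROUS:
                for arg in ins[2]:      # tainted bytes reaching the call
                    for byte in self._read(arg):
                        self.key_bytes |= byte
            else:
                raise ValueError(f"unsupported instruction: {ins}")
        return sorted(self.key_bytes)


# Constructed sample trace: 8 file bytes read to 0x1000, then used.
SAMPLE_PROGRAM = [
    ("read", 0x1000, 8, 0),              # NtReadFile-style read of file[0..7]
    ("mov", "eax", ("mem", 0x1000)),     # eax <- file[0..3]
    ("mov", "ebx", ("mem", 0x1004)),     # ebx <- file[4..7]
    ("xor", "ecx", "ecx"),               # ecx = 0, drops any taint
    ("add", "ecx", "eax"),               # ecx now depends on file[0..3]
    ("cmp", "ebx", "ecx"),
    ("jcc",),                            # branch decided by file bytes
    ("mov", "edx", ("mem", 0x1004)),
    ("call", "memcpy", ["edx"]),         # file[4..7] reach a dangerous call
]

if __name__ == "__main__":
    tracker = ByteTaintTracker()
    print("key bytes:", tracker.run(SAMPLE_PROGRAM))
    print("tainted branches:", tracker.tainted_branches)
```

Two details show why per-byte labels matter: after `add`, the low byte of ecx carries only offset 0 while the high byte carries offsets 0 to 3, which a single 32-bit taint mark could not express, and the `xor ecx, ecx` zeroing idiom removes taint instead of spreading it.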
Step 5: the genetic algorithm module calculates the fitness function value of each input file from the basic block coverage, rare-path (minimum execution path) information and number of dangerous function executions obtained from the debugger module for that input file, together with the key bytes identified by dynamic taint tracking; the fitness function guides the generation of test input files and avoids the blindness with which dynamic testing methods generate test files.
Step 6: the test input generation module sorts the input files by fitness function value and, according to the population size set by the user, selects the input files with high fitness values and sends them to the debugger module for the next round of testing.
Step 7: after loading the tested binary program and the input files from step (6), the exception monitoring module monitors the execution of the tested binary program after it opens each input file; if an exception occurs in the tested binary program, it records the input file that caused it, together with the location of the exception in the tested binary program, the exception type and the context information at the exception location.
The list of assembly instructions that affect the accuracy of the dynamic taint tracker's results is introduced below:
The check for dangerous functions is divided into two parts. One part covers the use of unsafe library functions. It is implemented by configuring a library of dangerous functions of interest in an input configuration file; the configuration gives the function name and the total number of function parameters, one dangerous function per line of the configuration file, and is defined by the user. When Pin loads a module, it traverses the exported function entries of the dynamic link library's export table and matches the address, name and parameters of each dangerous function. The dangerous function list is introduced below:
With the help of the debugger module, the genetic algorithm module extracts the control flow information of the tested binary program and records the execution trace caused by each test input file, the rare-path (minimum execution path) information and the number of dangerous function executions. All of this information is provided to the genetic algorithm module to dynamically calculate the fitness function value of each input file.
The genetic operations in the genetic algorithm module of the present invention act not on the whole test input file but on the key bytes in it. The key bytes that the dynamic taint tracking module identifies in the test input file of the tested binary program may be non-contiguous, which makes it difficult to perform genetic operations on them directly. To solve this problem, the key bytes identified by the dynamic taint tracking module are written into one array, and the offsets of the key bytes from the start of the input file are written into another array (shown in Fig. 2). The key bytes in the array are represented as a 0/1 sequence, and the genetic operations are carried out on that 0/1 sequence.
The crossover operation first computes the length L of the key byte array, randomly generates a number Ram between 0 and L, and then exchanges the 0/1 sequences on the two sides of position Ram in the array. The mutation operation first generates a random number Ra between 0 and L and then modifies the value at position Ra in the array: if the value there is 1 it is changed to 0, otherwise it is changed to 1 (shown in Fig. 3).
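The crossover and mutation just described, together with the extraction of key bytes into a 0/1 array and the write-back by offset from step 4, as an added Python example (not code from the patent). The sample file bytes, the key byte offsets and the fitness callback are constructed; the positions Ram and Ra are passed in explicitly so the operations are reproducible, and for mutation the position is drawn from [0, L) because position L holds no bit to flip (an assumption the page does not spell out).

```python
import random

# Constructed sample input file and key-byte offsets, standing in for what
# the dynamic taint tracking module would report (non-contiguous on purpose).
INPUT_FILE = bytearray(b"RIFF\x10\x00\x00\x00WAVEfmt \x10\x00\x00\x00")
KEY_OFFSETS = [4, 5, 6, 7, 16, 17]


def extract_key_bits(data, offsets):
    """Key bytes -> array of 0/1 values (8 bits per key byte, MSB first)."""
    bits = []
    for off in offsets:
        bits.extend((data[off] >> (7 - i)) & 1 for i in range(8))
    return bits


def write_back(data, offsets, bits):
    """Write the 0/1 array into a copy of the file at the recorded offsets."""
    out = bytearray(data)
    for k, off in enumerate(offsets):
        byte = 0
        for b in bits[8 * k: 8 * k + 8]:
            byte = (byte << 1) | b
        out[off] = byte
    return out


def crossover(a, b, ram):
    """Exchange the sequences on the two sides of position Ram (0 <= Ram <= L)."""
    return a[:ram] + b[ram:], b[:ram] + a[ram:]


def mutate(bits, ra):
    """Flip the bit at position Ra: 1 becomes 0, 0 becomes 1."""
    out = list(bits)
    out[ra] ^= 1
    return out


def next_generation(files, offsets, fitness_of, population_size, seed=0):
    """One round of test input generation: keep the best inputs by fitness,
    then breed children by crossover and mutation of their key bytes only.
    Non-key bytes are never touched, which is what shrinks the search space."""
    rng = random.Random(seed)
    ranked = sorted(files, key=fitness_of, reverse=True)[:population_size]
    children = []
    for i in range(0, len(ranked) - 1, 2):
        pa = extract_key_bits(ranked[i], offsets)
        pb = extract_key_bits(ranked[i + 1], offsets)
        L = len(pa)
        for child_bits in crossover(pa, pb, rng.randint(0, L)):
            child_bits = mutate(child_bits, rng.randrange(L))
            children.append(write_back(ranked[i], offsets, child_bits))
    return ranked, children


if __name__ == "__main__":
    alt = bytearray(INPUT_FILE)
    alt[4] = 0x20
    # constructed fitness: prefer inputs with a larger byte at offset 4
    parents, kids = next_generation([INPUT_FILE, alt], KEY_OFFSETS,
                                    lambda f: f[4], 2, seed=7)
    for kid in kids:
        print(kid.hex())
```

Because only the bytes at `KEY_OFFSETS` are rewritten, every child keeps the file's structure (here the RIFF header) intact, so the tested program still parses far enough to reach the code that consumes the key bytes.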
The control flow graph of the tested binary program is a directed graph: its nodes correspond to contiguous instruction blocks (basic blocks) and its edges correspond to the individual instructions (such as conditional branch instructions) that connect different basic blocks. The control flow graph of the tested binary program can be described by the formula G = (N, E, s, e), where N is the set of nodes, E is the set of edges, and s and e are respectively the entry point and the exit point of the tested binary program, with s, e ∈ N. A node n ∈ N represents a contiguous instruction sequence (a basic block): if any instruction in this sequence is executed, all instructions in it are executed in order. An edge (n_i, n_j) ∈ E represents one transfer of control flow from basic block n_i to basic block n_j.
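An added Python representation of G = (N, E, s, e) built from the kind of data the static analysis module produces (basic block start addresses and jump relations); the addresses and edges are constructed for the example and this is not the patent's code. It checks that a block trace recorded by the debugger follows edges of E starting from s, and lists the blocks that no input file has reached yet, which are exactly the blocks a higher bbc_x would have to cover.

```python
from collections import defaultdict

# Constructed CFG data in the form the static analysis module extracts:
# block start addresses, jump relations between blocks, entry and exit.
BLOCK_STARTS = [0x401000, 0x401020, 0x401030, 0x401050, 0x401080]
JUMPS = [(0x401000, 0x401020), (0x401000, 0x401030), (0x401020, 0x401050),
         (0x401030, 0x401050), (0x401050, 0x401080)]
ENTRY, EXIT = 0x401000, 0x401080


class ControlFlowGraph:
    """G = (N, E, s, e): N basic blocks, E control transfers, s entry, e exit."""

    def __init__(self, nodes, edges, s, e):
        self.N = set(nodes)
        self.E = set(edges)
        self.s, self.e = s, e
        if s not in self.N or e not in self.N:
            raise ValueError("entry and exit must be nodes of N")
        self.succ = defaultdict(set)
        for a, b in self.E:
            if a not in self.N or b not in self.N:
                raise ValueError(f"edge {a:#x}->{b:#x} leaves N")
            self.succ[a].add(b)

    def is_valid_trace(self, trace):
        """A recorded block trace must start at s and only follow edges of E."""
        if not trace or trace[0] != self.s:
            return False
        return all((a, b) in self.E for a, b in zip(trace, trace[1:]))

    def uncovered_blocks(self, traces):
        """Blocks of N that none of the given execution traces has visited."""
        covered = set()
        for t in traces:
            covered.update(t)
        return sorted(self.N - covered)

    def reachable(self):
        """Blocks reachable from s along edges of E (dead blocks are excluded)."""
        seen, stack = set(), [self.s]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.succ[n])
        return seen


if __name__ == "__main__":
    cfg = ControlFlowGraph(BLOCK_STARTS, JUMPS, ENTRY, EXIT)
    trace = [0x401000, 0x401020, 0x401050, 0x401080]
    print("valid:", cfg.is_valid_trace(trace))
    print("uncovered:", [hex(b) for b in cfg.uncovered_blocks([trace])])
```

A trace that fails `is_valid_trace` means the debugger's block recording and the static CFG disagree (for example an indirect jump the disassembler did not resolve), which is worth flagging before the coverage figure is fed into the fitness function.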
The present invention has been tested in practice many times; the implementation tests are briefly introduced below.
To better guide the genetic algorithm's search for test input files that may crash the tested binary program, the method of the invention mainly considers the following factors in designing the fitness function. Basic block coverage of the tested binary program: a test case with higher basic block coverage is more likely to trigger a potential security vulnerability in the tested binary program.
Rare-path (minimum execution path) information: if the input file of a test causes the tested binary program to execute a path that has not been executed before, that path is called a rare path. To distinguish the execution paths of the tested binary program caused by different test input files, a hash function is introduced that computes a hash value for every path: it applies the MD5 algorithm to the basic block information executed by the tested binary program for each test input file. The hash value of the basic block information executed for each input file is written into a linked list; if the hash value of an input file is identical to a hash value already stored in the list, the path executed by the tested binary program for this input file is considered identical to that of an earlier input file, and this input file is discarded.
Number of executions of dangerous functions or dangerous operations in the tested binary program: the more dangerous function or dangerous operation executions a test input file causes, the more likely that input file is to trigger a potential security vulnerability in the tested binary program.
Basic block coverage gives the number of basic blocks executed by the tested binary program for a test input file as a percentage of the total number of basic blocks in the tested binary program; the higher the basic block coverage of a test input file, the more likely it is to trigger a potential vulnerability in the tested binary program. The minimum execution path information expresses the ability of a test input file to cover paths that have not been executed before. The more dangerous function executions in the tested binary program an input file causes, the more likely it is to trigger a potential vulnerability in the tested binary program.
In summary, the repeated implementation tests that were carried out show that the device and method of the present invention can successfully detect security vulnerabilities in some real binary application programs, achieving the aim of the invention.
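The fitness computation from the three factors above (basic block coverage, rare-path information via an MD5 hash of the executed block sequence, and the dangerous function count), combined as in the genetic algorithm module's formula Fitness(x) = w1 × bbc_x + w2 × lcov_x + w3 × rIndex × log(D_x), as an added Python example rather than the patent's implementation. The weights, rIndex, block traces and dangerous call counts are constructed; two assumptions not stated on the page are that lcov_x is encoded as 1 for a new path hash and 0 for a repeated one, and that the log term is taken as 0 when D_x = 0, where log is undefined.

```python
import hashlib
import math

# Weights w1, w2, w3 and the adjustment factor rIndex, all in [0, 1] as the
# description requires; the concrete values are constructed for this example.
W1, W2, W3, R_INDEX = 0.4, 0.3, 0.3, 0.5


def path_hash(trace):
    """MD5 over the sequence of executed basic-block start addresses."""
    data = ",".join(f"{addr:08x}" for addr in trace).encode()
    return hashlib.md5(data).hexdigest()


def rare_path_info(trace, seen_hashes):
    """lcov_x: 1.0 if the path hash is new (a 'rare path'), 0.0 if it was
    already stored. The 0/1 encoding is an assumption; the page only says a
    repeated hash leads to the input file being discarded."""
    h = path_hash(trace)
    if h in seen_hashes:
        return 0.0
    seen_hashes.add(h)
    return 1.0


def basic_block_coverage(trace, total_blocks):
    """bbc_x: distinct executed basic blocks as a fraction of all blocks."""
    return len(set(trace)) / total_blocks


def fitness(bbc, lcov, dangerous_calls):
    """Fitness(x) = w1*bbc_x + w2*lcov_x + w3*rIndex*log(D_x)."""
    # log(D_x) is undefined for D_x = 0, so the term is taken as 0 when no
    # dangerous function was executed (assumed guard, not stated on the page).
    danger_term = math.log(dangerous_calls) if dangerous_calls > 0 else 0.0
    return W1 * bbc + W2 * lcov + W3 * R_INDEX * danger_term


def score_population(runs, total_blocks):
    """runs: list of (input_name, block_trace, dangerous_call_count), the data
    the debugger module reports per input file. Returns {input_name: fitness}."""
    seen = set()
    scores = {}
    for name, trace, d in runs:
        bbc = basic_block_coverage(trace, total_blocks)
        lcov = rare_path_info(trace, seen)
        scores[name] = fitness(bbc, lcov, d)
    return scores


# Constructed sample: a program with 10 basic blocks and three input files;
# in_1 repeats the path of in_0 and so gets no rare-path credit.
SAMPLE_RUNS = [
    ("in_0.bin", [0x401000, 0x401020, 0x401050], 0),
    ("in_1.bin", [0x401000, 0x401020, 0x401050], 0),
    ("in_2.bin", [0x401000, 0x401030, 0x401080, 0x4010a0], 3),
]

if __name__ == "__main__":
    for name, f in score_population(SAMPLE_RUNS, total_blocks=10).items():
        print(name, round(f, 4))
```

With these constructed values in_2 ranks first (new path, more blocks, three dangerous calls), in_0 second, and in_1 last even though it covered the same blocks as in_0, because its path hash was already in the list; that ordering is what the test input generation module then uses to pick the next round's population.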

Claims (8)

1. A device for mining vulnerabilities in binary programs that combines a genetic algorithm with dynamic taint tracking, characterized in that: the device is provided with a static analysis module, a debugger module, a genetic algorithm module, a test input generation module and an exception monitoring module connected in sequence, and a dynamic taint tracking module located between the debugger module and the genetic algorithm module; wherein:
the static analysis module, developed on the basis of the interactive disassembler IDA Pro (professional version), extracts the control flow structure of the tested binary program, the start addresses of its basic blocks and the call addresses of dangerous functions, and sends this information to the debugger module as configuration information; the module analyses the jump instructions in the binary program to obtain the start addresses of the basic blocks of the binary program and the jump relations between them, and then uses the built-in functions of IDA Pro to obtain the call addresses of the dangerous functions in the binary program;
the debugger module, the basic platform of the device, monitors the execution of the tested binary program and records the related information: using the configuration information provided by the static analysis module, it identifies and intercepts the low-level application programming interface (API) functions of Windows, obtains the position at which the tested binary program opens the input file, and records the basic blocks of the tested binary program executed because of the input file, the execution trace of the tested binary program corresponding to the input file and the number of dangerous function executions in the tested binary program; it reads the data in the registers and on the stack of the binary program and calculates and updates the values of the register variables and memory variables of the binary program; it implements setting breakpoints in the tested binary program at a given memory address; the debugger module then sends the information obtained by the above calculations to the genetic algorithm module for calculating the fitness function value of the input file;
the dynamic taint tracking module implements fine-grained byte-level dynamic taint tracking, identifies the key bytes in the input file of the tested binary program and uses these key bytes as the crossover and mutation space of the genetic algorithm module, improving the convergence speed of the genetic algorithm: the module assigns a unique tag to each byte of the input data of the tested binary program and then tracks the propagation of that tag through the tested binary program; in tracking the propagation of the input data it considers both the data dependencies between data and the control dependencies between different variables; at the same time it identifies the key bytes in the input file of the tested binary program and provides the key byte information to the genetic algorithm module as the space for its crossover and mutation;
the genetic algorithm module, according to the execution trace of the tested binary program provided by the debugger module for each input file (comprising the basic blocks of the tested binary program covered by that input file and the number of dangerous function executions in it) and the key bytes identified by the dynamic taint tracking module, calculates for each input file the basic block coverage of the tested binary program, the rare-path (minimum execution path) information and the number of dangerous function executions corresponding to that input file, then calculates the fitness function value of each input file and passes it to the test input generation module for generating new input files for the next round of testing; the higher the fitness function value of an input file, the more basic blocks of the tested binary program it is likely to cover, the more likely it drives the tested binary program down a "rare path", or the more times it causes dangerous functions of the tested binary program to be executed; when the basic block coverage of the tested binary program for the input file, the rare-path information and the number of dangerous function executions for that input file, three values in all, are all high, that input file is very likely to trigger a potential security vulnerability of the corresponding tested binary program;
the test input generation module sorts the input files of the tested binary program by the fitness function value that the genetic algorithm module assigned to each of them, and then, according to the population size set by the user, selects the input files with high fitness function values and sends them to the debugger module for the next round of testing, because input files with high fitness function values are more likely to trigger potential security vulnerabilities of the tested binary program;
the exception monitoring module monitors the execution of the tested binary program on each input file; if an exception occurs, it records the input file that caused the exception in the tested binary program, together with the location in the tested binary program where the exception occurred, the exception type and the context information at the time of the exception.
2. The device according to claim 1, characterized in that: the dangerous functions comprise several kinds of functions, including memory allocation, memory copying, string functions and some functions that take format parameters; the key bytes are the bytes of the input file that taint the parameter values of dangerous functions in the tested binary program, also called the key bytes of the input file corresponding to the tested binary program.
3. The device according to claim 1, characterized in that: the fitness function in the genetic algorithm module is computed by the formula Fitness(x) = w1 × bbc_x + w2 × lcov_x + w3 × rIndex × log(D_x), where the variable x is an input file, and bbc_x, lcov_x and D_x are respectively the basic block coverage of the tested binary program for input file x, its rare-path (minimum execution path) information and its number of dangerous function executions; bbc_x drives the genetic algorithm module to generate new test input files that cover more basic blocks of the tested binary program; lcov_x drives it to generate new test input files whose execution paths differ as much as possible, maximizing path coverage; D_x drives it to generate new test input files that cause the tested binary program to execute dangerous functions more often; w1, w2 and w3 are the weights of the three factors bbc_x, lcov_x and D_x, each with value range [0,1], and rIndex is an adjustment factor with value range [0,1].
4. The device according to claim 1, characterized in that: the genetic operations of crossover and mutation performed by the genetic algorithm module act on the key bytes of the input file of the tested binary program rather than on the whole input file, which narrows the crossover and mutation space of the genetic algorithm, speeds up its convergence and thereby improves the efficiency of binary program vulnerability mining.
5. A detection method using the device for mining vulnerabilities in binary programs that combines a genetic algorithm with dynamic taint tracking according to claim 1, characterized in that the method merges the advantages of static analysis and dynamic analysis, so that the analyst only pays attention to the program code of interest for subsequent analysis; the method comprises the following operation steps:
(1) according to the type of the tested binary program, the user prepares in advance a standard test file and randomly modifies some of its bytes to generate input files, the number of input files being controlled by the user;
(2) the static analysis module performs static analysis on the tested binary program, obtaining the start addresses of its basic blocks, the jump relations between the basic blocks and the call addresses of dangerous functions, and passes this information to the debugger module as configuration information;
(3) using the configuration information from the static analysis module, the debugger module calculates, for each input file, the basic block coverage of the tested binary program, the rare-path (minimum execution path) information and the number of dangerous function executions;
(4) to narrow the crossover and mutation space of the genetic algorithm, the dynamic taint tracking module identifies the key bytes in the input file of the tested binary program, writes these key bytes into an array according to each key byte's offset from the start of the input file and sends the array to the genetic algorithm module, which performs crossover and mutation on it; the array after crossover and mutation is then written back into the input file according to each byte's offset from the start of the input file, producing the new test input file generated by the genetic algorithm's crossover and mutation, which shrinks the search space of the genetic algorithm, speeds up its convergence and improves the efficiency of binary program vulnerability mining;
(5) the genetic algorithm module calculates the fitness function value of each input file from the basic block coverage, rare-path (minimum execution path) information and number of dangerous function executions obtained from the debugger module for that input file, together with the key bytes identified by dynamic taint tracking; the fitness function value guides the generation of test input files and avoids the blindness with which dynamic testing methods generate test files;
(6) the test input generation module sorts the input files by fitness function value and, according to the population size set by the user, selects the input files with high fitness function values and sends them to the debugger module for the next round of testing;
(7) after loading the tested binary program and the input files from step (6), the exception monitoring module monitors the execution of the tested binary program after it opens each input file; if an exception occurs in the tested binary program, it records the input file that caused it, together with the location of the exception in the tested binary program, the exception type and the context information at the exception location.
6. The method according to claim 5, characterized in that: in step (4), the initialization operations first performed by the dynamic taint tracking module comprise the following:
(41) initialize the tested binary program: use a thread synchronization lock to ensure that while a thread is accessing a resource no other thread can access that resource at the same time, and that reads and writes are synchronized during taint tracking;
(42) register system callback functions: using the hook mechanism of Pin, a tool that can dynamically instrument binary programs, capture the input parameters and return values of the system APIs related to filtering and to the input file, in order to monitor the input of the tested binary program during dynamic initialization;
(43) traverse the export table of the tested binary program and the export tables of the dynamic link libraries it loads, and, using user-defined "dangerous function auxiliary rules", insert monitoring code at the entry and exit of each dangerous function called by the tested binary program.
7. The method according to claim 5, characterized in that: in step (4), the work performed by the dynamic taint tracking module after completing initialization is as follows: it uses Pin's routine instrumentation capability to hook the Windows system functions and extracts from them the memory location and the number of bytes read into memory, which serve as the taint source of the tested binary program; it then starts reading instructions basic block by basic block from the entry address of the tested binary program; when it observes that the tested binary program has opened the input file, it starts dynamic taint tracking: each time a new instruction block is loaded, it first checks whether the tested binary program has dynamically loaded a new dynamic link library; if so, it traverses the export table of the new library, hooks its dangerous functions and inserts monitoring code, which keeps the dynamic tracking up to date and avoids the limitation of static analysis, which can only deal with a single input file; if not, it continues to load the next instruction block and performs the corresponding operations.
8. The method according to claim 5, characterized in that: because the operands in the x86 instruction format are all 32-bit, the monitoring target of the dynamic taint tracking module is a 32-bit operating system; and, to prevent the expansion of tainted data from seriously harming the accuracy of the dynamic taint tracking module in real tests, the tracking precision of the dynamic taint tracking module is set at byte level, that is, every 8 bits form one taint unit, and all flag registers are redefined individually according to their actual function.
CN201210051642.5A 2012-03-01 2012-03-01 Excavating device and excavating method of binary system program loopholes Expired - Fee Related CN102622558B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210051642.5A CN102622558B (en) 2012-03-01 2012-03-01 Excavating device and excavating method of binary system program loopholes

Publications (2)

Publication Number Publication Date
CN102622558A (en) 2012-08-01
CN102622558B (en) 2014-10-08

Family

ID=46562472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210051642.5A Expired - Fee Related CN102622558B (en) 2012-03-01 2012-03-01 Excavating device and excavating method of binary system program loopholes

Country Status (1)

Country Link
CN (1) CN102622558B (en)

Families Citing this family (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104956372A (en) * 2013-02-28 2015-09-30 Hewlett-Packard Development Company, L.P. Determining coverage of dynamic security scans using runtime and static code analyses
CN103389939B (en) * 2013-07-03 2015-11-25 Tsinghua University Detection method and system for controlled heap allocation vulnerabilities
CN104252402B (en) * 2014-09-05 2018-04-27 Shenzhen Skyworth Digital Technology Co., Ltd. Program debugging method and device
CN104536877B (en) * 2014-11-28 2017-09-12 Jiangsu Suce Software Testing Technology Co., Ltd. Test data generating method based on a mixed strategy
CN104598383B (en) * 2015-02-06 2018-02-09 Institute of Software, Chinese Academy of Sciences Pattern-based dynamic bug excavation integrated system and method
CN104657264A (en) * 2015-02-10 2015-05-27 Shanghai Chuangjing Computer System Co., Ltd. Testing system for binary code coverage rate and testing method thereof
CN106161319A (en) * 2015-04-13 2016-11-23 Central South University Blending genetic and hill-climbing algorithms to reduce VLC-OFDM system peak-to-average power ratio
CN104933362B (en) * 2015-06-15 2017-10-20 Fuzhou University Automated detection method for API-misuse vulnerabilities in Android application software
CN105608383B (en) * 2015-12-22 2018-09-28 Fifth Electronics Research Institute of the Ministry of Industry and Information Technology ActiveX control vulnerability test method and system
CN107346391A (en) * 2016-05-06 2017-11-14 Alibaba Group Holding Ltd. Method and system for product concept checking data
CN106156633B (en) * 2016-06-23 2018-11-23 Yangzhou University Risk analysis method for software modification
CN106407809B (en) * 2016-09-20 2019-03-01 Sichuan University Linux platform malware detection method
CN106599681A (en) * 2016-12-22 2017-04-26 Beijing University of Posts and Telecommunications Malicious program feature extraction method and system
CN106791168A (en) * 2017-01-13 2017-05-31 Beijing Qihoo Technology Co., Ltd. Mobile terminal information protection method, device and mobile terminal
CN106909510B (en) * 2017-03-02 2020-11-24 Tencent Technology (Shenzhen) Co., Ltd. Method for obtaining test cases and server
CN107368417B (en) * 2017-07-25 2020-10-23 Unit 63928 of the People's Liberation Army Testing method of vulnerability mining technology testing model
CN107526970B (en) * 2017-08-24 2020-05-19 Anhui University Method for detecting runtime program bugs based on a dynamic binary platform
CN108446235B (en) * 2018-03-21 2021-01-12 Beijing Institute of Technology Fuzz testing key data positioning method combined with path label data variation
CN108647520B (en) * 2018-05-15 2020-05-29 Zhejiang University Intelligent fuzz testing method and system based on vulnerability learning
CN109032927A (en) * 2018-06-26 2018-12-18 Tencent Technology (Shenzhen) Co., Ltd. Bug excavation method and device
CN109165507B (en) * 2018-07-09 2021-02-19 Shenzhen Kaiyuan Internet Security Technology Co., Ltd. Cross-site scripting attack vulnerability detection method and device and terminal equipment
CN109002721B (en) * 2018-07-12 2022-04-08 China Southern Power Grid Research Institute Co., Ltd. Mining analysis method for information security vulnerability
CN109308415B (en) * 2018-09-21 2021-11-19 Sichuan University Binary-oriented guided fuzz testing method and system
CN109657473B (en) * 2018-11-12 2020-09-18 Huazhong University of Science and Technology Fine-grained vulnerability detection method based on deep features
CN109597767B (en) * 2018-12-19 2021-11-12 National University of Defense Technology Fuzz test case generation method and system based on genetic variation
CN109739755B (en) * 2018-12-27 2020-07-10 Beijing Institute of Technology Fuzz testing system based on program tracing and mixed execution
CN111046396B (en) * 2020-03-13 2020-07-17 Shenzhen Kaiyuan Internet Security Technology Co., Ltd. Web application test data flow tracking method and system
CN111859388B (en) * 2020-06-30 2022-11-01 Guangzhou University Multi-level mixed vulnerability automatic mining method
CN112445709B (en) * 2020-11-30 2022-09-30 Anhui University of Technology Method and device for solving AFL test model data imbalance through GAN
CN112527681B (en) * 2020-12-24 2024-03-12 China UnionPay Co., Ltd. Program vulnerability detection method and device
CN116108449B (en) * 2023-01-12 2024-02-23 Tsinghua University Software fuzz testing method, device, equipment and storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101714119A (en) * 2009-12-09 2010-05-26 Beijing University of Posts and Telecommunications Test data generating device and method based on binary program
CN101968766A (en) * 2010-10-21 2011-02-09 Shanghai Jiao Tong University System for detecting software bugs triggered during practical running of a computer program
CN102323906A (en) * 2011-09-08 2012-01-18 Harbin Engineering University MC/DC test data automatic generation method based on genetic algorithm
CN102360334A (en) * 2011-10-17 2012-02-22 PLA Information Engineering University Dynamic and static combined software security test method

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US20050108562A1 (en) * 2003-06-18 2005-05-19 Khazan Roger I. Technique for detecting executable malicious code using a combination of static and dynamic analyses
JP2009098851A (en) * 2007-10-16 2009-05-07 Mitsubishi Electric Corp System for detecting invalid code

Non-Patent Citations (3)

Title
JP Kokai 2009-98851A 2009.05.07
Cui Baojiang et al. Research on binary program testing technology covering key code regions based on backtracking and guidance. Journal of Electronics & Information Technology, 2012-01-31, vol. 34, no. 1, full text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141008

Termination date: 20150301

EXPY Termination of patent right or utility model