CN103440201B - Dynamic taint analysis device and its application in reverse parsing of file formats - Google Patents

Publication number
CN103440201B
Authority
CN
China
Prior art keywords
taint
file
data
information
instruction
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201310400437.XA
Other languages
Chinese (zh)
Other versions
CN103440201A (en)
Inventor
崔宝江
王福维
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201310400437.XA
Publication of CN103440201A
Application granted
Publication of CN103440201B

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a dynamic taint analysis device and its application in reverse parsing of file formats. The device comprises: a dynamic instrumentation execution recording module, which uses a binary instrumentation platform to invoke and execute the program under test, monitors the opening, parsing and closing, during execution of the program under test, of a data file containing the original taint data, and obtains from that execution a snapshot log containing the complete instruction flow, context information and memory access information; and a static snapshot parsing taint tracking module, which parses the snapshot log, simulates a replay of the process from the parsed information, and records the processing and propagation information of the original taint data in the data file to obtain the taint data flow path. The invention reduces the I/O, time and space overhead of dynamic taint analysis during dynamic execution, supports extended instruction sets, and can also obtain the continuity and association relations of the original taint data itself.

Description

Dynamic taint analysis device and its application in reverse parsing of file formats
Technical field
The present invention relates to dynamic taint analysis technology, and in particular to an improved dynamic taint analysis device and the application of this improved device in grey-box file format reverse parsing.
Background art
The basic idea of taint analysis is to mark all input data as taint data, track the flow path of that taint data during program execution, and then perform the corresponding analysis on the basis of the flow path.
At present, taint analysis of binary code is usually divided into dynamic taint analysis and static taint analysis; dynamic taint analysis has been a popular research topic for nearly ten years.
Existing dynamic taint analysis has two main implementations. One is based on a whole-system virtual machine and performs taint analysis through internal or external plug-in code, such as the taint analysis module of the TEMU dynamic analysis virtual machine from the BitBlaze project, the Panorama tool based on the QEMU virtual machine, and the Minemu tool, which integrates its own efficient emulator. The other is based on an existing binary instrumentation platform, where instrumentation plug-in code is written to track the data flow of a single process, such as the TaintCheck tool based on the Valgrind platform, the TaintTrace tool based on the DynamoRIO platform, and the libdft and TaintReplayer tools based on the Pin platform.
An implementation of dynamic taint analysis on a binary instrumentation platform generally has two parts: the monitoring part of dynamic execution and the maintenance part of taint data information. The monitoring part addresses run-time logic: it monitors the data input channels to identify the position and size of the original taint, and determines how each instruction that involves taint data affects the direction of the taint data flow. The maintenance part addresses run-time storage: before each instruction executes it holds the set of all tainted data currently in memory and registers, and after the instruction executes it updates this set according to the instruction's taint propagation logic. Because these two parts are highly coupled, existing dynamic taint analysis systems usually store and update taint information during the dynamic test execution, define and maintain the taint state of all memory data and registers (including whether each is tainted and which input byte is the taint source), and output the taint data flow in one pass after the program has finished executing.
Because taint analysis comprehensively reflects how a program processes its input data, and implicitly contains semantic information about the program and information such as the type and format of the input data, taint analysis results can be subjected to statistical processing and to data mining based on semantic information.
There is currently some recent research, both domestic and international, based on taint analysis. For example, protocol format analysis: based on taint analysis results, the network data protocol of an application that sends and receives network data is analyzed for its format. As another example, the variables present in binary program data are mined to obtain information such as their position, type and semantics. As a further example, a full understanding of the structure and protocol of the input data can guide how fuzz testing inputs are constructed, which preserves the randomness of fuzz testing while avoiding the drawback that blind input data cannot cover deeper execution paths.
In the course of realizing the present invention, the inventors found that applications of input data structure analysis based on taint analysis results have so far mainly been limited to using partial information about the taint sinks of specific function parameters involved in the taint analysis, without making full use of the path information of the whole taint propagation process. The research objects have also mainly been private network packet protocols with relatively simple structure, while for the private file formats more commonly faced in fuzz testing there are no corresponding research results, because of their complexity and diversity.
In addition, existing dynamic taint analysis technology itself has some problems, such as:
1. Excessive overhead. Beyond the intrinsic overhead introduced by the binary instrumentation platform, the taint analysis logic has to remember the taint propagation state and analyze context state, memory access values and so on by instrumenting instruction by instruction, which introduces a great deal of additional run-time and space overhead. Virtual-machine-based implementations are inefficient because of whole-system emulation.
2. Lack of extended instruction set support. To reduce development difficulty, dynamic taint analysis systems tend to translate to an existing intermediate language for instruction analysis. Because of this dependence, so far no mature dynamic taint analysis system supports analysis of the XMM or SSE family of extended instruction sets, yet these instructions are the main data processing code executed by many large commercial software packages (such as Microsoft Office).
3. An I/O bottleneck. To record taint propagation results, the necessary information usually has to be written to a log file or database during test analysis, which causes a large number of disk I/O operations and is a very large overhead. If the kinds of information recorded in the log are reduced, the path information of dynamic taint tracking cannot be reconstructed, so the dynamic taint analysis tool loses its usability and the dynamic taint analysis results are not reusable either.
In view of the problems of existing dynamic taint analysis and its applications, the inventors, drawing on years of practical experience and professional knowledge in designing such products, together with the application of theory, actively researched and innovated in order to create a dynamic taint analysis device and its application in file format reverse parsing that solves both the problems of existing dynamic taint analysis technology itself and the problems of existing applications based on taint analysis results, making it more practical. After continuous research and design, and after repeated trials and improvements, the present invention, which has practical value, was finally created.
Summary of the invention
The object of the invention is to overcome the problems of existing dynamic taint analysis technology itself and the problems of existing applications based on taint analysis results, and to provide an improved dynamic taint analysis device and its application in file format reverse parsing. The problem to be solved is to reduce the I/O operations on storage resources that dynamic taint analysis performs during dynamic execution, to reduce time and space overhead, and to support extended instruction sets; in addition, the continuity and association relations of the original taint data itself can be obtained by using the relatedness of the dynamic taint propagation paths in the dynamic taint analysis.
The object of the present invention and the solution to its technical problem can be realized by the following technical scheme.
A dynamic taint analysis device proposed according to the present invention mainly comprises: a dynamic instrumentation execution recording module, for using a binary instrumentation platform to invoke and execute the program under test, monitoring the opening, parsing and closing, during execution of the program under test, of a data file containing the original taint data, and obtaining from the execution of the program under test a snapshot log containing the complete instruction flow, context information and memory access information of that execution; and a static snapshot parsing taint tracking module, for parsing the snapshot log, simulating a replay of the process from the parsed information, and recording, during the replay, the processing and propagation information of the original taint data in the data file, so as to obtain the complete taint data flow path.
The present invention also proposes a file format reverse parsing system based on dynamic taint analysis. The system comprises the above dynamic taint analysis device and further comprises: a file format analysis module, for performing data association comparison analysis according to the taint data flow path, segmenting the data file into semantics-based format fields according to the result of that analysis, and extracting the association relations between the segmented fields according to the function information and specific instruction information in the program under test.
Through the above technical scheme, the dynamic taint analysis device of the present invention and its application in file format reverse parsing have at least the following advantages and beneficial effects: the invention effectively reduces the I/O operations on storage resources that dynamic taint analysis performs during dynamic execution, reduces time and space overhead, and fully supports extended instruction sets. In addition, by using the relatedness of the dynamic taint propagation paths in the dynamic taint analysis, the invention can obtain the continuity and association relations of the original taint data itself, thereby providing a new way of reverse parsing file formats that can be applied to private file formats or file formats whose technical details are not fully disclosed.
The above is only an overview of the technical scheme of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the description, and so that the above and other objects, features and advantages of the invention become more apparent, preferred embodiments are described in detail below.
Brief description of the drawings
Fig. 1 is a schematic diagram of the file format reverse parsing system based on dynamic taint analysis according to an embodiment of the present invention;
Fig. 2 is a flow chart of the operations performed by the dynamic instrumentation execution recording module according to an embodiment of the present invention;
Fig. 3 is a flow chart of the operations performed by the static snapshot parsing taint tracking module according to an embodiment of the present invention;
Fig. 4 is a flow chart of the operations performed by the file format analysis module according to an embodiment of the present invention.
Detailed description of the invention
The specific implementation, features and so on of the dynamic taint analysis device proposed according to the embodiments of the present invention, and of its application in file format reverse parsing, are described in detail below with reference to the accompanying drawings.
The file format reverse parsing system based on dynamic taint analysis according to the embodiment is shown in Fig. 1. The system mainly comprises a dynamic taint analysis device and a file format analysis module ("file format analysis" at the lower right of Fig. 1). The dynamic taint analysis device mainly comprises two modules: the dynamic instrumentation execution recording module ("dynamic instrumentation execution recording" at the upper right of Fig. 1) and the static snapshot parsing taint tracking module ("static snapshot parsing taint tracking" at the middle right of Fig. 1).
The dynamic instrumentation execution recording module is mainly used to invoke and execute the program under test with a binary instrumentation platform (which can be an existing binary instrumentation platform, such as the various tools based on the Pin platform), and to monitor the opening, parsing and closing of the data file during execution of the program under test; the data file contains the original taint data. The module obtains a snapshot log from the execution of the program under test. The snapshot log is mainly used to simulate a replay of the process, so it contains the various kinds of information needed for the simulated replay, such as the complete instruction flow during execution of the program under test, thread switching and context change information, and memory access information.
The data file may also be called the sample file; it is a file encoded according to a predetermined format specification. The program under test should be able to parse this sample file without error. In this embodiment, the path of the program under test and the path of the sample file must first be specified correctly to the dynamic instrumentation execution recording module, so that the module can load and run the program under test with the binary instrumentation platform and automatically open the sample file.
The static snapshot parsing taint tracking module is mainly used to parse the snapshot log generated by the dynamic instrumentation execution recording module, simulate a replay of the process from the parsed information, and, during the replay, record the processing and propagation information of the original taint data in the data file as it occurs (for example, reading the original taint information of the data file, performing taint propagation analysis instruction by instruction, and recording the corresponding information at the same time), so as to obtain the complete taint data flow path. It should be noted that these operations of the static snapshot parsing taint tracking module are not performed during the dynamic execution carried out by the dynamic instrumentation execution recording module.
The simulated replay can proceed as follows. Based on its parsing of the specified snapshot log, the static snapshot parsing taint tracking module loads the static information of images, basic blocks and instructions, to serve as an index for the simulated replay. The module then replays the execution flow of the process step by step according to the contexts of the different threads, restoring the execution of each instruction. During this process, the module reads the corresponding taint data (both original taint data and dynamic taint data) from the parsed snapshot log and loads it. The module maintains taint data sets (such as the taint data sets for registers and for memory); during the simulated replay it updates these sets in real time and records taint data processing chain information for each byte of the sample file, so that once the simulated replay has completed it can output the complete dynamic taint analysis result, which can be output in the form of taint data processing chains.
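The replay step described above, as an added Python example that is not code from the patent: it walks a parsed snapshot log, keeps a byte-granular taint set for registers and memory, and builds a processing chain for each sample-file byte. The record layout, the `replay` and `operand_bytes` names, the copy-versus-merge propagation rule and the sample log are all assumptions made for illustration.

```python
from collections import defaultdict

# Mnemonics treated as byte-for-byte copies; every other instruction merges
# the taint of all its sources into each destination byte (an assumption).
COPY = {"mov", "movdqu"}

def operand_bytes(tid, op):
    """Expand an operand into per-byte location keys (registers are per thread)."""
    if op[0] == "reg":                                   # ("reg", name, size)
        return [("reg", tid, op[1], i) for i in range(op[2])]
    return [("mem", op[1] + i) for i in range(op[2])]    # ("mem", addr, size)

def replay(log):
    """Replay a parsed snapshot log; return (taint_map, per_byte_chains)."""
    taint = {}                   # location key -> frozenset of file offsets
    chains = defaultdict(list)   # file offset -> [(ip, mnemonic), ...] in order
    for rec in log:
        if rec[0] == "taint":    # original taint data introduced by a file read
            _, addr, size, file_off = rec
            for i in range(size):
                taint[("mem", addr + i)] = frozenset({file_off + i})
            continue
        _, tid, ip, mnem, dst, srcs = rec
        per_src = [[taint.get(k, frozenset()) for k in operand_bytes(tid, s)]
                   for s in srcs]
        touched = frozenset().union(*(b for s in per_src for b in s))
        for off in sorted(touched):          # extend each byte's processing chain
            chains[off].append((ip, mnem))
        if dst is None:                      # cmp/test: nothing is written
            continue
        first = per_src[0] if per_src else []
        for i, key in enumerate(operand_bytes(tid, dst)):
            if mnem in COPY:
                new = first[i] if i < len(first) else frozenset()
            else:
                new = touched
            if new:
                taint[key] = new
            else:
                taint.pop(key, None)         # overwritten with clean data
    return taint, dict(chains)

# Constructed log: 8 file bytes read to 0x1000, then seven replayed instructions,
# including a 16-byte SSE load that is handled purely by operand size.
LOG = [
    ("taint", 0x1000, 8, 0),
    ("ins", 1, 0x401000, "mov", ("reg", "eax", 4), [("mem", 0x1000, 4)]),
    ("ins", 1, 0x401003, "add", ("reg", "eax", 4),
     [("reg", "eax", 4), ("reg", "ebx", 4)]),
    ("ins", 1, 0x401005, "mov", ("mem", 0x2000, 4), [("reg", "eax", 4)]),
    ("ins", 1, 0x401008, "cmp", None, [("mem", 0x1004, 2), ("reg", "ecx", 2)]),
    ("ins", 1, 0x40100C, "movdqu", ("reg", "xmm0", 16), [("mem", 0x1000, 16)]),
    ("ins", 1, 0x401011, "mov", ("reg", "eax", 4), [("reg", "edx", 4)]),
]

if __name__ == "__main__":
    _, chains = replay(LOG)
    for off in sorted(chains):
        print(off, [f"{ip:#x}:{m}" for ip, m in chains[off]])
```

Because the propagation runs over the log rather than inside the instrumented process, adding an instruction class only means adding its operand sizes and copy or merge behaviour to the replayer.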
The file format analysis module is mainly used to perform data association comparison analysis according to the taint data flow path produced by the static snapshot parsing taint tracking module, and to segment the data file into semantics-based format fields according to the result of that analysis. The file format analysis module then extracts the association relations between the segmented fields according to the function information and specific instruction information in the program under test (such an association relation is, for example, the field type of each field in the sample file).
That is, the file format analysis module determines the semantic information of the taint data flow path from the specified dynamic taint analysis result, and uses this semantic information to compute the similarity of each pair of adjacent bytes in the sample file. The module then computes the minimum points from all the pairwise similarities; these minimum points are the file field boundaries at which to split. On this basis, several kinds of pattern inference can be carried out over all the fields of the sample file to check which of the patterns satisfy a specific field type, so that some meaningful fields can be marked among the segmented fields according to the pattern, and these meaningful fields can then be used to infer the association relations of typical fields.
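The boundary search described above, as an added Python example that is not code from the patent: adjacent-byte similarity is computed over per-byte processing chains and the local minima are taken as field boundaries. The text does not name the similarity measure, so Jaccard similarity over instruction addresses is an assumption, as are the plateau-aware minimum rule, the function names and the constructed 12-byte header.

```python
from fractions import Fraction

def jaccard(a, b):
    """Similarity of two bytes = overlap of the instructions that processed them."""
    if not a and not b:
        return Fraction(1)          # two untouched bytes are treated as alike
    return Fraction(len(a & b), len(a | b))

def adjacent_similarity(chains, size):
    """sim[i] compares file byte i with file byte i + 1."""
    sets = [{ip for ip, _ in chains.get(off, [])} for off in range(size)]
    return [jaccard(sets[i], sets[i + 1]) for i in range(size - 1)]

def minimum_points(sim):
    """Indices whose value is lower than the nearest differing value on each side.

    Runs of equal values are judged as one plateau, so a run of equally low
    similarities yields a boundary at every position in the run.
    """
    cuts = []
    for i, v in enumerate(sim):
        left = next((x for x in reversed(sim[:i]) if x != v), None)
        right = next((x for x in sim[i + 1:] if x != v), None)
        sides = [x for x in (left, right) if x is not None]
        if sides and all(x > v for x in sides):
            cuts.append(i)
    return cuts

def split_fields(chains, size):
    """Return the fields as half-open (start, end) byte ranges."""
    sim = adjacent_similarity(chains, size)
    starts = [0] + [i + 1 for i in minimum_points(sim)]
    return list(zip(starts, starts[1:] + [size]))

def sample_chains():
    """Constructed chains for a 12-byte header: magic, version, length, checksum."""
    bulk = (0x400F00, "rep movsb")      # one bulk copy touches every byte
    layout = [
        (range(0, 4),   [(0x401000, "cmp"), (0x401008, "cmp")]),
        (range(4, 6),   [(0x401020, "movzx")]),
        (range(6, 10),  [(0x401030, "mov"), (0x401034, "add"), (0x40103A, "cmp")]),
        (range(10, 12), [(0x401050, "movzx"), (0x401054, "xor")]),
    ]
    return {off: [bulk] + ins for span, ins in layout for off in span}

if __name__ == "__main__":
    chains = sample_chains()
    print([str(s) for s in adjacent_similarity(chains, 12)])
    print(split_fields(chains, 12))
```

The shared bulk copy keeps cross-field similarity above zero, which is why the split relies on minima rather than on a zero test; a strict local-minimum rule cannot separate two neighbouring single-byte fields unless their similarities are equal.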
By executing the above three modules in order, the format of a given sample file can be structurally recovered on a semantic basis. In addition, by repeatedly choosing sample files of this type with different content, and by choosing different programs under test that parse sample files of this type, as comprehensive a parse as possible of the file format of this type (that is, the file format of the type to which the sample file belongs) can be obtained.
The present invention calls the file format to which the sample file belongs a grey-box file format. A grey-box file format here is one whose inherent file structure has not been concretely and publicly standardized, and for which only a specific binary program that parses the format can be obtained. Such a file format is usually a private file format adopted by commercial software, because it is typically used only by a specific binary program and is not standardized, or because the internal structure of the format is deliberately hidden for protective purposes. In addition, if a file format has only a coarse-grained public description, but its concrete parsing requires a finer-grained parse of the format, that file format also falls within the category of grey-box file formats.
As can be seen from the above description, the file format reverse parsing system based on dynamic taint analysis provided by the embodiment of the present invention can also be called a grey-box file format reverse parsing system based on an offline dynamic taint analysis framework.
It should also be noted that the program under test in the embodiment of the present invention can be an application on the Windows operating system platform that has its own file parsing function, and that the device and system provided by the embodiment can be applied on the Windows operating system; of course, they can also be applied on other operating system platforms.
The operations performed by the dynamic instrumentation execution recording module, the static snapshot parsing taint tracking module and the file format analysis module are described in further detail below with reference to Figs. 2-4.
The operating flow performed by the dynamic instrumentation execution recording module is shown in Fig. 2.
The operating flow in Fig. 2 mainly comprises the following four steps:
Step 2-1: after the program under test is loaded, binary image instrumentation is performed for the whole process. Specifically, the dynamic instrumentation execution recording module can use the API (Application Programming Interface) to invoke a callback function at the load point of every binary image module in the program under test. The module records the name and path of the binary image module, the sequence number that Pin assigns to the binary image module, and the low and high addresses at which the binary image module is loaded into memory, and can record this content in the above-mentioned third snapshot log. The operation in this step can be performed by the executable image monitoring unit in the dynamic instrumentation execution recording module.
Step 2-2: system call instrumentation is performed for the whole process. Specifically, the dynamic instrumentation execution recording module inserts a callback function at every system call entry and checks the system call number to determine the type of the system call function. If the function is of a file operation type, the module reads the parameters of the function to check whether it accesses the specified sample file. If it does (for example, opening the sample file, reading the sample file, adjusting the sample file pointer or closing the sample file), the module records the corresponding operation. Further, if the operation is a read of the specified sample file, the module also records the information introduced by the original taint data and starts TRACE instrumentation. The introduced information is, for example, the position information of the original taint data loaded into memory, which can include: the memory address at which the original taint data is stored, the size of the memory storing the original taint data, and the offset of the original taint data in the data file. The introduced information can be stored in the second snapshot log. The operation in this step can be performed by the system call function monitoring unit in the dynamic instrumentation execution recording module.
Step 2-3: at the entry of a TRACE, the basic blocks of all code in the TRACE are traversed and all sequential accesses to basic blocks are instrumented. Every accessed basic block is assigned a unique sequence number that identifies its order, and the static information of every accessed basic block is recorded. The static information can include the sequence number of the basic block, the image it belongs to and the function it belongs to, and can be recorded in the first snapshot log. The operation in this step can be performed by the basic block granularity recording and indexing unit in the dynamic instrumentation execution recording module.
Step 2-4: in the basic block instrumentation function, all instructions of the basic block are traversed to determine whether the basic block contains instructions of the memory access or conditional execution type. If it does, a callback function is inserted at each such instruction so that its run-time information can be recorded during subsequent execution. This information includes the addresses that memory access instructions read or write during execution, whether conditional execution instructions actually executed, and so on, and can be stored in the second snapshot log. The operation in this step can be performed by the instruction granularity execution information recording unit in the dynamic instrumentation execution recording module.
Concrete, above-mentioned steps 2-2 can be refined as again following steps:
Dynamically pitching pile executive logging module (as system call function monitoring unit) is to all operations systemThe entrance and exit of call function carries out pitching pile, and at the tune of porch decision operation system call functionWith number;
If call number is NtCreateFi1e, dynamic pitching pile executive logging module is (as system callFunction monitoring unit) judge whether the filename in the suction parameter of call function is the sample literary composition of specifyingPart name, if the sample file name of specifying, at the exit of this operating system call function recordThe file object handle spreading out of in lower outlet parameter, this file object handle is stored in the activity literary composition of internal memoryIn the queue of part handle;
If call number is NtReadFile, dynamic pitching pile executive logging module is (as system call letterNumber monitoring units) judge that whether the file object handle that imports in the suction parameter of call function is beforeThe specific file object handle stored (is stored in the activity file handle queue of internal memory specificFile object handle), if the specific file object handle stored before, dynamically pitching pile is carried outLogging modle (as system call function monitoring unit) record in suction parameter represented go out originalStain data are read in buffer zone address and the original stain data of the reading in skew in data fileAmount, and record the actual original dirt of reading in from data file spreading out of in outlet parameter in exitThe byte number of some data. Dynamically pitching pile executive logging module (as system call function monitoring unit) canWith the original stain data of above-mentioned original stain data being read in to buffer zone address, read at data literary compositionSide-play amount in part and from data file the byte number of actual original stain data of reading in be recorded inIn the second snapshot log. In addition, utilize above-mentioned side-play amount can express actual reading from data fileThe byte number length of the original stain data that enter;
If the call number is NtSetInformationFile, the dynamic pitching pile executive logging module (e.g., the system call function monitoring unit) judges whether the file object handle passed in the entry parameters is a previously stored specific file object handle (that is, a specific file object handle stored in the activity file handle queue in memory). If it is, the module (e.g., the system call function monitoring unit) adjusts the file read operation offset that is managed with the record of this specific file object handle;
If the call number is NtCreateSection, the dynamic pitching pile executive logging module (e.g., the system call function monitoring unit) judges whether the file object handle passed in the entry parameters is a previously stored specific file object handle (that is, a specific file object handle stored in the activity file handle queue in memory). If it is, the module (e.g., the system call function monitoring unit) records, at the exit, the memory-mapped object handle passed out in the exit parameters, and may store this memory-mapped object handle in the activity file memory-mapped object queue in memory;
If the call number is NtMapViewOfSection, the dynamic pitching pile executive logging module (e.g., the system call function monitoring unit) judges whether the memory-mapped object handle passed in the entry parameters is a previously stored memory-mapped object handle (that is, a memory-mapped object handle stored in the activity file memory-mapped object queue in memory). If it is, the module (e.g., the system call function monitoring unit) records the mapped memory address, the mapped length and the corresponding file offset, and may store the mapped memory address, the mapped length and the corresponding file offset in the second snapshot log;
If the call number is NtUnmapViewOfSection, the dynamic pitching pile executive logging module (e.g., the system call function monitoring unit) judges whether the memory-mapped object handle passed in the entry parameters is a previously stored memory-mapped object handle (that is, a memory-mapped object handle stored in the activity file memory-mapped object queue in memory). If it is, the module (e.g., the system call function monitoring unit) deletes this record from the activity file memory-mapped object queue (that is, deletes the stored memory-mapped object handle);
If the call number is NtClose, the dynamic pitching pile executive logging module (e.g., the system call function monitoring unit) judges whether the file object handle passed in the entry parameters is a previously stored specific file object handle (that is, a specific file object handle stored in the activity file handle queue in memory). If it is, the module (e.g., the system call function monitoring unit) deletes this record from the activity file handle queue (that is, deletes the stored specific file object handle).
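The handle bookkeeping of this list, replayed over a constructed system call trace, as an added example that is not code from the patent. It also covers the NtCreateFile and NtReadFile cases that claim 3 places in the same list; the event field names, handle values and addresses are constructed, and keying mapped views by base address is an assumption of this sketch.

```python
class SampleFileMonitor:
    """Replays syscall entry/exit events and logs where sample-file bytes land."""

    def __init__(self, sample_name):
        self.sample = sample_name.lower()
        self.files = {}        # activity file handle queue: handle -> read offset
        self.sections = set()  # activity file memory-mapped object queue
        self.views = {}        # mapped base address -> (length, file offset)
        self.log = []          # stands in for the second snapshot log

    def on_syscall(self, name, args, out):
        handler = getattr(self, "on_" + name, None)
        if handler:            # calls outside the monitored set are ignored
            handler(args, out)

    def on_NtCreateFile(self, args, out):
        # Compare only the final path component, case-insensitively.
        basename = args["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename == self.sample:
            self.files[out["handle"]] = 0

    def on_NtReadFile(self, args, out):
        handle = args["handle"]
        if handle not in self.files:
            return
        offset = args["byte_offset"]
        if offset is None:             # no explicit offset: use the tracked one
            offset = self.files[handle]
        got = out["bytes_read"]        # actual count from the exit, not the request
        if got:
            self.log.append(("read", args["buffer"], got, offset))
        self.files[handle] = offset + got

    def on_NtSetInformationFile(self, args, out):
        if (args["handle"] in self.files
                and args["info_class"] == "FilePositionInformation"):
            self.files[args["handle"]] = args["offset"]

    def on_NtCreateSection(self, args, out):
        if args["file_handle"] in self.files:
            self.sections.add(out["handle"])

    def on_NtMapViewOfSection(self, args, out):
        if args["section_handle"] in self.sections:
            self.views[out["base"]] = (out["size"], out["offset"])
            self.log.append(("map", out["base"], out["size"], out["offset"]))

    def on_NtUnmapViewOfSection(self, args, out):
        # Assumption: the view record is found by its base address.
        self.views.pop(args["base"], None)

    def on_NtClose(self, args, out):
        self.files.pop(args["handle"], None)
        # Added here: also forget a closed section handle, since handle
        # values are reused and a stale entry would track the wrong object.
        self.sections.discard(args["handle"])


# Constructed trace: (call, entry parameters, exit parameters).
SAMPLE_TRACE = [
    ("NtCreateFile", {"path": r"\??\C:\work\sample.dat"}, {"handle": 0x44}),
    ("NtCreateFile", {"path": r"\??\C:\work\other.txt"}, {"handle": 0x48}),
    ("NtReadFile", {"handle": 0x44, "buffer": 0x1000, "length": 16,
                    "byte_offset": None}, {"bytes_read": 16}),
    ("NtReadFile", {"handle": 0x48, "buffer": 0x3000, "length": 16,
                    "byte_offset": None}, {"bytes_read": 16}),
    ("NtSetInformationFile", {"handle": 0x44, "offset": 0x100,
                              "info_class": "FilePositionInformation"}, {}),
    ("NtReadFile", {"handle": 0x44, "buffer": 0x2000, "length": 32,
                    "byte_offset": None}, {"bytes_read": 8}),
    ("NtCreateSection", {"file_handle": 0x44}, {"handle": 0x50}),
    ("NtMapViewOfSection", {"section_handle": 0x50},
     {"base": 0x7F0000, "size": 0x1000, "offset": 0}),
    ("NtUnmapViewOfSection", {"base": 0x7F0000}, {}),
    ("NtClose", {"handle": 0x50}, {}),
    ("NtClose", {"handle": 0x44}, {}),
    # Handle value 0x44 is no longer tracked, so this read adds no stain source.
    ("NtReadFile", {"handle": 0x44, "buffer": 0x4000, "length": 4,
                    "byte_offset": None}, {"bytes_read": 4}),
]


def run_trace(trace, sample="sample.dat"):
    monitor = SampleFileMonitor(sample)
    for name, args, out in trace:
        monitor.on_syscall(name, args, out)
    return monitor


if __name__ == "__main__":
    for kind, address, length, file_offset in run_trace(SAMPLE_TRACE).log:
        print(f"{kind}: mem={address:#x} len={length:#x} file_off={file_offset:#x}")
```

Each log entry gives the three values the page lists as position information: memory address, size and offset in the data file.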
Specifically, step 2-3 above can be further refined into the following steps:
Step 2-3-1: the dynamic pitching pile executive logging module (e.g., the basic block granularity recording and indexing unit) sets up a buffer for each thread. The buffer records the run-time information of the basic block that the thread is currently executing; this information can be recorded in the form of a queue, and the run-time information of each basic block starts with the number of the thread that runs it;
Step 2-3-2: when execution of a basic block begins, the dynamic pitching pile executive logging module (e.g., the basic block granularity recording and indexing unit) updates the basic block sequence number in the buffer of the corresponding thread;
Step 2-3-3: after the basic block has finished executing, the dynamic pitching pile executive logging module (e.g., the basic block granularity recording and indexing unit) writes the thread number of the current thread and all buffered information to the first snapshot log, and empties the queue that stores the thread's run-time information.
Specifically, step 2-4 above can be further refined into the following steps:
When each instruction in a basic block is executed, if an instrumentation callback function exists for the instruction, the dynamic pitching pile executive logging module (e.g., the instruction granularity execution information recording unit) records the run-time information of the corresponding thread (this is dynamic information, such as the memory address accessed by the instruction); this information can be stored in the second snapshot log;
If the instrumented instruction reads or writes memory, and the memory it accesses is not within the thread stack range, or the instruction is the first instruction in its basic block to access the thread stack, the dynamic pitching pile executive logging module (e.g., the instruction granularity execution information recording unit) records in the second snapshot log the memory address that the instruction accesses;
If the memory accessed by the instrumented instruction is within the thread stack range, and the instruction is not the first instruction in its basic block to access the thread stack, the dynamic pitching pile executive logging module (e.g., the instruction granularity execution information recording unit) records in the second snapshot log the offset of the memory address accessed this time relative to the address of the first thread stack access;
If the instrumented instruction is a conditional set (SETcc) instruction or a conditional move (CMOVcc) instruction, the dynamic pitching pile executive logging module (e.g., the instruction granularity execution information recording unit) records in the second snapshot log whether the instruction was actually executed; if memory was accessed during execution, the module also records the memory access address in the second snapshot log.
In embodiments of the present invention, the basic block granularity recording and indexing unit, the instruction granularity execution information recording unit and the system call function monitoring unit in the dynamic pitching pile executive logging module can transmit the corresponding snapshot log information to the first snapshot log and the second snapshot log by means of memory-mapped files, use the existing method of dynamically growing the number of pages of the mapped region to raise the size limit of each snapshot log step by step, and, when the instrumentation recording process ends, adjust the size of each snapshot log to the actual data size.
The operating process performed by the static snapshot parsing stain tracking module is shown in Fig. 3.
The operating process shown in Fig. 3 mainly comprises the following three steps:
Step 3-1: the static snapshot parsing stain tracking module obtains the corresponding static information, such as process static information, from the parsed first snapshot log and third snapshot log, and according to this static information constructs the corresponding process, thread, basic block, instruction and operand type containers for storing the static information. The process static information mainly comprises the image list, the basic block list, the instruction assembly code list, etc. The operation in this step can be performed by the static information loading unit in the static snapshot parsing stain tracking module.
Step 3-2: the static snapshot parsing stain tracking module obtains the corresponding information from the parsed second snapshot log, restores from it the complete dynamic execution information of the tested program, and determines, according to the dynamic execution information and the instruction type, how each instruction accesses and modifies memory and registers. The operation in this step can be performed by the dynamic process replay unit in the static snapshot parsing stain tracking module;
Step 3-3: the static snapshot parsing stain tracking module maintains the stain data set. During process replay, it judges from the data flow of every instruction whether access, propagation or elimination of dynamic stain data occurs; if so, it updates the stain data set and records the access, propagation and elimination of each byte of the data file as stain data during process replay. The stain data set mainly comprises: the real-time stain state of the registers, the memory address and length of the stored dynamic stain data, the offset in the data file of the original stain data corresponding to the stored dynamic stain data, etc. Updating the stain data set may be: for the loading and unloading behavior of stain data and for basic block execution behavior, carrying out data addition and elimination operations directly in the stain data set. The operation in this step can be performed by the stain data set recording and propagation tracking unit in the static snapshot parsing stain tracking module.
In step 3-3 above, the specific process of updating the stain data set for basic block execution behavior can be further refined into the following steps:
Step 3-3-1: read the thread number in this record, and switch the virtual register state of execution to the previously stored context of this thread;
Step 3-3-2: index the static information of this basic block, and load the instruction list of the basic block;
Step 3-3-3: judge the instruction type of each instruction, in the order given by the instruction list;
If the instruction contains an explicit memory operand or an implicit memory access, pop the corresponding information from the recorded queue of run-time information of the current thread, and restore the memory read/write address;
If the instruction accesses stain data, continue to judge the propagation data flow direction of the corresponding stain data, and update the stain data set accordingly;
If the instruction is an LEA instruction, continue to judge whether the source operand is memory that stores stain data (stain memory for short); if it is stain memory, this indicates an operation that takes the address of stain data and assigns it to a pointer, and a separate record is made;
If the instruction is a CMP instruction, and the subsequent conditional jump instruction (Jcc) shows that the comparison passed, judge whether the source operand is stain data; if it is, further judge whether the target operand is constant data, or constant data of some binary image, or memory in the global variable data section (.data section); if any one of these holds, this indicates data verification and the corresponding stain data is a constant field, and a separate record is made;
If the instruction is the entry instruction of the entry basic block of the memset, memcpy or SetFilePointer function, then, from the thread stack address accessed by the instruction, combined with the order and size in which the function parameters are pushed onto the stack, determine the thread stack address at which the parameter representing a length or offset is stored; if this address is a memory address of stain data, this indicates that the parameter is a field serving as a stain data length, and a separate record is made;
Step 3-3-4: record the stain data access and processing operations in the output document of the stain data flow path (e.g., an output log). Every byte in the sample file has a corresponding row record in this output log; each row record holds all the operations performed on the corresponding byte of the sample file during execution of the tested program, and all of these records form the stain data processing chain. When a new record is added to the output log, it is appended as a node to the end of this stain data processing chain. The information recorded in a node comprises: the basic block number (the sequence number of the basic block containing the instruction that the current node relates to), the timestamp (which can be represented by the sequence number of the currently executing basic block in the overall process execution record), the binary image number (the sequence number of the binary image containing this basic block), the instruction offset (the offset of the instruction that the current node relates to within the binary image file, relative to the file header), etc.
The operating process performed by the File Format Analysis module is shown in Fig. 4.
The operating process shown in Fig. 4 mainly comprises the following steps:
Step 4-1: the File Format Analysis module (e.g., the file field segmentation unit) loads the static information of the images, basic blocks and instructions recorded by the dynamic pitching pile executive logging module, for indexing; the File Format Analysis module (e.g., the file field segmentation unit) also loads the stain data flow path generated by the static snapshot parsing stain tracking module, i.e., the stain data processing chains;
Step 4-2: the File Format Analysis module (e.g., the file field segmentation unit) selects, in order, the stain data processing chains corresponding to all adjacent bytes in the sample file, and calculates in turn the node similarity of all node pairs of the two stain data processing chains;
Step 4-3: the File Format Analysis module (e.g., the file field segmentation unit) accumulates the similarities of all node pairs of the two bytes' stain data processing chains and divides the sum by the product of the lengths of the two chains, obtaining the average node similarity, i.e., the byte stain data processing chain similarity;
Step 4-4: according to the above similarities, the File Format Analysis module (e.g., the file field segmentation unit) calculates, for all adjacent byte pairs except the first and last, the ratio of the pair's similarity to the similarity of the preceding byte pair and to that of the following byte pair, obtaining the global forward and backward ratio sequences and thereby a dimensionless normalization. The File Format Analysis module (e.g., the file field segmentation unit) then performs a threshold judgment: for example, if the values at the same position in the two ratio sequences are both less than 0.75, the position is a minimum point of the similarity curve, and this byte pair is the split point between two file fields, which completes the file field segmentation;
Step 4-5: according to the separate records in the above stain analysis, the File Format Analysis module (e.g., the field association pattern inference unit) finds the fields whose stain-processed bytes involve a CMP instruction comparison against a constant that passed, and marks them as constant fields, whose value is immutable or lies within a set of several values;
Step 4-6: according to the separate records in the above stain analysis, the File Format Analysis module (e.g., the field association pattern inference unit) finds the fields whose stain-processed bytes serve as the length parameter of memset or memcpy, and marks them as length fields; such a field is an integer and represents the length of the stain data field stored in the source buffer that these functions point to;
Step 4-7: according to the separate records in the above stain analysis, the File Format Analysis module (e.g., the field association pattern inference unit) finds the fields whose stain-processed bytes serve as the offset parameter of SetFilePointer, and marks them as offset fields; such a field is an integer and represents the offset in the file of the data field that is stored after subsequent stain data is brought into the destination buffer that these functions point to;
Step 4-8: according to the separate records in the above stain analysis, the File Format Analysis module (e.g., the field association pattern inference unit) finds the fields whose stain-processed bytes involve an LEA instruction taking the address of stain data for pointer assignment. Such a pointer assignment is usually a feature of the first byte of the start field of a relatively large file substructure (file field group), so the field can be marked as the start field of a potential large data structure.
Specifically, the process of calculating the stain data processing chain node similarity in step 4-2 above can in practice be a process of scoring according to semantic information, with a full score of 1.0. This scoring process can be refined into the following steps:
Step 4-2-1: the File Format Analysis module (e.g., the file field segmentation unit) judges whether the timestamps of the two nodes are identical;
Step 4-2-2: if the two timestamps are identical, continue to judge whether the instructions processed are identical: if they are, the score is 1.0; if they are not, the score is 0.9. If the two timestamps are not identical, an itemized cumulative scoring process can be adopted: continue to judge whether the two timestamps are close, and if they differ by an amount within a certain threshold range, add 0.2 to the score. In addition, when the two timestamps are not identical, the following step 4-2-3 should also be performed;
Step 4-2-3: the File Format Analysis module (e.g., the file field segmentation unit) continues with the following score accumulation: judge whether the instructions processed by the two nodes belong to the same function; if they do, continue to judge whether they belong to the same basic block; if they do not belong to the same basic block, add 0.1 to the score; if they belong to the same basic block, continue to judge whether the two nodes process the same instruction: if not, add 0.2 to the score; if so, add 0.5.
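Steps 4-2 to 4-4 together with the scoring of steps 4-2-1 to 4-2-3, as an added example (not the patent's code) run over constructed stain (taint) processing chains for an 8-byte file. The `func` field, the `TS_NEAR` closeness threshold, the handling of a zero denominator and the sample chains are assumptions; 0.75 is the example threshold from step 4-4.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Node:
    bb: int       # basic block number
    ts: int       # timestamp: position of the executing block in the whole run
    image: int    # binary image number
    offset: int   # instruction offset inside the image file
    func: int     # owning function id (assumed to come from the static info)


TS_NEAR = 4       # assumption: the page only says "within a certain threshold range"
CUT_RATIO = 0.75  # example threshold given in step 4-4


def same_instruction(a, b):
    return (a.image, a.offset) == (b.image, b.offset)


def node_similarity(a, b):
    """Steps 4-2-1 to 4-2-3: semantic score of one node pair, at most 1.0."""
    if a.ts == b.ts:                       # same execution of the same block
        return 1.0 if same_instruction(a, b) else 0.9
    score = 0.2 if abs(a.ts - b.ts) <= TS_NEAR else 0.0
    if (a.image, a.func) == (b.image, b.func):
        if a.bb != b.bb:
            score += 0.1
        else:
            score += 0.5 if same_instruction(a, b) else 0.2
    return score


def chain_similarity(c1, c2):
    """Step 4-3: sum over all node pairs divided by the product of lengths."""
    if not c1 or not c2:
        return 0.0                         # a byte that was never processed
    total = sum(node_similarity(a, b) for a, b in product(c1, c2))
    return total / (len(c1) * len(c2))


def ratio(value, neighbour):
    # Assumption: a zero neighbour cannot make the current pair a minimum.
    return value / neighbour if neighbour else float("inf")


def split_fields(chains, cut_ratio=CUT_RATIO):
    """Step 4-4: cut where a pair's similarity is a local minimum by ratio."""
    sims = [chain_similarity(chains[i], chains[i + 1])
            for i in range(len(chains) - 1)]
    cuts = []
    for i in range(1, len(sims) - 1):      # first and last pairs are excluded
        forward = ratio(sims[i], sims[i - 1])
        backward = ratio(sims[i], sims[i + 1])
        if forward < cut_ratio and backward < cut_ratio:
            cuts.append(i + 1)             # boundary lies before byte i + 1
    bounds = [0] + cuts + [len(chains)]
    return [(bounds[k], bounds[k + 1]) for k in range(len(bounds) - 1)]


# Constructed chains: bytes 0-3 are loaded and compared together; bytes 4-7
# are handled 800 basic blocks later by another block of the same function.
FIELD_A = (Node(10, 100, 0, 0x1000, 1), Node(11, 101, 0, 0x1010, 1))
FIELD_B = (Node(50, 900, 0, 0x5000, 1),)
SAMPLE_CHAINS = [FIELD_A] * 4 + [FIELD_B] * 4

if __name__ == "__main__":
    for start, end in split_fields(SAMPLE_CHAINS):
        print(f"field: bytes {start}..{end - 1}")
```

Fields are returned as half-open byte ranges, so `(0, 4)` covers file offsets 0 through 3.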
As can be seen from the above description, embodiments of the present invention have complete stain analysis logic. For the case where arithmetic and bitwise operation instructions may cause a single data unit to have multiple stain sources, multiple stain labels are introduced, with support for multi-label propagation and single-label elimination. In addition, the stain propagation caused by several special instruction combination sequences has been refined. Extended instruction sets are supported, so special programs can be analyzed.
In addition, the present invention has higher execution efficiency. By separating the stain analysis computation into an independent module, the framework improves the execution efficiency of dynamic testing. Meanwhile, because the stain state set need not be recorded during dynamic execution and no memory space mapping array need be introduced, space usage is greatly reduced, which makes support for 64-bit programs possible. By recording the snapshot logs through memory-mapped files, embodiments of the present invention essentially eliminate the I/O bottleneck in dynamic stain analysis.
Further, the invention provides a novel file format reverse-engineering algorithm. By fully mining the semantic information in dynamic stain analysis results and emphasizing the similarity and relevance between data processing procedures, it provides a new theoretical hypothesis for reverse parsing of file formats, and this hypothesis has been fully demonstrated by experimental results. The file format reverse parsing system provided by the invention enables users to gain an understanding of private file formats or of file formats whose technical details are not fully disclosed.
In summary, on the one hand the present invention provides a dynamic stain analysis device that can run efficiently, with accurate analysis results, on the Windows system platform or on other operating system platforms (such as mobile operating systems). The snapshot logs generated by its dynamic pitching pile executive logging module can also serve as a reversible record in manual debugging work, so that the cause of an exception trigger point can easily be traced backwards from the snapshot logs. The stain analysis results obtained by the static snapshot parsing stain tracking module are also a basic tool for much other research work, and the efficient dynamic stain analysis framework proposed by the invention can provide underlying support for analyzing large-scale commercial software. On the other hand, the reverse recovery of file formats provided by the invention can serve file-structure-based fuzz testing well, so that test samples produced by mutation-based or generation-based fuzz testing can achieve greater code coverage and deeper path coverage; the path complexity of the stain analysis results is itself a metric that can characterize the processing complexity of file data, and it can guide the priority of data mutation in fuzz testing.
The above are only preferred embodiments of the present invention and do not limit the invention in any form. Although the invention is disclosed above by way of preferred embodiments, these are not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make minor changes or modifications that yield equivalent embodiments; any simple modification, equivalent change or modification made to the above embodiments according to the technical essence of the invention, without departing from the content of its technical solution, still falls within the scope of the technical solution of the invention.

Claims (9)

1. A file format reverse parsing system based on dynamic stain analysis, characterized in that the system comprises a dynamic stain analysis device and a File Format Analysis module, the dynamic stain analysis device comprising: a dynamic pitching pile executive logging module, configured to use a binary program instrumentation platform to invoke and execute a tested program, to monitor the open, parse and close behavior, during execution of the tested program, of a data file that contains original stain data, and to obtain, from the execution of the tested program, snapshot logs containing the entire instruction flow, the context information and the memory access information of the tested program's execution; and
a static snapshot parsing stain tracking module, configured to parse the snapshot logs, to simulate replay of the process execution according to the parsed information, and, during the replayed execution, to record the processing and propagation information of the original stain data in the data file, so as to obtain the complete stain data flow path;
the File Format Analysis module being configured to perform data correlation comparison analysis according to the stain data flow path, to perform semantics-based format field segmentation of the data file according to the result of the data correlation comparison analysis, and to extract the association relationships between the segmented fields according to the function information and specific instruction information in the tested program.
2. The system as claimed in claim 1, characterized in that the dynamic pitching pile executive logging module comprises:
a basic block granularity recording and indexing unit, configured to instrument single-entry single-exit instruction sequence basic blocks and to record the assembly code of the instructions contained in the instrumented basic blocks in the first snapshot log; and to number the basic blocks sequentially and record in the first snapshot log the information of all basic blocks executed in order in the process flow;
an instruction granularity execution information recording unit, configured to instrument instructions that involve memory access and to record in the second snapshot log the memory addresses that the instrumented instructions access when executed, wherein, when the accessed memory address is judged to be a thread stack address, the memory address recorded in the second snapshot log is an offset relative to the thread stack base address;
a system call function monitoring unit, configured to instrument the entry and exit of the tested program, to monitor the open, parse and close behavior of the data file by judging the parameters of the functions called by the tested program, and to record in the second snapshot log the position information of the original stain data loaded into memory, wherein the position information comprises: the memory address storing the original stain data, the size of the memory storing the original stain data, and the offset of the original stain data in the data file;
an executable image monitoring unit, configured to instrument the loading functions of all executable binary images in the process space, and to record in the third snapshot log the memory space range, load base address and image file name of every loaded executable binary image that is monitored.
3. The system as claimed in claim 2, characterized in that the system call function monitoring unit is specifically configured to:
instrument the entries and exits of operating system call functions during execution of the tested program, and judge the call number at the entry;
if the call number is NtCreateFile, judge whether the file name in the entry parameters is the specified sample file name, and if so, store, at the exit, the file object handle passed out in the exit parameters in the activity file handle queue in memory;
if the call number is NtReadFile, judge whether the file object handle passed in the entry parameters is a specific file object handle stored in the activity file handle queue in memory; if so, record in the second snapshot log the address of the buffer into which the original stain data is read and the offset in the data file of the original stain data read in, both given in the entry parameters, and, at the exit, record in the second snapshot log the actual number of bytes read from the data file, passed out in the exit parameters;
if the call number is NtSetInformationFile, judge whether the file object handle passed in the entry parameters is a specific file object handle stored in the activity file handle queue in memory, and if so, adjust the file read operation offset associated with the record of this specific file object handle;
if the call number is NtCreateSection, judge whether the file object handle passed in the entry parameters is a specific file object handle stored in the activity file handle queue in memory, and if so, store, at the exit, the memory-mapped object handle passed out in the exit parameters in the activity file memory-mapped object queue in memory;
if the call number is NtMapViewOfSection, judge whether the memory-mapped object handle passed in the entry parameters is a memory-mapped object handle stored in the activity file memory-mapped object queue in memory, and if so, record the mapped memory address, the length and the corresponding file offset in the second snapshot log;
if the call number is NtUnmapViewOfSection, judge whether the memory-mapped object handle passed in the entry parameters is a memory-mapped object handle stored in the activity file memory-mapped object queue in memory, and if so, delete this record from the activity file memory-mapped object queue;
if the call number is NtClose, judge whether the file object handle passed in the entry parameters is a specific file object handle stored in the activity file handle queue in memory, and if so, delete this record from the activity file handle queue.
4. The system as claimed in claim 2, characterized in that each unit in the dynamic pitching pile executive logging module transmits the corresponding snapshot information to the first snapshot log and the second snapshot log by means of memory-mapped files, uses the method of dynamically growing the number of pages of the mapped region to raise the size limit of each snapshot log step by step, and, when the instrumentation recording process ends, adjusts the size of each snapshot log to the actual data size.
5. The system as claimed in claim 2, characterized in that the static snapshot parsing stain tracking module comprises:
a static information loading unit, configured to construct, according to the information parsed from the first snapshot log and the third snapshot log, the corresponding process, thread, basic block, instruction and operand type containers for storing the static information;
a dynamic process replay unit, configured to restore the complete dynamic execution information of the tested program according to the information parsed from the second snapshot log, and to determine, according to the dynamic execution information and the instruction type, how each instruction accesses and modifies memory and registers, wherein the dynamic execution information comprises the data flow information of each instruction;
a stain data set recording and propagation tracking unit, configured to maintain the stain data set; during process replay, to judge from the data flow of every instruction whether access, propagation or elimination of dynamic stain data occurs; and, if so, to update the stain data set and record the access, propagation and elimination of each byte of the data file as stain data during process replay, wherein the stain data set comprises: the real-time stain state of the registers, the memory address and length of the stored dynamic stain data, and the offset in the data file of the original stain data corresponding to the stored dynamic stain data.
6. The system as claimed in claim 5, characterized in that the stain data set recording and propagation tracking unit is specifically configured to:
initialize the register state of each thread to the empty state, and initialize the stain data set so that the original stain data is added to the stain data set;
during the virtual execution of each thread, perform semantic analysis based on the instruction type on every instruction;
if the source operand is a register that carries a stain attribute label in the register stain state of the current thread, or contains an element of the stain data set, cache the stain attribute label corresponding to the source operand as the source stain label;
if the source operand is a register that carries no stain attribute label in the register stain state of the current thread, a memory range or an immediate, set the source stain label to empty;
judge the type of the instruction currently executed: if the instruction type is an arithmetic operation type, keep the current stain attribute label of the target operand; otherwise, clear the stain attribute label of the target operand;
judge the target operand type: if the target operand type is a register type, copy the source stain label into the stain attribute label in the register stain state of the current thread;
if the target operand type is a memory type, update the stain data set, wherein updating the stain data set comprises: insertion and elimination of stain memory addresses, and set intersection and union operations.
7. The system as claimed in claim 1, characterized in that the File Format Analysis module comprises:
a file field segmentation unit, configured to perform semantics-based adjacent byte similarity matching according to the stain processing flow sequence of each byte of the data file, to determine the similarity of the nodes in the stain processing sequences corresponding to adjacent bytes, to normalize the matching result and the node similarity, and, according to the normalized result, to merge adjacent bytes that satisfy the similarity condition into the same field, thereby segmenting the data file;
a field association pattern inference unit, configured to judge whether the stain processing flows of the fields have a direct relationship at instruction granularity or an association at function call parameter granularity, and to determine the type of each field according to the judgment result.
8. system as claimed in claim 7, is characterized in that, described file field cutting unit toolBody is used for:
Obtain the stain of adjacent byte in described data file and process path, and obtain described processing pathIn the relevant information of each node, described relevant information comprises: basic block numbering, IA, instituteBelong to function, affiliated binary image and timestamp;
All nodes that the stain of adjacent byte is processed in path carry out similarity comparison marking, and instituteState marking between 0~1, the similarity total score that two stains are processed to path is divided by two stain processingThe product of the nodes in path, its result is the sequence node similarity after normalized;
Obtain the overall situation according to the sequence node similarity of all adjacent byte in described data file similarThe line of writing music, will remove all sequence node similarities outside two sequence node similarities of head and the tail respectivelyDivided by last similarity and a rear similarity, obtain forward direction sequence of ratio values and backward sequence of ratio values, ifForward direction ratio and backward ratio are all less than the first predetermined threshold, determine the utmost point of overall similarity curveLittle value, and during lower than the second predetermined threshold, determine corresponding in adjacent byte similarity corresponding to minimumAdjacent byte be discontinuous byte, otherwise be same field by corresponding adjacent byte merger.
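The field-splitting procedure of claims 7 and 8, run on constructed per-byte paths. This is an added example, not code from the patent; the node scoring weights, both thresholds (0.5), the function names and the handling of a zero-valued neighbouring similarity are assumptions.

```python
def node_score(a, b):
    """Score two path nodes (basic_block, address, function, image, timestamp) in [0, 1].
    The weights are assumed; the timestamp is carried but not scored here."""
    if a[1] == b[1]:
        return 1.0          # same instruction address
    if a[2] == b[2]:
        return 0.5          # same function
    if a[3] == b[3]:
        return 0.25         # same binary image
    return 0.0

def path_similarity(p, q):
    """Total pairwise node score divided by the product of the two node counts."""
    if not p or not q:      # a byte the program never touched has an empty path
        return 0.0
    return sum(node_score(a, b) for a in p for b in q) / (len(p) * len(q))

def split_fields(paths, t1=0.5, t2=0.5):
    """paths[i] is the stain processing path of file byte i.
    Returns (similarity curve, list of (first_byte, last_byte) fields)."""
    if not paths:
        return [], []
    sims = [path_similarity(paths[i], paths[i + 1]) for i in range(len(paths) - 1)]

    def ratio(a, b):        # assumed: a zero neighbour never makes a minimum
        return a / b if b else float("inf")

    fields, start = [], 0
    for k in range(1, len(sims) - 1):            # first and last similarity are excluded
        fwd, bwd = ratio(sims[k], sims[k - 1]), ratio(sims[k], sims[k + 1])
        if fwd < t1 and bwd < t1 and sims[k] < t2:
            fields.append((start, k))            # bytes k and k+1 are discontinuous
            start = k + 1
    fields.append((start, len(paths) - 1))
    return sims, fields

# Constructed sample: 2-byte magic, 4-byte length, 4-byte body handled in another image.
MAGIC = [(1, 0x401000, "check_magic", "app", 10)]
LENGTH = [(2, 0x401100, "read_len", "app", 20), (3, 0x401110, "read_len", "app", 21)]
BODY = [(9, 0x7F0000, "inflate", "libz", 30)]
SAMPLE_PATHS = [MAGIC] * 2 + [LENGTH] * 4 + [BODY] * 4
```

Because the first and last similarities are excluded from the ratio test, a boundary directly after the first byte or before the last byte is not detected by this procedure.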
9. The system as claimed in any one of claims 1 to 8, characterized in that the data file is a data file of a grey-box file format, where a data file of a grey-box file format refers to a data file whose file format is undisclosed or not fully disclosed.
CN201310400437.XA 2013-09-05 2013-09-05 Dynamically stain analytical equipment and the application in file format resolving inversely thereof Expired - Fee Related CN103440201B (en)

Publications (2)

Publication Number Publication Date
CN103440201A (en) 2013-12-11
CN103440201B (en) 2016-05-18

Family

ID=49693892

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160518

Termination date: 20160905
