CN109583200B - Program abnormity analysis method based on dynamic taint propagation - Google Patents


Publication number
CN109583200B
Authority
CN
China
Legal status
Active
Application number
CN201710894260.1A
Other languages
Chinese (zh)
Other versions
CN109583200A (en)
Inventor
黄桦烽
杨轶
聂楚江
苏璞睿
和亮
Current Assignee
Institute of Software of CAS
Original Assignee
Institute of Software of CAS

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention provides a program exception analysis method based on dynamic taint propagation, comprising the following steps: dynamically running a target program in a virtualization environment, monitoring the target process of the target program and recording execution sequence information; marking the input data that causes the target program exception as a taint source, and performing taint propagation analysis according to the semantics of each instruction executed by the target process to obtain the taint state information of memory; identifying memory access exceptions while the target program runs, extracting the exception position of the faulting instruction, and checking the taint state of the operands and registers at the exception position against the taint state information of memory; if the operands and registers are tainted, locating the error point through taint backtracking; otherwise, performing reverse slicing analysis on the registers to find the related data link, performing heap overflow detection and UAF detection on each node of the data link, and locating the error point through comparative analysis.

Description

Program abnormity analysis method based on dynamic taint propagation
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method, based on data flow analysis with dynamic taint propagation, for analyzing exceptions or vulnerabilities of a binary program and locating the error point on a virtualization platform.
Background
As programs grow in functionality, scale and complexity, as update iterations accelerate, and as software developers lack security awareness, software vulnerabilities seriously threaten the security of cyberspace, and the damage they cause is increasingly severe. A vulnerability first shows itself as program crashes and exceptions, most of which are caused by memory access exceptions. Memory access exceptions include read, write and execute exceptions; common causes are null pointer dereference, wild pointer dereference (use of uninitialized data or of a released pointer), stack overflow, heap overflow and the like. Traditional program exception analysis is debugger-based: it generally reports the exception location, the memory accessed and the exception type, but does not analyze the cause of the exception, and cause analysis depends to a great extent on source code. However, a large amount of closed-source software on the market ships without source code and without PDB files for debugging, so improving the ability to analyze exceptions in closed-source binary programs is necessary.
Current program crash cause analysis typically uses the following methods:
1. Analysis based on debuggers and decompilation tools
The triggered exception is captured with a debugger to obtain the faulting module, the exception location and the exception type. The faulting module is then disassembled and decompiled, and the analyst reads the resulting code to understand the program logic and find the error point in it. This method depends heavily on the analyst's skill and understanding of the target program; the labor cost is high, the analysis capability is hard to replicate and pass on, and training analysts is expensive.
2. Analysis based on static function call graphs
Wu et al. proposed a method for recovering the run record of a crashed program based on a static function call graph, which is used to locate the bug position in the program. Because it relies on static analysis, it cannot handle target software protected by a packer (shell), and when some modules are missing the record recovery is incomplete, which affects the analysis result.
3. RETracer system
The RETracer system, developed by W. Cui et al. at Microsoft, analyzes the dump file of a program crash, extracts the pointer at the crash point and the data on the program stack, and uses reverse taint analysis to infer how the corrupted pointer came to be dereferenced.
4. CREDAL
The CREDAL method, proposed by J. Xu et al. of the University of Pennsylvania, locates software vulnerabilities by means of control flow graphs and the identification of data-dependence mismatches. It requires source code, depends on the integrity of the stack space, and is not applicable when the stack space has been corrupted.
In summary, the main drawbacks of current program exception analysis methods are: they depend on a debugger and on a large number of analysts; they cannot handle target software that uses packing, obfuscation and anti-debugging; their analysis stays at the surface and cannot effectively reach the root cause of an exception; and they depend to some degree on source code.
Disclosure of Invention
To address the technical problems in the prior art, the invention provides a program exception analysis method based on dynamic taint propagation, which monitors and tracks the crashes and exceptions that arise while a binary program runs, accurately analyzes and locates the cause and key points of the exception, and does not depend on the source code of the target program.
To achieve this, the invention adopts the following technical solution:
A program exception analysis method based on dynamic taint propagation, comprising the following steps:
dynamically running a target program in a virtualization environment, monitoring the target process of the target program and recording execution sequence information;
marking the input data that causes the target program exception as a taint source, and performing taint propagation analysis according to the semantics of each instruction executed by the target process to obtain the taint state information of memory;
identifying memory access exceptions while the target program runs, extracting the exception position of the faulting instruction, and checking the taint state of the operands and registers at the exception position against the taint state information of memory;
if the operands and registers are tainted, locating the error point through taint backtracking; otherwise, performing reverse slicing analysis on the registers to find the related data link, performing heap overflow detection and UAF detection on each node of the data link, and locating the error point through comparative analysis.
Further, while the target program is monitored, the data structures of the target process are parsed, key variables are extracted, and information about the currently executing process is obtained in order to determine whether the current instruction belongs to the target process; the process information includes instructions, instruction addresses, general-purpose registers, operand memory addresses and memory values.
Further, taint source marking is performed in the virtualization engine: the PE structure information of the target program's dynamic libraries is parsed, the API functions related to the input data are extracted and monitored, the location at which the marked taint source data is read into memory is obtained, and the memory address, the memory size, the mapped input position, the input type and the sequence number of the currently executing instruction are recorded.
Further, the input data includes file, network and peripheral operation information.
Further, the taint propagation analysis works as follows: each time an instruction of the target process executes, check whether the instruction's input data is tainted; if so, update the taint state of the instruction's output according to the set rules, where the taint state includes a taint label, the time sequence ID at which the location was marked as tainted, and the instruction address; if not, and the output location was previously tainted, bleach (untaint) the output location.
Further, bleaching is also applied to the special operations of the special instructions "xor eax, eax", "sub ebx, ebx" and "and edx, 0".
Further, the taint state information of memory is stored in a modified page table; each entry of the modified page table is a pointer to a taint state; if the corresponding memory is not tainted the pointer is null, otherwise it points to a taint state structure.
Further, the taint state structure includes the number of tainted bytes, the set of taint source labels, and the time sequence ID, instruction address and value from the last time the memory location was marked as tainted.
Further, the heap overflow detection method is: monitor heap allocation and release while the target program runs, record the address and size of each heap allocation, mark the location that stores the heap address as tainted, perform taint propagation analysis on the pointer dereference process, and check at each node of the data link whether an access exceeds the range of the heap allocation.
Further, the UAF detection method is: monitor heap allocation and release while the target program runs, perform taint propagation analysis on the pointer dereference process, and check at each node of the data link whether a released heap pointer is referenced.
Further, the comparative analysis method is: analyze how the attributes of the target program at the exception position differ from those under normal input, the attributes including register values, operand addresses, operand values, slice paths and slice path nodes; for nodes with a significant difference, further analyze the logical relation between the difference and the input data.
Further, the reverse slicing analysis may be performed iteratively on each node of the data link.
By dynamically running the target program in a virtualization environment, the invention can monitor the program's entire run. It performs taint propagation analysis on the input data that causes the target program exception, updates the taint state of registers and memory using the modified page table, finds the exception position where the memory access exception occurs, performs reverse slicing analysis (or iterative reverse slicing analysis) on the registers at the exception position to find the related data link, performs heap overflow detection and UAF detection on each node of the link, and locates the error point through comparative analysis. The method can monitor and track the crashes and exceptions that arise while the program runs, analyze in depth how the exception came about, diagnose overflows from the internal logical relations of the data flow, and accurately locate the cause and key points of the exception. It does not depend on the source code of the target program, it can analyze target programs that use packing and anti-debugging techniques, which traditional methods handle poorly, and it improves analysis efficiency by more than 30 percent.
Drawings
FIG. 1 is a flow chart of a method for analyzing program anomalies based on dynamic taint propagation according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
As shown in FIG. 1, the program exception analysis method based on dynamic taint propagation includes the following steps:
1. Configuring the virtualized environment
The invention uses dynamic virtualization. First, a virtual machine operating system in which the target program will run is installed; the target program is installed and deployed in it, the input data file that causes the exception is imported, and the software and hardware environment, network environment and other conditions required for the run are configured.
2. Dynamically running the target program
The invention uses dynamic analysis: a virtualization engine with monitoring capability runs the target program and supplies the input case it needs, for example by double-clicking a sample file in the running virtualized environment or by starting the target program from the command line with parameters.
3. Monitoring the target process and recording execution sequence information
The invention uses instruction-level, fine-grained analysis, so the execution sequence information of the process must be recorded while the target program runs. Monitoring is implemented inside the virtualization engine and the target program is unaware of the analysis, so the method is not affected by the target program's anti-debugging and anti-analysis measures. Analysis inside the virtualization engine requires parsing the process data structures, extracting the key variable CR3 of the target process, and obtaining information about the currently executing process, including instructions, instruction addresses, register values, operand addresses and operand values, in order to determine whether an instruction belongs to the target process.
4. Taint source marking
The invention needs to track, during program execution, the role played by the input data that causes the program exception, so the input data is marked as a taint source. The input data can be file, network or peripheral operation information: for example, the input of a specified file is marked as tainted, the data received from a specified network IP and port is marked as tainted, or the peripheral operation information entered into a specified edit box is marked as tainted.
Taint source marking is performed in the virtualization engine. The PE structure information of the target program's dynamic libraries is parsed, the API functions related to the input data are extracted, and these key functions and their parameters are monitored in the virtualization engine to obtain the location at which the marked taint source data is read into memory. Finally, the marked memory address, the memory size, the mapped input position, the input type and the sequence number of the currently executing instruction are recorded.
5. Taint propagation analysis
Taint propagation analysis starts once the taint source has been marked: every instruction executed by the process is analyzed against the marked taint source, and taint is propagated according to the instruction semantics. Each time an instruction of the target process executes, the engine checks whether the instruction's input is tainted. If so, the taint state of the instruction's output is updated according to the rules; the state includes a taint label, the time sequence ID at which the location was marked as tainted, the instruction address, and so on. If not, and the output location was previously tainted, the output location must be bleached (untainted). In addition, special operations such as the instructions "xor eax, eax", "sub ebx, ebx" and "and edx, 0" also require bleaching.
The taint state of memory is stored in a modified page table, which saves space, is quick to query, and can be updated efficiently. Each page table entry is a pointer to a taint state: if the corresponding memory is not tainted the pointer is null, otherwise it points to a taint state structure, defined as follows:
[Figure: definition of the taint state structure]
Here COUNT is the number of corresponding tainted bytes; the Labels array records the corresponding set of taint source labels, whose upper limit TAINT_MAX_LABELS_COUNT can be adjusted for the specific target; srcId is the time sequence ID at which the storage location was last marked as tainted; srcEip is the address of the instruction that last marked the storage location as tainted; and val is the value of the storage location after it was last marked as tainted. In addition, the register address space is mapped into the memory address range 0x0000-0xFFFF, which user-mode programs do not normally use, and different threads are mapped to different ranges so that they can be told apart.
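The page table and propagation rule of step 5 can be sketched as follows. This is an added example, not code from the patent: the field names follow the description above, while the two-level layout, the register slot addresses, the value of TAINT_MAX_LABELS_COUNT, the insn_t trace record and the trace itself are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TAINT_MAX_LABELS_COUNT 4   /* name from the text; the value 4 is an assumption */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define DIR_SIZE   (1u << (32 - PAGE_SHIFT))
enum { REG_EAX = 0x0000, REG_EBX = 0x0004 };  /* assumed slots in the 0x0000-0xFFFF window */

typedef struct {
    uint32_t count;                          /* number of tainted bytes */
    uint32_t labels[TAINT_MAX_LABELS_COUNT]; /* taint source labels; 0 = empty slot */
    uint32_t srcId;                          /* sequence ID of the last tainting instruction */
    uint32_t srcEip;                         /* address of that instruction */
    uint32_t val;                            /* value it stored */
} taint_state;

typedef enum { OP_MOV, OP_ADD, OP_SUB, OP_XOR, OP_AND } op_t;
typedef struct {                             /* hypothetical decoded trace record */
    op_t op; uint32_t eip, dst, src; int src_is_imm; uint32_t imm, size, result;
} insn_t;
static taint_state **shadow_dir[DIR_SIZE];   /* level 1: one entry per 4 KiB page */

/* Level 2 is allocated lazily; each entry is a taint_state pointer, NULL = clean. */
static taint_state **shadow_slot(uint32_t addr, int create) {
    taint_state ***page = &shadow_dir[addr >> PAGE_SHIFT];
    if (!*page) {
        if (!create) return NULL;
        if (!(*page = calloc(PAGE_SIZE, sizeof **page))) abort();
    }
    return &(*page)[addr & (PAGE_SIZE - 1)];
}

taint_state *shadow_get(uint32_t addr) {
    taint_state **s = shadow_slot(addr, 0);
    return s ? *s : NULL;
}
void shadow_bleach(uint32_t addr) {          /* drop the state: location is clean again */
    taint_state **s = shadow_slot(addr, 0);
    if (s && *s) { free(*s); *s = NULL; }
}
static taint_state *shadow_mark(uint32_t addr) {
    taint_state **s = shadow_slot(addr, 1);
    if (!*s && !(*s = calloc(1, sizeof **s))) abort();
    return *s;
}
void taint_source(uint32_t addr, uint32_t size, uint32_t label, uint32_t seq, uint32_t eip) {
    taint_state *t = shadow_mark(addr);
    memset(t, 0, sizeof *t);
    t->count = size; t->labels[0] = label; t->srcId = seq; t->srcEip = eip;
}

/* Union the labels of `in` into `out`; the set is capped, extra labels are dropped. */
static int merge_labels(uint32_t *out, const taint_state *in) {
    if (!in) return 0;
    for (int k = 0; k < TAINT_MAX_LABELS_COUNT && in->labels[k]; k++) {
        int j = 0;
        while (j < TAINT_MAX_LABELS_COUNT && out[j] && out[j] != in->labels[k]) j++;
        if (j < TAINT_MAX_LABELS_COUNT) out[j] = in->labels[k];
    }
    return 1;
}

/* xor r,r / sub r,r / and r,0 always write 0, so the result cannot depend on input. */
static int is_constant_result(const insn_t *i) {
    if (i->src_is_imm) return i->op == OP_AND && i->imm == 0;
    return (i->op == OP_XOR || i->op == OP_SUB) && i->src == i->dst;
}

/* Apply one executed instruction; returns 1 if dst is tainted afterwards, else 0. */
int propagate(const insn_t *i, uint32_t seq) {
    uint32_t merged[TAINT_MAX_LABELS_COUNT] = {0};
    int tainted = 0;
    if (!is_constant_result(i)) {
        if (!i->src_is_imm) tainted |= merge_labels(merged, shadow_get(i->src));
        if (i->op != OP_MOV) tainted |= merge_labels(merged, shadow_get(i->dst));
    }
    if (!tainted) { shadow_bleach(i->dst); return 0; }   /* bleaching */
    taint_state *t = shadow_mark(i->dst);
    memcpy(t->labels, merged, sizeof merged);
    t->count = i->size; t->srcId = seq; t->srcEip = i->eip; t->val = i->result;
    return 1;
}

int main(void) {
    insn_t trace[] = {   /* constructed trace; the input byte at 0x00402000 carries label 7 */
        { OP_MOV, 0x00401000u, REG_EAX, 0x00402000u, 0, 0, 4, 0x41 }, /* mov eax, [0x402000] */
        { OP_ADD, 0x00401005u, REG_EBX, REG_EAX,     0, 0, 4, 0x42 }, /* add ebx, eax */
        { OP_XOR, 0x00401007u, REG_EAX, REG_EAX,     0, 0, 4, 0    }, /* xor eax, eax */
        { OP_AND, 0x00401009u, REG_EBX, 0,           1, 0, 4, 0    }, /* and ebx, 0 */
    };
    taint_source(0x00402000u, 1, 7, 1, 0x00400ff0u);
    for (uint32_t k = 0; k < 4; k++)
        printf("%08x dst %s\n", (unsigned)trace[k].eip, propagate(&trace[k], k + 2) ? "tainted" : "clean");
    return 0;
}
```

Because srcId and srcEip are overwritten on every tainting write, walking them backwards from a tainted register at the exception position gives the chain used for taint backtracking.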
6. Program exception monitoring
The invention needs to monitor whether the target program raises an exception, and when and where it does so. The address of the exception handling API function is obtained by parsing PE structure information in the virtualization engine. Instrumentation monitors the execution of exception handling, selects memory access exceptions by error code, obtains the faulting instruction, and extracts the exception code type and the exception position. Using the results of taint propagation analysis, it then checks whether the registers, memory and access pointers at the exception position have a direct data dependency or logical dependency on the input, that is, whether they are directly controlled by the input data and by which specific input bytes; the analysis is accurate to the byte level.
The operands of the instruction at the exception position, the taint state of the registers and the taint state of the valid memory each register points to are analyzed. If the crash occurs because the addressing pointer register is controlled by tainted data, the exception is caused by an unchecked array out-of-bounds access, and the computation that produced the bad data can be reconstructed through taint backtracking to locate the error point. If the operands at the exception position and the related addressing registers are not controlled by tainted data, the pointer dereference process and the data link nodes are extracted through reverse data flow analysis.
7. Reverse slice analysis
Reverse slicing analysis traces the key data at the exception position backwards. When the exception position has no direct data flow relation or logical dependency on the input data, the indirect relation between the two must be analyzed: reverse slicing the key data at the exception position finds the key data nodes on the exception path, and the suspicious key points among these path nodes are then selected using the methods of steps 8 and 9.
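A minimal backward slice over a recorded execution sequence, as an added example that is not part of the patent: the trace_rec layout, the register slot numbers and the six-instruction trace are constructed for illustration, and address registers are treated as dependencies so that the pointer dereference chain stays in the slice.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SRC  3
#define MAX_LIVE 32
#define LOC_NONE 0xFFFFFFFFu
/* Assumed register slots inside the 0x0000-0xFFFF window used for registers. */
enum { REG_ECX = 0x0004, REG_EDX = 0x0008, REG_ESI = 0x0018, REG_EDI = 0x001c };

typedef struct {
    uint32_t seq, eip;
    uint32_t dst;              /* location written (register slot or memory address) */
    uint32_t src[MAX_SRC];     /* locations read, address registers included */
} trace_rec;

/* Constructed trace; the crash is "mov eax, [ecx+8]" executed right after record 5. */
static const trace_rec sample_trace[] = {
    { 1, 0x00401000u, REG_EDX,     { 0x00a00100u, LOC_NONE, LOC_NONE } }, /* mov edx, [0x00a00100] */
    { 2, 0x00401006u, REG_ESI,     { 0x00403000u, LOC_NONE, LOC_NONE } }, /* mov esi, [0x00403000] */
    { 3, 0x0040100cu, 0x00a00004u, { REG_EDX,     REG_ESI,  LOC_NONE } }, /* mov [esi+4], edx      */
    { 4, 0x0040100fu, REG_EDI,     { LOC_NONE,    LOC_NONE, LOC_NONE } }, /* mov edi, 0x10         */
    { 5, 0x00401014u, REG_ECX,     { 0x00a00004u, REG_ESI,  LOC_NONE } }, /* mov ecx, [esi+4]      */
    { 6, 0x00401017u, REG_EDI,     { REG_EDI,     LOC_NONE, LOC_NONE } }, /* add edi, 1            */
};

static int live_find(const uint32_t *live, int n, uint32_t loc) {
    for (int k = 0; k < n; k++)
        if (live[k] == loc) return k;
    return -1;
}

/* Walk the trace backwards from the location used by the faulting instruction.
 * A record joins the slice when it defines a location that is still unexplained;
 * its own sources then become unexplained in turn. Writes trace indices into
 * nodes[] (nearest to the crash first) and returns how many were written. */
int backward_slice(const trace_rec *t, int n, uint32_t start, int *nodes, int max_nodes) {
    uint32_t live[MAX_LIVE];
    int n_live = 0, n_nodes = 0;
    live[n_live++] = start;
    for (int i = n - 1; i >= 0 && n_live > 0; i--) {
        int k = live_find(live, n_live, t[i].dst);
        if (k < 0) continue;                    /* record does not feed the slice */
        live[k] = live[--n_live];               /* dst is now explained */
        if (n_nodes < max_nodes) nodes[n_nodes++] = i;
        for (int s = 0; s < MAX_SRC; s++) {
            uint32_t loc = t[i].src[s];
            if (loc != LOC_NONE && live_find(live, n_live, loc) < 0 && n_live < MAX_LIVE)
                live[n_live++] = loc;
        }
    }
    return n_nodes;
}

int main(void) {
    int nodes[8];
    int n = backward_slice(sample_trace, 6, REG_ECX, nodes, 8);
    for (int k = 0; k < n; k++)
        printf("slice node: seq %u eip %08x\n",
               (unsigned)sample_trace[nodes[k]].seq, (unsigned)sample_trace[nodes[k]].eip);
    return 0;
}
```

The two EDI instructions fall outside the slice; the remaining four records are the data link nodes that steps 8 and 9 would then examine.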
8. Heap overflow and UAF detection
The invention extends taint propagation so that the pointer returned by a heap allocation can also be marked as tainted. The size of the allocation is recorded at the same time, and taint propagation is computed during execution. When heap memory is accessed, the heap block that the program instruction intends to access can be identified from the taint label, and the legal range of that block follows from the size recorded at allocation; heap overflow is detected by checking whether the accessed memory address falls within the legal range of the block. The invention also marks released heap blocks, using specific odd-even labels to distinguish them, so that a reference through a heap pointer whose label corresponds to a released block is detected. Because heap memory is accessed frequently, checking every instruction would be very expensive, so the method checks only the exception path nodes selected in step 7; when a heap overflow or UAF exists at one of these nodes, it analyzes the logical relation between the input and the overflow point or UAF. Compared with traditional heap overflow detection, the method checks only the extracted exception path nodes, so there are far fewer detection points. In addition, taint propagation links heap allocation directly to heap use, whereas traditional heap overflow detection can only check whether the accessed address is a legal heap address, and so misses overflows that cross from one heap block into another.
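The label-based check of step 8, next to the address-only check it is compared with, as an added example that is not from the patent: the patent names odd-even labels without giving an encoding, so the scheme here (even label while live, odd once released) is an assumption, as are the function names, addresses and slice nodes.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BLOCKS 64

/* Assumed label encoding: block k gets label 2*(k+1) while live (even); the
 * stored label becomes odd when the block is released. */
typedef struct { uint32_t base, size, label; } heap_block;
typedef enum { ACCESS_OK, ACCESS_HEAP_OVERFLOW, ACCESS_UAF, ACCESS_UNTRACKED } verdict;
typedef struct { uint32_t eip, ptr_label, addr, len; } slice_node;  /* one data link node */

static heap_block blocks[MAX_BLOCKS];
static uint32_t   n_blocks;

void heap_reset(void) { n_blocks = 0; }

/* Allocation hook: record base and size, return the label to attach to the pointer. */
uint32_t on_heap_alloc(uint32_t base, uint32_t size) {
    if (n_blocks == MAX_BLOCKS) return 0;
    blocks[n_blocks] = (heap_block){ base, size, 2 * (n_blocks + 1) };
    return blocks[n_blocks++].label;
}

/* Release hook: flip the live block at `base` to its odd (released) label. */
int on_heap_free(uint32_t base) {
    for (uint32_t k = 0; k < n_blocks; k++)
        if (blocks[k].base == base && !(blocks[k].label & 1)) { blocks[k].label |= 1; return 1; }
    return 0;
}

/* Check an access against the block the pointer was derived from, found via the
 * label that taint propagation carried along with the pointer value. */
verdict check_access(uint32_t ptr_label, uint32_t addr, uint32_t len) {
    uint32_t idx = (ptr_label >> 1) - 1;
    if (ptr_label < 2 || idx >= n_blocks) return ACCESS_UNTRACKED;
    const heap_block *b = &blocks[idx];
    if (b->label & 1) return ACCESS_UAF;
    if (addr < b->base || (uint64_t)addr + len > (uint64_t)b->base + b->size)
        return ACCESS_HEAP_OVERFLOW;
    return ACCESS_OK;
}

/* Baseline for comparison: is the address inside any live block at all? */
int address_only_ok(uint32_t addr, uint32_t len) {
    for (uint32_t k = 0; k < n_blocks; k++) {
        const heap_block *b = &blocks[k];
        if (!(b->label & 1) && addr >= b->base &&
            (uint64_t)addr + len <= (uint64_t)b->base + b->size) return 1;
    }
    return 0;
}

/* Check only the slice nodes; return the index of the first bad node, or -1. */
int first_bad_node(const slice_node *nodes, int n, verdict *why) {
    for (int k = 0; k < n; k++) {
        verdict v = check_access(nodes[k].ptr_label, nodes[k].addr, nodes[k].len);
        if (v != ACCESS_OK) { if (why) *why = v; return k; }
    }
    return -1;
}

int main(void) {
    static const char *name[] = { "ok", "heap overflow", "UAF", "untracked" };
    heap_reset();
    uint32_t a = on_heap_alloc(0x00a00000u, 32);   /* constructed: two adjacent blocks */
    uint32_t b = on_heap_alloc(0x00a00020u, 32);
    on_heap_free(0x00a00020u);
    on_heap_alloc(0x00a00020u, 32);                /* address reused by a new block */
    slice_node nodes[] = {
        { 0x00401000u, a, 0x00a00010u, 4 },        /* in bounds */
        { 0x00401010u, a, 0x00a00024u, 4 },        /* runs past block a into its neighbour */
        { 0x00401020u, b, 0x00a00028u, 4 },        /* stale pointer to the released block */
    };
    for (int k = 0; k < 3; k++)
        printf("%08x label-based: %-13s address-only: %s\n", (unsigned)nodes[k].eip,
               name[check_access(nodes[k].ptr_label, nodes[k].addr, nodes[k].len)],
               address_only_ok(nodes[k].addr, nodes[k].len) ? "ok" : "bad");
    return 0;
}
```

Both bad accesses land inside a live block, so the address-only check accepts them; only the label identifies which block the pointer was supposed to stay in.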
9. Comparative analysis
The invention also uses comparative analysis, comparing against the slice data links obtained from normal input. Based on data link statistics over a training sample library, it analyzes how the target program handles normal input (input that does not cause a program exception) and how the target program's attributes differ at the exception position (the exception position of the input that triggers the exception); the attributes include register values, operand addresses, operand values, slice paths and slice path nodes. For points where the difference is significant, the logical relation between the difference and the input data is analyzed further. Anomalies at the key points of the pointer dereference process are detected by comparing node attributes.
10. Iterative analysis
The invention uses iterative analysis: points on the slice path can themselves be sliced again, and the newly generated slice path is analyzed in the same way for stack anomalies and for differences from the normal case.
The method can monitor and track the crashes and exceptions that arise while the program runs, analyze in depth how the exception came about, diagnose overflows from the internal logical relations of the data flow, and accurately locate the cause and key points of the exception. It does not depend on the source code of the target program, it can analyze target programs that use packing and anti-debugging techniques, which traditional methods handle poorly, and it improves analysis efficiency by more than 30 percent.
Those skilled in the art can configure the process modules to be monitored as required, so that the target process's handling of the input data can be analyzed comprehensively and the direct or indirect relation between the input and the exception established.
Although the present invention has been disclosed in the form of specific embodiments and drawings for the purpose of facilitating an understanding of the contents of the present invention and for the purpose of practicing the same, those skilled in the art will appreciate that various substitutions, alterations, and modifications can be made without departing from the spirit and scope of the invention and claims. Therefore, the present invention should not be limited to the disclosure of the preferred embodiments and the drawings, and the scope of protection is defined by the scope of the claims.

Claims (10)

1. A program exception analysis method based on dynamic taint propagation, comprising the following steps:
dynamically running a target program in a virtualization environment, monitoring the target process of the target program and recording execution sequence information;
marking the input data that causes the target program exception as a taint source, and performing taint propagation analysis according to the semantics of the instructions executed by the target process to obtain the taint state information of memory;
identifying memory access exceptions while the target program runs, extracting the exception position of the faulting instruction, and checking the taint state of the operands and registers at the exception position against the taint state information of memory;
if the operands and registers are tainted, locating the error point through taint backtracking; otherwise, performing reverse slicing analysis on the registers to find the related data link, performing heap overflow detection and UAF detection on each node of the data link, and locating the error point through comparative analysis.
2. The method according to claim 1, wherein while the target program is monitored, the data structures of the target process are parsed, key variables are extracted, and information about the currently executing process is obtained, the process information including instructions, instruction addresses, general-purpose registers, operand memory addresses and memory values.
3. The method according to claim 1, wherein the taint source marking is performed in a virtualization engine, the PE structure information of the target program's dynamic libraries is parsed, the API functions related to the input data are extracted and monitored, the location at which the marked taint source data is read into memory is obtained, and the memory address, the memory size, the mapped input position, the input type and the sequence number of the currently executing instruction are recorded.
4. The method of claim 1 or 3, wherein the input data comprises file, network and peripheral operation information.
5. The method of claim 1, wherein the taint propagation analysis is performed as follows: each time an instruction of the target process executes, whether the instruction's input data is tainted is checked; if so, the taint state of the instruction's output is updated according to the set rules, the taint state including a taint label, the time sequence ID at which the location was marked as tainted, and the instruction address; if not, and the output location of the instruction was previously tainted, the output location is bleached.
6. The method of claim 5, wherein the bleaching further comprises bleaching for the special operations of the special instructions "xor eax, eax", "sub ebx, ebx" and "and edx, 0".
7. The method of claim 1, wherein the taint state information of memory is stored in a modified page table, each entry of the modified page table being a pointer to a taint state, the pointer being null if the corresponding memory is not tainted and otherwise pointing to a taint state structure.
8. The method of claim 7, wherein the taint state structure comprises the number of tainted bytes, the set of taint source labels, and the time sequence ID, instruction address and value from the last time the memory location was marked as tainted.
9. The method of claim 1, wherein:
the heap overflow detection method comprises: monitoring heap allocation and release while the target program runs, recording the address and size of each heap allocation, marking the location that stores the heap address as tainted, performing taint propagation analysis on the pointer dereference process, and checking at each node of the data link whether an access exceeds the range of the heap allocation;
the UAF detection method comprises: monitoring heap allocation and release while the target program runs, performing taint propagation analysis on the pointer dereference process, and checking at each node of the data link whether a released heap pointer is referenced;
the comparative analysis method comprises: analyzing how the attributes of the target program at the exception position differ from those under normal input, the attributes including register values, operand addresses, operand values, slice paths and slice path nodes, and, for nodes with a significant difference, further analyzing the logical relation between the difference and the input data.
10. The method of claim 1, wherein the reverse slicing analysis is performed iteratively on each node of the data link.
CN201710894260.1A 2017-09-28 2017-09-28 Program abnormity analysis method based on dynamic taint propagation Active CN109583200B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710894260.1A CN109583200B (en) 2017-09-28 2017-09-28 Program abnormity analysis method based on dynamic taint propagation

Publications (2)

Publication Number Publication Date
CN109583200A (en) 2019-04-05
CN109583200B (en) 2021-04-27

Family

ID=65912491

Country Status (1)

Country Link
CN (1) CN109583200B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110177085B (en) * 2019-04-26 2020-09-08 华中科技大学 Cross-host dynamic stain tracking method and system suitable for cloud environment
CN110515655B (en) * 2019-08-27 2023-04-18 内蒙古工业大学 Data instruction analysis method
CN110661804B (en) * 2019-09-29 2021-12-31 南京邮电大学 Stain analysis vulnerability detection method for firewall
CN110941552B (en) * 2019-11-20 2023-07-07 广州大学 Memory analysis method and device based on dynamic taint analysis
CN112988563A (en) * 2019-12-18 2021-06-18 中国电信股份有限公司 Stain dynamic analysis method and device
CN111291373B (en) * 2020-02-03 2022-06-14 思客云(北京)软件技术有限公司 Method, apparatus and computer-readable storage medium for analyzing data pollution propagation
CN111338864B (en) * 2020-02-18 2023-08-18 上海闻泰电子科技有限公司 Memory problem detection method, device, computer equipment and storage medium
CN113176990B (en) * 2021-03-25 2022-10-18 中国人民解放军战略支援部队信息工程大学 Taint analysis framework and method supporting correlation analysis among data
CN113268427B (en) * 2021-06-15 2022-03-29 中国电子科技网络信息安全有限公司 Crash analysis method and system for binary program
CN113626805B (en) * 2021-07-16 2022-05-03 中国科学院软件研究所 Buffer overflow attack defense method and system based on RISC-V and unexecutable memory
CN113746819B (en) * 2021-08-24 2022-08-23 中国科学院信息工程研究所 Binary software protocol detection load mining method and device
CN115617410B (en) * 2022-11-01 2023-09-19 清华大学 Drive interface identification method, device, equipment and storage medium
CN115795489B (en) * 2023-02-09 2023-05-09 中国电子科技集团公司第三十研究所 Software vulnerability static analysis method and device based on hardware-level process tracking

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
CN106599681A (en) * 2016-12-22 2017-04-26 北京邮电大学 Malicious program characteristic extraction method and system
CN106919831A (en) * 2015-12-25 2017-07-04 阿里巴巴集团控股有限公司 The method and apparatus that stain is followed the trail of

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8321840B2 (en) * 2007-12-27 2012-11-27 Intel Corporation Software flow tracking using multiple threads

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
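Dynamic detection method for overflow vulnerabilities based on the finite constraint satisfaction problem; Chen Kai (陈恺) et al.; Chinese Journal of Computers (《计算机学报》); 20120515; Vol. 35 (No. 5); 898-909 *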

Also Published As

Publication number Publication date
CN109583200A (en) 2019-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant