KR102318714B1 - Computet program for detecting software vulnerability based on binary code clone - Google Patents

Abstract

In one embodiment of the present disclosure for solving the above problems, as a computer program stored in a computer-readable storage medium executable by one or more processors, the computer program causes the one or more processors to convert the binary code of software. The following operations are performed to determine a vulnerability based on the It may include an operation of generating a target function fingerprint and an operation of determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint.

Description

COMPUTET PROGRAM FOR DETECTING SOFTWARE VULNERABILITY BASED ON BINARY CODE CLONE}

The present disclosure relates to a method of detecting a vulnerability in software, and more particularly, to a computer program for quickly and accurately detecting a code clone of a known vulnerable code in a binary of software to determine the presence or absence of a vulnerability.

A library is software that makes it possible to reuse logic frequently used in code writing. It is software that can implement specific functions and has an interface that can be combined with other software. In addition, the library can be created for the user's own use, or can be made public for use by an unspecified number of people. If you use the library, you can use the desired function by calling the API (Application Program Interface) provided by the library without having to implement the necessary logic yourself.

Open Source Software (OSS) refers to software that can be reused, modified and redistributed by anyone without special restrictions as long as the source code is open and the open source license is complied with.

In the case of using the library and open source software as described above, there is an advantage of reducing development time and cost, but there is a concern about the occurrence of code clones. Here, the code clone is a phenomenon in which the same or similar code is duplicated in several software or one software, and the main cause of occurrence is the reuse of external code. These code clones can cause problems with the software. For example, when a vulnerability is found in a specific code, the developer must identify and correct all code clones corresponding to the code.

In other words, since libraries and open source software are intended to be widely used, if they are distributed with vulnerabilities, they can act as a window for spreading vulnerabilities to numerous software. In addition, even after patching a vulnerability in a specific software, there is a risk that it takes a long time for the patch to be applied to other software that depends on the software. In addition, one source code can be compiled into various types of binaries depending on the compilation environment (ie, various functional patches are possible), but software vulnerability patches are often smaller than functional patches. In such an environment, it may be difficult to determine whether the cause of a small code change occurring in a binary is a change in the compilation environment or a patch for vulnerabilities in software. In addition, it may be difficult to determine whether a vulnerable part exists in a binary compiled of the code cloned source code.

Accordingly, there is a conventional technique for detecting a code clone by calculating the similarity of two binary functions. Specifically, the conventional binary code clone detection method can detect code clones by comparing all or part of the original binary code and the code clone suspicious binary code, or by comparing key phrases or tokens extracted based on parsing analysis. have.

However, the conventional code clone detection method only detects the existence of a code clone by calculating the similarity of binary function pairs, and it is difficult to determine whether a vulnerability exists in the corresponding code, and there may be a limit of scalability. In addition, since the conventional method performs string comparison on binary codes, it consumes relatively large computing resources and may require a large amount of work time.

Accordingly, there may be a need in the art for a method for scalable detection of known vulnerabilities in software binaries.

Korean Patent Registration 2014-0001951

The present disclosure has been made in response to the above-described background technology, and is intended to provide a computer program that detects a code clone of a known vulnerable code in a software binary quickly and accurately to determine the presence or absence of a vulnerability.

In an embodiment of the present disclosure for solving the above problems, a computer program for determining a vulnerability based on a binary code of software is disclosed. When the computer program is executed on one or more processors, the one or more processors cause the one or more processors to perform the following operations for determining a vulnerability based on a binary code of the software, wherein the operations are pre-processing for vulnerability information of the software It is determined whether a vulnerability exists in the target software through the operation of generating a vulnerability signature by performing It may include an action to

Alternatively, the vulnerability information may include vulnerability patch information in the form of source code, a binary code related to a vulnerability, and a binary code in which the vulnerability is patched.

Alternatively, the operation of generating a vulnerability signature by performing pre-processing on the vulnerability information of the software may include: identifying a binary code related to a change based on the vulnerability information; based on the identified binary code related to the change It may include generating a vulnerability function fingerprint and a patched function fingerprint, and generating a vulnerability signature including the vulnerable function fingerprint and the patched function fingerprint.

Alternatively, the generating of the weak function fingerprint and the patch function fingerprint based on the binary code related to the identified change may include: obtaining attribute information of the executable function and the binary code based on the binary code related to the identified change operation, obtaining property information of a function based on the executable function, dividing the function into one or more strands based on an independent code flow in the function, and in each of the one or more strands and generating the weak function fingerprint and the patch function fingerprint by mapping the attribute information of the function and the attribute information of the binary.

Alternatively, the strand is a set of instructions necessary to calculate the value of one variable, and may be a unit that is a standard for the similarity comparison.

Alternatively, the operation of generating a target function fingerprint by performing preprocessing on the target binary code includes: acquiring an executable target function based on the target binary code and property information of the target binary code; the target function Obtaining property information of the target function based on and generating the target function fingerprint by mapping attribute information of the target binary.

Alternatively, the similarity comparison between the vulnerability signature and the target function fingerprint may include dividing each of the function fingerprint corresponding to the vulnerability signature and the target function fingerprint into a predetermined unit, and how many units of all the divided units are similar. It may be an N-Gram similarity comparison that performs a comparison on whether or not.

Alternatively, the operation of determining whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint includes a weak function fingerprint included in the vulnerability signature and a function included in each of the target function fingerprint Based on the operation of calculating a first degree of similarity between to determine whether a vulnerability exists in the target software.

Alternatively, the first similarity may have a positive correlation with a probability that a vulnerability is determined in the software, and the second similarity may have a negative correlation with a probability that a vulnerability is determined in the software.

Alternatively, the determining whether a vulnerability exists in the target software based on the difference between the first similarity and the second similarity may include: the difference between the first similarity and the second similarity exceeding a predetermined criterion; In this case, it may include an operation of determining that a vulnerability exists in the target software.

Alternatively, the operation of determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint may include performing primary filtering on the vulnerability signature and the target function fingerprint to obtain a candidate vulnerability signature. and selecting a candidate target function fingerprint, and the primary filtering may be filtering for identifying a code related to a vulnerability in each of the vulnerability signature and the target function fingerprint.

Alternatively, the operation of determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint may include performing secondary filtering on the candidate vulnerability signature and the candidate target function fingerprint to obtain a similar strand. It may further include an operation of identifying

In another embodiment of the present disclosure, a method for determining a vulnerability based on a target binary code of software executed in a processor of a computing device is disclosed. The method includes the steps of, by a processor included in a computing device, performing pre-processing on vulnerability information of software to generate a vulnerability signature, the processor performing pre-processing on a target binary code to generate a target function fingerprint, and the processor determining whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint.

In another embodiment of the present disclosure, a computing device for determining a vulnerability based on a binary code of software is disclosed. The computing device includes a processor including one or more cores, a memory including program codes executable in the processor, and a network unit for transmitting and receiving data to and from a client, and the processor performs pre-processing on vulnerability information of software, It is possible to generate a vulnerability signature, perform preprocessing on the target binary code to generate a target function fingerprint, and determine whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint.

The present disclosure may provide a computer program that detects a code clone of a known vulnerable code in a binary of software quickly and accurately to determine the presence or absence of a vulnerability.

Various aspects are now described with reference to the drawings, in which like reference numbers are used to refer to like elements collectively. In the following examples, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It will be evident, however, that such aspect(s) may be practiced without these specific details.
1 illustrates a block diagram of a computing device according to an embodiment of the present disclosure.
2 is a schematic diagram of a system for determining vulnerabilities of binary code clone-based software related to an embodiment of the present disclosure.
3 shows an exemplary flowchart of a process of pre-processing a vulnerability signature related to an embodiment of the present disclosure.
4 shows an exemplary flowchart of a process of preprocessing a target function fingerprint according to an embodiment of the present disclosure.
5 shows an exemplary flowchart of a process for detecting code clones and determining vulnerabilities related to an embodiment of the present disclosure.
6 is an exemplary diagram illustrating a method of calculating a similarity of a code flow pair related to an embodiment of the present disclosure.
7 is a schematic diagram exemplarily illustrating a processing process of a system for determining a vulnerability of binary code clone-based software related to an embodiment of the present disclosure.
8 is a schematic diagram exemplarily illustrating a process of preprocessing vulnerability information and preprocessing a binary code related to an embodiment of the present disclosure.
9 is a schematic diagram exemplarily illustrating a code clone detection and vulnerability determination process related to an embodiment of the present disclosure.
10 shows an exemplary flowchart of a method for determining a vulnerability of binary code clone-based software according to an embodiment of the present disclosure.
11 shows an exemplary flowchart of logic for implementing a method for determining a vulnerability of binary code clone-based software.
12 depicts a simplified, general schematic diagram of an exemplary computing environment in which embodiments of the present disclosure may be implemented.

Various embodiments are now described with reference to the drawings. In this specification, various descriptions are presented to provide an understanding of the present disclosure. However, it is apparent that these embodiments may be practiced without these specific descriptions.

The terms “component,” “module,” “system,” and the like, as used herein, refer to a computer-related entity, hardware, firmware, software, a combination of software and hardware, or execution of software. For example, a component can be, but is not limited to being, a process running on a processor, a processor, an object, a thread of execution, a program, and/or a computer. For example, both an application running on a computing device and the computing device may be a component. One or more components may reside within a processor and/or thread of execution. A component may be localized within one computer. A component may be distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures stored therein. Components may communicate via a network such as the Internet with another system, for example via a signal having one or more data packets (eg, data and/or signals from one component interacting with another component in a local system, distributed system, etc.) may communicate via local and/or remote processes depending on the data being transmitted).

In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless otherwise specified or clear from context, "X employs A or B" is intended to mean one of the natural implicit substitutions. That is, X employs A; X employs B; or when X employs both A and B, "X employs A or B" may apply to either of these cases. It should also be understood that the term “and/or” as used herein refers to and includes all possible combinations of one or more of the listed related items.

Also, the terms "comprises" and/or "comprising" should be understood to mean that the feature and/or element in question is present. However, it should be understood that the terms "comprises" and/or "comprising" do not exclude the presence or addition of one or more other features, elements and/or groups thereof. Also, unless otherwise specified or otherwise clear from context to refer to a singular form, the singular in the specification and claims should generally be construed to mean "one or more."

Those skilled in the art will further appreciate that the various illustrative logical blocks, configurations, modules, circuits, means, logics, and algorithm steps described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or combinations of both. It should be recognized that they can be implemented with To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, configurations, means, logics, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application. However, such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

Since libraries or open source software are intended to be widely used, if they are distributed to other users with vulnerabilities, they can act as a window to spread vulnerabilities to numerous software. Detecting code colons to mitigate the vulnerability propagation problem may be one of the most effective methods. Accordingly, various conventional techniques exist for detecting a code clone related to a vulnerability to determine a software vulnerability.

In general, as a method of detecting a vulnerability through a code clone, there may be a detection method based on the source code of the software and a detection method based on the binary code of the software.

First, the vulnerability detection method based on the source code may be performed by comparing the similarity between the source code related to a predefined vulnerability and the source code of the target software. In other words, it is possible to determine the code clone detection and vulnerability of the software by using the source code of the software. Although the above-described method is effective and efficient, in general, many programs are distributed in the form of binary codes such as commercial operating systems and proprietary software. That is, if the program itself does not provide the source code, it may be difficult to detect code clones and identify vulnerabilities through the method.

Additionally, the binary of the program may have different functions and vulnerabilities depending on the distributor even if they are compiled from the same source code. In addition, even if there is no vulnerability in the source code of the program itself, a dependent library may cause a vulnerability regardless of the security level of the program itself, so there may be incompleteness in vulnerability detection using the source code.

Accordingly, there are conventional techniques for detecting a code clone based on the binary code of the software. Code clone detection based on binary code can have high utilization because it does not require a separate source code.

However, conventional methods for detecting code clones based on binary codes may have problems in scalability due to the diversity of compilation environments, such as multiple binary representations compiled from a single source. In addition, although similarity between two target functions can be calculated through binary code, it may be difficult to determine whether a function exists in an actual target binary or whether it is a binary related to a vulnerability.

Additionally, it is difficult to secure both high accuracy and fast processing speed for vulnerability determination in the conventional methods for detecting code clones or detecting vulnerabilities based on binary codes. For example, while the conventional methods improve processing speed by relying on static properties of binary codes, they are vulnerable to changes in the compilation environment and thus accuracy may be reduced. As another example, it is possible to improve the accuracy by focusing on the processing of changes caused by the compilation environment, but there is a concern that the processing speed is reduced.

As described above, conventional techniques for detecting a code clone based on a binary code and determining a vulnerability have a concern that a vulnerability identification speed or accuracy is deteriorated.

Accordingly, the present disclosure may provide a computing device 100 that provides higher accuracy and faster processing speed in a process of detecting a code clone and determining a vulnerability based on a binary code. Specific methods for the computing device 100 of the present disclosure to determine a code clone and a vulnerability based on a binary code will be described below.

1 illustrates a block diagram of a computing device according to an embodiment of the present disclosure.

According to an embodiment of the present disclosure, the computing device 100 may determine whether the software has a vulnerability by detecting a code clone based on the binary code of the software. The computing device 100 may include a processor 110 , a memory 130 , and a network unit 150 as shown in FIG. 1 . The above-described components are exemplary, and the scope of the present disclosure is not limited to the above-described components. That is, additional components may be included or some of the above-described components may be omitted depending on implementation aspects for the embodiments of the present disclosure.

According to an embodiment of the present disclosure, the computing device 100 may include a network unit 150 for transmitting and receiving data with a client. The network unit 150 may provide a communication function between the computing device 100 and the client. For example, the network unit 150 may receive, from a client, a request related to code clone detection of a binary code of a specific software or a vulnerability determination of the corresponding software. The network unit 150 according to an embodiment of the present disclosure includes a Public Switched Telephone Network (PSTN), x Digital Subscriber Line (xDSL), Rate Adaptive DSL (RADSL), Multi Rate DSL (MDSL), VDSL ( A variety of wired communication systems such as Very High Speed DSL), Universal Asymmetric DSL (UADSL), High Bit Rate DSL (HDSL), and Local Area Network (LAN) can be used.

In addition, the network unit 150 presented herein is CDMA (Code Division Multi Access), TDMA (Time Division Multi Access), FDMA (Frequency Division Multi Access), OFDMA (Orthogonal Frequency Division Multi Access), SC-FDMA ( A variety of wireless communication systems may be used, such as Single Carrier-FDMA) and other systems. The techniques described herein are not limited to the networks mentioned above, but may be used in other networks as well.

According to an embodiment of the present disclosure, operations to be described later of the computing device 100 may be performed according to a query issued from a client. A client may mean any type of node(s) in a system having a mechanism for communicating with the computing device 100 . For example, such clients may include PCs, laptop computers, workstations, terminals, and/or any electronic device with network connectivity. In addition, the client may include any server implemented by at least one of an agent, an application programming interface (API), and a plug-in.

According to an embodiment of the present disclosure, the memory 130 may store any type of information generated or determined by the processor 110 and any type received by the network unit 150 . The memory 130 may store a computer program for performing vulnerability determination of software according to an embodiment of the present disclosure, and the stored computer program may be read and driven by the processor 110 . For example, the memory 130 may store information about a set of vulnerable code clones for detecting code clones. As another example, the memory 130 may store information about a code related to a vulnerability and a preprocessing method for each code of software that is a target for vulnerability determination. Description of the specific information stored in the above-described memory is merely an example, and the present disclosure is not limited thereto.

According to an embodiment of the present disclosure, the memory 130 is a flash memory type, a hard disk type, a multimedia card micro type, and a card type memory (eg, SD or XD memory, etc.), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Programmable Read (PROM) -Only Memory), a magnetic memory, a magnetic disk, and an optical disk may include at least one type of storage medium. The computing device 100 may operate in relation to a web storage that performs a storage function of the computing device 100 on the Internet. The description of the above-described memory is only an example, and the present disclosure is not limited thereto.

According to an embodiment of the present disclosure, the processor 110 may typically process the overall operation of the computing device 100 . The processor 110 processes signals, data, information, etc. input or output through the above-described components or runs an application program stored in the memory 130, thereby providing information appropriate to the client (eg, code clone detection related to the target software). , or information on the presence or absence of vulnerabilities) or functions.

According to an embodiment of the present disclosure, the processor 110 may detect a vulnerability based on a binary code of software. Specifically, the processor 110 compares the vulnerability signature 650 including information on the flow of code related to the patch with the binary code of the target software (ie, the target binary code 710 ), and thus the code of the software. Clones can be detected. In addition, it is possible to determine whether a vulnerability is embedded in the software through the code clone detected based on the binary code. That is, as shown in FIG. 2 , the processor 110 performs vulnerability information preprocessing 200 , target binary preprocessing 300 , and code clone detection and vulnerability determination 400 in order to determine whether a vulnerability exists for any software. ) process can be performed. Specific operations of the vulnerability information preprocessing 200 , the target binary preprocessing 300 , and the code clone detection and vulnerability determination 400 performed by the processor 110 will be described below with reference to FIGS. 3 to 6 .

According to an embodiment of the present disclosure, the processor 110 may perform pre-processing on the vulnerability information to generate the vulnerability signature 650 . Specifically, the processor 110 may generate the vulnerability signature 650 as a criterion for determining the vulnerability of the software by performing pre-processing on the vulnerability information related to the known vulnerability in the software. The vulnerability information may include vulnerability patch information in the form of source code, a binary code related to a vulnerability (ie, the vulnerable binary code 610 ), and a binary code in which the vulnerability is patched (ie, the patch binary code 620 ). The vulnerability patch information is information standardized to identify known vulnerabilities of software, and may be, for example, information related to a security vulnerability standard code (Common Vulnerabilities and Exposures). That is, the processor 110 may generate the vulnerability signature 650 by pre-processing vulnerability information that is a criterion for determining a code clone having a vulnerability usable for an attack.

The processor 110 may generate the vulnerability signature 650 through a preprocessing process for the vulnerability patch information, the vulnerable binary code 610 and the patch binary code 620 . The vulnerability signature 650 may include information on vulnerabilities known to the software, and may be pre-processed in a form that can match the target binary of the target software in the code clone detection and vulnerability determination process. Specifically, the processor 110 may identify the binary code related to the change based on the vulnerability information. In this case, the binary code related to the change may mean a code that is changed as commands are added or deleted according to a security patch of software. The processor 110 may generate a weak function fingerprint 643 and a patch function fingerprint based on the binary code related to the change. In addition, the processor 110 may generate a vulnerability signature 650 including a weak function fingerprint 643 and a patch function fingerprint.

More specifically, referring to FIG. 3 , the processor 110 may perform a removal mark 631 on the vulnerable binary code 610 based on the vulnerability patch information ( 211 ). The removal mark 631 may relate to an instruction deleted from a vulnerable binary by a security patch. Specifically, the processor 110 may identify the instruction removed in relation to the vulnerability based on the vulnerability patch information in the form of the source code, and a removal mark 631 on the code corresponding to the instruction removed from the vulnerable binary code 610 . ) can be done. That is, the processor 110 gives the vulnerable binary code 610 a removal mark 631 in relation to the binary code part corresponding to the source code removed according to the vulnerability patch, so that the entire binary code 650 is generated in the process of generating the vulnerability signature 650 . It is possible to perform only the preprocessing related to the command by identifying only the part related to the vulnerability, not the processing for the command. That is, the vulnerability signature 650 (ie, the weak function fingerprint 643 ) can be generated more efficiently through the corresponding removal mark 631 .

The processor 110 may acquire weak function and weak binary property information based on the weak binary code 610 ( 213 ). The weak function may mean a function related to an instruction corresponding to the weak binary code 610 . Vulnerable binary property information may mean a property corresponding to a binary having a vulnerability. In addition, the processor 110 may translate the vulnerable binary into an intermediate language (Intermediate Representation, IR) and analyze the vulnerable function to obtain attribute information of the vulnerable function ( 215 ). The property information of the vulnerable function may be stability information related to whether the corresponding function is affected by a change in the compilation environment. That is, the property information of a vulnerable function provides information on whether the vulnerable function is stable (that is, not affected by changes in the compilation environment) or unstable (that is, affected by changes in the compilation environment) in other compilation environments. may include The attribute information of such a vulnerable function may be based on at least one of the number of independent code flows or the number of calls to the function, which is not changed in the compilation environment, for example.

Translating vulnerable binaries into intermediate languages may be to speed up code clone detection algorithms that use binaries of multiple architectures. In other words, an intermediate language allows one code and algorithm to be leveraged across multiple architectures. Also, since one code and algorithm can be used on multiple architectures, it is easier to write algorithms for splitting a function into strands.

In addition, the processor 110 divides the vulnerable function into one or more strands based on the independent code flow in the vulnerable function, and maps the property information and the vulnerable binary property information of the vulnerable function corresponding to each of the divided one or more strands. to generate a weak function fingerprint 643 ( 217 ). A strand is a set of instructions required to calculate a single variable value, and may be a standard unit for similarity comparison. That is, the set of strands may represent some or all of the software semantics.

That is, the weak function fingerprint 643 generated by the processor 110 may mean a set in which binary codes related to vulnerabilities of software are divided into strands.

In addition, the processor 110 may perform an additional mark 632 (Additional Mark) on the patch binary code 620 based on the vulnerability patch information ( 221 ). Addition indication 632 may relate to instructions added to the patch binary by a security patch. Specifically, the processor 110 may identify an instruction added in relation to patching a vulnerability based on the vulnerability patch information in the form of a source code, and additionally display the code corresponding to the added instruction in the patch binary code 620 . (632) can be performed. That is, the processor 110 gives the additional binary code an additional mark 632 in relation to the binary code part corresponding to the source code added according to the vulnerability patch, thereby processing the entire binary in the process of generating the vulnerability signature 650 . Only the part related to the patched vulnerability can be identified and only the preprocessing related to the command can be performed. That is, the vulnerability signature 650 (ie, the patch function fingerprint) can be generated more efficiently through the corresponding additional indication 632 .

The processor 110 may obtain patch function and patch binary attribute information based on the patch binary code 620 ( 223 ). The patch function may mean a function related to an instruction corresponding to the patch binary code 620 . The patch binary attribute information may mean a property corresponding to a binary in which a vulnerability is patched. Also, the processor 110 may translate the patch binary into an intermediate language and analyze the patch function to obtain attribute information of the patch function ( 225 ). The attribute information of a patch function may include information about whether the patch function is stable (that is, not affected by changes in the compilation environment) or unstable (that is, affected by changes in the compilation environment) in different compilation environments. can The attribute information of the patch function, for example, may be based on at least one of the number of independent code flows that are not changed in the compilation environment or the number of calls of the function.

In addition, the processor 110 divides the patch function into one or more strands based on the independent code flow in the patch function, and maps the patch function attribute information and patch binary attribute information corresponding to each of the divided one or more strands. to generate a patch function fingerprint.

That is, the patch function fingerprint generated by the processor 110 may refer to a set in which a binary code for which software vulnerabilities are patched are divided in strand units. In other words, a patch function fingerprint can be a set of binary code that does not introduce a vulnerability in software.

Accordingly, the processor 110 may generate the vulnerability signature 650 including the weak function fingerprint 643 and the patch function fingerprint through the above-described preprocessing process ( 230 ). In other words, the processor 110 may generate the vulnerability signature 650 including the weak function fingerprint 643 and the patch function fingerprint by storing the flow of the code affected by the patch in units of strands. That is, since the vulnerability signature 650 is generated by including only the code flow associated with the vulnerability in a strand unit, it is not necessary to compare all the code flows in the similarity comparison process with the target binary code 710 so that the similar strand unit can be compared. This can dramatically reduce code clone detection time.

According to an embodiment of the present disclosure, the processor 110 may perform preprocessing on the target binary code 710 to generate the target function fingerprint 730 . The preprocessing of the target binary code 710 may correspond to the preprocessing of the weak binary code 610 and the patch binary code 620 described above.

Specifically, referring to FIG. 4 , the processor 110 may acquire target function and target binary attribute information based on the target binary code 710 of the target software (ie, software that is the target of vulnerability determination) ( 310). The target function may mean a function related to an instruction corresponding to the target binary code 710 . The target binary attribute information may mean a property corresponding to the target binary of the target software.

In a further embodiment, the target binary code 710, which is based on obtaining the target function and target binary attribute information, is an arbitrary mark for processing only the command related to the request of the client, not the processing of the entire target binary. may have been granted. That is, the processor 110 identifies only the part related to the client's request, not the entire target binary, in the process of generating the target function fingerprint 730 through an arbitrary indication given to the target binary code 710 and identifies the corresponding command. Only preprocessing related to . That is, it is possible to efficiently generate the target function fingerprint 730 through any indication related to the client's request. Also, the processor 110 may translate the target binary into an intermediate language and analyze the target function to obtain attribute information of the target function ( 320 ). The property information of the target function may include information on whether the target function is stable (that is, not affected by changes in the compilation environment) or unstable (that is, affected by changes in the compilation environment) in other compilation environments. can The attribute information of the target function, for example, may be based on at least one of the number of independent code flows or the number of calls of the function, which is not changed in the compilation environment.

In addition, the processor 110 divides the target function into one or more strands based on the independent code flow in the target function, and maps attribute information and target binary attribute information of the target function corresponding to each of the divided one or more strands. Thus, the target function fingerprint 730 may be generated. That is, the target function fingerprint 730 generated by the processor 110 may refer to a set in which binary codes related to target software are divided in strand units.

Accordingly, as described above, the processor 110 may store the flow of the code affected by the patch in strand units to pre-generate the vulnerability signature 650 including the weak function fingerprint 643 and the patch function fingerprint. . In addition, the processor 110 may generate the target function fingerprint 730 by preprocessing the target binary of the target software in a form comparable to the vulnerability signature 650 . In this case, since the target function fingerprint 730 also stores the code flow in units of strands, a comparison between the vulnerability signature 650 and the strands can be performed, which dramatically reduces the time for code clone detection and vulnerability determination. can be

According to an embodiment of the present disclosure, the processor 110 may perform code clone detection and vulnerability determination 400 in the target software based on the binary code of the software. The processor 110 compares the similarity between the vulnerability signature 650 generated through the vulnerability information preprocessing 200 and the target function fingerprint 730 generated through the target binary preprocessing 300 of the target software to detect a vulnerability in the target software. It can be determined whether it exists or not. A similarity comparison between the vulnerability signature 650 and the target function fingerprint 730 is a function fingerprint corresponding to the vulnerability signature 650 (ie, the weak function fingerprint 643 and the target function fingerprint 730 ) and the target function fingerprint 730 . ) may be an N-Gram similarity comparison that divides each into a predetermined unit, and performs a comparison on how many units of all the divided units are similar. After dividing the two sequences into N-Grams, the processor 110 may calculate the similarity between each function fingerprint based on how many N-Grams among all the generated N-Grams are the same. Unlike other sequence similarity comparison methods, N-Gram similarity preserves sequence sub-ordering. In other words, the tendency to preserve the sub-ordering of function semantics can be strong even if the binary form changes through similarity comparison based on N-Gram similarity.

For example, as shown in Figure 6, if sequence x contains ABCDE and sequence y contains ABCZE, then each sequence has Gx = {AB, ABC, BCD, CDE, DE} and Gy = {AB , ABC, BCZ, CZE, ZE} can be divided into N-Grams. In this case, the union of functions partitioned by N-Gram can be 8 (i.e., AB, ABC, BCD, CDE, DE, BCZ, CZE, ZE), and the intersection of the functions is 2 (AB, ABC). can That is, the N-Gram similarity of each sequence may be calculated as 2/8 (ie, 0.25). In other words, the N-Gram similarity comparison may be a similarity comparison method of each function based on how many N-grams among all N-grams generated by division are the same. That is, it is possible to calculate the similarity of how many code flows similar to the vulnerability signature 650 exist among the target function fingerprints 730 by appropriately comparing the types and frequencies of functions between each function fingerprint through the N-Gram similarity comparison. The detailed description of the function, division criterion, and similarity of each of the above-described sequences is merely an example, and the present disclosure is not limited thereto.

Also, the processor 110 may calculate the similarity of one function pair based on the similarity between the code flow sets for each function (that is, the function fingerprint included in the vulnerability signature 650 and the target function fingerprint 730 ). .

<Formula 1>

과

는 함수를 나타내며, 각각 n개와 m개의 스트랜드를 가질 수 있다.

의 스트랜드는

,

의 스트랜드는

로 표현될 수 있다.Equation 1 expresses how the similarity of a function pair is calculated from the similarity of the code flow.

class

denotes a function, and can have n and m strands, respectively.

the strand of

,

the strand of

can be expressed as

The processor 110 may calculate a first similarity between the weak function fingerprint 643 included in the vulnerability signature 650 and the function included in each of the target function fingerprint 730 . The first similarity is a degree of similarity between a function included in the target function fingerprint 730 and a function included in the weak function fingerprint 643 that is a set of binary codes related to vulnerabilities, and thus has a positive correlation with the probability that a vulnerability is determined in the target software. It may have a relationship (ie, a proportional relationship).

Also, the processor 110 may calculate a second similarity between the patch function fingerprint included in the vulnerability signature 650 and the function included in each of the target function fingerprint 730 . The second similarity is the similarity between the function included in the target function fingerprint 730 and the function included in the patch function fingerprint, which is a set of binary codes that do not cause a vulnerability (that is, the patch has been completed). It may have a negative correlation (ie, an inverse relationship) with the determined probability.

Also, the processor 110 may determine whether a vulnerability exists in the target software based on the difference between the first and second similarities. When the difference between the first similarity and the second similarity exceeds a predetermined criterion, the processor 110 may determine that a vulnerability exists in the target software.

Specifically, when the function of the target function fingerprint 730 is similar to the function of the weak function fingerprint 643 , the processor 110 may determine that the probability of being vulnerable is high, and the function of the target function fingerprint 730 is If it is similar to the function of the patch function fingerprint, it can be determined that the probability of not being vulnerable is high. In this case, when the vulnerability signature 650 is not accurately generated, the computing device 100 multiplies a coefficient less than 1 to minimize the possibility of a false positive in the process of calculating the similarity with the patched function fingerprint to reflect the low probability. can When the value obtained by subtracting the probability of not being vulnerable (ie, the second similarity) from the probability of being vulnerable (ie, the first similarity) is greater than a predetermined reference value, the processor 110 may determine that the vulnerability exists.

According to an embodiment of the present disclosure, the processor 110 may perform a similarity determination process more efficiently by filtering the vulnerability signature 650 and the target function fingerprint 730 . A detailed description of a specific filtering process for efficiently performing a similarity determination process will be described later with reference to FIG. 5 , and a redundant description will be omitted.

The processor 110 may select the candidate vulnerability signature 651 and the candidate target function fingerprint 731 by performing primary filtering on the vulnerability signature 650 and the target function fingerprint 730 based on the attribute information of the function. There is (410). The primary filtering may be filtering for identifying a code related to a vulnerability in each of the vulnerability signature 650 and the target function fingerprint 730 .

The primary filtering may be performed, for example, based on attribute information of a function corresponding to each of the function fingerprint and the target function fingerprint 730 included in the vulnerability signature 650 . Specifically, the vulnerability signature 650 may include a weak function fingerprint 643 and a patch function fingerprint 644 . In addition, each of the weak function fingerprint 643 , the patch function fingerprint 644 , and the target function fingerprint 730 may have function attribute information mapped through a preprocessing process by the processor 110 . The attribute information of the function may be information related to whether each function is stable in a compilation environment. That is, the processor 110 generates a weak function fingerprint 643 and a patch function fingerprint 644 based on the attribute information of the function mapped to each of the weak function fingerprint 643 , the patch function fingerprint 644 , and the target function fingerprint 730 . ) and the functions included in the target function fingerprint 730 , primary filtering (ie, filtering function fingerprints not related to vulnerabilities) may be performed to exclude stable functions from various compilation environments. The above-mentioned detailed description of the primary filtering related to the property of the function is only an example, and the primary filtering in the present disclosure may include various filter conditions for identifying binary codes related to vulnerabilities in each function fingerprint. .

In other words, the processor 110 loads only the function fingerprint corresponding to the binary code related to the vulnerability based on the function attribute information mapped to each fingerprint, thereby improving the speed of the entire processor in the comparison process, and reducing the resource usage. can be reduced. That is, the processor 110 may improve performance by reducing function fingerprints that are objects of similarity comparison.

In addition, the processor 110 may perform secondary filtering on the candidate vulnerability signature 651 and the candidate target function fingerprint 731 to identify similar strands in each function fingerprint ( 420 ). The candidate weak function fingerprint, the candidate patch function fingerprint, and the candidate target function fingerprint 731 included in the candidate vulnerability signature 651 may be divided into strand units through a preprocessing process of the processor 110 . In this case, each of the one or more strands included in each function fingerprint may represent one independent data flow as a set of instructions required to calculate one variable value. Specifically, the processor 110 may identify a similar strand among one or more strands included in the candidate weak function fingerprint and one or more strands included in the candidate target function fingerprint 731 . In addition, the processor 110 may identify a similar strand among one or more strands included in the candidate patch function fingerprint and one or more strands included in the candidate target function fingerprint 731 . That is, only similar strands having relevance among one or more strands included in each candidate function fingerprint may be identified as a function for similarity comparison. In other words, a function to be compared in the similarity in each function fingerprint can be more efficiently identified through the comparison of the strand unit representing the representativeness of the functions, so that the processing speed can be improved.

In addition, the processor 110 may calculate a similarity between the similar strands identified in each of the candidate vulnerability signature 651 and the candidate target function fingerprint 731 ( 430 ). In this case, the similarity comparison between each strand may be an N-gram similarity comparison. In addition, the processor 110 calculates the similarity of one function pair based on the similarity between the code flow sets for each function (that is, the function fingerprint included in the candidate vulnerability signature 651 and the candidate target function fingerprint 731 ). can The above-described similarity comparison method is merely an example, and the present disclosure is not limited thereto.

In addition, the processor 110 may provide a notification to the client by determining the presence or absence of a code clone and a vulnerability based on the similarity comparison result ( 440 ). Specifically, when the difference between the first degree of similarity and the second degree of similarity exceeds a predetermined criterion, the processor 110 may determine that a vulnerability exists in the target software. Also, when it is determined that a vulnerability exists in the target software, the processor 110 may provide a notification related to the vulnerability to the client. As the notification related to the vulnerability is provided to the client, the client can recognize whether the target software, which is the target of vulnerability determination, includes the vulnerability.

Accordingly, the processor 110 may pre-generate the code clone based on the binary of the software and the vulnerability signature 650 as a basis for vulnerability determination through pre-processing related to the vulnerability information. In addition, the processor 110 may generate the target function fingerprint 730 by preprocessing the target binary of any software in a form comparable to the vulnerability signature 650 . Also, the processor 110 may determine a code clone and a vulnerability of the target software based on a similarity comparison between the vulnerability signature 650 and the target function fingerprint 730 . In this case, each function fingerprint (that is, the weak function fingerprint 643, the patch function fingerprint 644, and the target function fingerprint 730) preprocessed by the processor 110 is stored in a strand unit, and the Since attribute information is mapped, primary filtering and secondary filtering may be performed in the similarity comparison process of each function fingerprint. Accordingly, the efficiency and processing speed of code clone detection and vulnerability determination may be improved.

7 is a schematic diagram exemplarily illustrating a processing process of a system for determining a vulnerability of binary code clone-based software related to an embodiment of the present disclosure. Among the features of the content shown in FIG. 7 , for features overlapping with the features described above with respect to FIGS. 2 to 5 , refer to the features described in FIGS. 2 to 5 , and a description thereof will be omitted herein.

As shown in FIG. 7 , the processor 110 targets code clones and vulnerabilities in arbitrary software through vulnerability information preprocessing 200 , target binary preprocessing 300 , and code clone detection and vulnerability determination 400 processes. can be identified.

In more detail, the processor 110 may perform the vulnerability information pre-processing 200 . The vulnerability information may include vulnerability patch information in the form of a source code, a vulnerable binary code 610 and a patch binary code 620 . Vulnerability patch information is standardized information to identify known vulnerabilities of software, and may include information on code changes before or after patching. The processor 110 may identify a code related to removal from the vulnerable binary code 610 based on the vulnerability patch information, and may identify a code related to addition from the patch binary code 620 . That is, the processor 110 may identify a code related to a change (ie, a code that is removed or added) in each of the vulnerable binary code 610 and the patch binary code 620 based on the vulnerability patch information. Accordingly, the processor 110 may perform a change mark 630 on the code related to the change in each of the weak binary code 610 and the patch binary code 620 . The change indication 630 may be for performing only the pre-processing related to the command by identifying only the part related to the vulnerability, not the entire binary code, in the pre-processing of the vulnerability information. The processor 110 may generate the vulnerability signature 650 by performing pre-processing 640 on the vulnerable binary code 610 and the patch binary code 620 . In addition, the processor 110 may store the vulnerability signature 650 generated through preprocessing of the vulnerable binary code 610 and the patch binary code 620 in the database 660 for matching with the target function fingerprint 730 . have.

In addition, the processor 110 may perform the preprocessing 300 on the target binary. The target binary code 710 may be a binary code related to the target software, and the preprocessing of the target binary code 710 may be to process the target binary code into a form that can match the vulnerability signature. Specifically, the processor 110 may generate the target function fingerprint 730 through the preprocessing 720 for the target binary code 710 . Also, the processor 110 may store the generated target function fingerprint in the cache memory 740 . That is, the processor 110 may generate the target function fingerprint 730 through the preprocessing 720 for the binary code of arbitrary software (ie, target software) that is the target of code clone and vulnerability determination, and the generated The target function fingerprint 730 may be stored in the cache memory 740 . The pre-processing of the target binary code may be performed based on a query request related to code clone and vulnerability determination of the target software received from the client. That is, the processor 110 may generate a target function fingerprint by performing pre-processing on the target binary code at an initial point in time corresponding to the query request of the client.

In addition, the processor 110 may detect code clones for arbitrary software and determine the presence or absence of vulnerabilities ( 400 ). Specifically, the processor 110 detects a code clone by comparing the similarity between the vulnerability signature 650 generated through the preprocessing of the vulnerability information and the target function fingerprint 730 generated through the preprocessing of the target binary code 710 . can do. In this case, since the vulnerability signature 650 is a set of codes related to vulnerabilities in software, when a code clone is detected in the target function fingerprint corresponding to the target binary code, the target software may contain a vulnerability. That is, the processor 110 may determine the code clone and the vulnerability through the similarity of the code flow between the vulnerability signature 650 and the target function fingerprint 730 . In addition, the processor 110 performs the processing for each of the vulnerability signature 650 and the target function fingerprint 730 to speed up the matching 810 process for code clone detection between the vulnerability signature 650 and the target function fingerprint 730 . Filtering can be performed. In more detail, the processor 110 may perform fingerprint filtering 820 on each of the vulnerability signature 650 and the target function fingerprint 730 . Also, the processor 110 may perform strand filtering 830 on each of the vulnerability signature 650 and the target function fingerprint 730 subjected to the fingerprint filtering 820 . In this case, the fingerprint filtering 820 and the strand filtering 830 may be filtering corresponding to each of the primary filtering and the secondary filtering described with reference to FIG. 5 . That is, the processor 110 may minimize the fingerprint matching 840 for detecting code clones through the fingerprint filtering 820 and the strand filtering 820 for the vulnerability signature 650 and the target function fingerprint 730, respectively. have. Accordingly, code cloning and vulnerability determination processes can be speeded up.

8 is a schematic diagram exemplarily illustrating a process of preprocessing vulnerability information and preprocessing a binary code related to an embodiment of the present disclosure. Among the features of the content shown in FIG. 8, for features overlapping with the features described above with respect to FIGS. 2 to 5, refer to the content described in FIGS. 2 to 5 and a description thereof will be omitted herein.

According to an embodiment of the present disclosure, the vulnerability signature 650 may be generated based on the vulnerability information of the processor 110 . Specifically, the processor 110 may perform a change mark 630 on each of the vulnerable binary code 610 and the patch binary code 620 . The change indication 630 may be for performing only pre-processing related to a corresponding command by identifying only a part related to a vulnerability rather than processing the entire binary code in the process of generating a vulnerability signature. The processor 110 may perform an additional mark 632 to the vulnerable binary code. Additional indications 632 may relate to instructions removed from the vulnerable binary by a security patch. The processor 110 may perform a removal mark 631 on the vulnerable binary code. The removal mark 631 may relate to an instruction added to the vulnerable binary code by a security patch.

In addition, the processor 110 may perform the vulnerable binary code preprocessing 641 based on the vulnerable binary code 610 and the removal mark 631 . In addition, the processor 110 may perform a patch binary code preprocessing 642 based on the patch binary code 620 and the additional indication 632 . In the present disclosure, since binary codes (ie, weak binary code, patch binary code, and target binary code) must be processed in the same form for similarity comparison for code clone detection, a corresponding preprocessing process may be included. Specifically, the processor 110 may perform the vulnerable binary code preprocessing 641 based on the vulnerable binary code 610 and the removal mark 631 , and the patch binary code and the patch binary based on the additional mark 632 . Code preprocessing 642 may be performed. In addition, the processor 110 may perform target binary code preprocessing based on the target binary code and the arbitrary representation 920 . The arbitrary indication 920 may be for performing pre-processing on only the code flow related to the client's request in the target binary code. Any indication may be optional based on the request of the client. When an arbitrary mark is given to the target binary code, the processor 110 may generate the target fingerprint function by performing preprocessing based on only the code flow of the corresponding part, so that the efficiency of the preprocessing process may be increased.

As described above, the preprocessing for binary codes (ie, weak binary code, patch binary code, and target binary code) performed by the processor 110 includes a corresponding execution process, so that the binary code preprocessing 640 is performed. Integrate to be described in detail later.

The processor 110 may analyze the binary code 910 to obtain function and binary attribute information corresponding to the binary ( 930 , 940 ). Also, the processor 110 may translate 950 a function corresponding to the binary code into an intermediate language. By translating a function corresponding to a binary code into an intermediate language, it is possible to speed up a code clone detection algorithm using binaries of various architectures. In other words, an intermediate language allows one code and algorithm to be leveraged across multiple architectures. Also, since one code and algorithm can be used on multiple architectures, it is easier to write algorithms for splitting a function into strands. Also, the processor 110 may divide the function into strands ( 960 ) and extract attribute information of the function ( 970 ). That is, the processor 110 divides the binary function into strands 961 , and maps the attribute information 971 and the binary attribute information 941 of the function corresponding to each of the divided strands to generate a function fingerprint 980 . can do.

That is, in the above process, when the binary code 910 is the weak binary code 610 , the processor 110 may generate the weak function fingerprint 643 , and in the case of the patch binary code 620 , the processor 110 . ) may generate a patch function fingerprint 644 . Also, when the binary code 910 is the target binary code 710 , the processor 110 may generate a target function fingerprint.

The processor 110 may generate a vulnerability signature including a weak function fingerprint 643 and a patch function fingerprint 644 , and apply each of the weak function fingerprint 643 and the patch function fingerprint 644 to the target function fingerprint 730 . Compared to , it is possible to perform code clone detection and vulnerability determination in the target software.

9 is a schematic diagram exemplarily illustrating a code clone detection and vulnerability determination process related to an embodiment of the present disclosure. Among the features of the content shown in FIG. 9 , for features overlapping with the features described above with respect to FIGS. 2 to 5 , refer to the features described in FIGS. 2 to 5 , and a description thereof will be omitted herein.

According to an embodiment of the present disclosure, the processor 110 may determine whether a vulnerability exists in the target software by detecting a code clone through a similarity comparison between the vulnerability signature 650 and the target function fingerprint 730 . The processor 110 may perform filtering on each of the vulnerability signature 650 and the target function fingerprint 730 to maximize the code clone detection speed between each function fingerprint. Specifically, the processor 110 may perform fingerprint filtering 820 on each of the vulnerability signature 650 and the target function fingerprint 730 to select the candidate vulnerability signature 651 and the candidate target function fingerprint 731 . . The fingerprint filtering 820 may be filtering for identifying a code related to a vulnerability in each of the vulnerability signature 650 and the target function fingerprint 730 .

The fingerprint filtering 820 may be performed, for example, based on attribute information of a function corresponding to the weak function fingerprint 643, the patch function fingerprint 644, and the target function fingerprint 730 included in the vulnerability signature. have. The property information of the function may be information related to whether each function is stable in a compilation environment. That is, the processor 110 performs fingerprint filtering 820 that excludes stable functions from various compilation environments among functions included in each of the vulnerability signature 650 and the target function fingerprint 730 through the fingerprint filtering 820, Only the function fingerprint corresponding to the binary code related to the vulnerability can be loaded. The detailed description of the fingerprint filtering related to the property of the function described above is only an example, and the fingerprint filtering in the present disclosure may include various filter conditions for identifying binary codes related to vulnerabilities in each function fingerprint.

Accordingly, in the comparison process between the vulnerability signature 650 and the target function fingerprint 730 , it is possible to improve the speed of the entire process and reduce the resource usage. That is, the processor 110 may improve performance by reducing function fingerprints that are objects of similarity comparison.

In addition, the processor 110 may detect a code clone in the target software through fingerprint matching 840 for the candidate vulnerability signature 651 and the candidate target function fingerprint 731 , and determine whether there is a vulnerability. The fingerprint matching 840 may be for comparing the similarity of each functional fingerprint. The processor 110 may perform strand filtering 830 on the candidate vulnerability signature 651 and the candidate target function fingerprint 731 to identify functions targeted for the fingerprint matching 840 . Specifically, the candidate weak function fingerprint, the candidate patch function fingerprint, and the candidate target function fingerprint 731 included in the candidate vulnerability signature 651 may be divided into strand units through a preprocessing process of the processor 110 . In this case, each of the one or more strands of each function fingerprint may represent one independent data flow as a set of instructions required to calculate the value of one variable. That is, the processor 110 may perform strand filtering 830 to identify a similar strand having relevance among one or more strands included in each candidate function fingerprint as a function for similarity comparison. In other words, a function to be compared in the similarity in each function fingerprint can be more efficiently identified through the comparison of the strand unit representing the representativeness of the functions, so that the processing speed can be improved. The processor 110 may detect a code clone through a similarity comparison between functions identified through the above-described process, and determine whether or not there is a vulnerability. Also, the processor 110 may transmit ( 850 ) a notification related to a code clone and a vulnerability of the target software to the client.

Using the binary code clone-based software vulnerability detection method of the present disclosure, it was checked whether code clones of 6 types of vulnerability signatures exist in the target 805MB Debian 9.0 C/C++ binary. There are a total of 5,420 target binaries, and it consists of 3,266,604 functions. In this case, the vulnerability signature represents six known vulnerabilities.

We successfully detected 6 out of 7 code clones of known vulnerabilities in the target binary, achieving an accuracy of 85.7%. In addition, two types of vulnerability signatures were detected in several target binaries, and it was confirmed that vulnerabilities could be detected not only in binaries compiled from the same source code, but also in binaries compiled from different source codes.

It took an average of 3,450 ms to preprocess one target binary, and 2 ms on average compared to each vulnerability signature. As a result of applying parallel programming, all target binaries were preprocessed and matched with vulnerability signatures in 62 minutes, and when the preprocessed target binaries were cached, code clones could be matched in 3 minutes.

That is, the present disclosure can determine whether a vulnerability exists in the target binary by generating a vulnerability signature based on the change history of the function before and after the patch, unlike the conventional technique that calculates only the similarity of the binary function pair. can

In addition, the present disclosure detected 85.7% of vulnerabilities among known vulnerabilities in the target binary, and proved that all of the vulnerabilities are detectable when one vulnerability exists in several binaries.

㎲가 소요되었지만, 본 발명의 경우 평균 134㎲만에 처리할 수 있었다. 따라서, 본 개시의 컴퓨팅 장치(100)는 종래 기술에 대비하여 임의의 소프트웨어 바이너리가 주어진 경우, 알려진 취약점을 빠르고 정확하게 탐지하는 효과를 제공할 수 있다.Additionally, in the present disclosure, it took an average of 3,450 ms to preprocess one target binary, and 2 ms was taken on average when compared with each vulnerability signature. In the same environment, the similarity of a pair of code flows can be calculated about 15,000 times faster than Esh, which is the existing technology. For Esh, the code flow averages on a pair of calculations

It took ㎲, but in the case of the present invention, it could be processed in an average of 134 ㎲. Accordingly, compared to the prior art, the computing device 100 of the present disclosure can provide an effect of quickly and accurately detecting known vulnerabilities when an arbitrary software binary is given.

10 is a flowchart illustrating an exemplary method for determining a vulnerability of binary code clone-based software according to an embodiment of the present disclosure.

According to an embodiment of the present disclosure, the computing device 100 may perform pre-processing on vulnerability information of software to generate a vulnerability signature ( 1010 ).

According to an embodiment of the present disclosure, the computing device 100 may perform preprocessing on the target binary code to generate a target function fingerprint ( 1020 ).

According to an embodiment of the present disclosure, the computing device 100 may determine whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint ( S1030 ).

The order of the steps illustrated in FIG. 10 described above may be changed if necessary, and at least one or more steps may be omitted or added. That is, the above-described steps are merely embodiments of the present disclosure, and the scope of the present disclosure is not limited thereto.

11 illustrates logic for implementing a method for determining a vulnerability of binary code clone-based software.

According to an embodiment of the present disclosure, the computing device 100 may be implemented by the following logic.

According to an embodiment of the present disclosure, the computing device 100 performs pre-processing on vulnerability information of software to generate a logic 1110 for generating a vulnerability signature, and performs pre-processing on a target binary code to generate a target function fingerprint. Logic 1120 for determining whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint may be included.

Alternatively, the vulnerability information may include vulnerability patch information in the form of source code, a binary code related to a vulnerability, and a binary code in which the vulnerability is patched.

Alternatively, the logic for generating a vulnerability signature by performing pre-processing on the vulnerability information of the software includes a logic for identifying a binary code related to a change based on the vulnerability information, a logic for identifying a binary code related to the identified change based on the vulnerability information. and logic for generating a vulnerability function fingerprint and a patched function fingerprint based on the vulnerability function fingerprint, and logic for generating a vulnerability signature including the vulnerability function fingerprint and the patch function fingerprint.

Alternatively, the logic for generating a weak function fingerprint and a patch function fingerprint based on the binary code related to the identified change may include: attribute information of the executable function and the binary code based on the binary code related to the identified change. logic for obtaining, logic for obtaining attribute information of a function based on the executable function, logic for dividing the function into one or more strands based on independent code flow within the function, and the one Logic for generating the weak function fingerprint and the patch function fingerprint by mapping the attribute information of the function and the attribute information of the binary to each of the above strands.

Alternatively, the strand is a set of instructions necessary to calculate the value of one variable, and may be a unit that is a standard for the similarity comparison.

Alternatively, the logic for generating a target function fingerprint by performing preprocessing on the target binary code includes: Logic for acquiring an executable target function based on the target binary code and attribute information of the target binary code; Logic for obtaining property information of a target function based on a target function, logic for dividing the target function into one or more strands based on independent code flow in the target function, and the target function on each of the one or more strands It may include logic for generating the target function fingerprint by mapping the attribute information of the target binary and the attribute information of the target binary.

Alternatively, the similarity comparison between the vulnerability signature and the target function fingerprint may include dividing each of the function fingerprint corresponding to the vulnerability signature and the target function fingerprint into a predetermined unit, and how many units of all the divided units are similar. It may be an N-Gram similarity comparison that performs a comparison on whether or not.

Alternatively, the logic for determining whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint may include: Logic for calculating the first degree of similarity between functions, logic for calculating the second degree of similarity between the patch function fingerprint included in the vulnerability signature and the function included in each of the target function fingerprint, and the logic for calculating the first degree of similarity and the second degree of similarity Logic for determining whether a vulnerability exists in the target software based on the difference may be included.

Alternatively, the first similarity may have a positive correlation with a probability that a vulnerability is determined in the software, and the second similarity may have a negative correlation with a probability that a vulnerability is determined in the software.

Alternatively, the logic for determining whether a vulnerability exists in the target software based on the difference between the first degree of similarity and the second degree of similarity is that the difference between the first degree of similarity and the second degree of similarity exceeds a predetermined criterion. , logic for determining that a vulnerability exists in the target software may be included.

Alternatively, the logic for determining whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint may include performing primary filtering on the vulnerability signature and the target function fingerprint to perform a candidate vulnerability. and logic for selecting a signature and a candidate target function fingerprint, and the primary filtering may be filtering for identifying a code related to a vulnerability in each of the vulnerability signature and the target function fingerprint.

Alternatively, the logic for determining whether a vulnerability exists in the target software through the similarity comparison between the vulnerability signature and the target function fingerprint may include performing secondary filtering on the candidate vulnerability signature and the candidate target function fingerprint to obtain similarity. It may further include logic to identify the strand.

According to an embodiment of the present disclosure, logic for implementing the computing device 100 may be implemented by means, circuits, or modules for implementing a computing program.

Those skilled in the art will further appreciate that the various illustrative logical blocks, configurations, modules, circuits, means, logics, and algorithm steps described in connection with the embodiments disclosed herein may be combined with electronic hardware, computer software, or combinations of both. It should be recognized that it can be implemented as To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, configurations, means, logics, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

12 depicts a simplified, general schematic diagram of an exemplary computing environment in which embodiments of the present disclosure may be implemented.

Although the present disclosure has been described above generally in the context of computer-executable instructions that may be executed on one or more computers, those skilled in the art will appreciate that the present disclosure may be implemented in combination with other program modules and/or in a combination of hardware and software. will be.

Generally, program modules include routines, procedures, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In addition, those skilled in the art will appreciate that the methods of the present disclosure are suitable for single-processor or multiprocessor computer systems, minicomputers, mainframe computers as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronics, etc. (each of which is It will be appreciated that other computer system configurations may be implemented, including those that may operate in connection with one or more associated devices.

The described embodiments of the present disclosure may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer-readable media. Any medium accessible by a computer may be a computer-readable medium, and the computer-readable medium may include a computer-readable storage medium and a computer-readable transmission medium. Such computer-readable storage media includes volatile and nonvolatile media, removable and non-removable media. Computer readable storage media includes volatile and nonvolatile media, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. A computer-readable storage medium may be RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage device, magnetic cassette, magnetic tape, magnetic disk storage device, or other magnetic storage device. device, or any other medium that can be accessed by a computer and used to store the desired information.

Computer-readable transmission media typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism. information delivery media. The term modulated data signal means a signal in which one or more of the characteristics of the signal is set or changed so as to encode information in the signal. By way of example, and not limitation, computer-readable transmission media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also intended to be included within the scope of computer-readable transmission media.

An exemplary environment 1500 implementing various aspects of the present disclosure is shown including a computer 1502 , the computer 1502 including a processing unit 1504 , a system memory 1506 , and a system bus 1508 . do. A system bus 1508 couples system components, including but not limited to system memory 1506 , to the processing unit 1504 . The processing unit 1504 may be any of a variety of commercially available processors. Dual processor and other multiprocessor architectures may also be used as processing unit 1504 .

The system bus 1508 may be any of several types of bus structures that may be further interconnected to a memory bus, a peripheral bus, and a local bus using any of a variety of commercial bus architectures. System memory 1506 includes read only memory (ROM) 1510 and random access memory (RAM) 1512 . A basic input/output system (BIOS) is stored in non-volatile memory 1510, such as ROM, EPROM, EEPROM, etc., the BIOS is the basic input/output system (BIOS) that helps transfer information between components within computer 1502, such as during startup. contains routines. RAM 1512 may also include high-speed RAM, such as static RAM, for caching data.

The computer 1502 may also be configured with an internal hard disk drive (HDD) 1514 (eg, EIDE, SATA) - this internal hard disk drive 1514 may also be configured for external use within a suitable chassis (not shown). Yes—a magnetic floppy disk drive (FDD) 1516 (eg, for reading from or writing to removable diskette 1518), and an optical disk drive 1520 (eg, a CD-ROM) for reading from, or writing to, disk 1522 or other high capacity optical media such as DVDs. Hard disk drive 1514 , magnetic disk drive 1516 , and optical disk drive 1520 are connected to a system bus 1508 by a hard disk drive interface 1524 , a magnetic disk drive interface 1526 , and an optical drive interface 1528 , respectively. ) can be connected to The interface 1524 for implementing an external drive includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

These drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions, and the like. For computer 1502, drives and media correspond to storing any data in a suitable digital format. Although the description of computer readable media above refers to HDDs, removable magnetic disks, and removable optical media such as CDs or DVDs, those skilled in the art will use zip drives, magnetic cassettes, flash memory cards, cartridges, etc. It will be appreciated that other tangible computer-readable media such as etc. may also be used in the exemplary operating environment and any such media may include computer-executable instructions for performing the methods of the present disclosure.

A number of program modules may be stored in drives and RAM 1512 , including operating system 1530 , one or more application programs 1532 , other program modules 1534 , and program data 1536 . All or portions of the operating system, applications, modules, and/or data may also be cached in RAM 1512 . It will be appreciated that the present disclosure may be implemented in various commercially available operating systems or combinations of operating systems.

A user may enter commands and information into the computer 1502 via one or more wired/wireless input devices, for example, a pointing device such as a keyboard 1538 and a mouse 1540 . Other input devices (not shown) may include a microphone, IR remote control, joystick, game pad, stylus pen, touch screen, and the like. Although these and other input devices are often connected to the processing unit 1504 through an input device interface 1542 that is connected to the system bus 1508, parallel ports, IEEE 1394 serial ports, game ports, USB ports, IR interfaces, It may be connected by other interfaces, etc.

A monitor 1544 or other type of display device is also coupled to the system bus 1508 via an interface, such as a video adapter 1546 . In addition to the monitor 1544, the computer typically includes other peripheral output devices (not shown), such as speakers, printers, and the like.

Computer 1502 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1548 via wired and/or wireless communications. The remote computer(s) 1548 may be a workstation, server computer, router, personal computer, portable computer, microprocessor-based entertainment device, peer device, or other common network node, and is generally Although including many or all of the components described, only memory storage device 1550 is shown for simplicity. The logical connections shown include wired/wireless connections to a local area network (LAN) 1552 and/or a larger network, eg, a wide area network (WAN) 1554 . Such LAN and WAN networking environments are common in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which can be connected to a worldwide computer network, for example, the Internet.

When used in a LAN networking environment, the computer 1502 is connected to the local network 1552 through a wired and/or wireless communication network interface or adapter 1556 . Adapter 1556 can facilitate wired or wireless communication to LAN 1552 , which also includes a wireless access point installed therein for communicating with wireless adapter 1556 . When used in a WAN networking environment, the computer 1502 may include a modem 1558 , connected to a communication server on the WAN 1554 , or otherwise establishing communications over the WAN 1554 , such as over the Internet. have the means A modem 1558 , which may be internal or external and a wired or wireless device, is coupled to the system bus 1508 via a serial port interface 1542 . In a networked environment, program modules described for computer 1502 , or portions thereof, may be stored in remote memory/storage device 1550 . It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used.

The computer 1502 may be associated with any wireless device or object that is deployed and operates in wireless communication, for example, a printer, scanner, desktop and/or portable computer, portable data assistant (PDA), communication satellite, wireless detectable tag. It operates to communicate with any device or place, and phone. This includes at least Wi-Fi and Bluetooth wireless technologies. Accordingly, the communication may be a predefined structure as in a conventional network or may simply be an ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) makes it possible to connect to the Internet, etc. without a wire. Wi-Fi is a wireless technology such as cell phones that allows these devices, eg, computers, to transmit and receive data indoors and outdoors, ie anywhere within range of a base station. Wi-Fi networks use a radio technology called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, and high-speed wireless connections. Wi-Fi can be used to connect computers to each other, to the Internet, and to wired networks (using IEEE 802.3 or Ethernet). Wi-Fi networks may operate in unlicensed 2.4 and 5 GHz radio bands, for example, at 11 Mbps (802.11a) or 54 Mbps (802.11b) data rates, or in products that include both bands (dual band). have.

Those of ordinary skill in the art of the present disclosure will recognize that the various illustrative logical blocks, modules, processors, means, circuits, and algorithm steps described in connection with the embodiments disclosed herein include electronic hardware, (convenience For this purpose, it will be understood that it may be implemented by various forms of program or design code (referred to herein as "software") or a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. A person skilled in the art of the present disclosure may implement the described functionality in various ways for each specific application, but such implementation decisions should not be interpreted as a departure from the scope of the present disclosure.

The various embodiments presented herein may be implemented as methods, apparatus, or articles of manufacture using standard programming and/or engineering techniques. The term “article of manufacture” includes a computer program, carrier, or media accessible from any computer-readable device. For example, computer-readable media include magnetic storage devices (eg, hard disks, floppy disks, magnetic strips, etc.), optical disks (eg, CDs, DVDs, etc.), smart cards, and flash memory. devices (eg, EEPROMs, cards, sticks, key drives, etc.). Also, various storage media presented herein include one or more devices and/or other machine-readable media for storing information. The term “machine-readable medium” includes, but is not limited to, wireless channels and various other media capable of storing, holding, and/or carrying instruction(s) and/or data.

It is understood that the specific order or hierarchy of steps in the presented processes is an example of exemplary approaches. Based on design priorities, it is understood that the specific order or hierarchy of steps in the processes may be rearranged within the scope of the present disclosure. The appended method claims present elements of the various steps in a sample order, but are not meant to be limited to the specific order or hierarchy presented.

The description of the presented embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the present disclosure. Thus, the present disclosure is not intended to be limited to the embodiments presented herein, but is to be construed in the widest scope consistent with the principles and novel features presented herein.

Claims (14)

A computer program stored in a computer-readable storage medium, wherein, when the computer program is executed on one or more processors, the one or more processors perform the following operations for determining a vulnerability based on a binary code of software, the actions are,
generating a vulnerability signature by performing pre-processing on vulnerability information of software;
generating a target function fingerprint by performing preprocessing on the target binary code; and
determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint;
including,
The operation of determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint includes:
selecting a candidate vulnerability signature and a candidate target function fingerprint by performing primary filtering on the vulnerability signature and the target function fingerprint;
including, and
The first filtering is
Filtering for identifying a code related to a vulnerability in each of the vulnerability signature and the target function fingerprint,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The vulnerability information is
Vulnerability patch information in the form of source code, including binary code related to the vulnerability and the binary code in which the vulnerability is patched,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The operation of generating a vulnerability signature by performing pre-processing of the vulnerability information of the software includes:
identifying a binary code related to a change based on the vulnerability information;
generating a vulnerability function fingerprint and a patched function fingerprint based on the binary code related to the identified change; and
generating a vulnerability signature including the vulnerable function fingerprint and the patch function fingerprint;
comprising,
A computer program stored on a computer-readable storage medium.
4. The method of claim 3,
The operation of generating a weak function fingerprint and a patch function fingerprint based on the binary code related to the identified change comprises:
acquiring property information of an executable function and a binary code based on the binary code related to the identified change;
obtaining property information of a function based on the executable function;
dividing the function into one or more strands based on independent code flows within the function; and
generating the weak function fingerprint and the patch function fingerprint by mapping the attribute information of the function and the attribute information of the binary to each of the one or more strands;
comprising,
A computer program stored on a computer-readable storage medium.
5. The method of claim 4,
The strand is
A set of instructions required to calculate the value of one variable, which is a standard unit for the similarity comparison,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The operation of generating a target function fingerprint by performing pre-processing on the target binary code,
obtaining an executable target function and attribute information of the target binary code based on the target binary code;
obtaining attribute information of a target function based on the target function;
dividing the target function into one or more strands based on independent code flows within the target function; and
generating the target function fingerprint by mapping the attribute information of the target function and the attribute information of the target binary to each of the one or more strands;
comprising,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The similarity comparison between the vulnerability signature and the target function fingerprint is
An N-Gram similarity comparison that divides each of the function fingerprint corresponding to the vulnerability signature and the target function fingerprint into predetermined units, and compares how many units among all the divided units are similar;
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The operation of determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint includes:
calculating a first similarity between the weak function fingerprint included in the vulnerability signature and a function included in each of the target function fingerprints;
calculating a second similarity between a patch function fingerprint included in the vulnerability signature and a function included in each of the target function fingerprints; and
determining whether a vulnerability exists in the target software based on a difference between the first degree of similarity and the second degree of similarity;
comprising,
A computer program stored on a computer-readable storage medium.
9. The method of claim 8,
The first degree of similarity has a positive correlation with a probability that a vulnerability is determined in the software, and the second degree of similarity has a negative correlation with a probability that a vulnerability is determined in the software.
A computer program stored on a computer-readable storage medium.
9. The method of claim 8,
Determining whether a vulnerability exists in the target software based on a difference between the first degree of similarity and the second degree of similarity includes:
determining that a vulnerability exists in the target software when a difference between the first degree of similarity and the second degree of similarity exceeds a predetermined criterion;
comprising,
A computer program stored on a computer-readable storage medium.
delete The method of claim 1,
The operation of determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint includes:
identifying similar strands by performing secondary filtering on the candidate vulnerability signature and candidate target function fingerprint;
comprising,
A computer program stored on a computer-readable storage medium.
A method for determining a vulnerability based on a target binary code of software executed in a processor of a computing device, the method comprising:
generating, by a processor included in the computing device, a vulnerability signature by performing pre-processing on vulnerability information of software;
generating, by the processor, a target function fingerprint by performing preprocessing on the target binary code; and
determining, by the processor, whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint;
including,
The step of the processor determining whether a vulnerability exists in the target software through a similarity comparison between the vulnerability signature and the target function fingerprint,
selecting a candidate vulnerability signature and a candidate target function fingerprint by performing primary filtering on the vulnerability signature and the target function fingerprint;
including, and
The first filtering is
Filtering for identifying a code related to a vulnerability in each of the vulnerability signature and the target function fingerprint,
A method for determining a vulnerability based on the binary code of software running on a processor of a computing device.
A computing device for determining vulnerabilities based on the binary code of software,
a processor including one or more cores;
a memory including program codes executable by the processor; and
a network unit for transmitting and receiving data to and from the client;
including, and
The processor is
Performs pre-processing of software vulnerability information to generate vulnerability signatures,
Perform preprocessing on the target binary code to generate a target function fingerprint, and
determining whether a vulnerability exists in the target software by comparing the similarity between the vulnerability signature and the target function fingerprint;
When it is determined whether a vulnerability exists in target software by comparing the similarity between the vulnerability signature and the target function fingerprint, primary filtering is performed on the vulnerability signature and the target function fingerprint to obtain a candidate vulnerability signature and a candidate target function. select fingerprints, and
The first filtering is
Filtering for identifying a code related to a vulnerability in each of the vulnerability signature and the target function fingerprint,
A computing device for determining vulnerabilities based on the binary code of software.

Images