KR20180076550A - Apparatus and method for inter-procedure static analysis - Google Patents

Abstract

The present invention relates to an inter-procedure static analysis apparatus which includes a static analysis unit for performing a static analysis on input data which is data about an inputted binary program, a determination unit for determining whether or not the input data calls another function based on the result of the static analysis, and a risk analysis unit for extracting at least one free variable affecting another function based on a determination result and analyzing a risk for the at least one free variable; and a method thereof. Accordingly, the present invention can supply useful information to a user by using various static analysis methods in the static analysis of a crash.

Description

[0001] APPARATUS AND METHOD FOR INTER-PROCEDURE STATIC ANALYSIS [0002]

The present invention relates to a multifunctional static analysis apparatus and method that extends the scope of analysis in static analysis of binary programs.

It is also important to write the source code so that the vulnerability does not occur in order to defend the vulnerability of the program, but it is also very important to verify from the perspective of the hacker whether the distributed program is actually attacked by hackers.

From these hackers' perspective, Fuzzer, a program verification tool that verifies program vulnerabilities, manipulates input data to artificially trigger a crash and verify the program with or without a crash.

Here, there is a pattern of hackers who find a vulnerability by analyzing the crash by manipulating input data through fuzzing in a binary program without source code, and in this process, fuzzing is automated However, the process of determining whether a crash is a vulnerability requires a long time to manually check hundreds to thousands of Basic Blocks.

Here, the most important condition for the vulnerability to occur is whether or not the PC value desired by the attacker can be changed by the manipulated input data. In most cases, the crash occurred immediately to the attack point. However, Offensive attacks are emerging.

In this case, it is very difficult to determine the path through which the data affecting the occurrence of the crash is propagated and which command can be attacked. That is, from the point of occurrence of the crash to the end of the function, several hundred basic blocks and commands There is a very difficult problem to manually analyze these vulnerabilities.

Korean Registered Patent No. 10-1159365 (Jun. 18, 2012)

An object of the present invention is to solve the above problem by performing a static analysis on input data which is data of a binary program inputted and determining whether or not the input data calls another function based on the result of the static analysis , To analyze the risk of at least one free variable extracted when calling another function, and to extend the scope of analysis in the static analysis of the binary program.

The problems to be solved by the present invention are not limited to the above-mentioned problem (s), and another problem (s) not mentioned can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a multi-function static analysis apparatus comprising: a static analysis unit for performing a static analysis on input data that is data on an inputted binary program; And a risk analysis unit for extracting at least one free variable that affects other functions based on the determination result and analyzing the risk of at least one free variable .

According to an embodiment of the present invention, static analysis is performed on input data, which is data on input binary programs, and it is determined whether or not the input data calls another function based on the result of the static analysis. It analyzes the risk of at least one free variable extracted, and extends the scope of analysis in the static analysis of the binary program. In the static analysis of the crash, various static analysis techniques are used to provide useful information to the user In addition, it can provide users with more accurate information by using a technique that can analyze a wide range.

1 is a block diagram illustrating a multi-function static analysis apparatus according to an embodiment of the present invention.
FIG. 2 is a diagram for explaining an apparatus and a method for multifunctional static analysis according to an embodiment of the present invention.
FIG. 3 and FIG. 4 are views for explaining an apparatus and method for analyzing a multifunctional static analysis according to the first embodiment of the present invention.
FIGS. 5 to 14 are diagrams for explaining a multifunctional static analysis apparatus and method according to a second embodiment of the present invention.
FIG. 15 is a diagram for comparing the analysis result of the multifunction static analyzer according to the second embodiment of the present invention and the analysis result of the conventional technique.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings in order to facilitate a person skilled in the art to easily carry out the technical idea of the present invention. . In the drawings, the same reference numerals are used to designate the same or similar components throughout the drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

Hereinafter, a multi-function static analysis apparatus and method according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram illustrating a multi-function static analysis apparatus according to an embodiment of the present invention.

1, a multi-function static analysis apparatus 100 according to an embodiment of the present invention includes a static analysis unit 110, a determination unit 120, and a risk analysis unit 130.

The static analysis unit 110 performs a static analysis on input data, which is data on the inputted binary program.

The determination unit 120 determines whether or not the input data calls another function based on the result of the static analysis.

The risk analysis unit 130 extracts at least one free variable that affects other functions based on the determination result, and analyzes the risk for at least one free variable.

For example, the multi-function static analysis apparatus 100 according to an embodiment of the present invention may be for expanding an analysis range to a multi-function range in a static analysis of a binary program.

For example, in order to expand the scope of analysis to a range of multiple functions in the program static analysis, the multi-function static analysis apparatus 100 according to the embodiment of the present invention includes a function called (caller) in the function call and a function called Callee ) Can be used as a method of continuing the analysis based on the data transmitted between the mobile stations.

Referring now to FIG. 2, a multi-function static analysis apparatus and method according to an embodiment of the present invention will be described.

FIG. 2 is a diagram for explaining an apparatus and a method for multifunctional static analysis according to an embodiment of the present invention.

The static analysis unit 110 performs a static analysis on input data (Taint Source, crash information), which is data on the inputted binary program.

At this time, the static analysis performed by the static analysis unit 110 includes a Reaching Def analysis, a memory area analysis, a Def-Use-Chain analysis, and an exploitable analysis can do.

For example, the static analysis performed by the static analysis unit 110 may be to sequentially perform the four static analysis methods described above, but the present invention is not limited thereto.

For example, the static analysis performed by the static analysis unit 110 may include various static analysis methods in addition to the above-described four static analysis methods, and the present invention is not limited to the above-described four static analysis methods.

The determination unit 120 determines whether the multi-function analysis is performed by determining whether the function is called after a static analysis process.

If it is determined that no other function is called, the risk analysis unit 130 may calculate the risk level by analyzing the risk of the inputted binary program.

As a result of the determination, when a different function is called, the risk analysis unit 130 extracts at least one free variable that affects other functions.

At this time, at least one free variable may include a global variable, an argument, and a return value, but the present invention is not limited thereto.

In this case, the risk analysis unit 130 may analyze the risk for each of the global variable, the argument, and the return value, synthesize the results, and calculate the risk level.

In this case, the risk analysis unit 130 transmits an argument of the extracted free variables to the static analysis unit 110, and the correction analysis unit 110 outputs an argument as input data (Taint Source, ) To perform additional static analysis to repeat the above-described operation.

When the above operation is repeated and no further function is called, the multifunction static analyzer 100 according to the embodiment of the present invention stores the result, outputs it to the outside, and reports it to the user to complete the analysis .

In other words, the multi-function static analysis apparatus 100 according to an embodiment of the present invention performs a static analysis using a binary file and crash information, automatically determines the risk of a crash, reports it to a user, Range to a multi-function range, but the present invention is not limited thereto.

For example, a typical example of a conventional crash analysis tool is a program called "! Exploitable" produced by MicroSoft, but the conventional crash analysis tool dynamically analyzes the crash to determine the risk and uses some static analysis depending on the condition There is one, single block analysis range, so there is a problem that the risk after that can not be judged.

On the other hand, the multi-function static analysis apparatus 100 according to the embodiment of the present invention not only can analyze a conventional single block but also can analyze multi-blocks and further analyze multi-functions.

Now, with reference to FIG. 3 and FIG. 4, an apparatus and method for multifunctional static analysis according to a first embodiment of the present invention will be described.

A crash created using a fuzzer means a bug in the program, which can cause a vulnerability and must be corrected. Since a crash caused by a fuzzer is a result of randomly manipulating the input value, And the other.

In order to detect a vulnerability due to this data, dynamic analysis requires an execution trace. However, since there is no trace of execution after a crash point, there is an impossible problem. To solve this problem, The apparatus and method for multifunctional static analysis according to the embodiments can be identified through static analysis.

For example, Fuzzer automatically executes a part of the input data at random, and if the exception processing of the program is not successful, the operating system will force a crash to terminate the execution, and the Fuzzer In this way, it is used to test the program whether a crash occurs or not. Such verification is intended to prevent a pattern from creating an attacker's point of view and developing it as a vulnerability, and a representative tool is Peach Fuzzer.

For example, the operation sequence of the multifunctional static analysis apparatus and method according to the first embodiment of the present invention may be as shown in FIG.

This data can be used to influence the value of the destination address of a branch / jump instruction if the crash data produced by the user is manipulable through input data manipulation, This could mean that a vulnerability could occur.

For example, the apparatus and method for multifunctional static analysis according to the first embodiment of the present invention determine whether data affected by a crash through exploitable analysis is likely to occur as a vulnerability after a crash point Check for possible vulnerabilities through the resulting crashes, and classify the risks.

The apparatus and method for multifunctional static analysis according to the first embodiment of the present invention first extract idb files including disassembled data and control flow data through IDA pro, And then a static analysis is performed in order to find an exploitable point in real time. The procedure is as shown in FIG.

For example, Binnavi, developed by Zynamics, is a tool for analyzing and debugging programs. In addition to providing a plug-in such as a path finder for program analysis, it can provide various APIs and REIL intermediate languages .

The Reversing Engineering Intermediate Language (REIL) is capable of translating various instructions such as x86, ARM, and PowerPC-32, and consists of a total of 17 instructions, which are more complicated than x86 and ARM architectures with hundreds of instructions. There is an advantage that it is easy to perform static analysis.

For example, the apparatus and method for multifunctional static analysis according to the first embodiment of the present invention utilize a reaching definition, a def-use chaining, and exploitable checking You can run a static analysis.

For example, IDA pro (Interactive Disassembler) can be used as a disassembler for generating assembly language source code from a binary program. It can be used on Windows, ARM, Linux, Mac OS, and express various instruction sets such as Intel x86 and ARM architecture. However, the present invention can disassemble data by using various programs known in addition to IDA pro, and the present invention is not limited to IDA pro.

For example, in the apparatus and method for multifunctional static analysis according to the first embodiment of the present invention, an instruction which can reach each instruction through analysis of a reating definition, which is a static analysis technique of a compiler, And the result is used to perform a def-use chaining analysis.

For example, the apparatus and method for multifunctional static analysis according to the first embodiment of the present invention may be configured to start from input data (Taint Source, crash point), Def-use chaining to define definition (Use) in i1 among the Definitions, the relationship is reflected in the graph.

As a result, the relationship between all the commands affected by the crash is analyzed and the Def-Use Graph is completed. The vertex contained in the DEF-USE graph is an instruction influenced by a crash point and detects whether there is an exploitable point, which is an instruction that is likely to branch to the attacker's code Exploitable checking is done. The case corresponding to this is determined according to the criterion for judging the risk of the crash of the instruction, and the path and the analysis result of the contaminated data can be stored and displayed to the user upon completion of the analysis. Lt; / RTI >

For example, the multi-function static analysis apparatus and method according to the first embodiment of the present invention may notify a user of a final classification of a crash risk to be more dangerous in order to conservatively classify the crash classification, There may be more than one classification criteria.

In this case, the final classification is reported as a more dangerous classification criterion in order to provide a conservative analysis result to the user. For example, by using the results of the multi-function static analysis apparatus and method according to the first embodiment of the present invention, a crash classified as NE (not exploitable) as a complementary program is regarded as having no possibility of attack and is excluded from the supplementary object And can reduce the scope of analysis.

On the other hand, E (exploitable) can be important because it is necessary to find and fix dangerous parts. In the case of a crash classified as PE (probably exploitable), it means that only data or destination address is controllable. In order to provide users with more useful information, it is necessary to provide more detailed analysis of the crashed parts classified as likely exploitable (PE) in particular.

For example, a multi-function static analysis apparatus and method according to the first embodiment of the present invention can be implemented using a compiler optimization technique to perform a static analysis to find an exploitable point, It is possible to provide a result of NE (not exploitable) to reduce the scope of analysis, and it is necessary to conduct a conservative analysis to ensure accuracy, so that the memory is abstracted and analyzed, There may also be problems in analyzing within the scope of the inner procedure, which can be exploitable in a function (callee) that is invoked by calling other functions, point) can not be detected.

Now, with reference to FIG. 5 to FIG. 14, an apparatus and a method for analyzing a multifunctional static analysis according to a second embodiment of the present invention will be described.

The apparatus and method for multifunctional static analysis according to the second embodiment of the present invention are similar to those of the multifunctional static analysis apparatus and method according to the first embodiment of the present invention, May be to improve the limit.

In the following, an analysis of Memory Location Analysis (MLA) and Inner Procedure Analysis that introduces value-set-analysis to more precisely analyze the abstracted memory area Inter-procedural Analysis (IPA) for extending the scope is described.

As a result, the apparatus and method for multifunctional static analysis according to the second embodiment of the present invention receive the crash information and the binary file as input and analyze the original function as the multifunctional static analysis apparatus and method according to the first embodiment of the present invention. It may mean an apparatus and method for selectively refining memory location analysis and interprocedural analysis while using it as it is.

The configuration of the multifunctional static analysis apparatus and method according to the second embodiment of the present invention may be as shown in FIG.

Memory Location Analysis (MLA) analyzes the def-use relationship of data to find the exploitable points and analyzes the correlation of the variables used by the instructions.

For example, in order to execute commands in each PC, registers and memory areas are used for reading and writing data, and when judging whether data in memory is contaminated or not, Despite the use of memory area values, it can be interpreted as using contaminated data.

Here, the disadvantage of the memory abstraction may be as shown in Fig.

The reasons for this phenomenon are as follows. In the case of a register, the object is obvious in the instruction operand. However, in the case of a memory area, the shape of the stack changes according to the instruction execution and is accessed by using a special register such as esp, ebp, or SP.

As a result, even if the operands are the same, the object indicated by each instruction may be different, and since the object of the memory area can not be specified only by the operand of the instruction, In the analysis apparatus and method, all the memory areas are abstracted into a single space like a register, and as a result, overtaint may occur. In this case, the uncontaminated data is analyzed as being contaminated, causing the crashes to be classified as NE (not exploitable) to be classified as E (exploitable) or PE (probably exploitable).

To elaborate on this, it is necessary to clarify the relationship between defining and using different memories. That is, it can be solved by refining the memory analysis when analyzing the def-use relationship. To this end, in the apparatus and method for multifunctional static analysis according to the second embodiment of the present invention, a memory image is created by creating a table storing a set of values that a specific memory region or register can have in each instruction. If there is no overlap between the set of values that the definition command can have and the use command, then the def-use chain is terminated because the same memory address is not used. Each memory can be distinguished, and the purpose of such memory refinement is as shown in FIG.

Value-set-analysis is an analysis that creates a memory image by determining what values a register or memory can have in an instruction. In a multi-function static analysis apparatus and method according to an embodiment of the present invention, a memory image in each instruction is composed of two maps. One is the register - set of 'Values' (defined as rTable) and the other is the abstract memory location - set of 'Values' (defined as Env).

In this case, 'Values' consists of four major items: 1) an original machine code register, 2) a temporary register, 3) a constant value, 3) a memory location ) 4) Top & bottom symbol.

A temporary register is a temporary register that is inserted in the assembly as it is translated into the REIL intermediate language. The memory region can be expressed as " * (reg1 + c1) + reg2 + c2 ", where "reg1" and "reg2" can not be temporary registers.

This is a method for expressing the memory space, which expresses a register +/- offset through "reg2 + c2 ", and combines pointers for expressing indirect values. Finally, the Top and Bottom symbols may be added for static analysis, and the top symbol indicates when it can not be represented by any one domain. For example, "register * memory location". The bottom symbol is when you do not know which value is not yet assigned a value.

The elements other than the top symbol and the bottom symbol may be configured horizontally as shown in FIG. 8 below, and the values may have only an upward direction or a horizontal direction of the hierarchy, and may not proceed in the reverse direction.

For example, memory elaboration analysis can be done in three steps based on abstract interpretation using the MonoREIL framework provided by Binnavi, and it first takes steps to initialize tables and various special registers. Thereafter, as the instruction progresses, the values that the register or the memory area may have are changed, and a transfer function is applied to reflect the same in the table. In addition, a meet operation to combine possibilities of various control flows is implemented using a union operation, and other necessary elements are applied to the iteration. Finally, we can distinguish the memory through the completed table and apply it to improve the sophistication.

For example, the MonoREIL framework provides an abstract interpretation for static analysis that can be used for initialization, transfer function, meet operation, etc. analysis. It may be used in a form of analyzing only essential parts, but the present invention is not limited thereto.

In the first initialization, rTable and Env are generated at the beginning of the function, and the reference point of the stack area is designated as "stack-0" at the start of the function. In this case, it can be based on the SP register in the case of the ARM binary and the ESP in the case of x86. The register value used in the existing function or the LR register storing the address of the instruction for returning to the caller after the function is terminated Can be initialized.

Then, the transfer function is applied to apply the changed table to each instruction, and the transfer function can apply the formula as shown in FIG.

If a memory image for each instruction comes out through the above process, it is possible to more specifically distinguish which area is used by an operand used in the instruction.

Therefore, it is possible to notify the user of a more effective result by disconnecting the connections that have been previously determined to be related due to overtain, and the procedure is as shown in FIG.

As shown in FIG. 10, if the left two paths are disconnected through elaboration, the route that is determined to be actually dangerous will disappear, and the class that has been classified as E (exploitable) due to the exploitable point, The exploitable point disappears and is reclassified as NE (not exploitable). Depending on the binary file and the type of crash, the risk classification level changes to a downward direction, or the number of paths that need to be analyzed decreases.

Now, we will discuss Inter Procedure Analysis (IPA).

The scope of analysis in program analysis is one of the most important factors that can not be missed in program analysis. For this reason, dynamic analysis also considers coverage to be an important indicator, and filling static analysis with the disadvantage that analysis can not be done after a crash has occurred.

A typical static analysis tool, "! Exploitable [! Exploitable]", reports that the analysis scope is an Inner Basic Block where the crash occurred, and reports an analysis result of "Unknown" It is a disadvantage that comes out as a limit.

Accordingly, the apparatus and method for multifunctional static analysis according to the second embodiment of the present invention extend the exploit detection technique of the above-described function to detect an exploitable point in an inter-procedure range, Lt; RTI ID = 0.0 > a < / RTI >

FIG. 11 is an example code in which data affected by a crash through a global variable and a function argument are propagated and connected to an exploitable point.

A crash can occur if you divide by zero in the process of storing user input as input and data to be passed as global variables and function arguments. This data becomes an exploitable point that can be diverted to the desired code by replacing the function pointer in the callee to be called.

Since the possibility of an exploit beyond the scope of the analysis could not be detected before the multifunctional analysis, it can be said that only the inner-procedure was possible. Multifunction analysis analyzes the possibility of vulnerability by propagating data contaminated by other functions in the function where a crash occurs, in order to expand the scope of analysis so as to analyze the crash.

There are two main ways to perform inter procedure analysis.

First, in the case of inlining, a function code portion of a function (callee) to be called instead of a call instruction is directly inserted when another function is called in a calling function, thereby correcting the code. If you call "plus ()" in the main function, you can see how inlining is applied.

This method has the advantage that it is easy to implement because it simply inserts the code, but the code of the calling caller and the function of the callee to be called are combined, have.

In static analysis, the feature is stored for each instruction. At this time, as the length of the instruction becomes longer, the number of data to be executed or the number of calculation in each instruction increases sharply. For example, in a Reaching-Definition analysis, it is a set of commands that can be reached in each instruction, and a set of values that a memory location analysis can have. In addition, it can not be applied to code implemented with recursion because it inserts the code of the called function (callee) directly.

Next, in the multifunctional static analysis apparatus and method according to the second embodiment of the present invention, a composition analysis introduced for performing a multifunction analysis is a function analysis between a caller and a callee to be called The analysis method is as shown in FIG. 13. FIG.

Identify and analyze factors such as arguments, global variables, and other data that are contaminated with data. The core of this analysis is exploit analysis of the free variable, which is the data that reaches the callee called from the caller, with a taint source.

This can be analyzed when a callee that is called differently from inlining recalls itself. When a function is called from another function, it uses the result already stored (dynamic programing time can be shortened.

At this time, the free variables are the arguments used from the caller, the registers used without being defined in the called function (callee), the calling function (caller), and the calling function (callee) And may include a global variable.

In this case, it is highly probable that the register used without being defined in the called function (callee) is used as an argument. For example, when a function is called by a fast call in x86, It is very likely that the register r4 was used as an argument.

For example, a portion that pushes a register to back up the register data used by a caller called from a callee called according to a calling convention may be excluded.

According to one embodiment, it may happen that the multi-function analysis is not performed for speed improvement and efficiency.

For example, multifunctional analysis is an additional measure of whether there are more risky elements. Crashes that are already classified as E (exploitable) are not subject to analysis. Also, if there is no function call instruction in the object function to be analyzed now, it can be regarded as not propagating to another function.

If the target function does not use a global variable, global variable analysis may not be performed when analyzing the free variable.

For example, in the called function (callee), the risk analysis is largely divided into three parts. First, when there is an exploitable point in the called callee, the same as in the first embodiment The crash can be classified according to the criteria of the exploitable analysis, and the method can be as shown in FIG.

If you call another function at this time, you can perform the multi-function analysis again to analyze whether the called function has an exploitable point. Finally, we know if the polluted data is returned at the end of the function.

The analysis can be divided into global variable analysis and function call analysis according to the characteristics of the input data (taint source).

Finally, each element is analyzed and collected. Depending on the input value, there may be a lot of paths to reach an exploitable point, and other functions may be affected.

For example, since the apparatus and method for multifunctional static analysis according to the embodiment of the present invention inform the user of the conservative result when classifying and reporting the risk of the crash, the exploitable analysis, the function call analysis function call analysis, and global variable analysis, as the final grade.

Here, the part corresponding to the multi-function analysis can mean the inside of the range of the red line in FIG.

For example, function call analysis is an analysis to detect the possibility that contaminated data propagated through a function parameter may cause a vulnerability. As in the case of analyzing a crash point as a taint source, you can find the free variables such as the function arguments of the called function (callee) and the registers to use without defining them, Performs an exploitable analysis and stores the results. In this case, exploitable analysis and multifunction analysis should be performed in the same way because the call instruction may exist in the called function (callee) which is currently analyzed and may be similarly vulnerable. can do.

For example, it is not necessary to repeatedly analyze functions that have been called once and stored as separate functions and called the same function many times, thereby reducing the time cost and also the situation that can be continued infinitely like a regression Can be avoided.

In addition to analyzing exploitable possibilities, it can be considered that if the contaminated data is propagated to the return value, it will again affect the calling function. If the caller stores the contaminated value, it should be regarded as a taint source. Therefore, return value analysis is performed to determine whether the return value is contaminated, and the result is stored. The return value may be eax for x86 and R0 register for ARM, but the present invention is not limited to this.

Now we describe the Global Variable Analysis.

In addition to being propagated as function arguments, a global variable can also affect the data of other functions. If the contaminated data is stored in a global variable, data outside the scope of the function containing the crash point can also be manipulated.

If you use a global variable in the calling function, it is possible that this variable will be used by other functions. If you use the same global variable in a calling function (callee), you can treat this global variable as a free variable because there is an exploitable possibility to change the PC value through this variable.

At this time, the analysis result of the risk analysis unit 130 may mean four stages of E (exploitable), PE (probably exploitable), PNE (probably not exploitable) and NE (not exploitable).

Referring now to FIG. 15, the analysis result of the multifunction static analyzer according to the second embodiment of the present invention is compared with the analysis result of the prior art.

As shown in FIG. 15, it can be seen that the multi-function static analysis apparatus according to the second embodiment of the present invention can classify more NEs (not exploitable) than the conventional technique.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but many variations and modifications may be made without departing from the scope of the present invention. It will be understood that the invention may be practiced.

100: Multifunctional static analyzer
110: static analysis section
120:
130: Risk Analysis Department

Claims (1)

A static analyzer for performing a static analysis on input data which is data on an inputted binary program;
A determination unit for determining whether or not the input data calls another function based on a result of the static analysis; And
And a risk analysis unit for extracting at least one free variable that affects the other function based on the determination result and analyzing the risk for the at least one free variable.

Images