WO2010134325A1 - Dynamic data flow tracking method, dynamic data flow tracking program, dynamic data flow tracking device - Google Patents
- Publication number
- WO2010134325A1 (application PCT/JP2010/003346, JP2010003346W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- signature
- function
- data flow
- tag
- dynamic data
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/28—Error detection; Error correction; Monitoring by checking the correct order of processing
Definitions
- the present invention relates to a dynamic data flow tracking device, a dynamic data flow tracking method, and a dynamic data flow tracking program, and more particularly to a dynamic data flow tracking device, method, and program that use information related to a library specification.
- the method of embedding code for performance measurement, bug discovery, etc. by partially rewriting the execution code of the program at the time of execution is called binary instrumentation.
- By using the binary instrumentation technique, the user can analyze at run time how data is exchanged within the process. This data analysis method is called dynamic data flow analysis.
- Input data refers to data read from a file, data received via a network, and the like, and a tag is information indicating the route through which the data was input.
- the program execution code is divided into units called basic blocks (Basic Block), and instrumentation is performed on the basic blocks.
- Instrumentation is a function that reads an execution code of a program, changes the execution code by applying a predetermined process, and executes the changed execution code.
- Non-patent document 1 is given as an example of disclosure of the instrumentation function.
- Non-Patent Document 2 discloses a technique in which dynamic data flow analysis is applied to discovery of attacks on program vulnerabilities.
- A type of attack, such as a buffer overflow attack, that executes arbitrary code by exploiting a vulnerability of a program proceeds in the following two steps. (1) The malicious code is loaded into the program from the outside, mainly through the network. (2) Program control is transferred to the loaded malicious code.
- In the technique of Non-Patent Document 2, dynamic data flow analysis is used to determine whether the process transfers execution control to data read from an untrusted information source (for example, data received via the Internet), and thereby whether step (2) has occurred. By such processing, the user can discover or prevent a buffer overflow attack.
- Non-Patent Document 3 discloses a technique in which dynamic data flow analysis is applied to information leakage by spyware or the like. Information leakage by spyware is caused by a program sending confidential information to the outside of a network or the like against the user's intention.
- In the technique of Non-Patent Document 3, dynamic data flow analysis is used to determine whether data read from a sensitive information source, such as a document file on a PC (Personal Computer), is output to an untrusted destination such as the Internet; information leakage is discovered in this way.
- dynamic data flow analysis can find information security problems.
- Because dynamic data flow analysis records the exchange of internal data one by one at the time of program execution, there is a problem that the program execution speed decreases.
- The present invention has been made to solve such problems, and provides a data flow tracking method, a data flow tracking program, and a data flow tracking device capable of speeding up dynamic data flow analysis for a program in which a plurality of shared libraries are linked.
- One aspect of the dynamic data flow tracking method dynamically tracks a data flow by setting a tag on data in a process and propagating the tag as the data is passed around within the process.
- A specification of the data passing in a function included in a shared library is defined as a signature, and the signature is referred to when the program calls a function defined by the signature; tag propagation inside that function is omitted.
- This provides a dynamic data flow tracking method capable of speeding up dynamic data flow analysis for a program in which a plurality of shared libraries are linked.
- FIG. 1 is a block diagram of a dynamic data flow analysis apparatus according to a first embodiment.
- FIG. 2 is a block diagram of a dynamic data flow analysis apparatus according to the first embodiment.
- FIG. 3 is a conceptual diagram illustrating code embedding in a basic block according to the first embodiment.
- FIG. 4 is a diagram of an API signature according to the first embodiment.
- FIG. 5 is a diagram of an API address map according to the first embodiment.
- FIG. 6 is a diagram of a shared library address list according to the first embodiment.
- FIG. 7 is a flowchart showing a code embedding process in a basic block according to the first embodiment.
- FIG. 8A is an example of a function call code of a shared library according to the first embodiment.
- FIG. 8B is an execution code according to the first embodiment.
- FIG. 9 is a diagram of an execution code in which an API tracking code according to the first embodiment is embedded.
- FIG. 10 is a block diagram of a dynamic data flow analysis apparatus according to a second embodiment.
- FIG. 11 is a diagram of a basic block according to the second embodiment.
- FIG. 12 is a flowchart of basic block generation according to the second embodiment.
- FIG. 13 is a flowchart of full tracking code generation processing according to the second embodiment.
- FIG. 14 is a diagram of an execution code in which a function call embedding process according to the second embodiment is performed.
- FIG. 15 is a diagram of an execution code in which a return process embedding process according to the second embodiment is performed.
- FIG. 16 is a flowchart of API tracking code generation processing according to the second embodiment.
- FIG. 17 is a block diagram of a dynamic data flow analysis apparatus according to a third embodiment.
- FIG. 18 is a flowchart of conservative function call processing embedding processing according to the third embodiment.
- FIG. 19 is a diagram of an execution code that has undergone conservative function call processing embedding processing according to the third embodiment.
- FIG. 20 is a flowchart of conservative function call processing embedding processing according to the fourth embodiment.
- Embodiment 1. Embodiments of the present invention will be described below with reference to the drawings.
- the dynamic data flow analysis apparatus 100 according to the first exemplary embodiment of the present invention is configured to include a dynamic data flow analysis process adding unit 107 and a storage unit 108.
- the dynamic data flow analysis apparatus according to the present embodiment sets a tag indicating the data acquisition route on data in the process and propagates the tag as the data is passed around within the process, thereby tracking the data flow dynamically.
- the storage unit 108 stores a signature in which a specification of data passing in a function (user code) included in the shared library is defined.
- the dynamic data flow analysis processing adding unit 107 refers to a signature when a function defined by a signature (hereinafter also referred to as an API (Application Program Interface) signature) is called from the program, so that at least a part of the tag propagation is omitted; preferably the tag is propagated in a lump.
- the dynamic data flow analysis process adding unit 107 adds a tag propagation process before or after the function call, or to the called function, when the function is called. In this embodiment, an example in which tags are propagated collectively will be described; however, omitting even a part of the tag propagation reduces the processing generated by tag propagation and speeds up execution.
- the dynamic data flow analysis apparatus 100 illustrated in FIG. 1 can be described as the dynamic data flow analysis apparatus 100 illustrated in FIG.
- the dynamic data flow analysis apparatus 100 can be configured as software executed by a computer that operates under program control, for example, a central processing unit (CPU: Central Processing Unit, not shown in FIG. 2).
- the dynamic data flow analysis apparatus 100 includes an operating system 101, an instrumentation unit 102, an application program 103, a shared library analysis unit 104, a dynamic data flow analysis processing addition unit 107, and an API knowledge storage unit 108.
- the dynamic data flow analysis process addition unit 107 in FIG. 1 corresponds to the dynamic data flow analysis process addition unit 107 in FIG.
- the storage unit 108 in FIG. 1 corresponds to the API knowledge storage unit 108 in FIG.
- the operating system 101 is software that provides application software with an interface that abstracts hardware in a computer, and is a kind of basic software.
- the instrumentation unit 102 reads the execution code of the application program 103 and divides it into basic blocks. In addition, the instrumentation unit 102 uses the dynamic data flow analysis processing adding unit 107 to change each basic block so that the dynamic data flow analysis processing is added to it, and stores the changed basic block in the code cache inside the instrumentation unit 102.
- Application program 103 is an arbitrary program executed on the PC.
- the shared library analysis unit 104 receives the execution code loaded by the instrumentation unit 102 and the shared library information linked to the execution code as inputs.
- the shared library analysis unit 104 outputs an API address map 105 and a shared library address list 106 based on the input and information in the API knowledge storage unit 108.
- the dynamic data flow analysis processing adding unit 107 includes a data tracking code embedding unit 1071 and an API data tracking code embedding unit 1072.
- the dynamic data flow analysis process adding unit 107 receives a basic block from the instrumentation unit 102 as an input. Based on the API address map 105, the shared library address list 106, and the information in the API knowledge storage unit 108, it generates code for detecting the dependency of data input/output in the basic block and embeds that code in the basic block. Thereafter, the dynamic data flow analysis processing adding unit 107 outputs the generated basic block to the instrumentation unit 102.
- the API knowledge storage unit 108 stores information related to the API signature.
- the API signature indicates information related to the API of the function of the shared library called from the program.
- This API signature is information defining which API function can cause what kind of data flow (data transfer) between an argument and a return value.
- the API signature includes information for identifying an API function such as a module name and a function name, and information defining what kind of data flow (data transfer) is caused by calling the API function.
- the API function is a function defined in the API signature. In this embodiment, it is assumed that all functions included in the shared library are defined in the API signature. That is, in this embodiment, all functions of the shared library are API functions.
- the dynamic data flow analysis apparatus 100 is described as software realized by causing a CPU to execute a computer program, but may be realized as hardware.
- the computer program executed by the CPU can be provided by being recorded on a recording medium, or can be provided by being transmitted via the Internet or other communication media.
- the storage medium includes, for example, a flexible disk, a hard disk, a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD, a ROM cartridge, a battery-backed RAM memory cartridge, a flash memory cartridge, and a nonvolatile RAM cartridge.
- the communication medium includes a wired communication medium such as a telephone line, a wireless communication medium such as a microwave line, and the like.
- the loader reads the execution code of the program and the execution code of the shared library to which the program is linked. Then, the loader transfers control to the execution start position of the program, and starts executing the program code itself read into the memory.
- the instrumentation unit 102 performs the following processing.
- the instrumentation unit 102 calls the shared library analysis unit 104 when the execution code of the program and the execution code of the shared library are read. The processing of the shared library analysis unit 104 will be described later.
- the instrumentation unit 102 reads the execution code into the memory.
- the instrumentation unit 102 extracts a basic block 1031 that is a group of execution codes from the execution start position of the execution code. Thereafter, the instrumentation unit 102 calls the dynamic data flow analysis processing addition unit 107 to cause the basic block 1031 to perform the process defined by the dynamic data flow analysis processing addition unit 107.
- the dynamic data flow analysis processing adding unit 107 embeds the dynamic data flow analysis processing in the basic block 1031 and moves the generated basic block 1031 to the instrumentation unit 102.
- the instrumentation unit 102 transfers control to the generated basic block 1031 and executes the basic block 1031.
- the instrumentation unit 102 stores the generated basic block 1031 in the code cache 1021.
- When the same basic block is executed again, control is transferred to the converted basic block 1031 stored in the code cache 1021, so that the code embedding process, which takes a long processing time, occurs only once in principle.
- Further, control need not be returned to the instrumentation unit 102 at every call: the decrease in application execution speed can be suppressed by applying known acceleration techniques, such as rewriting the calling basic block 1031 in the code cache 1021 so that it branches directly to the called basic block 1031 in the code cache 1021.
- the instrumentation unit 102 performs the above basic block conversion process on all the basic blocks 1031.
- The API signature stored in the API knowledge storage unit 108 will be described with reference to FIG.
- In the example, the functions GetProcAddress and MultiByteToWideChar, implemented in the shared library kernel32.dll, and information on the data flow of each function are defined.
- the shared library analysis unit 104 is called when the instrumentation unit 102 loads a basic block of the application program 103 or a shared library (DLL) linked to the basic block of the application program 103 onto the memory.
- the shared library analysis unit 104 enumerates the API functions called by the loaded basic block and shared library, and creates a correspondence table between each API function defined in the API knowledge storage unit 108 and its start address, that is, between the function name of the API function and its start address. This correspondence table is called the API address map 105.
- the API address map 105 stores, for each API function defined in the API knowledge storage unit 108 among the API functions called directly from the application program 103 to be executed or indirectly through another API function, the pair of the function name and its start address (FIG. 5).
- In addition to generating the API address map 105, the shared library analysis unit 104 also generates a shared library address list 106, which is the set of pairs of start and end addresses of all loaded shared libraries (FIG. 6).
- FIG. 7 is a flowchart showing an operation when the dynamic data flow analysis process adding unit 107 performs the code embedding process on the basic block 1031.
- the dynamic data flow analysis processing adding unit 107 determines whether the start address of the basic block 1031 read by the instrumentation unit 102 lies between the start address and end address of any pair stored in the shared library address list 106 (S701). If it does (S701: Yes), the dynamic data flow analysis process adding unit 107 recognizes that the block is inside a shared library, does not perform the code embedding process on the basic block 1031, and ends the process.
- Otherwise, the dynamic data flow analysis processing adding unit 107 takes out the first instruction of the basic block and determines whether it is a data movement instruction (S702). If it is (S702: Yes), the unit embeds code for propagating the tag from the data movement source to the movement destination (S703). Since this process is a known technique described in Non-Patent Document 2 and elsewhere, details are omitted.
- A data movement instruction here means copying, addition, or subtraction between registers, loading from memory to a register, storing from a register to memory, push/pop to the stack, and the like.
- the dynamic data flow analysis processing adding unit 107 determines whether or not the instruction is a call instruction (function call instruction) (S704). If it is a call instruction (S704: Yes), the dynamic data flow analysis process adding unit 107 performs an API data tracking code embedding process (S705).
- In the API data tracking code embedding process, the dynamic data flow analysis processing adding unit 107 embeds, immediately before the call instruction, code that temporarily saves the API function identifier and the argument values (which are stored on the stack) to the thread-local area.
- After the call instruction, the dynamic data flow analysis processing adding unit 107 embeds code that performs tag propagation based on the data saved in the thread-local area (the argument values and API signature information saved immediately before the call instruction). Details of the code embedded by the API data tracking code embedding process (S705) will be described with reference to FIGS. 8A, 8B, and 9.
- FIG. 8A is an example of calling MultiByteToWideChar, which is a function of a shared library.
- When this shared library function call is compiled for the x86 architecture, execution code as shown in FIG. 8B is obtained.
- the execution code in FIG. 9 is an example in the case where the dynamic data flow analysis process adding unit 107 embeds the API tracking code in the execution code in FIG. 8B.
- the embedded API tracking code is written in C language form, set off from the surrounding execution code by delimiters.
- Immediately before the call instruction, the contents of the address referenced by the call instruction are inspected, and it is determined whether that address is defined in the API address map (FIG. 5) (S901). In FIG. 9 the operand of the call instruction is the indirect address [0041A2090], so the contents of the address “0041A2090” are inspected immediately before the call instruction and checked against the API address map.
- If the call target is defined in the API address map, the fact that the API function is called is recorded in the thread-local area (S902), and the contents of the data flow appearing in the API signature (FIG. 4) corresponding to the called function are stored in the thread-local area (S903).
- In the example, if the call target equals the MultiByteToWideChar address “0x7C809BF8”, the fact that MultiByteToWideChar is called is recorded in the thread-local area (S902), and the third and fifth arguments passed to MultiByteToWideChar are stored in an array called TLS in the thread-local area (S903).
- get_tag(x) is a function that reads the tag corresponding to address x, and set_tag(x, t) is a function that changes the value of the tag corresponding to address x to t.
- After the call returns, TLS[1] and TLS[2] stored in the thread-local area are referred to (S906), and tag propagation processing is performed based on the referenced data TLS[1] and TLS[2] (S907).
- the dynamic data flow analysis process addition unit 107 embeds the API data tracking code inline before and after the call instruction.
- Alternatively, the tracking process may be combined into a function and that function called; this adds the overhead of a function call but reduces the overall code size.
- the determination in S901 is shown as a linear search, but it is not limited to this; a search structure such as a hash table may be used.
- the dynamic data flow analysis process adding unit 107 performs the above process (S702 to S705) for all instructions included in the basic block (S706).
- In this embodiment, tag propagation is performed immediately after the function call according to the API signature, rather than one instruction at a time inside the API function: the propagation that would otherwise happen sequentially inside the API function is omitted and carried out all at once (propagation in a lump). Therefore, the execution speed of dynamic data flow analysis can be increased.
- This is especially effective when the target shared library is relatively small, so that an API signature can be defined for all functions implemented in the shared library, and when the functions implemented in the shared library have no callbacks into user-written code.
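The signature-driven propagation of Embodiment 1, as an added example that is not part of the patent: a Python simulation in which the library body is a constructed stand-in for MultiByteToWideChar (it widens each byte to a 16-bit unit; the real kernel32.dll function is not executed), the shadow memory, the address map entry and the signature table are assumed data structures, and `demo` contrasts per-instruction propagation inside the library with the single propagation performed after the call from the arguments saved in the thread-local area.

```python
"""Embodiment 1 simulated: tag propagation by API signature instead of per instruction.
Added example, not the patent's code.  Shadow memory, address map entry, signature
table and the library body are all constructed for this illustration."""

CLEAN = 0           # default tag: data came in through no untrusted route
TAG_NET = 1 << 0    # data received over the network
TAG_FILE = 1 << 1   # data read from a document file

_tags = {}          # shadow memory: address (or register name) -> tag bitmask


def get_tag(x):
    """Read the tag attached to address or register x."""
    return _tags.get(x, CLEAN)


def set_tag(x, t):
    """Change the tag attached to address or register x to t."""
    if t == CLEAN:
        _tags.pop(x, None)
    else:
        _tags[x] = t


# API address map (FIG. 5 style): start address -> API function name (constructed entry).
API_ADDRESS_MAP = {0x7C809BF8: "MultiByteToWideChar"}

# API signature (FIG. 4 style), 0-based argument indices: arg2 = lpMultiByteStr,
# arg3 = cbMultiByte, arg4 = lpWideCharStr.  The return value is taken to be the number
# of 16-bit units written (assumption for this example).
API_SIGNATURES = {
    "MultiByteToWideChar": {"src_arg": 2, "src_len_arg": 3, "dst_arg": 4, "dst_unit": 2},
}


def fake_multibyte_to_widechar(mem, args, on_data_move):
    """Constructed library body.  on_data_move(src, dst) is called for every simulated
    data-movement instruction; it stands for the hook per-instruction tracking embeds."""
    src, n, dst = args[2], args[3], args[4]
    for i in range(n):
        b = mem[src + i]
        on_data_move(src + i, "eax")          # mov al, [esi]
        mem[dst + 2 * i] = b
        on_data_move("eax", dst + 2 * i)      # mov [edi], ax   (low byte)
        mem[dst + 2 * i + 1] = 0
        on_data_move("eax", dst + 2 * i + 1)  #                 (high byte)
        on_data_move("esi", "esi")            # inc esi
        on_data_move("edi", "edi")            # inc edi
        on_data_move("ecx", "ecx")            # dec ecx
    return n


def propagate_by_signature(name, args, ret):
    """One lump propagation after the call, from the saved arguments (S906/S907):
    every byte of the destination buffer gets the union of the source buffer's tags."""
    sig = API_SIGNATURES[name]
    src, n = args[sig["src_arg"]], args[sig["src_len_arg"]]
    merged = CLEAN
    for i in range(n):
        merged |= get_tag(src + i)
    dst, m = args[sig["dst_arg"]], ret * sig["dst_unit"]
    for i in range(m):
        set_tag(dst + i, merged)


def call_shared_library(target, args, mem, mode):
    """Return the number of tag-runtime invocations caused by the call.
    mode="full": propagate on every data move inside the library (the baseline).
    mode="api" : record the call in the thread-local area before it (S902/S903),
                 run the library untracked, propagate once afterwards (S906/S907)."""
    name = API_ADDRESS_MAP.get(target)        # S901: is the target an API function?
    if mode == "full" or name is None:
        events = [0]

        def hook(src, dst):
            events[0] += 1
            set_tag(dst, get_tag(src))        # S703: per-instruction propagation

        fake_multibyte_to_widechar(mem, args, hook)
        return events[0]
    tls = {"api": name, "args": list(args)}   # thread-local record of the call
    ret = fake_multibyte_to_widechar(mem, args, lambda src, dst: None)
    propagate_by_signature(tls["api"], tls["args"], ret)
    return 1


def demo(mode):
    """Convert a constructed 5-byte input whose first byte came from a file and the rest
    from the network.  Returns (runtime invocations, tags of the 10 output bytes)."""
    mem, src, dst = {}, 0x1000, 0x2000
    data = b"GET /"
    for i, b in enumerate(data):
        mem[src + i] = b
        set_tag(src + i, TAG_FILE if i == 0 else TAG_NET)
    # CodePage, dwFlags, lpMultiByteStr, cbMultiByte, lpWideCharStr, cchWideChar
    args = [65001, 0, src, len(data), dst, 64]
    events = call_shared_library(0x7C809BF8, args, mem, mode)
    out = [get_tag(dst + i) for i in range(2 * len(data))]
    _tags.clear()
    return events, out
```

`demo("full")` reports one runtime invocation per simulated data movement (30 for 5 bytes) and byte-precise tags, while `demo("api")` reports a single invocation but tags every output byte with the union of the input tags. That loss of precision is the price of propagating in a lump: nothing inside the function is observed, so the signature has to describe the function's data flow faithfully.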
- Embodiment 2. The second embodiment of the present invention is characterized in that two types of code are embedded in a basic block and the execution code is switched during execution.
- the configuration of the dynamic data flow analysis apparatus according to this embodiment is shown in FIG.
- the dynamic data flow analysis process adding unit 107 includes an API internal determination process embedding unit 1073, a return process embedding unit 1074, a function call process embedding unit 1075, a data tracking code embedding unit 1076, and an API stack 1077.
- the operation of the dynamic data flow analysis apparatus 100 in this configuration will be described with respect to differences from the first embodiment.
- In Embodiment 1, all functions in the shared library are defined in the API signature. In this embodiment, only some functions in the shared library are defined in the API signature, and only those functions defined in the API signature are API functions.
- the user code refers to a program other than the API function, that is, a program such as a function that is not defined in the API signature.
- the API stack 1077 is created in the thread local area when the program is executed.
- the API stack 1077 stores the history of the called function in the stack data format.
- the API stack 1077 holds an identifier of an API function or an identifier representing a user code.
- the API stack 1077 stores one identifier indicating that it is a user code in the initial state.
- the instrumentation unit 102 embeds two types of codes in the basic block.
- the two types of code are appropriately switched and executed.
- the execution code is switched based on whether or not the identifier of the record stored at the top of the API stack 1077 represents a user code.
- a basic block executed when representing a user code is called a full tracking code, and a code executed when representing an identifier of an API function is called an API tracking code.
- FIG. 11 shows an example of a basic block generated by this embodiment and a flow of its processing.
- “API internal determination processing” described in FIG. 11 is an instruction for examining the identifier of a record stored at the top of the API stack 1077.
- the conditional branch instruction immediately after the “API internal determination process” represents a branch that is true when the result of the “API internal determination process” is user code.
- In the full tracking code generation process, the dynamic data flow analysis process adding unit 107 extracts an instruction from the basic block and determines the type of the instruction. If the instruction is a data movement instruction (S1301: Yes), the data tracking code embedding unit 1076 executes the data tracking code embedding process (S1303). If the instruction is a call instruction (S1304: Yes), the function call process embedding unit 1075 executes the function call process embedding process (S1305). For a return instruction, the return process embedding unit 1074 executes the return process embedding process (S1307).
- the data tracking code embedding process (S1303) is the same process as in the first embodiment. Details of the function call process embedding process (S1305) and the return process embedding process (S1307) will be described below.
- the function call process embedding process is different from the API data tracking code embedding process (FIG. 7) of the first embodiment, and the following process is performed.
- When an identifier representing user code is stored at the top of the API stack 1077, it is determined whether the runtime value of the call destination address of the call instruction is a value defined in the API address map (FIG. 4). If it is defined, code is embedded that pushes onto the API stack 1077 a record consisting of the API function identifier, the address following the call instruction (the return address), and the argument values immediately before the call instruction (which are stored on the stack).
- When an identifier representing an API function is stored at the top of the API stack 1077, it is determined whether the runtime value of the call destination address of the call instruction is included in the address ranges stored in the shared library address list. When it is not included, that is, when the destination is determined to be user code, code is embedded that pushes onto the API stack 1077 a record consisting of an identifier indicating user code and the address following the call instruction (the return address).
- the function call processing embedding unit 1075 does not embed code after the call instruction.
- Tag propagation is instead performed based on the argument values stored in the record and the data flow information of the API signature specified by the identifier.
- the dynamic data flow analysis processing adding unit 107 performs the above processing (S1301 to S1307) for all the instructions included in the basic block (S1308).
- the code shown in FIG. 14 is an example of the execution code after the function call embedding process is performed on the execution code shown in FIG. 8B.
- When an identifier representing an API function is stored at the top of the API stack 1077 (S1403), it is determined whether the call destination of the call instruction is in the shared library address space. If it is not, the call is regarded as a callback to user code, and an identifier representing user code and the address following the call instruction are stored in the API stack 1077 (S1404).
- To do this, a function called “is_dll” is called; by referring to the shared library address list 106, the “is_dll” function determines whether the call destination of the call instruction is included in the shared library address space. In the present embodiment, it is assumed that the shared library address list 106 holds the addresses related to API functions.
- the return process embedding process will be specifically described with reference to FIG.
- the code shown in FIG. 15 is an example of the execution code after the return process embedding process is performed on the execution code of the call destination function.
- Immediately before the return instruction ret, the return address stored in the API stack 1077 is referenced (S1504), and it is determined whether it is the same as the return destination of the ret instruction (stored at the stack pointer esp) (S1501). If they are the same, the record is popped from the API stack 1077 (S1502). Further, when the identifier stored in the record represents an API function, tag propagation processing based on the data flow information defined in the API signature of that API function is performed in the same manner as in the first embodiment (S1503).
- FIG. 16 is a flowchart showing the operation of generating the API tracking code. Compared to the operation of generating the full tracking code of FIG. 13, the difference is that nothing is executed in the case of a data movement instruction. That is, in the API tracking code, the data tracking code embedding process (S1303) is not performed. Therefore, in the API tracking code, tag propagation processing is not embedded at the time of a data movement command. The other processing (S1601 to S1608) is the same operation as when generating the full tracking code.
- tag propagation processing is not performed in the API tracking code. Therefore, in this embodiment, the tag propagation process in the function defined in the API signature can be omitted, and the execution speed of the dynamic data flow analysis is increased.
- the API stack 1077 is used to determine whether a function (API function) defined in the API signature is being executed. Therefore, when only a part of the functions in the shared library is defined in the API signature, the API tracking code is executed while a defined function executes. On the other hand, when a function that is not defined is executed, the full tracking code is executed, and tag propagation is performed by the code added by the data tracking code embedding process (S1303). Therefore, even if an API signature is defined only for a part of the functions implemented in the shared library, the analysis operates correctly. Since the API stack includes an identifier indicating whether or not user code is being executed, it also operates correctly when an API function has a callback to user code. However, because the processing is more complicated than in the first embodiment, the speed gain is smaller than that of the first embodiment.
- a function of a shared library that passes data to the callback function cannot be defined in the API signature. If such a function is defined, tag propagation processing is not performed within the function, and the data flow from the function to the callback is not tracked.
- Embodiment 3. The third embodiment of the present invention has a conservative function call processing embedding unit 1078 instead of the function call processing embedding unit 1075 of the second embodiment, as shown in FIG.
- the conservative function call processing embedding unit 1078 embeds conservative function call processing.
- FIG. 18 is a flowchart showing an operation in which the conservative function call process embedding unit 1078 embeds the conservative function call process.
- the conservative function call process embedding process differs from that of the second embodiment in the process of S1803. That is, it differs in that it is determined whether the tag of the argument that is the tag propagation source is the default value, that is, the initial value (clean), and the processing is changed based on the result of that determination.
- The other processes (S1801, S1802, S1804 to S1806) are the same as those in the second embodiment.
- In S1803, the API signature of the function is referred to, and it is determined whether the tag of the argument that is the tag propagation source is the default value (clean). If it is determined to be the default value, the API function identifier, return address, and arguments are pushed onto the API stack 1077 (S1804).
- the execution code shown in FIG. 19 is an example when the conservative function call processing embedding unit 1078 embeds the conservative function call processing in the execution code of FIG. 8B.
- the propagation source of the tag of the function MultiByteToWideChar is defined as only arg2 (third argument). Therefore, a tag corresponding to the address (esp-2 * 4) of arg2 is acquired, and when the value is a default value (S1901, “0” in FIG. 19), a record is pushed onto the API stack 1077.
- Embodiment 4 In the fourth embodiment of the present invention, a flag indicating whether or not data transfer by callback occurs is added to the API signature.
- the operation of the dynamic data flow analysis apparatus 100 in this configuration will be described with reference to the flowchart of FIG. 20 for parts that are different from the third embodiment.
- the API signature holds a flag indicating whether or not data can be transferred by callback.
- this flag is referred to (S2007); when it indicates that no data is transferred by the callback, the function is treated as passing no data through the callback even if the tag is not clean, and
- the API function identifier, return address, and arguments are pushed onto the API stack.
- Other processes (S2001 to S2006) are the same as those in the third embodiment.
- the API tracking code is executed more frequently than in the third embodiment. Therefore, the processing speed can be improved.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
- Stored Programmes (AREA)
Description
(1) Malicious code is loaded into the program from outside, mainly via the network.
(2) Control of the program is transferred to the loaded malicious code.
In the technique disclosed in Non-Patent Document 2, dynamic data flow analysis is used to determine whether the process transfers execution control to data read from an untrusted source (for example, data received via the Internet), and thereby to determine whether (2) has occurred. Through such processing, the user can detect and prevent buffer overflow attacks.
Embodiments of the present invention are described below with reference to the drawings.
First, an overview of the dynamic data flow analysis apparatus according to Embodiment 1 of the present invention is described with reference to FIG. 1. The dynamic data flow analysis apparatus 100 according to Embodiment 1 comprises a dynamic data flow analysis processing addition unit 107 and a storage unit 108. The dynamic data flow analysis apparatus according to this embodiment sets, on data within a process, a tag indicating the route by which that data was obtained, and propagates the tag in response to data transfers within the process, thereby dynamically tracking the data flow.
Embodiment 2 of the present invention is characterized by embedding two kinds of code into each basic block and switching between the execution codes at run time. FIG. 10 shows the configuration of the dynamic data flow analysis apparatus according to this embodiment. In the dynamic data flow analysis apparatus 100 according to Embodiment 2, the dynamic data flow analysis processing addition unit 107 comprises an API-internal determination processing embedding unit 1073, a return processing embedding unit 1074, a function call processing embedding unit 1075, a data tracking code embedding unit 1076, and an API stack 1077. The operation of the dynamic data flow analysis apparatus 100 in this configuration is described for the parts that differ from the first embodiment.
Embodiment 3 of the present invention has, as shown in FIG. 17, a conservative function call processing embedding unit 1078 in place of the function call processing embedding unit 1075 of Embodiment 2. The conservative function call processing embedding unit 1078 embeds conservative function call processing. Next, the operation of the dynamic data flow analysis apparatus 100 according to this embodiment is described for the parts that differ from the second embodiment.
Embodiment 4 of the present invention adds to the API signature a flag indicating whether data transfer by callback occurs. The operation of the dynamic data flow analysis apparatus 100 in this configuration is described with reference to the flowchart of FIG. 20 for the parts that differ from the third embodiment.
Claims (21)
- A dynamic data flow tracking method that dynamically tracks data flow by setting tags on data within a process and propagating the tags in response to data transfers within the process, the method comprising:
defining, as a signature, the specification of data transfer within a function included in a shared library; and
when a program calls a function defined in the signature, omitting at least part of the tag propagation within the function by referring to the signature.
- The dynamic data flow tracking method of claim 1, wherein the tags are propagated collectively at the time of the function call.
- The dynamic data flow tracking method of claim 1 or 2, wherein it is determined whether the execution code, that is, the code currently being executed, is included in the shared library, and at least part of the tag propagation is omitted based on the result of that determination.
- The dynamic data flow tracking method of claim 3, wherein whether the execution code is included in the shared library is determined by comparing the address information of the shared library in memory with the address information of the execution code.
- The dynamic data flow tracking method of claim 1 or 2, wherein:
when a function defined in the signature is called from a function not defined in the signature, its return address and argument values are saved as history information and a transition is made to a first state in which at least part of the tag propagation is omitted;
when, in the first state, a function is called at the address of a function not defined in the signature, its return address is saved as history information and a transition is made to a second state in which tag propagation is not omitted; and
on return from a function call, if the return destination matches the return address contained in the most recent history information, the most recent history information is removed, and, if in the first state, at least part of the tag propagation is omitted.
- The dynamic data flow tracking method of claim 5, wherein, when a function defined in the signature is called from a function not defined in the signature, the return address and argument values are saved as history information and the transition to the first state is made only if the tag of the data indicated in the signature as the tag propagation source is the default value.
- The dynamic data flow tracking method of claim 5, wherein:
the signature defines whether a callback from a function defined in the signature to a function not defined in the signature occurs and whether data passed to the function defined in the signature can be passed on through that callback; and
when the tag of the data indicated in the signature as the tag propagation source is the default value, or when the tag is not the default value and no data is passed through the callback, the return address and argument values are saved as history information and the transition to the first state is made.
- A program for causing a computer to execute a dynamic data flow tracking operation that dynamically tracks data flow by setting tags on data within a process and propagating the tags in response to data transfers within the process, the dynamic data flow tracking program:
defining, as a signature, the specification of data transfer within a function included in a shared library; and
when a program calls a function defined in the signature, omitting at least part of the tag propagation within the function by referring to the signature.
- The dynamic data flow tracking program of claim 8, wherein the tags are propagated collectively at the time of the function call.
- The dynamic data flow tracking program of claim 8 or 9, wherein it is determined whether the execution code, that is, the code currently being executed, is included in the shared library, and at least part of the tag propagation is omitted based on the result of that determination.
- The dynamic data flow tracking program of claim 10, wherein whether the execution code is included in the shared library is determined by comparing the address information of the shared library in memory with the address information of the execution code.
- The dynamic data flow tracking program of claim 8 or 9, wherein:
when a function defined in the signature is called from a function not defined in the signature, its return address and argument values are saved as history information and a transition is made to a first state in which at least part of the tag propagation is omitted;
when, in the first state, a function is called at the address of a function not defined in the signature, its return address is saved as history information and a transition is made to a second state in which tag propagation is not omitted; and
on return from a function call, if the return destination matches the return address contained in the most recent history information, the most recent history information is removed, and, if in the first state, at least part of the tag propagation is omitted.
- The dynamic data flow tracking program of claim 12, wherein, when a function defined in the signature is called from a function not defined in the signature, the return address and argument values are saved as history information and the transition to the first state is made only if the tag of the data indicated in the signature as the tag propagation source is the default value.
- The dynamic data flow tracking program of claim 12, wherein:
the signature defines whether a callback from a function defined in the signature to a function not defined in the signature occurs and whether data passed to the function defined in the signature can be passed on through that callback; and
when the tag of the data indicated in the signature as the tag propagation source is the default value, or when the tag is not the default value and no data is passed through the callback, the return address and argument values are saved as history information and the transition to the first state is made.
- A dynamic data flow tracking apparatus that dynamically tracks data flow by setting tags on data within a process and propagating the tags in response to data transfers within the process, the apparatus comprising:
storage means for storing a signature in which the specification of data transfer within a function included in a shared library is defined; and
dynamic data flow analysis processing addition means for adding tag propagation processing that, when a program calls a function defined in the signature, omits at least part of the tag propagation within the function by referring to the signature.
- The dynamic data flow tracking apparatus of claim 15, wherein the dynamic data flow analysis processing addition means adds, before and after the function call, the tag propagation processing that propagates the tags collectively at the time of the function call.
- The dynamic data flow tracking apparatus of claim 15 or 16, wherein the dynamic data flow analysis processing addition means determines whether the execution code, that is, the code currently being executed, is included in the shared library, and omits at least part of the tag propagation based on the result of that determination.
- The dynamic data flow tracking apparatus of claim 17, wherein the dynamic data flow analysis processing addition means determines whether the execution code is included in the shared library by comparing the address information of the shared library in memory with the address information of the execution code.
- The dynamic data flow tracking apparatus of claim 15 or 16, wherein the dynamic data flow analysis processing addition means:
adds to the calling program processing that, when a function defined in the signature is called from a function not defined in the signature, saves its return address and argument values as history information and transitions to a first state in which at least part of the tag propagation is omitted, and that, when in the first state a function is called at the address of a function not defined in the signature, saves its return address as history information and transitions to a second state in which tag propagation is not omitted; and
adds to the called program processing that, on return from a function call, removes the most recent history information if the return destination matches the return address contained in it and, if in the first state, refers to the signature and omits at least part of the tag propagation.
- The dynamic data flow tracking apparatus of claim 19, wherein the dynamic data flow analysis processing addition means adds to the calling program processing that, when a function defined in the signature is called from a function not defined in the signature, saves the return address and argument values as history information and transitions to the first state only if the tag of the data indicated in the signature as the tag propagation source is the default value.
- The dynamic data flow tracking apparatus of claim 19, wherein:
the signature information includes information on whether a callback from a function defined in the signature to a function not defined in the signature occurs and whether data passed to the function defined in the signature can be passed on through that callback; and
the dynamic data flow analysis processing addition means adds to the calling program processing that, when the tag of the data indicated in the signature as the tag propagation source is the default value, or when the tag is not the default value and no data is passed through the callback, saves the return address and argument values as history information and transitions to the first state.
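The following is an added example, not code from the patent or its applicant: a Python simulation of the API-stack tracking described for Embodiments 2 to 4 above and in claims 5 to 7 (history records, the first and second states, batch propagation on return, and the clean-tag and callback-flag checks). The tag values, the addresses, the sample signature table, the `EnumWithCallback` function and the policy names are constructed assumptions; of `MultiByteToWideChar`'s signature only the propagation-source index (arg2) comes from the description, the destination index is assumed.

```python
"""Simulation of signature-driven taint tracking with an API stack.
Added example; not the patent's code. Tags, addresses, the signature table
and the EnumWithCallback function are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLEAN = 0          # default (initial) tag: no recorded input route
TAG_NETWORK = 1    # constructed tag for "received from the network"


@dataclass(frozen=True)
class ApiSignature:
    """Data-transfer specification for one shared-library function."""
    sources: Tuple[int, ...]            # argument indices that are tag propagation sources
    dests: Tuple[int, ...]              # argument indices whose data receives the joined tag
    callback_passes_data: bool = False  # Embodiment 4 flag: input may reach a user callback


@dataclass
class StackRecord:
    """One API stack entry: function id, return address, arguments, user-code flag."""
    func: str
    ret_addr: int
    args: Tuple[int, ...]
    user_code: bool  # True for a callback frame (second state: nothing is omitted)


class Tracker:
    def __init__(self, signatures: Dict[str, ApiSignature], policy: str = "embodiment4"):
        assert policy in ("embodiment2", "embodiment3", "embodiment4")
        self.sig = signatures
        self.policy = policy
        self.tags: Dict[int, int] = {}     # shadow memory: data address -> tag
        self.api_stack: List[StackRecord] = []
        self.tracked_moves = 0             # moves handled by the full tracking code

    def tag_of(self, addr: int) -> int:
        return self.tags.get(addr, CLEAN)

    def omit_propagation(self) -> bool:
        """First state: the top record is a signature-defined API, not a callback."""
        return bool(self.api_stack) and not self.api_stack[-1].user_code

    def call(self, func: str, ret_addr: int, args: Tuple[int, ...]) -> str:
        """Function call; returns which tracking code runs inside: 'api' or 'full'."""
        sig = self.sig.get(func)
        if sig is None:
            # Undefined function called while inside an API: a callback into user code.
            if self.omit_propagation():
                self.api_stack.append(StackRecord(func, ret_addr, args, user_code=True))
            return "full"
        clean = all(self.tag_of(args[i]) == CLEAN for i in sig.sources)
        if self.policy == "embodiment2":    # push unconditionally
            push = True
        elif self.policy == "embodiment3":  # conservative: push only when sources are clean
            push = clean
        else:                               # also push when the callback carries no data
            push = clean or not sig.callback_passes_data
        if push:
            self.api_stack.append(StackRecord(func, ret_addr, args, user_code=False))
            return "api"
        return "full"

    def move(self, dst: int, src: int) -> bool:
        """One data copy by the executing code; returns True if it was tracked."""
        if self.omit_propagation():
            return False
        self.tracked_moves += 1
        self.tags[dst] = self.tag_of(src)
        return True

    def ret(self, target: int) -> None:
        """Return: pop a matching record and, for an API record, propagate in batch."""
        if not self.api_stack or self.api_stack[-1].ret_addr != target:
            return
        rec = self.api_stack.pop()
        if rec.user_code:
            return                            # back from the callback into the API
        sig = self.sig[rec.func]
        joined = CLEAN
        for i in sig.sources:
            joined |= self.tag_of(rec.args[i])
        for i in sig.dests:
            self.tags[rec.args[i]] = joined


SIGNATURES = {
    # Real Win32 function. Source index 2 (lpMultiByteStr) is from the description;
    # destination index 4 (lpWideCharStr) is an assumption of this example.
    "MultiByteToWideChar": ApiSignature(sources=(2,), dests=(4,)),
    # Hypothetical library function that hands its input to a user callback.
    "EnumWithCallback": ApiSignature(sources=(0,), dests=(), callback_passes_data=True),
}
IN_BUF, OUT_BUF, CB_ARG, USER_COPY = 0x1000, 0x2000, 0x3000, 0x4000  # constructed addresses


def run_convert(policy: str) -> Tuple[int, int]:
    """Network-tagged input through MultiByteToWideChar -> (tag of OUT_BUF, tracked moves)."""
    t = Tracker(SIGNATURES, policy)
    t.tags[IN_BUF] = TAG_NETWORK
    t.call("MultiByteToWideChar", 0x401010, (65001, 0, IN_BUF, 16, OUT_BUF, 16))
    t.move(OUT_BUF, IN_BUF)                         # the library's internal copy
    t.ret(0x401010)
    return t.tag_of(OUT_BUF), t.tracked_moves


def run_callback(policy: str, tainted: bool = True) -> Tuple[int, int]:
    """Input handed to a user callback by EnumWithCallback -> (tag of USER_COPY, tracked moves)."""
    t = Tracker(SIGNATURES, policy)
    if tainted:
        t.tags[IN_BUF] = TAG_NETWORK
    t.call("EnumWithCallback", 0x401020, (IN_BUF,))
    t.move(CB_ARG, IN_BUF)                          # library copies input for the callback
    t.call("user_callback", 0x7FF010, (CB_ARG,))    # callback: not in the signature
    t.move(USER_COPY, CB_ARG)                       # user code keeps a copy
    t.ret(0x7FF010)
    t.ret(0x401020)
    return t.tag_of(USER_COPY), t.tracked_moves


if __name__ == "__main__":
    for p in ("embodiment2", "embodiment3", "embodiment4"):
        print(p, "convert:", run_convert(p), "callback:", run_callback(p))
```

Under the `embodiment2` policy the callback scenario ends with `USER_COPY` still clean: the library's copy into the callback argument was skipped while the API record was on the stack, so the flow the description says is lost when such a function is defined in the signature is indeed lost. The `embodiment3` policy recovers it at the price of running the full tracking code inside the API whenever a source argument is tainted, and `embodiment4` keeps the cheap path for `MultiByteToWideChar` (tainted input, but no callback data transfer) while still falling back to full tracking for `EnumWithCallback`.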
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/321,753 US20120066698A1 (en) | 2009-05-20 | 2010-05-18 | Dynamic data flow tracking method, dynamic data flow tracking program, and dynamic data flow tracking apparatus |
JP2011514329A JP5459313B2 (ja) | 2009-05-20 | 2010-05-18 | 動的データフロー追跡方法、動的データフロー追跡プログラム、動的データフロー追跡装置 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2009-122345 | 2009-05-20 | ||
JP2009122345 | 2009-05-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010134325A1 true WO2010134325A1 (ja) | 2010-11-25 |
Family
ID=43126018
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2010/003346 WO2010134325A1 (ja) | 2009-05-20 | 2010-05-18 | 動的データフロー追跡方法、動的データフロー追跡プログラム、動的データフロー追跡装置 |
Country Status (3)
Country | Link |
---|---|
US (1) | US20120066698A1 (ja) |
JP (1) | JP5459313B2 (ja) |
WO (1) | WO2010134325A1 (ja) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014185165A1 (ja) * | 2013-05-16 | 2014-11-20 | 日本電信電話株式会社 | 情報処理装置、および、情報処理方法 |
JP2014225160A (ja) * | 2013-05-16 | 2014-12-04 | 日本電信電話株式会社 | 情報処理装置および情報処理方法 |
JP2016103299A (ja) * | 2011-01-07 | 2016-06-02 | アビニシオ テクノロジー エルエルシー | フロー分析計装 |
WO2020252698A1 (zh) * | 2019-06-19 | 2020-12-24 | 深圳开源互联网安全技术有限公司 | 一种数据流跟踪方法、系统、存储介质和服务器 |
CN116467712A (zh) * | 2023-04-23 | 2023-07-21 | 北京安普诺信息技术有限公司 | 动态污点追踪方法、装置及相关污点传播分析系统 |
Families Citing this family (152)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
JP4572259B1 (ja) * | 2009-04-27 | 2010-11-04 | 株式会社フォティーンフォティ技術研究所 | 情報機器、プログラム及び不正なプログラムコードの実行防止方法 |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8730826B2 (en) * | 2010-11-17 | 2014-05-20 | Ixia | Testing fragment reassembly |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9430646B1 (en) * | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
WO2014145805A1 (en) | 2013-03-15 | 2014-09-18 | Mandiant, Llc | System and method employing structured intelligence to verify and contain threats at endpoints |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
CN103440201B (zh) * | 2013-09-05 | 2016-05-18 | 北京邮电大学 | 动态污点分析装置及其在文件格式逆向解析中的应用 |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9292686B2 (en) | 2014-01-16 | 2016-03-22 | Fireeye, Inc. | Micro-virtualization architecture for threat-aware microvisor deployment in a node of a network environment |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9824214B2 (en) | 2014-08-15 | 2017-11-21 | Securisea, Inc. | High performance software vulnerabilities detection system and methods |
US9454659B1 (en) | 2014-08-15 | 2016-09-27 | Securisea, Inc. | Software vulnerabilities detection system and methods |
US10599852B2 (en) | 2014-08-15 | 2020-03-24 | Securisea, Inc. | High performance software vulnerabilities detection system and methods |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
EP2996034B1 (en) | 2014-09-11 | 2018-08-15 | Nxp B.V. | Execution flow protection in microcontrollers |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
EP3588900B1 (en) * | 2018-06-29 | 2022-10-05 | AO Kaspersky Lab | System and method of analyzing the content of encrypted network traffic |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
RU2706894C1 (ru) | 2018-06-29 | 2019-11-21 | Акционерное общество "Лаборатория Касперского" | Система и способ анализа содержимого зашифрованного сетевого трафика |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11108675B2 (en) | 2018-10-31 | 2021-08-31 | Keysight Technologies, Inc. | Methods, systems, and computer readable media for testing effects of simulated frame preemption and deterministic fragmentation of preemptable frames in a frame-preemption-capable network |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US12074887B1 (en) | 2018-12-21 | 2024-08-27 | Musarubra Us Llc | System and method for selectively processing content after identification and removal of malicious content |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
CN112306888B (zh) * | 2020-11-13 | 2022-05-10 | 武汉天喻信息产业股份有限公司 | 一种基于设备库文件接口的测试系统和方法 |
US11321218B1 (en) * | 2021-03-08 | 2022-05-03 | Correct Computation, Inc. | Automated generation of source code models from machine code for code analysis |
US20230095080A1 (en) * | 2021-09-30 | 2023-03-30 | Mcafee, Llc | Object inspection via operating system share function |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10289102A (ja) * | 1997-02-17 | 1998-10-27 | Nippon Steel Corp | プログラムのデータフロー解析装置 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6442752B1 (en) * | 1999-08-26 | 2002-08-27 | Unisys Corporation | Method, apparatus, and computer program product for replacing a dynamic link library (dll) of a first computing environment with a dll of a second computing environment that can be invoked from the first computing environment in a transparent manner |
US7644441B2 (en) * | 2003-09-26 | 2010-01-05 | Cigital, Inc. | Methods for identifying malicious software |
US7770154B2 (en) * | 2005-07-01 | 2010-08-03 | Oracle International Corporation | Lightweight highly available infrastructure to trace program execution |
2010
- 2010-05-18 WO PCT/JP2010/003346 patent/WO2010134325A1/ja active Application Filing
- 2010-05-18 US US13/321,753 patent/US20120066698A1/en not_active Abandoned
- 2010-05-18 JP JP2011514329A patent/JP5459313B2/ja not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10289102A (ja) * | 1997-02-17 | 1998-10-27 | Nippon Steel Corp | プログラムのデータフロー解析装置 |
Non-Patent Citations (2)
Title |
---|
SACHIKO YOSHIHAMA: "Language-based Information Flow Control in Dynamic Approach", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 48, no. 9, 15 September 2007 (2007-09-15), pages 3060 - 3072 * |
SATOSHI KATSUNUMA: "Adress Offset ni Chakumoku shita Data Flow Tsuiseki ni yoru Chunyu Kogeki no Kenshutsu", SYMPOSIUM ON ADVANCED COMPUTING SYSTEMS AND INFRASTRUCTURES SACSIS2006 RONBUNSHU, INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 2006, no. 5, 22 May 2006 (2006-05-22), pages 515 - 524 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016103299A (ja) * | 2011-01-07 | 2016-06-02 | Ab Initio Technology LLC | Flow analysis instrumentation |
WO2014185165A1 (ja) * | 2013-05-16 | 2014-11-20 | Nippon Telegraph and Telephone Corporation | Information processing device and information processing method |
JP2014225160A (ja) * | 2013-05-16 | 2014-12-04 | Nippon Telegraph and Telephone Corporation | Information processing device and information processing method |
JP6023317B2 (ja) * | 2013-05-16 | 2016-11-09 | Nippon Telegraph and Telephone Corporation | Information processing device and information processing method |
US10129275B2 (en) | 2013-05-16 | 2018-11-13 | Nippon Telegraph And Telephone Corporation | Information processing system and information processing method |
WO2020252698A1 (zh) * | 2019-06-19 | 2020-12-24 | Shenzhen Open Source Internet Security Technology Co., Ltd. | Data flow tracking method, system, storage medium and server |
CN116467712A (zh) * | 2023-04-23 | 2023-07-21 | Beijing Anpro Information Technology Co., Ltd. | Dynamic taint tracking method and device, and related taint propagation analysis system |
CN116467712B (zh) * | 2023-04-23 | 2023-12-01 | Beijing Anpro Information Technology Co., Ltd. | Dynamic taint tracking method and device, and related taint propagation analysis system |
Also Published As
Publication number | Publication date |
---|---|
JPWO2010134325A1 (ja) | 2012-11-08 |
JP5459313B2 (ja) | 2014-04-02 |
US20120066698A1 (en) | 2012-03-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5459313B2 (ja) | | Dynamic data flow tracking method, dynamic data flow tracking program, dynamic data flow tracking device |
US10891369B2 (en) | | Dynamic switching between pointer authentication regimes |
US11507669B1 (en) | | Characterizing, detecting and healing vulnerabilities in computer code |
US10102373B2 (en) | | Method and apparatus for capturing operation in a container-based virtualization system |
US8839215B2 (en) | | String cache file for optimizing memory usage in a java virtual machine |
WO2010134330A1 (ja) | | Branch prediction device, branch prediction method therefor, compiler, compilation method therefor, and branch prediction program recording medium |
WO2022180702A1 (ja) | | Analysis function assigning device, analysis function assigning program, and analysis function assigning method |
CN113961919B (zh) | | Malware detection method and device |
US10311233B2 (en) | | Generic unpacking of program binaries |
US9027145B2 (en) | | Method and apparatus for detecting leak of information resource of device |
JP6023317B2 (ja) | | Information processing device and information processing method |
KR101851330B1 (ko) | | Code reuse attack detection device and method |
JP5952218B2 (ja) | | Information processing device and information processing method |
KR100961146B1 (ko) | | Malicious script code decryption method and system |
WO2023067665A1 (ja) | | Analysis function assigning method, analysis function assigning device, and analysis function assigning program |
CN114491557A (zh) | | Java memory trojan threat detection method based on container environment |
CN114091111B (zh) | | Blockchain smart contract storage method and device |
US12050687B1 (en) | | Systems and methods for malware detection in portable executable files |
KR101003097B1 (ko) | | Polymorphic shellcode detection method |
JP6163678B2 (ja) | | Generic unpacking of program binaries |
JP2024072010A (ja) | | Program, instruction execution control device, and instruction execution control method |
WO2024137374A1 (en) | | Processor with delayed instruction pipeline flush |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 10777563 Country of ref document: EP Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2011514329 Country of ref document: JP |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 13321753 Country of ref document: US |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 10777563 Country of ref document: EP Kind code of ref document: A1 |