WO2024079803A1 - Vulnerability detection device, vulnerability detection method, and vulnerability detection program - Google Patents

Vulnerability detection device, vulnerability detection method, and vulnerability detection program Download PDF

Info

Publication number
WO2024079803A1
WO2024079803A1 PCT/JP2022/037943 JP2022037943W WO2024079803A1 WO 2024079803 A1 WO2024079803 A1 WO 2024079803A1 JP 2022037943 W JP2022037943 W JP 2022037943W WO 2024079803 A1 WO2024079803 A1 WO 2024079803A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
execution
virtual machine
instruction
branch
Prior art date
Application number
PCT/JP2022/037943
Other languages
French (fr)
Japanese (ja)
Inventor
利宣 碓井
裕平 川古谷
誠 岩村
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社 filed Critical 日本電信電話株式会社
Priority to PCT/JP2022/037943 priority Critical patent/WO2024079803A1/en
Publication of WO2024079803A1 publication Critical patent/WO2024079803A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to a vulnerability detection device, a vulnerability detection method, and a vulnerability detection program.
  • Dynamic testing includes software testing. Software testing is carried out by actually providing input values to the target program, running it, and observing its behavior.
  • code coverage also called code coverage rate. This evaluates the percentage of the code in the target program that has been tested.
  • Some dynamic tests use code coverage as an indicator to evaluate the progress of testing and to plan tests.
  • Fuzzing is a technique that discovers vulnerabilities by repeatedly generating or mutating input values while running the target program and observing the state of the program to search for inputs that cause problems such as crashes.
  • grey box fuzzing Unlike black box fuzzing, grey box fuzzing also observes the internal state of the program, i.e., the execution path, when it is executed. Grey box fuzzing then calculates the code coverage for the execution paths that have already been tested, and prioritizes the use of input values as seeds for generation and mutation so that this value is large.
  • Grey-box fuzzing allows for efficient searching for vulnerabilities in a wider range of programs.
  • Non-Patent Document 1 gray box fuzzing is used to discover vulnerabilities in web applications created with PHP scripts.
  • the method described in Non-Patent Document 1 measures code coverage by constructing an abstract syntax tree for the source code and implementing static instrumentation.
  • Non-Patent Document 2 employs gray box fuzzing to discover vulnerabilities in web applications written in JavaScript.
  • an abstract syntax tree is constructed for the JavaScript source code and static instrumentation is performed to measure code coverage, just like Non-Patent Document 1.
  • Non-Patent Documents 1 and 2 have the problem that it is not possible to comprehensively know all possible branches, so the code coverage for the branches must be estimated from other information.
  • the techniques described in Non-Patent Documents 1 and 2 are static instrumentation, so there is an issue that there are cases where code coverage cannot be measured, such as dynamically evaluated scripts.
  • the present invention has been made in consideration of the above, and aims to provide a vulnerability discovery device, a vulnerability discovery method, and a vulnerability discovery program that can realize gray box fuzzing based on accurate code coverage at runtime, without the need for manual individual analysis, design, and implementation, even for script engines that do not have support functions that can be used for code coverage measurement and whose internal specifications are unknown.
  • the vulnerability discovery device of the present invention is characterized by having a first analysis unit that analyzes the virtual machine of a script engine, a second analysis unit that analyzes the instruction set architecture, which is the instruction system of the virtual machine, to collect virtual machine instructions and determine the instruction contents of the collected virtual machine instructions, a calculation unit that constructs a first control flow graph showing an entire path based on the architecture information acquired by the first analysis unit and the second analysis unit, and a vulnerability discovery unit that mutates an input value based on the architecture information acquired by the first analysis unit and the second analysis unit, constructs a second control flow graph showing a path executed as a test by inputting the mutated input value to a script to be analyzed, calculates code coverage, which is the ratio of the path executed as the test to the entire path, and selects an input value based on the calculation result of the code coverage to perform fuzzing on the script to be analyzed executed on the virtual machine.
  • FIG. 1 is a diagram illustrating an example of the configuration of a script engine.
  • FIG. 2 is a diagram showing pseudo code of a VM included in the script engine.
  • FIG. 3 is a diagram illustrating an example of the configuration of a vulnerability detecting device according to an embodiment.
  • FIG. 4 is a diagram showing an example of a test script used to detect a virtual program counter (VPC).
  • FIG. 5 is a diagram showing an example of a test script used for detecting a branch VM instruction.
  • FIG. 6 is a diagram illustrating an example of an execution trace.
  • FIG. 7 illustrates an example of a VM execution trace.
  • FIG. 8 is a diagram illustrating the process of the VM instruction boundary detection unit.
  • FIG. 9 is a diagram for explaining the process of the virtual program counter detection unit.
  • FIG. 1 is a diagram illustrating an example of the configuration of a script engine.
  • FIG. 2 is a diagram showing pseudo code of a VM included in the script engine.
  • FIG. 10 is a diagram illustrating the process of the dispatcher detection unit.
  • FIG. 11 is a diagram illustrating the process of the code cache detection unit.
  • FIG. 12 is a diagram illustrating the process of the VM command determination unit.
  • FIG. 13 is a diagram illustrating the process of the VM branch trace construction unit.
  • FIG. 14 is a diagram for explaining the control flow graph construction unit.
  • FIG. 15 is a flowchart showing a processing procedure of the vulnerability discovering process according to the embodiment.
  • FIG. 16 is a flowchart showing a processing procedure of the vulnerability discovering process according to the embodiment.
  • FIG. 17 is a flowchart of the execution trace acquisition process shown in FIG.
  • FIG. 18 is a flowchart illustrating a procedure of the VM instruction boundary detection process illustrated in FIG. FIG.
  • FIG. 19 is a flowchart illustrating the processing procedure of the virtual program counter detection processing shown in FIG.
  • FIG. 20 is a diagram for explaining the dispatcher detection process shown in FIG.
  • FIG. 21 is a flowchart showing the procedure of the conditional branch flag detection process shown in FIG.
  • FIG. 22 is a flowchart illustrating the procedure of the code cache detection process shown in FIG.
  • FIG. 23 is a flowchart illustrating the procedure of the VM execution trace acquisition process illustrated in FIG. 15 .
  • FIG. 24 is a flowchart illustrating the procedure of the VM command collection process illustrated in FIG.
  • FIG. 25 is a flowchart illustrating a processing procedure of the VM command determination process shown in FIG.
  • FIG. 26 is a flowchart showing the procedure of the multi-path execution process shown in FIG. FIG.
  • FIG. 27 is a flowchart illustrating the procedure of the VM branch trace construction process illustrated in FIG. 15 .
  • FIG. 28 is a flowchart of the control flow graph construction process shown in FIG.
  • FIG. 29 is a flowchart showing the procedure of the mutation process shown in FIG.
  • FIG. 30 is a flowchart showing the procedure of the execution process shown in FIG.
  • FIG. 31 is a flowchart illustrating the procedure of the code coverage calculation process shown in FIG.
  • FIG. 32 is a diagram showing an example of a computer that realizes a vulnerability discovering device by executing a program.
  • the vulnerability detection device of the embodiment is a vulnerability detection device that can realize gray box fuzzing based on accurate code coverage at runtime, even for script engines that do not have support functions that can be used for code coverage measurement and whose internal specifications are unknown, without requiring individual manual analysis, design, and implementation.
  • the vulnerability discovery device executes test scripts while monitoring the binaries of the script engine, and obtains branch traces and memory access traces as execution traces.
  • the vulnerability discovery device analyzes the VM based on the execution traces, and obtains, as architecture information, VM instruction boundaries, a virtual program counter (VPC), a dispatcher, a conditional branch flag, and a code cache in which executed VM instructions are stored.
  • VPC virtual program counter
  • the vulnerability detection device executes the test script while monitoring the VPC and the dispatcher, and obtains a VM execution trace.
  • the vulnerability detection device collects VM instructions, determines the contents of the VM instructions, and obtains information on the instruction set architecture.
  • the vulnerability detection device constructs a first control flow graph that shows the entire path that was comprehensively executed in the multi-pass execution.
  • the vulnerability detection device then mutates the input values based on the acquired architecture information, and constructs a second control flow graph that shows the path that is executed by inputting the mutated input values into the script to be analyzed.
  • the vulnerability detection device calculates code coverage, selects input values based on the code coverage calculation results, and performs fuzzing on the script to be analyzed that is being executed on the VM. Code coverage is the ratio of paths executed as tests to the total paths.
  • the vulnerability detection device selectively chooses and mutates input values that will increase code coverage more based on the code coverage calculation results.
  • Figure 1 is a diagram for explaining an example of the configuration of a script engine.
  • script engine 1 has a bytecode compiler 2 and a VM 3.
  • bytecode compiler 2 has a syntax analysis unit 4 and a bytecode generation unit 5.
  • VM 3 has a code cache unit 6, a fetch unit 7, a decode unit 8, and an execution unit 9. These fetch unit 7, decode unit 8, and execution unit 9 are executed repeatedly and are called an interpreter loop. Then, script engine 1 accepts the input of a script.
  • the syntax analysis unit 4 receives the script as input, and through lexical and syntactic analysis generates an Abstract Syntax Tree (AST), which it outputs to the bytecode generation unit 5.
  • the bytecode generation unit 5 receives the AST as input, converts it into bytecode, and stores it in the code cache unit 6.
  • the fetch unit 7 fetches the VM opcode from the code cache unit 6 and outputs it to the decode unit 8.
  • the VM opcode refers to the opcode portion of the VM instruction.
  • the decode unit 8 receives the VM opcode as input, interprets the VM opcode using a decoder/dispatcher, and dispatches it to the corresponding program.
  • the execution unit 9 executes the program corresponding to the VM instruction. The contents written in the script are executed by executing the VM instructions one after another through a repeated interpreter loop.
  • FIG 2 is a diagram showing pseudocode for a VM in the script engine.
  • the pseudocode first initializes the VPC (line 1).
  • the while loop is the interpreter loop (line 2).
  • the VM opcode pointed to by the VPC is obtained from the code cache (line 3), and is decoded and dispatched using a Switch statement (lines 4, 5, and 7).
  • the program corresponding to the VM opcode that was dispatched is executed (lines 6 and 8).
  • a branch VM command is a VM command that causes a branch to occur within a script
  • a conditional branch flag is an area that holds a flag indicating whether or not a branch will be taken when a conditional branch occurs.
  • Fig. 3 is a diagram illustrating an example of the configuration of the vulnerability discovering device according to the embodiment.
  • the vulnerability discovery device 10 has an input unit 11, a control unit 12, a storage unit 13, and an output unit 14.
  • the vulnerability discovery device 10 accepts inputs of a test script, a script engine binary, and a script to be analyzed.
  • the input unit 11 is composed of input devices such as a keyboard and a mouse, and accepts information input from the outside and inputs it to the control unit 12.
  • the input unit 11 also has a communication interface for sending and receiving various information to and from other devices connected via a wired connection or a network, etc., and accepts input of information sent from other devices.
  • the input unit 11 accepts input of test scripts, script engine binaries, and scripts to be analyzed, and outputs them to the control unit 12.
  • the test script is a script that is input when dynamically analyzing the script engine to obtain an execution trace and a VM execution trace. Details of the test script are described later.
  • the script engine binary is an executable file that constitutes the script engine.
  • the script engine binary may be composed of multiple executable files.
  • the analysis target script is the script to be analyzed.
  • the control unit 12 has an internal memory for storing programs that define various processing procedures and the necessary data, and executes various processes using these.
  • the control unit 12 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit).
  • the control unit 12 has a virtual machine analysis unit 121 (first analysis unit), an instruction set architecture analysis unit 122 (second analysis unit), a calculation unit 123, and a vulnerability discovery unit 124.
  • the virtual machine analysis unit 121 analyzes the VM of the script engine.
  • the virtual machine analysis unit 121 obtains multiple execution traces by changing the conditions at run time, analyzes the multiple execution traces using differential execution analysis, and obtains VPCs and conditional branch flags.
  • the virtual machine analysis unit 121 also analyzes the script engine binary to obtain VM instruction boundaries and dispatchers.
  • the virtual machine analysis unit 121 detects a code cache from the VM execution trace.
  • the VM instructions to be executed are stored in the code cache.
  • the virtual machine analysis unit 121 has an execution trace acquisition unit 1211 (first acquisition unit), a VM instruction boundary detection unit 1212 (first detection unit), a virtual program counter detection unit 1213 (second detection unit), a dispatcher detection unit 1214 (third detection unit), a conditional branch flag detection unit 1215 (fourth detection unit), and a code cache detection unit 1216.
  • the execution trace acquisition unit 1211 accepts the test script and the script engine binary as input.
  • the execution trace acquisition unit 1211 acquires an execution trace by executing the test script while monitoring the execution of the script engine binary.
  • An execution trace consists of a branch trace and a memory access trace.
  • a branch trace records the type of branch instruction at the time of execution, the branch source address, and the branch destination address.
  • a memory access trace records the type of memory operation and the memory address of the operation target. It is known that branch traces and memory access traces can be acquired by instruction hooks.
  • the execution trace acquired by the execution trace acquisition unit 1211 is stored in the execution trace DB 131.
  • the VM instruction boundary detection unit 1212 clusters the execution traces to detect the boundaries of each VM instruction.
  • the VM instruction boundary detection unit 1212 clusters the execution traces to detect clusters with a threshold or more of execution counts as VM instructions. In clustering, consecutive code regions that are executed multiple times are detected. For example, executed instructions that are close in distance to each other in the code may be grouped together, common subsequences of executed code blocks may be searched for, or other methods may be used.
  • the vulnerability discovery device 10 detects the start and end points of consecutive instruction sequences that make up the detected VM instruction as boundaries.
  • the VM instruction boundaries detected here are used in VPC detection and dispatcher detection.
  • the virtual program counter detection unit 1213 extracts and analyzes the execution trace for the first test script stored in the execution trace DB 131 to detect the VPC.
  • the virtual program counter detection unit 1213 analyzes multiple execution traces using differential execution analysis focusing on the number of memory reads and the boundaries of each VM instruction detected by the VM instruction boundary detection unit 1212 to detect the VPC.
  • the virtual program counter detection unit 1213 makes use of the fact that a read into the memory that holds the VPC always occurs after the execution of each VM instruction, and detects the VPC by discovering the destination of this read.
  • the virtual program counter detection unit 1213 uses differential execution analysis that focuses on the number of memory reads to detect VPCs.
  • the virtual program counter detection unit 1213 compares execution traces of multiple test scripts acquired using the test scripts, and finds memories whose memory read counts change in proportion to both the increase or decrease in the number of repetitions and the number of repeated statements.
  • the virtual program counter detection unit 1213 then refers to the boundaries of each VM instruction detected by the VM instruction boundary detection unit 1212, and narrows down the memory values that have been read to those that always point to the start point of the VM instruction.
  • the virtual program counter detection unit 1213 detects this memory as a VPC.
  • the dispatcher detection unit 1214 extracts each VM instruction portion from the script engine binary based on the boundaries of the VM instructions detected by the VM instruction boundary detection unit 1212, and detects the portions with high similarity between each VM instruction as dispatchers.
  • the dispatcher is realized by referencing the pointer cache and jumping to the pointer of the next VM instruction handler.
  • Dispatchers are placed in a distributed manner at the rear of each VM instruction handler, and the code therein is generally highly identical.
  • the vulnerability discovery device 10 detects dispatchers using a predetermined method by searching for code with high similarity that exists at the rear of such VM instruction handlers. To detect the portions with high similarity, for example, a series alignment algorithm may be used, or other methods may be used.
  • the conditional branch flag detection unit 1215 extracts and analyzes the execution trace for the second test script stored in the execution trace DB 131 to discover the conditional branch flag.
  • the conditional branch flag detection unit 1215 analyzes multiple execution traces using differential execution analysis that focuses on the number of times memory is read, and detects the conditional branch flag.
  • the conditional branch flag detection unit 1215 executes conditional branches in various patterns, and detects the memory that stores the conditional branch flag by comparing the pattern of memory changes at that time with the conditional branch pattern in the test script.
  • the code cache detection unit 1216 detects the code cache, which is a cache in which the VM instructions to be executed are stored, from the VM execution trace based on the execution trace, VPC, and VM execution trace.
  • the code cache detection unit 1216 detects the memory area pointed to by the VPC as a code cache from the VM execution trace.
  • the code cache detection unit 1216 detects the code location from which the memory allocation function that allocated this code cache was called from the execution trace.
  • the code cache detection unit 1216 detects all memory areas allocated at this code location from the VM execution trace as code caches.
  • the code cache detection unit 1216 detects code locations that are writing to the code cache from the execution trace.
  • the code cache detection unit 1216 detects writing by these code locations in the VM execution trace as updates to the code cache.
  • the instruction set architecture analysis unit 122 analyzes the instruction set architecture, which is the system of VM instructions.
  • the instruction set architecture analysis unit 122 collects VM instructions. It determines the instruction content of the collected VM instructions.
  • the instruction set architecture analysis unit 122 has a VM execution trace acquisition unit 1221 (second acquisition unit), a VM instruction collection unit 1222 (first collection unit), and a VM instruction determination unit 1223 (first determination unit).
  • VM execution trace acquisition unit 1221 accepts test scripts and script engine binaries as input.
  • VM execution trace acquisition unit 1221 acquires VM execution traces by monitoring VPCs and pointers to VM instruction handlers dispatched by the dispatcher.
  • VM execution trace acquisition unit 1221 acquires VM execution traces, which are execution traces executed on a VM, by executing test scripts while monitoring the execution of script engine binaries.
  • VM execution trace acquisition unit 1221 executes multiple test scripts to acquire VM execution traces.
  • VM execution trace acquisition unit 1221 links pointers to VM instructions with VM instructions, and virtually assigns VM opcodes as identifiers to each.
  • a VM execution trace is an execution trace executed in a VM, to which a VM opcode is virtually assigned as an identifier, and which records a pointer to the executed VM handler and a VPC.
  • a VM execution trace records a pointer to an executed VM instruction handler and a VPC.
  • a VM execution trace is composed of a VPC and a VM opcode for each executed VM instruction.
  • the VPC can be recorded by monitoring the memory of the VPC detected by the virtual program counter detection unit 1213.
  • a VM opcode is an identifier virtually assigned to each of the pointer to the VM instruction and the VM instruction that are linked together.
  • the VM execution trace acquired by the VM execution trace acquisition unit 1221 is stored in the VM execution trace DB 133.
  • the VM command collection unit 1222 receives the VPC and dispatcher as input, executes the script while monitoring the VPC and dispatcher, and obtains the VM execution trace.
  • the VM command collection unit 1222 collects VM commands from the VM execution trace.
  • the VM instruction determination unit 1223 determines the instruction content of the VM instructions collected by the VM instruction collection unit 1222.
  • the VM instruction determination unit 1223 detects branch VM instructions based on the variation in the amount of change in VPC for each VM opcode in the VM execution trace.
  • the VM instruction determination unit 1223 retrieves and analyzes the VM execution traces stored in the VM execution trace DB 133 to determine whether the VM instruction is a branch VM instruction. For each VM opcode assigned as an identifier, the VM instruction determination unit 1223 collects the amount of change in VPC before and after its execution. If the VM opcode is other than a branch VM instruction, the amount of change in VPC is almost constant. On the other hand, if the VM opcode is a branch VM instruction, the VPC varies depending on the branch destination.
  • the VM instruction determination unit 1223 therefore determines whether an instruction is a branch VM instruction based on the variance in the amount of change in the virtual program counter for each VM opcode in the VM execution trace.
  • the VM instruction determination unit 1223 focuses on the fact that the amount of variance in the VPC value differs between branch VM instructions and other VM instructions, determines a threshold value, and determines instructions with greater variance in the VPC value as branch VM instructions.
  • the VM instruction determination unit 1223 evaluates the variance in the amount of change in the VPC for each VM opcode using variance, and determines instructions with variance equal to or greater than a certain threshold as branch VM instructions.
  • the VM instruction determination unit 1223 determines which of the branch VM instructions are conditional branch VM instructions. When a conditional branch occurs, access to a conditional branch flag is always generated to determine the branch destination. Therefore, a conditional branch VM instruction can be determined by verifying whether the conditional branch flag is accessed when each branch VM instruction is executed. In other words, if the conditional branch flag is accessed when a branch VM instruction is executed, it can be determined that it is a conditional branch VM instruction, and if it is not accessed, it is not a conditional branch VM instruction. Therefore, the VM instruction determination unit 1223 determines that, among the branch VM instructions, those that involve access to a conditional branch flag are conditional branch VM instructions based on the VM execution trace and memory access trace.
  • the VM instruction determination unit 1223 also determines call and return VM instructions.
  • a branch caused by a call VM instruction is characterized in that the address immediately following the caller's bytecode is saved, and after the called subroutine is executed, the return VM instruction returns to that saved address.
  • the VM instruction determination unit 1223 determines that the pair of instructions 1 and 2 are call and return VM instructions.
  • the calculation unit 123 constructs a first control flow graph that indicates the entire path comprehensively executed by multi-pass execution, based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122.
  • the calculation unit 123 has a multi-pass execution unit 1231 (first execution unit), a VM branch trace construction unit 1232 (first construction unit), and a control flow graph construction unit 1233 (second construction unit).
  • the multi-path execution unit 1231 performs multi-path execution of the script to be analyzed while acquiring a VM execution trace based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122.
  • the multi-path execution unit 1231 monitors the VPC and VM instructions, and executes the script to be analyzed while acquiring a VM execution trace.
  • the multi-path execution unit 1231 forks the execution state for each conditional branch instruction, leaving one as is and rewriting the conditional branch flag for the other, thereby performing multi-path execution by comprehensively executing multiple execution paths.
  • the VM branch trace construction unit 1232 detects branch VM instructions from the VM execution trace 41, which records the opcodes and VPCs of executed VM instructions, and constructs a VM branch trace that associates the VPCs before and after the execution of the detected branch VM instructions.
  • the VM branch trace construction unit 1232 detects the branch VM instruction that was actually executed from the VM execution trace acquired by the multi-path execution unit 1231, and constructs a first VM branch trace that associates the VPC before and after the execution of the detected branch VM instruction.
  • the control flow graph construction unit 1233 uses the VM branch trace to construct a control flow graph in which basic blocks are nodes and branches resulting from execution of branch VM instructions are edges.
  • the control flow graph construction unit 1233 constructs a first control flow graph based on the first VM branch trace.
  • the first control flow graph is constructed based on information that was actually executed in multi-path execution, and is therefore a complete control flow graph in which all paths are shown.
  • the control flow graph construction unit 1233 may also construct the graph by scanning the detected code cache and taking into account branch instructions that were not actually executed.
  • the vulnerability discovery unit 124 constructs a second control flow graph indicating paths executed as tests based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122.
  • the vulnerability discovery unit 124 calculates code coverage based on the first control flow graph and the second control flow graph. Code coverage is the ratio of paths executed as tests to all paths. Based on the calculation result of code coverage, the vulnerability discovery unit 124 selectively chooses and mutates input values that will increase code coverage, and performs fuzzing on the analysis target script executed on the VM.
  • the vulnerability detection unit 124 has a mutation unit 1241, a fuzzing execution unit 1242 (second execution unit), a VM branch trace construction unit 1243 (third construction unit), a control flow graph construction unit 1244 (fourth construction unit), and a code coverage calculation unit 1245 (first calculation unit).
  • the mutation unit 1241 accepts a seed input value and mutates the input value.
  • the input value is a value to be input to the script to be analyzed. If the code coverage increases above a predetermined value, the vulnerability discovery unit 124 selects the mutated input value and adds it to a dictionary of input values. The mutation unit 1241 mutates the input value based on the dictionary to which the mutated input value has been added.
  • the fuzzing execution unit 1242 executes the test target based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122.
  • the fuzzing execution unit 1242 inputs the input value mutated by the mutation unit 1241 to the analysis target script and executes the test while acquiring a VM execution trace.
  • the fuzzing execution unit 1242 records the VM instructions executed during this execution and acquires the VM execution trace.
  • the VM branch trace construction unit 1243 detects the branch VM instruction that was actually executed as a test from the VM execution trace acquired by the fuzzing execution unit 1242, and constructs a second VM branch trace that associates the VPC before and after the execution of the detected branch VM instruction.
  • the control flow graph construction unit 1244 constructs a second control flow graph based on the second VM branch trace, in which basic blocks are nodes and branches resulting from execution of branch VM instructions are edges.
  • the code coverage calculation unit 1245 calculates code coverage based on the first control flow graph and the second control flow graph.
  • the code coverage calculation unit 1245 calculates, as code coverage, the ratio of the number of nodes and/or edges of the second control flow graph to the number of nodes and edges of the first control flow graph.
  • the storage unit 13 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and stores the processing program that operates the vulnerability detection device 10 and data used during execution of the processing program.
  • the storage unit 13 has an execution trace database (DB) 131, a VM execution trace DB 133, and an architecture information DB 132 that stores architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122.
  • DB execution trace database
  • the execution trace DB 131 and the VM execution trace DB 133 store the execution traces and VM execution traces acquired by the execution trace acquisition unit 1211 and the VM execution trace acquisition unit 1221, respectively.
  • the execution trace DB 131 and the VM execution trace DB 133 are managed by the vulnerability discovery device 10.
  • the execution trace DB 131 and the VM execution trace DB 133 may be managed by other devices (servers, etc.), in which case the execution trace acquisition units 1211 and 1221 output the acquired execution traces and VM execution traces to management servers, etc., of the execution trace DB 131 and the VM execution trace DB 133 via the communication interface of the output unit 14, and store them in the execution trace DB 131 and the VM execution trace DB 133.
  • the output unit 14 is, for example, an LCD display or a printer, and outputs various information including information related to the vulnerability detection device 10.
  • the output unit 14 may also be an interface that handles the input and output of various data between an external device, and may output various information to an external device.
  • test script configuration Let us now explain the test script.
  • a test script is a script that is input when dynamically analyzing a script engine. This test script focuses on the number of branch instruction executions and memory reads and writes, and is used to capture the difference in the behavior of the script engine that occurs when the test script is executed a different number of times. This test script is prepared in advance of the analysis and is created manually. Creating it requires knowledge of the specifications of the target script language.
  • Figure 4 shows an example of a test script (first test script) used to detect VPCs.
  • the first test script uses a repetitive process (line 2).
  • the first test script changes the execution conditions and generates differences by increasing or decreasing the number of repetitions (line 2) and the number of repeated statements (lines 3 to 5) in the test script.
  • FIG. 5 is a diagram showing an example of a test script (second test script) used to detect branch VM instructions.
  • the second test script uses multiple conditional branches (lines 4 to 8).
  • the branch conditions are controlled so that the multiple conditional branches are either taken or not taken in a specific order pattern (lines 1 and 5).
  • the number of conditional branches and the order pattern of branch success or failure are changed to generate differences.
  • Fig. 6 is a diagram showing an example of an execution trace. As described above, an execution trace is composed of a branch trace and a memory access trace. Fig. 6 shows an excerpt of an execution trace. The structure of an execution trace will be described below with reference to Fig. 6.
  • Trace indicates whether the log line is a branch trace or a memory access trace.
  • a branch trace log line has the format shown, for example, in lines 1 to 10 of Figure 6, and consists of three elements: type, src, and dst.
  • type indicates whether the executed branch instruction was a call instruction, a jmp instruction, or a ret instruction.
  • src indicates the address of the branch source, and dst indicates the address of the branch destination.
  • a log line of a memory access trace has the format shown, for example, in lines 11 to 13 of Figure 6, and consists of three elements: type, target, and value.
  • Type indicates whether the memory access is a read or write.
  • Target indicates the memory address that is the target of the memory access. Value stores the result of the memory access.
  • Fig. 7 is a diagram showing an example of a VM execution trace.
  • a VM execution trace is a record of a VM opcode and a VPC.
  • Fig. 7 shows a part of a VM execution trace. The configuration of a VM execution trace will be described below with reference to Fig. 7.
  • a log line of a VM execution trace is, for example, in the format shown in Figure 7, and consists of two elements: vpc and vmop (vm opcode).
  • vpc indicates the value of the VPC.
  • vmop indicates the value of the VM opcode that is virtually assigned to each pointer that points to the beginning of the VM instruction handler to be executed, obtained from the pointer cache.
  • the VM instruction boundary detection unit 1212 detects the boundaries of each VM instruction. At this time, the VM instruction boundary detection unit 1212 detects VM instructions and their boundaries for threaded code type VMs, which do not have an interpreter loop and therefore make it difficult to grasp the boundaries of VM instructions. Specifically, the VM instruction boundary detection unit 1212 extracts execution traces from the execution trace DB 131. Then, as shown in FIG. 8, the VM instruction boundary detection unit 1212 clusters the execution traces using a predetermined method, and detects clusters with a threshold or more of execution counts as VM instructions (e.g., VM instruction handlers 1 to 3). The VM instruction boundary detection unit 1212 detects the start and end points of the consecutive instruction strings that make up a VM instruction as boundaries.
  • VM instructions e.g., VM instruction handlers 1 to 3
  • the virtual program counter detection unit 1213 detects the VPC and the pointer cache. The detection of the virtual program counter is realized by analyzing the log of the memory access trace of the acquired execution trace. The virtual program counter detection unit 1213 uses differential execution analysis focusing on the number of times memory is read.
  • FIG. 9 is a diagram for explaining the processing of the virtual program counter detection unit 1213.
  • the virtual program counter detection unit 1213 extracts one execution trace by the first test script from the execution trace DB 131.
  • the number of times the VPC is read is proportional to the number of repetitions in the test script and the number of statements in the repetitive process. If the number of repetitions is N and the number of repeated statements is M, then approximately MN VPC reads will occur. For this reason, the virtual program counter detection unit 1213 extracts memory that has increased by 4MN and 9MN in the execution trace for the first test script in which N and M have been increased to 2N and 2M, respectively, and 3N and 3M. Specifically, as shown in FIG. 9, the virtual program counter detection unit 1213 extracts memory areas that have a monotonically increasing read/write for each VM instruction execution ((1) in FIG. 9).
  • the virtual program counter detection unit 1213 detects as a VPC a memory value that has been read and that always points to the start point of a VM instruction. Specifically, the virtual program counter detection unit 1213 compares the VPC's pointing destination with the address of the VM instruction handler, and narrows it down to matching memory areas ((2) in FIG. 9).
  • the dispatcher detection unit 1214 detects a dispatcher by analyzing the binary of the script engine using a predetermined method.
  • FIG. 10 is a diagram for explaining the process of the dispatcher detection unit 1214.
  • the dispatcher detection unit 1214 detects dispatchers. Based on the boundaries of VM instructions detected by the VM instruction boundary detection unit 1212, the dispatcher detection unit 1214 extracts each VM instruction portion from the script engine binary. Then, based on the assumption that the similarity of dispatcher code is high ((1) in FIG. 10), the dispatcher detection unit 1214 calculates the similarity between the codes of each VM instruction and detects the portion with high similarity between all VM instructions as a dispatcher. The dispatcher detection unit 1214 can detect the code that is commonly executed in the latter half of the VM instructions as a dispatcher ((1) in FIG. 10).
  • the code cache detection unit 1216 detects the memory area pointed to by the VPC as a code cache from the VM execution trace ((1) in FIG. 11).
  • the code cache detection unit 1216 detects the code location that called the memory allocation function that allocated this code cache from the execution trace ((2) in FIG. 11).
  • the code cache detection unit 1216 detects all memory areas allocated at this code location from the VM execution trace as code caches ((3) in FIG. 11).
  • the code cache detection unit 1216 detects the code location that is writing to the code cache from the execution trace ((4) in FIG. 11). The code cache detection unit 1216 detects the writing by this code location in the VM execution trace as an update to the code cache ((5) in FIG. 11).
  • the VM instruction determination unit 1223 determines a branch VM instruction by analyzing the acquired VM execution trace log.
  • the test script here may be any script that includes a branch VM instruction and that includes a branch control syntax.
  • the test script is prepared by collecting information from the Internet or obtaining information from official documents.
  • the VM instruction determination unit 1223 associates a pointer to a VM instruction with a VM instruction for each VM execution trace in the VM execution trace DB 133, and virtually assigns a VM opcode as an identifier to each of them.
  • Figure 12 is a diagram explaining the processing of the VM instruction determination unit 1223.
  • a VM instruction is a branch instruction
  • the advance of the VPC changes depending on the branch destination.
  • the advance of the VPC changes depending on the size of the VM instruction. For this reason, when pairs of VM instruction opcodes and pointers to VM instructions are collected and the advance of the VPC is examined for each opcode, if it is a branch instruction, the advance of the VPC will vary depending on the branch destination.
  • the VM instruction determination unit 1223 uses variance to evaluate the variance of the pointer to this VM instruction.
  • the VM instruction determination unit 1223 calculates the variance of the amount of change in the VPC for each VM opcode, and narrows it down to only VM opcodes whose calculated variance is greater than a threshold value. In this way, the VM instruction determination unit 1223 associates the pointer with the VM instruction, and determines that a VM instruction with variance in the advance of the VPC (VM instruction handler 3 in the example of FIG. 12) is a branch VM instruction ((1) in FIG. 12).
  • the threshold value is set to a value that can divide the two groups that result by plotting the obtained variance value on a number line, for example.
  • VM branch trace construction unit 1232 and 1243 are a description of the processing of the VM branch trace construction units 1232 and 1243.
  • Fig. 13 is a diagram for explaining the processing of the VM branch trace construction units.
  • the VM branch trace construction units 1232 and 1243 detect a branch VM instruction from the VM execution trace 41 that records the opcode of the executed VM instruction and the VPC ((1) in FIG. 13).
  • the branch VM instruction can be recognized by referring to the branch VM instruction list 42 detected by the VM instruction determination unit 1223.
  • the VM branch trace construction units 1232, 1243 construct a VM branch trace 43 that associates the VPCs before and after the execution of the detected branch VM instruction ((2) in FIG. 13).
  • the VM branch trace construction units 1232, 1243 detect the branch VM instruction "0x1f" from line R41 of the VM execution trace, and construct the VM branch trace shown in line R61 based on line R41 and line R42, which is the line that follows line R42. That is, the VM branch trace construction units 1232, 1243 associate the branch source VPC "0x555c7e48" of line R41 with the branch source VPC "0x555c82a0" of line R42.
  • the VM branch trace construction units 1232, 1243 detect the branch VM instruction "0x21" from line R51 of the M execution trace, they associate the VPC "0x555c832c" of line R51 with the VPC "0x555c7514" of line R52 based on this line R51 and the next line R52 (line R71).
  • Control flow graph construction part 14 is a diagram illustrating the processing of the control flow graph construction units 1233, 1244.
  • the control flow graph construction units 1233, 1244 use the VM branch trace 43 constructed in the VM branch trace construction process to construct a control flow graph in which basic blocks are nodes and each branch of the VM branch trace 43 is an edge ((1) in FIG. 14).
  • control flow graph construction units 1233 and 1244 designate the branch shown in row R61 of the VM branch trace 43 as edge E61, the basic block from which edge E61 branches as node N61, and the basic block to which edge E61 branches as node N62.
  • the branch shown in row R71 of VM branch trace 43 is edge E71, the subblock from which edge 71 branches is node N71, and the basic block to which edge E71 branches is node N72.
  • edge E71 the branch shown in row R71 of VM branch trace 43
  • the subblock from which edge 71 branches is node N71
  • the basic block to which edge E71 branches is node N72.
  • node N71 has a branch shown in edge E72, and the basic block to which this branch is directed is indicated by node N73.
  • the control flow graph construction units 1233 and 1244 construct a control flow graph that expresses the branching of basic blocks in a graph structure based on the VM branch trace.
  • Fig. 15 and Fig. 16 are flowcharts showing the procedure of vulnerability discovering processing according to the embodiment.
  • the input unit 11 receives a test script and a script engine binary as input (step S1).
  • the execution trace acquisition unit 1211 performs an execution trace acquisition process in which the test script is executed while monitoring the binary of the script engine to acquire branch traces and memory access traces (step S2).
  • the VM instruction boundary detection unit 1212 detects VM instructions and performs VM instruction boundary detection processing to detect VM instruction boundaries (step S3).
  • the virtual program counter detection unit 1213 extracts and analyzes the execution trace for the first test script stored in the execution trace DB 131, and performs virtual program counter detection processing to discover the VPC (step S4).
  • the dispatcher detection unit 1214 performs dispatcher detection processing to extract each VM command portion from the script engine binary and detect the portion with high similarity between each VM command as a dispatcher (step S5).
  • the conditional branch flag detection unit 1215 performs a conditional branch detection process to extract and analyze the execution trace for the second test script stored in the execution trace DB 131 and discover the conditional branch flag (step S6).
  • the code cache detection unit 1216 performs a code cache detection process based on the execution trace and VPC to detect the area of the code location from which the memory allocation function was called as a code cache, and to detect the area in which writing is being done to the code location area as an update to the code cache (step S7).
  • the VM execution trace acquisition unit 1221 receives the test script and the script engine binary as input, and executes the test script while monitoring the execution of the script engine binary, thereby performing a VM execution trace acquisition process to acquire a VM execution trace (step S8).
  • the VM instruction collection unit 1222 performs a VM instruction collection process to acquire VM instructions from the VM execution trace (step S9).
  • the VM instruction determination unit 1223 performs a VM instruction determination process to determine the instruction content of the collected VM instructions (step S10).
  • the input unit 11 accepts input of a script to be analyzed (step S11).
  • the multi-pass execution unit 1231 executes the script to be analyzed in multiple passes while acquiring a VM execution trace, based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122 (step S12).
  • the VM branch trace construction unit 1232 detects a branch VM instruction from the VM execution trace, and executes a VM branch trace construction process to construct a VM branch trace that associates VPCs before and after the execution of the detected branch VM instruction (step S13). In step S13, the VM branch trace construction unit 1232 constructs a first VM branch trace based on the multi-path execution by the multi-path execution unit 1231.
  • the control flow graph construction unit 1233 performs a control flow graph construction process to construct a control flow graph using the VM branch trace (step S14). In step S14, the control flow graph construction unit 1233 constructs a first control flow graph based on the first VM branch trace.
  • the vulnerability discovery unit 124 accepts the input of a seed input value (step S15) and creates a dictionary of input values (step S16).
  • the mutation unit 1241 performs a mutation process to mutate the input value to be input to the analysis target script (step S17).
  • the fuzzing execution unit 1242 inputs the input value mutated by the mutation unit 1241 to the analysis target script and performs an execution process to execute a test while acquiring a VM execution trace (step S18).
  • the vulnerability discovery unit 124 determines whether a problem such as a crash has occurred (step S19). If a problem such as a crash has occurred (step S19: Yes), the vulnerability discovery unit 124 outputs the input value that caused the problem (step S25).
  • step S19: No the VM branch trace construction unit 1243 performs a VM branch trace construction process to construct a second VM branch trace by performing the same process as in step S13 on the VM execution trace acquired by the fuzzing execution unit 1242 (step S20).
  • the control flow graph construction unit 1244 performs a control flow graph construction process to construct a second control flow graph by performing the same process as step S14 on the second VM branch trace (step S21).
  • the code coverage calculation unit 1245 performs a code coverage calculation process to calculate the code coverage based on the first control flow graph and the second control flow graph (step S22).
  • the vulnerability discovery unit 124 determines whether the code coverage calculated in step S22 has increased beyond a predetermined value (step S23).
  • the predetermined value may be set in advance or may be set dynamically according to the processing history of the vulnerability discovery device 10.
  • step S23: Yes If the code coverage has increased above the predetermined value (step S23: Yes), the vulnerability discovery unit 124 selects the mutated input value and adds it to the dictionary of input values (step S24), and returns to step S17. Then, the vulnerability discovery unit 124 causes the mutation unit 1241 to mutate the input value based on the dictionary to which the mutated input value has been added. If the code coverage has not increased above the predetermined value (step S23: No), the vulnerability discovery unit 124 returns to step S17.
  • FIG. 17 is a flowchart showing the processing procedure of the execution trace acquisition process shown in Fig. 15.
  • the execution trace acquisition unit 1211 receives a test script and a script engine binary as input (step S31). Then, the execution trace acquisition unit 1211 hooks the received script engine to acquire a branch trace (step S32). The execution trace acquisition unit 1211 also hooks the received script engine to acquire a memory access trace (step S33).
  • the execution trace acquisition unit 1211 inputs the test script received in this state into the script engine for execution (step S34), and stores the execution trace acquired thereby in the execution trace DB 131 (step S35).
  • the execution trace acquisition unit 1211 determines whether or not all of the input test scripts have been executed (step S36). If all of the input test scripts have been executed (step S36: Yes), the execution trace acquisition unit 1211 ends the process. On the other hand, if all of the input test scripts have not been executed (step S36: No), the execution trace acquisition unit 1211 returns to the execution of the test scripts in step S34 and continues the process.
  • Fig. 18 is a flowchart showing the processing procedure of the VM instruction boundary detection process shown in Fig. 15.
  • the VM instruction boundary detection unit 1212 extracts execution traces from the execution trace DB 131 (step S41).
  • the VM instruction boundary detection unit 1212 clusters the execution traces using a predetermined method (step S42). Any method may be used for clustering.
  • the VM instruction boundary detection unit 1212 detects clusters whose execution count is equal to or exceeds a threshold as VM instructions (step S43). The VM instruction boundary detection unit 1212 then determines the start and end points of the continuous instruction sequence that constitutes the VM instruction as boundaries (step S44). The VM instruction boundary detection unit 1212 outputs the VM instruction boundary as a return value (step S45), and ends the VM instruction boundary detection process.
  • FIG. 19 is a flowchart showing the processing procedure of the virtual program counter detection process shown in Fig. 15.
  • the virtual program counter detection unit 1213 extracts one execution trace by the first test script from the execution trace DB 131 (step S51). Next, the virtual program counter detection unit 1213 focuses on memory access traces among the execution traces, and counts up the number of reads for each memory read destination (step S52).
  • the virtual program counter detection unit 1213 receives as input the first test script used to obtain the execution trace (step S53), and analyzes the first test script to obtain the number of repetitions and the number of repeated statements (step S54).
  • the virtual program counter detection unit 1213 extracts from the execution trace DB 131 another execution trace by the first test script, which has a different number of repetitions and number of repeated statements (step S55). Then, the virtual program counter detection unit 1213 focuses on the memory access trace and counts the number of reads for each memory read destination (step S56). The virtual program counter detection unit 1213 also receives as input the first test script used to obtain the execution trace (step S57), analyzes the test script, and obtains the number of repetitions and the number of repeated statements (step S58).
  • the virtual program counter detection unit 1213 narrows down the memory read destinations to only those whose read counts change in proportion to the number of repetitions or the increase or decrease in the number of repeated statements (step S59). Furthermore, the virtual program counter detection unit 1213 narrows down the memory read destinations narrowed down in step S59 to those whose read memory values always point to the start point of the VM instruction (step S60).
  • the virtual program counter detection unit 1213 determines whether the memory read destinations have been narrowed down to only one (step S61). If the virtual program counter detection unit 1213 has not narrowed down the memory read destinations to only one (step S61: No), the process returns to step S55, where the virtual program counter detection unit 1213 retrieves the next execution trace and continues processing. On the other hand, if the virtual program counter detection unit 1213 has narrowed down the memory read destinations to only one (step S61: Yes), the virtual program counter detection unit 1213 stores the narrowed down memory read destination as a virtual program counter in the architecture information DB 132 (step S62), and ends processing.
  • Fig. 20 is a flowchart showing the processing procedure of the dispatcher detection process shown in Fig. 15.
  • the dispatcher detection unit 1214 receives the script engine binary as input (step S71).
  • the dispatcher detection unit 1214 receives the boundaries of VM commands from the VM command boundary detection unit 1212 (step S72).
  • the dispatcher detection unit 1214 extracts each VM instruction portion from the script engine binary based on the boundaries of the VM instructions received from the VM instruction boundary detection unit 1212 (step S73).
  • the dispatcher detection unit 1214 calculates the similarity between the codes of each VM instruction using a predetermined method (step S74). Any method may be used to calculate the similarity, as long as it is capable of calculating the similarity between codes.
  • the dispatcher detection unit 1214 extracts the part with high similarity among all VM commands based on the similarity calculated in step S74 (step S75). The dispatcher detection unit 1214 then determines whether it is the end part of the VM command (step S76).
  • step S76: No If it is not the end of the VM command (step S76: No), the dispatcher detection unit 1214 returns to step S75 and continues processing. If it is the end of the VM command (step S76: Yes), the dispatcher detection unit 1214 outputs the extracted part as a dispatcher (step S77) and ends processing.
  • Fig. 21 is a flowchart showing the processing procedure of the conditional branch flag detection process shown in Fig. 15.
  • conditional branch flag detection unit 1215 extracts one execution trace by the second test script from the execution trace DB 131 (step S81). Then, the conditional branch flag detection unit 1215 focuses on the memory access trace and counts the number of reads for each memory read destination (step S82).
  • the conditional branch flag detection unit 1215 also receives as input the second test script used to obtain the execution trace (step S83), analyzes this second test script, and obtains the number of conditional branches and the True/False order pattern (step S84). The conditional branch flag detection unit 1215 then narrows down the memory read destinations to only those whose read count changes in proportion to the number of conditional branches (step S85). Furthermore, the conditional branch flag detection unit 1215 narrows down the memory read destinations to only those whose read memory value alternates between two values in accordance with the True/False order pattern (step S86).
  • the conditional branch flag detection unit 1215 determines whether the memory read destinations have been narrowed down to only one (step S87). If the conditional branch flag detection unit 1215 has not narrowed down the memory read destinations to only one (step S87: No), it returns to step S81, retrieves the next execution trace, and continues processing. On the other hand, if the conditional branch flag detection unit 1215 has narrowed down the memory read destinations to only one (step S87: Yes), it stores the narrowed down read destination in the architecture information DB 132 as a virtual program counter (step S88), and ends processing.
  • Fig. 22 is a flowchart showing the processing procedure of the code cache detection process shown in Fig. 15.
  • the code cache detection unit 1216 When the code cache detection unit 1216 receives an execution trace and a VM execution trace as input (step S91), it acquires the memory area pointed to by the VPC from the VM execution trace (step S92). The VM execution trace is acquired by the VM execution trace acquisition unit 1221.
  • the code cache detection unit 1216 obtains from the execution trace the code location of the caller of the memory allocation function that allocated the memory area obtained in step S92 (step S93).
  • the code cache detection unit 1216 detects, from the VM execution trace, all areas allocated at the code location obtained in step S93 as code caches (step S94).
  • the code cache detection unit 1216 acquires the code location that is writing to the code cache from the execution trace (step S95). The code cache detection unit 1216 detects all areas in the VM execution trace that are written to at the code location acquired in step S95 as code cache updates (step S96). The code cache detection unit 1216 returns the detected code cache and its updated location (step S97), and ends the code cache detection process.
  • Fig. 23 is a flowchart showing the procedure of the VM execution trace acquisition process shown in Fig. 15.
  • the VM execution trace acquisition unit 1221 receives a test script and a script engine binary as input (step S101). Then, the VM execution trace acquisition unit 1221 applies a hook to the received script engine to record the VPC and VM opcode (step S102).
  • the VM execution trace acquisition unit 1221 inputs the received test script in this state into the script engine for execution (step S103), and stores the VM execution trace acquired thereby in the VM execution trace DB 133 (step S104).
  • the VM execution trace acquisition unit 1221 determines whether or not all of the input test scripts have been executed (step S105). If all of the input test scripts have been executed (step S105: Yes), the VM execution trace acquisition unit 1221 ends the process. If all of the input test scripts have not been executed (step S105: No), the VM execution trace acquisition unit 1221 returns to the execution of the test scripts in step S103 and continues the process.
  • Fig. 24 is a flowchart showing the procedure of the VM command collection process shown in Fig. 15.
  • the VM command collection unit 1222 receives the VPC and dispatcher as input (step S111) and acquires various scripts from the Internet (step S112).
  • the VM command collection unit 1222 executes the scripts while monitoring the VPC and dispatcher, and acquires a VM execution trace (step S113).
  • the VM instruction collection unit 1222 acquires VM instructions from the VM execution trace (step S114) and adds them to a list of VM instructions (step S115). If the VM instruction collection unit 1222 finds a VM instruction that is not in the list (step S116: No), it returns to step S112. If the VM instruction collection unit 1222 finds no VM instructions that are not in the list (step S116: Yes), it returns the list of VM instructions (step S117) and ends the VM instruction collection process.
  • Fig. 25 is a flowchart showing the processing procedure of the VM command determination process shown in Fig. 15.
  • the VM instruction determination unit 1223 extracts one VM execution trace from the VM execution trace DB 133 (step S121).
  • the VM instruction determination unit 1223 associates a pointer to the VM instruction with the VM instruction, and assigns a VM opcode to each as an identifier (step S122). Then, the VM instruction determination unit 1223 counts the amount of change in VPC before and after execution for each VM opcode (step S123).
  • the VM instruction determination unit 1223 determines whether all VM execution traces in the VM execution trace DB 133 have been processed (step S124). If all VM execution traces in the VM execution trace DB 133 have not been processed (step S124: No), the VM instruction determination unit 1223 returns to step S121 and retrieves and processes the next VM execution trace.
  • the VM instruction determination unit 1223 calculates the variance of the amount of change in VPC for each VM opcode (step S125). Then, the VM instruction determination unit 1223 receives a threshold value as an input (step S126). The VM instruction determination unit 1223 narrows down to only VM opcodes whose variance is greater than the threshold value (step S127), stores them as branch VM instructions in the architecture information DB 132 (step S128), and ends the process.
  • Fig. 26 is a flowchart showing the processing procedure of the multi-pass execution process shown in Fig. 15.
  • the multi-path execution unit 1231 receives the script to be analyzed as input (step S131).
  • the multi-path execution unit 1231 receives the VPC, dispatcher, and conditional branch flag as input (step S132).
  • the multi-path execution unit 1231 monitors the VPC and VM instructions, and executes the script to be analyzed while acquiring the VM execution trace (step S133).
  • the multi-path execution unit 1231 forks the execution state for each conditional branch instruction, leaving one as is and rewriting the conditional branch flag for the other, thereby comprehensively executing multiple execution paths (step S134).
  • step S135 If all execution paths have not been exhaustively executed (step S135: No), the multi-path execution unit 1231 returns to step S133. If all execution paths have been exhaustively executed (step S135: Yes), the multi-path execution unit 1231 returns the VM execution trace (step S136) and ends the multi-path execution process.
  • Fig. 27 is a flowchart showing the processing procedure of the VM branch trace construction process shown in Fig. 15.
  • the VM branch trace construction units 1232 and 1243 receive the VM execution trace and the VM branch instruction list as input (step S141).
  • the VM branch trace construction units 1232 and 1243 extract the VM execution trace entries (step S142).
  • the VM branch trace construction units 1232 and 1243 determine whether the VM opcode is present in the VM branch instruction list (step S143).
  • step S143 If the VM opcode exists in the VM branch instruction list (step S143: Yes), the VM branch trace construction units 1232 and 1243 save the VPC as the branch source and the VPC of the next entry as the branch destination in the VM branch trace (step S144).
  • step S143 If the VM opcode does not exist in the VM branch instruction list (step S143: No), or after step S144 is completed, the VM branch trace construction units 1232 and 1243 determine whether all entries in the VM execution trace have been processed (step S145).
  • step S145 If not all entries in the VM execution trace have been processed (step S145: No), the VM branch trace construction units 1232 and 1243 extract the next entry in the VM execution trace (step S146). Then, the VM branch trace construction units 1232 and 1243 return to step S143 and determine whether the VM opcode for the next entry is present in the VM branch instruction list.
  • step S145 if all entries in the VM execution trace have been processed (step S145: Yes), the VM branch trace construction units 1232 and 1243 end the VM branch trace construction process.
  • Fig. 28 is a flowchart showing the processing procedure of the control flow graph construction process shown in Fig. 15.
  • control flow graph construction units 1233 and 1244 When the control flow graph construction units 1233 and 1244 receive a VM branch trace as input (step S151), they extract the VM branch trace entries (step S152).
  • the control flow graph construction units 1233 and 1244 add a basic block starting from the branch destination address as a node to the control flow graph (step S153).
  • the control flow graph construction units 1233 and 1244 add an edge from the branch source address to the branch destination address to the control flow graph (step S154).
  • the control flow graph construction units 1233 and 1244 determine whether all entries of the VM branch trace have been processed (step S155).
  • control flow graph construction units 1233 and 1244 If the control flow graph construction units 1233 and 1244 have not processed all the entries of the VM branch trace (step S155: No), they extract the next entry of the VM execution trace (step S156). Then, the control flow graph construction units 1233 and 1244 return to step S153 and add the basic block starting from the branch destination address of the next entry as a node to the control flow graph.
  • control flow graph construction units 1233 and 1244 output the constructed control flow graph (step S157).
  • Fig. 29 is a flowchart showing the processing procedure of the mutation process shown in Fig. 16.
  • the mutation unit 1241 accepts a dictionary of input values as input (step S161) and extracts one input value from the dictionary (step S162).
  • the mutation unit 1241 mutates the extracted input value using a predetermined method, such as randomly changing the value (step S163).
  • the mutation unit 1241 adds the mutated input value to the dictionary (step S164).
  • step S165 If the mutation unit 1241 has not mutated all of the input values to be mutated (step S165: No), it returns to step S163 and mutates the input values to be mutated. If the mutation unit 1241 has mutated all of the input values to be mutated (step S165: Yes), it returns the dictionary of updated input values (step S166) and ends the mutation process.
  • Fig. 30 is a flowchart showing the processing procedure of the execution process shown in Fig. 16.
  • the fuzzing execution unit 1242 receives the script to be analyzed as input (step S171).
  • the fuzzing execution unit 1242 receives the VPC, dispatcher, and conditional branch flag as input (step S172).
  • the fuzzing execution unit 1242 monitors the VM instructions and VPC being executed (step S173), and executes the script to be analyzed (step S174).
  • the fuzzing execution unit 1242 records the VM instructions executed during execution, and obtains a VM execution trace (step S175).
  • the fuzzing execution unit 1242 returns the VM execution trace (step S176), and ends the execution process.
  • Fig. 31 is a flowchart showing the processing procedure of the code coverage calculation process shown in Fig. 16.
  • the code coverage calculation unit 1245 counts the number of all nodes and edges in the first control flow graph (step S181).
  • the code coverage calculation unit 1245 counts the number of all nodes and edges in the second control flow graph (step S182).
  • the code coverage calculation unit 1245 calculates the ratio of the number of nodes and edges of the second control flow graph to the number of nodes and edges of the first control flow graph (step S183).
  • the code coverage calculation unit 1245 may calculate, as code coverage, both the number of nodes of the second control flow graph to the number of nodes of the first control flow graph and the ratio of the number of edges of the second control flow graph to the number of edges of the first control flow graph, or may calculate either one of them.
  • the code coverage calculation unit 1245 returns the calculated percentage as the code coverage (step S184) and ends the code coverage calculation process.
  • the vulnerability discovery device 10 analyzes the VM of the script engine, collects VM instructions, and determines the contents of the collected VM instructions to obtain information on the instruction set architecture, which is the system of VM instructions. Based on the obtained architecture information, the vulnerability discovery device 10 constructs a first control flow graph showing an entire path. Based on the obtained architecture information, the vulnerability discovery device 10 mutates an input value, and constructs a second control flow graph showing a path executed as a test by inputting the mutated input value to the analysis target script. The vulnerability discovery device 10 calculates code coverage, selects an input value based on the code coverage calculation result, and performs fuzzing on the analysis target script executed on the virtual machine.
  • the vulnerability discovery device 10 can analyze the VM of the script engine and obtain information on the instruction set architecture, which is the system of instructions for the VM, thereby achieving gray box fuzzing based on accurate code coverage at runtime without the need for individual manual analysis, design, and implementation.
  • the vulnerability discovery device 10 executes the test script while monitoring the binary of the script engine, and obtains branch traces and memory access traces as execution traces.
  • the vulnerability discovery device 10 analyzes the virtual machine based on the execution trace, and obtains architecture information of the VM instruction boundary, VPC, dispatcher, conditional branch flags, and code cache.
  • the vulnerability discovery device 10 executes the test script while monitoring the VPC and dispatcher, and obtains a VM execution trace. By analyzing the VM execution trace, the vulnerability discovery device 10 collects VM instructions, determines the contents of the VM instructions, and obtains information on the instruction set architecture.
  • the vulnerability detection device 10 can detect architecture information including information indicating where in the VM the bytecode generated by the script engine is stored, and information on the instruction set architecture of the bytecode that the VM can interpret.
  • the vulnerability discovery device 10 constructs a first control flow graph of the entire path comprehensively through multi-pass execution. Based on the acquired architecture information, the vulnerability discovery device 10 repeats the following steps to fuzz the script: mutating the input value, inputting the mutated input value into the script to be analyzed, executing the test, constructing a second control flow graph showing the path executed as the test, and calculating the code coverage.
  • the vulnerability detection device 10 can detect various architectural information by analyzing the execution trace and VM execution trace obtained, even for script engines whose VM internal specifications are unknown, and can perform gray-box fuzzing on running scripts without requiring manual reverse engineering.
  • the vulnerability detection device 10 selectively chooses and mutates input values that will increase the code coverage based on the results of the code coverage calculation, allowing for more appropriate execution of gray box fuzzing.
  • the vulnerability detection device 10 can automatically perform gray-box fuzzing on scripts for a variety of script engines as long as a test script is prepared, so that the fuzzing can be performed without the need for individual design or implementation.
  • the vulnerability detection device 10 can perform gray-box fuzzing on running scripts, even those written in various scripting languages, and discover potential vulnerabilities.
  • the vulnerability detection device 10 can perform gray-box fuzzing on scripts written in a wide variety of scripting languages by analyzing a script engine whose VM's internal specifications are unknown and acquiring information about the VM's architecture and instruction set architecture.
  • the vulnerability discovery device 10 is useful for discovering vulnerabilities in a wide variety of scripts, and is suitable for efficiently discovering vulnerabilities that lie in scripts by taking into account the code coverage executed by input values through gray box fuzzing.
  • the vulnerability discovery device 10 can be used to discover and fix potential vulnerabilities by performing gray box fuzzing on various scripts.
  • Each component of vulnerability discovery device 10 shown in Fig. 3 is a functional concept, and does not necessarily have to be physically configured as shown.
  • the specific form of distribution and integration of the functions of vulnerability discovery device 10 is not limited to that shown in the figure, and all or part of it can be functionally or physically distributed or integrated in any unit depending on various loads, usage conditions, etc.
  • each process performed by the vulnerability discovery device 10 may be realized, in whole or in part, by a CPU and a program analyzed and executed by the CPU. Furthermore, each process performed by the vulnerability discovery device 10 may be realized as hardware using wired logic.
  • [program] 32 is a diagram showing an example of a computer in which a program is executed to realize the vulnerability discovering device 10.
  • the computer 1000 has, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.
  • the memory 1010 includes a ROM 1011 and a RAM 1012.
  • the ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
  • BIOS Basic Input Output System
  • the hard disk drive interface 1030 is connected to a hard disk drive 1090.
  • the disk drive interface 1040 is connected to a disk drive 1100.
  • a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example.
  • the video adapter 1060 is connected to a display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the programs that define each process of the vulnerability detection device 10 are implemented as program modules 1093 in which code executable by the computer 1000 is written.
  • the program modules 1093 are stored, for example, in the hard disk drive 1090.
  • a program module 1093 for executing processes similar to the functional configuration of the vulnerability detection device 10 is stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the setting data used in the processing of the above-mentioned embodiment is stored as program data 1094, for example, in memory 1010 or hard disk drive 1090.
  • the CPU 1020 reads the program module 1093 or program data 1094 stored in memory 1010 or hard disk drive 1090 into RAM 1012 as necessary and executes it.
  • the program module 1093 and program data 1094 may not necessarily be stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like.
  • the program module 1093 and program data 1094 may be stored in another computer connected via a network (such as a LAN (Local Area Network), WAN (Wide Area Network)).
  • the program module 1093 and program data 1094 may then be read by the CPU 1020 from the other computer via the network interface 1070.
  • Vulnerability detection device 11 Input unit 12 Control unit 13 Memory unit 14 Output unit 121 Virtual machine analysis unit 122 Instruction set architecture analysis unit 123 Calculation unit 124 Vulnerability detection unit 131 Execution trace database (DB) 132 Architecture Information DB 133 VM execution trace DB 1211 Execution trace acquisition unit 1212 VM instruction boundary detection unit 1213 Virtual program counter detection unit 1214 Dispatcher detection unit 1215 Conditional branch flag detection unit 1216 Code cache detection unit 1221 VM execution trace acquisition unit 1222 VM instruction collection unit 1223 VM instruction determination unit 1231 Multi-path execution unit 1232, 1243 VM branch trace construction unit 1233, 1244 Control flow graph construction unit 1241 Mutation unit 1242 Fuzzing execution unit 1245 Code coverage calculation unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A vulnerability detection device (10) comprises: a virtual machine analysis unit (121) that analyzes a VM of a script engine; an instruction set architecture analysis unit (122) that analyzes an instruction set architecture, which is a VM instruction system, that collects VM instructions, and that determines the instruction content of the collected VM instructions; a calculation unit (123) that, on the basis of the architecture information acquired by the virtual machine analysis unit (121) and the instruction set architecture analysis unit (122), constructs a first control flow graph indicating an overall path; and a vulnerability detection unit (124) that alters an input value, that constructs a second control flow graph indicating a path which is executed as a test and in which the altered input value input to an analysis target script, that calculates code coverage, and that, on the basis of the code coverage calculation result, selects a value to input and performs fuzzing of the analysis target script executed on the VM.

Description

脆弱性発見装置、脆弱性発見方法及び脆弱性発見プログラムVulnerability detection device, vulnerability detection method, and vulnerability detection program
 本発明は、脆弱性発見装置、脆弱性発見方法及び脆弱性発見プログラムに関する。 The present invention relates to a vulnerability detection device, a vulnerability detection method, and a vulnerability detection program.
 ソフトウェアに潜在する欠陥を発見するための技術として、動的テストと呼ばれるものがある。動的テストには、ソフトウェアテストが存在する。ソフトウェアテストは、対象のプログラムに実際に入力値を与えて実行し、その振る舞いを見ることでテストを実施する。 There is a technique called dynamic testing that can be used to discover potential defects in software. Dynamic testing includes software testing. Software testing is carried out by actually providing input values to the target program, running it, and observing its behavior.
 この動的テストが網羅的に実施されているかを計測する尺度の一つに、コードカバレッジ(コード網羅率とも呼ぶ)がある。これは、対象のプログラムのコードのうち、どの程度のコードをテストしたかの割合を評価するものである。 One of the measures to measure whether this dynamic testing has been performed comprehensively is code coverage (also called code coverage rate). This evaluates the percentage of the code in the target program that has been tested.
 そして、動的テストには、このコードカバレッジを指標として、テストの進行度合いを評価するものや、テストを計画するものがある。 Some dynamic tests use code coverage as an indicator to evaluate the progress of testing and to plan tests.
 その一つに、ソフトウェアに潜在する脆弱性を発見するための動的テスト技術の一つである、ファジングがある。ファジングは、入力値を繰り返し生成または変異させながら対象のプログラムに与えて実行し、そのプログラムの状態を観測して、クラッシュなどの問題が発生する入力を探索することで、脆弱性を発見する技術である。 One of these is fuzzing, a dynamic testing technique for discovering latent vulnerabilities in software. Fuzzing is a technique that discovers vulnerabilities by repeatedly generating or mutating input values while running the target program and observing the state of the program to search for inputs that cause problems such as crashes.
 この際、何を入力値とし、どのようにして入力値を生成または変異させていくかが、脆弱性の発見効率に関わる重要な要素となる。例えば、特定の入力値の範囲でなければ実行されない経路があり、そこに脆弱性が存在する場合には、その経路を辿るための入力値を効率よく発見しなければ、その脆弱性の発見に多大な時間を要してしまう。 In this case, what is used as the input value and how the input value is generated or mutated are important factors in determining the efficiency of vulnerability discovery. For example, if there is a path that can only be executed within a specific range of input values and a vulnerability exists there, it will take a long time to discover the vulnerability unless the input values required to follow that path can be found efficiently.
 ファジングにおいて、最も原始的には、入力値はランダムに生成されていた。また、プログラムの観測は、クラッシュなどが発生するかのみという、ブラックボックステストが採用されていた。 In the most primitive form of fuzzing, input values were generated randomly. In addition, black-box testing was used to observe the program only to see if a crash or other problem occurred.
 しかしながら、このような手法では、前述のような場合に脆弱性を効率よく発見できない。 However, this method cannot efficiently detect vulnerabilities in the cases mentioned above.
 そこで、グレーボックスファジングと呼ばれる技術が採用されている。グレーボックスファジングでは、ブラックボックスファジングと異なり、プログラムの実行時にその内部状態である実行経路もあわせて観測する。そして、グレーボックスファジングでは、既にテストした実行経路に対するコードカバレッジを算出し、その値が大きくなるように入力値を優先的に生成や変異の種に採用する。 For this reason, a technique called grey box fuzzing is used. Unlike black box fuzzing, grey box fuzzing also observes the internal state of the program, i.e., the execution path, when it is executed. Grey box fuzzing then calculates the code coverage for the execution paths that have already been tested, and prioritizes the use of input values as seeds for generation and mutation so that this value is large.
 したがって、グレーボックスファジングの実現には、実行経路を観測し、コードカバレッジを計算する必要がある。 Therefore, to implement gray-box fuzzing, it is necessary to observe the execution path and calculate code coverage.
 このグレーボックスファジングによれば、プログラムのより広い範囲に対して効率的に脆弱性を探索することができる。 Grey-box fuzzing allows for efficient searching for vulnerabilities in a wider range of programs.
 非特許文献1では、PHPのスクリプトで作成されたWebアプリケーションの脆弱性を発見するために、グレーボックスファジングを採用している。非特許文献1に記載の手法は、ソースコードに対して抽象構文木を構成し、静的な計装を実現することで、コードカバレッジを計測している。 In Non-Patent Document 1, gray box fuzzing is used to discover vulnerabilities in web applications created with PHP scripts. The method described in Non-Patent Document 1 measures code coverage by constructing an abstract syntax tree for the source code and implementing static instrumentation.
 非特許文献2では、JavaScriptで作成されたWebアプリケーションの脆弱性を発見するために、グレーボックスファジングを採用している。非特許文献2に記載の手法では、コードカバレッジの計測のために、非特許文献1と同様に、JavaScriptのソースコードに対して抽象構文木を構成し、静的な計装を実施している。 Non-Patent Document 2 employs gray box fuzzing to discover vulnerabilities in web applications written in JavaScript. In the method described in Non-Patent Document 2, an abstract syntax tree is constructed for the JavaScript source code and static instrumentation is performed to measure code coverage, just like Non-Patent Document 1.
 しかしながら、非特許文献1,2に記載の手法では、全てのあり得る分岐を網羅的に知ることができないため、分岐に関するコードカバレッジは他の情報から推測するしかない、という課題があった。また、非特許文献1,2に記載の手法は静的な計装であるため、例えば、動的に評価されるスクリプトなど、コードカバレッジを計測できない場合が存在する、という課題があった。 However, the techniques described in Non-Patent Documents 1 and 2 have the problem that it is not possible to comprehensively know all possible branches, so the code coverage for the branches must be estimated from other information. In addition, the techniques described in Non-Patent Documents 1 and 2 are static instrumentation, so there is an issue that there are cases where code coverage cannot be measured, such as dynamically evaluated scripts.
 スクリプトのコードカバレッジを正確に計測するには、動的な計装が必要となる。スクリプトに対して動的な計装を実現するには、バイトコードへの計装が必要となる。これには、一般に、スクリプトエンジンによって提供されているデバッガなどの支援機能を用いる必要がある。これは、スクリプトの実行を司るスクリプトエンジン内の仮想機械(VM)の内部仕様が公開されていない場合が多く、コードカバレッジの計測に要する実行経路の観測やバイトコードの解析を、支援機能なしに実現するのが難しいためである。 In order to accurately measure the code coverage of a script, dynamic instrumentation is required. To achieve dynamic instrumentation for a script, it is necessary to instrument the bytecode. This generally requires the use of support functions such as a debugger provided by the script engine. This is because the internal specifications of the virtual machine (VM) in the script engine that controls the execution of the script are often not made public, making it difficult to observe the execution path and analyze the bytecode required to measure code coverage without support functions.
 しかしながら、そうした支援機能が提供されていない場合、VMをリバースエンジニアリングして内部仕様を明らかにし、独自に実行経路の観測やバイトコードの解析を実現し、コードカバレッジを計算するための情報を獲得する必要がある。 However, if such support functions are not provided, it is necessary to reverse engineer the VM to reveal its internal specifications, independently observe the execution path and analyze the bytecode, and obtain the information needed to calculate code coverage.
 これをスクリプトエンジンに対して手動かつ個別に解析や設計及び実装をすることは、かかる労力の観点から、現実的でない。  Manually and individually analyzing, designing, and implementing this for script engines is not realistic given the amount of work involved.
 本発明は、上記に鑑みてなされたものであって、コードカバレッジ計測に活用できる支援機能がなく、内部仕様が未知のスクリプトエンジンに対しても、手動での個別の解析や設計及び実装を要さずに、実行時の正確なコードカバレッジに基づくグレーボックスファジングを実現することができる脆弱性発見装置、脆弱性発見方法及び脆弱性発見プログラムを提供することを目的とする。 The present invention has been made in consideration of the above, and aims to provide a vulnerability discovery device, a vulnerability discovery method, and a vulnerability discovery program that can realize gray box fuzzing based on accurate code coverage at runtime, without the need for manual individual analysis, design, and implementation, even for script engines that do not have support functions that can be used for code coverage measurement and whose internal specifications are unknown.
 上述した課題を解決し、目的を達成するために、本発明の脆弱性発見装置は、スクリプトエンジンの仮想機械を解析する第1の解析部と、前記仮想機械の命令の体系である命令セットアーキテクチャを解析して、仮想機械命令を収集し、収集した仮想機械命令の命令内容を判定する第2の解析部と、前記第1の解析部及び前記第2の解析部によって取得されたアーキテクチャ情報を基に、全体の経路を示す第1の制御フローグラフを構築する算出部と、前記第1の解析部及び前記第2の解析部によって取得されたアーキテクチャ情報を基に、入力値を変異させ、変異させた前記入力値を解析対象スクリプトへ入力してテストとして実行された経路を示す第2の制御フローグラフを構築し、前記全体の経路に対する、前記テストとして実行された経路の割合であるコードカバレッジを算出し、前記コードカバレッジの算出結果を基に、入力する値を選択して、仮想機械上で実行されている解析対象スクリプトに対するファジングを行う脆弱性発見部と、有することを特徴とする。  To solve the above problems and achieve the object, the vulnerability discovery device of the present invention is characterized by having a first analysis unit that analyzes the virtual machine of a script engine, a second analysis unit that analyzes the instruction set architecture, which is the instruction system of the virtual machine, to collect virtual machine instructions and determine the instruction contents of the collected virtual machine instructions, a calculation unit that constructs a first control flow graph showing an entire path based on the architecture information acquired by the first analysis unit and the second analysis unit, and a vulnerability discovery unit that mutates an input value based on the architecture information acquired by the first analysis unit and the second analysis unit, constructs a second control flow graph showing a path executed as a test by inputting the mutated input value to a script to be analyzed, calculates code coverage, which is the ratio of the path executed as the test to the entire path, and selects an input value based on the calculation result of the code coverage to perform fuzzing on the script to be analyzed executed on the virtual machine.
 本発明によれば、コードカバレッジ計測に活用できる支援機能がなく、内部仕様が未知のスクリプトエンジンに対しても、手動での個別の解析や設計及び実装を要さずに、実行時の正確なコードカバレッジに基づくグレーボックスファジングを実現することができる。 According to the present invention, even for script engines that do not have support functions that can be used for code coverage measurement and whose internal specifications are unknown, it is possible to achieve gray-box fuzzing based on accurate code coverage at runtime without the need for individual manual analysis, design, and implementation.
図1は、スクリプトエンジンの構成の一例を説明するための図である。FIG. 1 is a diagram illustrating an example of the configuration of a script engine. 図2は、スクリプトエンジンが有するVMの擬似コードを示す図である。FIG. 2 is a diagram showing pseudo code of a VM included in the script engine. 図3は、実施の形態に係る脆弱性発見装置の構成の一例を説明する図である。FIG. 3 is a diagram illustrating an example of the configuration of a vulnerability detecting device according to an embodiment. 図4は、仮想プログラムカウンタ(VPC)の検出に用いるテストスクリプトの一例を示す図である。FIG. 4 is a diagram showing an example of a test script used to detect a virtual program counter (VPC). 図5は、分岐VM命令検出に用いるテストスクリプトの一例を示す図である。FIG. 5 is a diagram showing an example of a test script used for detecting a branch VM instruction. 図6は、実行トレースの一例を示す図である。FIG. 6 is a diagram illustrating an example of an execution trace. 図7は、VM実行トレースの一例を示す図である。FIG. 7 illustrates an example of a VM execution trace. 図8は、VM命令境界検出部の処理を説明する図である。FIG. 8 is a diagram illustrating the process of the VM instruction boundary detection unit. 図9は、仮想プログラムカウンタ検出部の処理を説明する図である。FIG. 9 is a diagram for explaining the process of the virtual program counter detection unit. 図10は、ディスパッチャ検出部の処理を説明する図である。FIG. 10 is a diagram illustrating the process of the dispatcher detection unit. 図11は、コードキャッシュ検出部の処理を説明する図である。FIG. 11 is a diagram illustrating the process of the code cache detection unit. 図12は、VM命令判定部の処理を説明する図である。FIG. 12 is a diagram illustrating the process of the VM command determination unit. 図13は、VMブランチトレース構築部の処理を説明する図である。FIG. 13 is a diagram illustrating the process of the VM branch trace construction unit. 図14は、制御フローグラフ構築部を説明する図である。FIG. 14 is a diagram for explaining the control flow graph construction unit. 図15は、実施の形態に係る脆弱性発見処理の処理手順を示すフローチャートである。FIG. 15 is a flowchart showing a processing procedure of the vulnerability discovering process according to the embodiment. 図16は、実施の形態に係る脆弱性発見処理の処理手順を示すフローチャートである。FIG. 16 is a flowchart showing a processing procedure of the vulnerability discovering process according to the embodiment. 図17は、図15に示す実行トレース取得処理の処理手順を示すフローチャートである。FIG. 17 is a flowchart of the execution trace acquisition process shown in FIG. 図18は、図15に示すVM命令境界検出処理の処理手順を示すフローチャートである。FIG. 18 is a flowchart illustrating a procedure of the VM instruction boundary detection process illustrated in FIG. 図19は、図15に示す仮想プログラムカウンタ検出処理の処理手順を示すフローチャートである。FIG. 19 is a flowchart illustrating the processing procedure of the virtual program counter detection processing shown in FIG. 図20は、図15に示すディスパッチャ検出処理の処理を説明する図である。FIG. 20 is a diagram for explaining the dispatcher detection process shown in FIG. 図21は、図15に示す条件分岐フラグ検出処理の処理手順を示すフローチャートである。FIG. 21 is a flowchart showing the procedure of the conditional branch flag detection process shown in FIG. 図22は、図15に示すコードキャッシュ検出処理の処理手順の処理手順を示すフローチャートである。FIG. 22 is a flowchart illustrating the procedure of the code cache detection process shown in FIG. 図23は、図15に示すVM実行トレース取得処理の処理手順を示すフローチャートである。FIG. 23 is a flowchart illustrating the procedure of the VM execution trace acquisition process illustrated in FIG. 15 . 図24は、図15に示すVM命令収集処理の処理手順を示すフローチャートである。FIG. 24 is a flowchart illustrating the procedure of the VM command collection process illustrated in FIG. 図25は、図15に示すVM命令判定処理の処理手順を示すフローチャートである。FIG. 25 is a flowchart illustrating a processing procedure of the VM command determination process shown in FIG. 図26は、図15に示すマルチパス実行処理の処理手順を示すフローチャートである。FIG. 26 is a flowchart showing the procedure of the multi-path execution process shown in FIG. 図27は、図15に示すVMブランチトレース構築処理の処理手順を示すフローチャートである。FIG. 27 is a flowchart illustrating the procedure of the VM branch trace construction process illustrated in FIG. 15 . 図28は、図15に示す制御フローグラフ構築処理の処理手順を示すフローチャートである。FIG. 28 is a flowchart of the control flow graph construction process shown in FIG. 図29は、図16に示す変異処理の処理手順を示すフローチャートである。FIG. 29 is a flowchart showing the procedure of the mutation process shown in FIG. 図30は、図16に示す実行処理の処理手順を示すフローチャートである。FIG. 30 is a flowchart showing the procedure of the execution process shown in FIG. 図31は、図16に示すコードカバレッジ算出処理の処理手順を示すフローチャートである。FIG. 31 is a flowchart illustrating the procedure of the code coverage calculation process shown in FIG. 図32は、プログラムが実行されることにより、脆弱性発見装置が実現されるコンピュータの一例を示す図である。FIG. 32 is a diagram showing an example of a computer that realizes a vulnerability discovering device by executing a program.
 以下に、本願に係る脆弱性発見装置、脆弱性発見方法及び脆弱性発見プログラムの実施形態を図面に基づいて詳細に説明する。また、本発明は、以下に説明する実施形態により限定されるものではない。 Below, embodiments of the vulnerability discovery device, vulnerability discovery method, and vulnerability discovery program according to the present application are described in detail with reference to the drawings. Furthermore, the present invention is not limited to the embodiments described below.
[実施の形態]
 実施の形態に係る脆弱性発見装置は、コードカバレッジ計測に活用できる支援機能がなく、内部仕様が未知のスクリプトエンジンに対しても、手動での個別の解析や設計及び実装を要さずに、実行時の正確なコードカバレッジに基づくグレーボックスファジングを実現することができる脆弱性発見装置である。 [Embodiment]
The vulnerability detection device of the embodiment is a vulnerability detection device that can realize gray box fuzzing based on accurate code coverage at runtime, even for script engines that do not have support functions that can be used for code coverage measurement and whose internal specifications are unknown, without requiring individual manual analysis, design, and implementation.
 実施の形態に係る脆弱性発見装置は、スクリプトエンジンのバイナリを監視しながらテストスクリプトを実行して、ブランチトレース及びメモリアクセストレースを実行トレースとして取得する。脆弱性発見装置は、実行トレースに基づいてVMを解析し、アーキテクチャ情報として、VM命令境界、仮想プログラムカウンタ(VPC)、ディスパッチャ、条件分岐フラグ、及び、実行されるVM命令が保存されるコードキャッシュを取得する。 The vulnerability discovery device according to the embodiment executes test scripts while monitoring the binaries of the script engine, and obtains branch traces and memory access traces as execution traces. The vulnerability discovery device analyzes the VM based on the execution traces, and obtains, as architecture information, VM instruction boundaries, a virtual program counter (VPC), a dispatcher, a conditional branch flag, and a code cache in which executed VM instructions are stored.
 そして、脆弱性発見装置は、VPC及びディスパッチャを監視しながらテストスクリプトを実行して、VM実行トレースを取得する。脆弱性発見装置は、VM実行トレースを解析することで、VM命令を収集するとともに、VM命令の内容を判定し、命令セットアーキテクチャの情報を取得する。 Then, the vulnerability detection device executes the test script while monitoring the VPC and the dispatcher, and obtains a VM execution trace. By analyzing the VM execution trace, the vulnerability detection device collects VM instructions, determines the contents of the VM instructions, and obtains information on the instruction set architecture.
 続いて、脆弱性発見装置は、取得したアーキテクチャ情報を基に、マルチパス実行で網羅的に実行された全体の経路を示す第1の制御フローグラフを構築する。 Then, based on the acquired architecture information, the vulnerability detection device constructs a first control flow graph that shows the entire path that was comprehensively executed in the multi-pass execution.
 続いて、脆弱性発見装置は、取得したアーキテクチャ情報を基に、入力値を変異させ、変異させた入力値を解析対象スクリプトへ入力して実行された経路を示す第2の制御フローグラフを構築する。脆弱性発見装置は、コードカバレッジを算出し、コードカバレッジの算出結果を基に、入力する値を選択して、VM上で実行されている解析対象スクリプトに対するファジングを行う。コードカバレッジは、全体の経路に対する、テストとして実行された経路の割合である。この際、脆弱性発見装置は、コードカバレッジの算出結果を基に、コードカバレッジがより増加するような入力値を選択的に選んで変異させていく。 The vulnerability detection device then mutates the input values based on the acquired architecture information, and constructs a second control flow graph that shows the path that is executed by inputting the mutated input values into the script to be analyzed. The vulnerability detection device calculates code coverage, selects input values based on the code coverage calculation results, and performs fuzzing on the script to be analyzed that is being executed on the VM. Code coverage is the ratio of paths executed as tests to the total paths. At this time, the vulnerability detection device selectively chooses and mutates input values that will increase code coverage more based on the code coverage calculation results.
 図1及び図2を参照して、一般的なスクリプトエンジンの構成とそれらの働きについて説明する。図1は、スクリプトエンジンの構成の一例を説明するための図である。図1に示すように、スクリプトエンジン1は、バイトコードコンパイラ2とVM3を有する。また、バイトコードコンパイラ2は、構文解析部4、バイトコード生成部5を有する。また、VM3は、コードキャッシュ部6、フェッチ部7、デコード部8、実行部9を有する。これらのフェッチ部7、デコード部8、実行部9は、繰り返し実行され、インタプリタループと呼ばれる。そして、スクリプトエンジン1は、スクリプトの入力を受け付ける。 The configuration and function of a typical script engine will be described with reference to Figures 1 and 2. Figure 1 is a diagram for explaining an example of the configuration of a script engine. As shown in Figure 1, script engine 1 has a bytecode compiler 2 and a VM 3. Furthermore, bytecode compiler 2 has a syntax analysis unit 4 and a bytecode generation unit 5. Furthermore, VM 3 has a code cache unit 6, a fetch unit 7, a decode unit 8, and an execution unit 9. These fetch unit 7, decode unit 8, and execution unit 9 are executed repeatedly and are called an interpreter loop. Then, script engine 1 accepts the input of a script.
 構文解析部4は、スクリプトを入力として受け取り、字句解析及び構文解析を経て、抽象構文木(Abstract Syntax Tree:AST)を生成し、バイトコード生成部5に出力する。バイトコード生成部5は、ASTを入力として受け取り、バイトコードに変換してコードキャッシュ部6に格納する。 The syntax analysis unit 4 receives the script as input, and through lexical and syntactic analysis generates an Abstract Syntax Tree (AST), which it outputs to the bytecode generation unit 5. The bytecode generation unit 5 receives the AST as input, converts it into bytecode, and stores it in the code cache unit 6.
 フェッチ部7は、コードキャッシュ部6からVMオペコードをフェッチし、デコード部8に出力する。ここで、VMオペコードは、VM命令のオペコード部を指す。デコード部8は、VMオペコードを入力として受け取り、デコーダ・ディスパッチャを用いてVMオペコードを解釈し、対応したプログラムにディスパッチする。実行部9は、VM命令に対応したプログラムを実行する。インタプリタループの繰り返しにより、VM命令を次々に実行していくことで、スクリプトに記述した内容が実行される。 The fetch unit 7 fetches the VM opcode from the code cache unit 6 and outputs it to the decode unit 8. Here, the VM opcode refers to the opcode portion of the VM instruction. The decode unit 8 receives the VM opcode as input, interprets the VM opcode using a decoder/dispatcher, and dispatches it to the corresponding program. The execution unit 9 executes the program corresponding to the VM instruction. The contents written in the script are executed by executing the VM instructions one after another through a repeated interpreter loop.
 図2を参照して、スクリプトエンジンの構成要素の働きについて説明する。図2は、スクリプトエンジンが有するVMの擬似コードを示す図である。図2に示すように、まず、擬似コードは、VPCを初期化している(1行目)。擬似コードでは、while文のループがインタプリタループである(2行目)。擬似コードでは、コードキャッシュからVPCの指すVMオペコードが取得され(3行目)、Switch文を用いてデコード及びディスパッチされる(4、5、7行目)。そして、擬似コードでは、ディスパッチされた先の、VMオペコードに対応したプログラムが実行される(6、8行目)。 The functions of the components of the script engine will be described with reference to Figure 2. Figure 2 is a diagram showing pseudocode for a VM in the script engine. As shown in Figure 2, the pseudocode first initializes the VPC (line 1). In the pseudocode, the while loop is the interpreter loop (line 2). In the pseudocode, the VM opcode pointed to by the VPC is obtained from the code cache (line 3), and is decoded and dispatched using a Switch statement (lines 4, 5, and 7). Then, in the pseudocode, the program corresponding to the VM opcode that was dispatched is executed (lines 6 and 8).
 また、分岐VM命令とはスクリプト内で分岐を発生させるVM命令であり、条件分岐フラグは、条件分岐時に分岐がなされるか否かのフラグを保持する領域である。 In addition, a branch VM command is a VM command that causes a branch to occur within a script, and a conditional branch flag is an area that holds a flag indicating whether or not a branch will be taken when a conditional branch occurs.
[脆弱性発見装置の構成]
 続いて、図3を参照して、実施の形態に係る脆弱性発見装置10の構成について具体的に説明する。図3は、実施の形態に係る脆弱性発見装置の構成の一例を説明する図である。 [Configuration of vulnerability detection device]
Next, the configuration of the vulnerability discovering device 10 according to the embodiment will be specifically described with reference to Fig. 3. Fig. 3 is a diagram illustrating an example of the configuration of the vulnerability discovering device according to the embodiment.
 図3に示すように、脆弱性発見装置10は、入力部11、制御部12、記憶部13及び出力部14を有する。そして、脆弱性発見装置10は、テストスクリプト、スクリプトエンジンバイナリ及び解析対象スクリプトの入力を受け付ける。 As shown in FIG. 3, the vulnerability discovery device 10 has an input unit 11, a control unit 12, a storage unit 13, and an output unit 14. The vulnerability discovery device 10 accepts inputs of a test script, a script engine binary, and a script to be analyzed.
 入力部11は、キーボードやマウス等の入力デバイスで構成され、外部からの情報の入力を受け付け、制御部12に入力する。また、入力部11は、有線接続、或いは、ネットワーク等を介して接続された他の装置との間で、各種情報を送受信する通信インタフェースを有し、他の装置から送信された情報の入力を受け付ける。入力部11は、テストスクリプト、スクリプトエンジンバイナリ及び解析対象スクリプトの入力を受け付け、制御部12に出力する。 The input unit 11 is composed of input devices such as a keyboard and a mouse, and accepts information input from the outside and inputs it to the control unit 12. The input unit 11 also has a communication interface for sending and receiving various information to and from other devices connected via a wired connection or a network, etc., and accepts input of information sent from other devices. The input unit 11 accepts input of test scripts, script engine binaries, and scripts to be analyzed, and outputs them to the control unit 12.
 テストスクリプトは、スクリプトエンジンを動的解析して実行トレース及びVM実行トレースを取得する際に、入力されるスクリプトである。なお、テストスクリプトの詳細は後述する。スクリプトエンジンバイナリは、スクリプトエンジンを構成する実行可能ファイルである。スクリプトエンジンバイナリは、複数の実行可能ファイルによって構成される場合がある。解析対象スクリプトは、解析対象のスクリプトである。 The test script is a script that is input when dynamically analyzing the script engine to obtain an execution trace and a VM execution trace. Details of the test script are described later. The script engine binary is an executable file that constitutes the script engine. The script engine binary may be composed of multiple executable files. The analysis target script is the script to be analyzed.
 制御部12は、各種の処理手順などを規定したプログラム及び所要データを格納するための内部メモリを有し、これらによって種々の処理を実行する。例えば、制御部12は、CPU(Central Processing Unit)やMPU(Micro Processing Unit)などの電子回路である。制御部12は、仮想機械解析部121(第1の解析部)、命令セットアーキテクチャ解析部122(第2の解析部)、算出部123及び脆弱性発見部124を有する。 The control unit 12 has an internal memory for storing programs that define various processing procedures and the necessary data, and executes various processes using these. For example, the control unit 12 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The control unit 12 has a virtual machine analysis unit 121 (first analysis unit), an instruction set architecture analysis unit 122 (second analysis unit), a calculation unit 123, and a vulnerability discovery unit 124.
 仮想機械解析部121は、スクリプトエンジンのVMを解析する。仮想機械解析部121は、実行時の条件を変えて複数の実行トレースを取得し、差分実行解析を用いて複数の実行トレースを解析し、VPC及び条件分岐フラグを取得する。また、仮想機械解析部121は、スクリプトエンジンバイナリを解析して、VM命令の境界及びディスパッチャを取得する。仮想機械解析部121は、VM実行トレースから、コードキャッシュを検出する。コードキャッシュには、実行されるVM命令が保存される。 The virtual machine analysis unit 121 analyzes the VM of the script engine. The virtual machine analysis unit 121 obtains multiple execution traces by changing the conditions at run time, analyzes the multiple execution traces using differential execution analysis, and obtains VPCs and conditional branch flags. The virtual machine analysis unit 121 also analyzes the script engine binary to obtain VM instruction boundaries and dispatchers. The virtual machine analysis unit 121 detects a code cache from the VM execution trace. The VM instructions to be executed are stored in the code cache.
 仮想機械解析部121は、実行トレース取得部1211(第1の取得部)、VM命令境界検出部1212(第1の検出部)、仮想プログラムカウンタ検出部1213(第2の検出部)、ディスパッチャ検出部1214(第3の検出部)、条件分岐フラグ検出部1215(第4の検出部)及びコードキャッシュ検出部1216を有する。 The virtual machine analysis unit 121 has an execution trace acquisition unit 1211 (first acquisition unit), a VM instruction boundary detection unit 1212 (first detection unit), a virtual program counter detection unit 1213 (second detection unit), a dispatcher detection unit 1214 (third detection unit), a conditional branch flag detection unit 1215 (fourth detection unit), and a code cache detection unit 1216.
 実行トレース取得部1211は、テストスクリプト及びスクリプトエンジンバイナリを入力として受け付ける。実行トレース取得部1211は、スクリプトエンジンバイナリの実行を監視しながら、テストスクリプトを実行することで、実行トレースを取得する。 The execution trace acquisition unit 1211 accepts the test script and the script engine binary as input. The execution trace acquisition unit 1211 acquires an execution trace by executing the test script while monitoring the execution of the script engine binary.
 実行トレースは、ブランチトレースとメモリアクセストレースとによって構成される。ブランチトレースは、実行の際の分岐命令の種類と、分岐元アドレスと分岐先アドレスを記録する。メモリアクセストレースは、メモリ操作の種類と、操作対象のメモリアドレスを記録する。ブランチトレース及びメモリアクセストレースは、命令フックによって取得可能であることが知られている。実行トレース取得部1211が取得した実行トレースは、実行トレースDB131に格納される。 An execution trace consists of a branch trace and a memory access trace. A branch trace records the type of branch instruction at the time of execution, the branch source address, and the branch destination address. A memory access trace records the type of memory operation and the memory address of the operation target. It is known that branch traces and memory access traces can be acquired by instruction hooks. The execution trace acquired by the execution trace acquisition unit 1211 is stored in the execution trace DB 131.
 VM命令境界検出部1212は、実行トレースをクラスタリングして、各VM命令の境界を検出する。VM命令境界検出部1212は、実行トレースをクラスタリングして、実行回数が閾値以上のクラスタをVM命令として検出する。クラスタリングでは、複数回実行される連続したコード領域を検出する。これには、例えば、実行された命令間のコード上の距離が近いものをまとめてもよいし、実行されたコードブロックの共通部分列を探してもよいし、他の方法によってもよい。脆弱性発見装置10は、検出したVM命令を構成する連続した命令列の開始点と終了点とを境界として検出する。ここで検出したVM命令の境界は、VPC検出、ディスパッチャ検出において用いられる。 The VM instruction boundary detection unit 1212 clusters the execution traces to detect the boundaries of each VM instruction. The VM instruction boundary detection unit 1212 clusters the execution traces to detect clusters with a threshold or more of execution counts as VM instructions. In clustering, consecutive code regions that are executed multiple times are detected. For example, executed instructions that are close in distance to each other in the code may be grouped together, common subsequences of executed code blocks may be searched for, or other methods may be used. The vulnerability discovery device 10 detects the start and end points of consecutive instruction sequences that make up the detected VM instruction as boundaries. The VM instruction boundaries detected here are used in VPC detection and dispatcher detection.
 仮想プログラムカウンタ検出部1213は、実行トレースDB131に格納された第1のテストスクリプトに対する実行トレースを取り出して解析し、VPCを検出する。仮想プログラムカウンタ検出部1213は、メモリの読み込み回数に着目した差分実行解析とVM命令境界検出部1212によって検出された各VM命令の境界とを用いて複数の実行トレースを解析し、VPCを検出する。仮想プログラムカウンタ検出部1213は、各VM命令の実行後には、必ずVPCを保持するメモリへの読み込みが発生することを利用し、この読み込み先を発見することで、VPCを検出する。 The virtual program counter detection unit 1213 extracts and analyzes the execution trace for the first test script stored in the execution trace DB 131 to detect the VPC. The virtual program counter detection unit 1213 analyzes multiple execution traces using differential execution analysis focusing on the number of memory reads and the boundaries of each VM instruction detected by the VM instruction boundary detection unit 1212 to detect the VPC. The virtual program counter detection unit 1213 makes use of the fact that a read into the memory that holds the VPC always occurs after the execution of each VM instruction, and detects the VPC by discovering the destination of this read.
 このため、仮想プログラムカウンタ検出部1213は、VPCの検出として、メモリの読み込み回数に着目した差分実行解析を用いる。仮想プログラムカウンタ検出部1213は、テストスクリプトを用いて取得された複数のテストスクリプトの実行トレースを比較し、メモリ読み込み回数が、繰り返される回数及び繰り返される文の数との双方の増減に比例して変化するメモリを発見する。そして、仮想プログラムカウンタ検出部1213は、VM命令境界検出部1212によって検出された各VM命令の境界を参照して、読み込んだメモリの値が常にVM命令の開始点を指しているものに絞り込む。仮想プログラムカウンタ検出部1213は、このメモリをVPCとして検出する。 For this reason, the virtual program counter detection unit 1213 uses differential execution analysis that focuses on the number of memory reads to detect VPCs. The virtual program counter detection unit 1213 compares execution traces of multiple test scripts acquired using the test scripts, and finds memories whose memory read counts change in proportion to both the increase or decrease in the number of repetitions and the number of repeated statements. The virtual program counter detection unit 1213 then refers to the boundaries of each VM instruction detected by the VM instruction boundary detection unit 1212, and narrows down the memory values that have been read to those that always point to the start point of the VM instruction. The virtual program counter detection unit 1213 detects this memory as a VPC.
 ディスパッチャ検出部1214は、VM命令境界検出部1212が検出したVM命令の境界を基に、スクリプトエンジンバイナリから各VM命令部分を切り出し、各VM命令間で類似度が高い部分をディスパッチャとして検出する。前提として、ディスパッチャは、ポインタキャッシュの参照と次のVM命令ハンドラのポインタへのジャンプで実現される。ディスパッチャは、各々のVM命令ハンドラの後部に分散的に配置されており、一般にそれらのコードの同一性は高い。こうしたVM命令ハンドラの後部に存在し、同一性の高いコードを探すことで、脆弱性発見装置10は、所定の方法でディスパッチャを検出する。類似度の高い部分の検出には、たとえば系列アライメントアルゴリズムを用いてもよく、その他の方法によってもよい。 The dispatcher detection unit 1214 extracts each VM instruction portion from the script engine binary based on the boundaries of the VM instructions detected by the VM instruction boundary detection unit 1212, and detects the portions with high similarity between each VM instruction as dispatchers. As a premise, the dispatcher is realized by referencing the pointer cache and jumping to the pointer of the next VM instruction handler. Dispatchers are placed in a distributed manner at the rear of each VM instruction handler, and the code therein is generally highly identical. The vulnerability discovery device 10 detects dispatchers using a predetermined method by searching for code with high similarity that exists at the rear of such VM instruction handlers. To detect the portions with high similarity, for example, a series alignment algorithm may be used, or other methods may be used.
 条件分岐フラグ検出部1215は、実行トレースDB131に格納された第2のテストスクリプトに対する実行トレースを取り出して解析し、条件分岐フラグを発見する。条件分岐フラグ検出部1215は、メモリの読み込み回数に着目した差分実行解析を用いて、複数の実行トレースを解析し、条件分岐フラグを検出する。条件分岐フラグ検出部1215は、様々なパターンで条件分岐を実行し、その際のメモリの変化のパターンをテストスクリプト上の条件分岐のパターンと照らし合わせることで、条件分岐フラグを格納するメモリを検出する。 The conditional branch flag detection unit 1215 extracts and analyzes the execution trace for the second test script stored in the execution trace DB 131 to discover the conditional branch flag. The conditional branch flag detection unit 1215 analyzes multiple execution traces using differential execution analysis that focuses on the number of times memory is read, and detects the conditional branch flag. The conditional branch flag detection unit 1215 executes conditional branches in various patterns, and detects the memory that stores the conditional branch flag by comparing the pattern of memory changes at that time with the conditional branch pattern in the test script.
 コードキャッシュ検出部1216は、実行トレース、VPC及びVM実行トレースを基に、VM実行トレースから、実行されるVM命令が保存されるキャッシュであるコードキャッシュを検出する。 The code cache detection unit 1216 detects the code cache, which is a cache in which the VM instructions to be executed are stored, from the VM execution trace based on the execution trace, VPC, and VM execution trace.
 コードキャッシュ検出部1216は、VPCが指すメモリ領域をコードキャッシュとしてVM実行トレースから検出する。コードキャッシュ検出部1216は、このコードキャッシュを確保したメモリ割り当て関数の呼び出し元のコード箇所を、実行トレースから検出する。コードキャッシュ検出部1216は、VM実行トレースのうち、このコード箇所で確保された全てのメモリ領域をコードキャッシュとして検出する。 The code cache detection unit 1216 detects the memory area pointed to by the VPC as a code cache from the VM execution trace. The code cache detection unit 1216 detects the code location from which the memory allocation function that allocated this code cache was called from the execution trace. The code cache detection unit 1216 detects all memory areas allocated at this code location from the VM execution trace as code caches.
 コードキャッシュ検出部1216は、コードキャッシュに書き込みをしているコード箇所を実行トレースから検出する。コードキャッシュ検出部1216は、VM実行トレースのうち、このコード箇所による書き込みをコードキャッシュの更新として検出する。 The code cache detection unit 1216 detects code locations that are writing to the code cache from the execution trace. The code cache detection unit 1216 detects writing by these code locations in the VM execution trace as updates to the code cache.
 命令セットアーキテクチャ解析部122は、VMの命令の体系である命令セットアーキテクチャを解析する。命令セットアーキテクチャ解析部122は、VM命令を収集する。収集したVM命令の命令内容を判定する。 The instruction set architecture analysis unit 122 analyzes the instruction set architecture, which is the system of VM instructions. The instruction set architecture analysis unit 122 collects VM instructions. It determines the instruction content of the collected VM instructions.
 命令セットアーキテクチャ解析部122は、VM実行トレース取得部1221(第2の取得部)、VM命令収集部1222(第1の収集部)及びVM命令判定部1223(第1の判定部)を有する。 The instruction set architecture analysis unit 122 has a VM execution trace acquisition unit 1221 (second acquisition unit), a VM instruction collection unit 1222 (first collection unit), and a VM instruction determination unit 1223 (first determination unit).
 VM実行トレース取得部1221は、実行トレース取得部1211と同じく、テストスクリプト及びスクリプトエンジンバイナリを入力として受け付ける。VM実行トレース取得部1221は、VPCの監視と、ディスパッチャがディスパッチするVM命令ハンドラのポインタの監視により、VM実行トレースを取得する。VM実行トレース取得部1221は、スクリプトエンジンバイナリの実行を監視しながら、テストスクリプトを実行することで、VM上で実行された実行トレースであるVM実行トレースを取得する。VM実行トレース取得部1221は、分岐VM命令の検出において、多数のテストスクリプトを実行して、VM実行トレースを取得する。VM実行トレース取得部1221は、VM命令へのポインタとVM命令とを紐づけ、各々に識別子としてVMオペコードを仮想的に割り振る。 Like execution trace acquisition unit 1211, VM execution trace acquisition unit 1221 accepts test scripts and script engine binaries as input. VM execution trace acquisition unit 1221 acquires VM execution traces by monitoring VPCs and pointers to VM instruction handlers dispatched by the dispatcher. VM execution trace acquisition unit 1221 acquires VM execution traces, which are execution traces executed on a VM, by executing test scripts while monitoring the execution of script engine binaries. When detecting branch VM instructions, VM execution trace acquisition unit 1221 executes multiple test scripts to acquire VM execution traces. VM execution trace acquisition unit 1221 links pointers to VM instructions with VM instructions, and virtually assigns VM opcodes as identifiers to each.
 VM実行トレースは、VMにおいて実行された実行トレースであって、識別子としてVMオペコードが仮想的に割り振られ、実行されたVMハンドラのポインタとVPCとを記録したものである。VM実行トレースは、実行されたVM命令ハンドラのポインタと、VPCを記録したものである。具体的には、VM実行トレースは、実行されたVM命令ごとのVPCとVMオペコードで構成される。VPCの記録は、仮想プログラムカウンタ検出部1213で検出されたVPCのメモリを監視することで実現できる。VMオペコードは、VM命令へのポインタとVM命令とを紐づけた各々に仮想的に割り振られた識別子である。VM実行トレース取得部1221が取得したVM実行トレースは、VM実行トレースDB133に格納される。 A VM execution trace is an execution trace executed in a VM, to which a VM opcode is virtually assigned as an identifier, and which records a pointer to the executed VM handler and a VPC. A VM execution trace records a pointer to an executed VM instruction handler and a VPC. Specifically, a VM execution trace is composed of a VPC and a VM opcode for each executed VM instruction. The VPC can be recorded by monitoring the memory of the VPC detected by the virtual program counter detection unit 1213. A VM opcode is an identifier virtually assigned to each of the pointer to the VM instruction and the VM instruction that are linked together. The VM execution trace acquired by the VM execution trace acquisition unit 1221 is stored in the VM execution trace DB 133.
 VM命令収集部1222は、VPC及びディスパッチャを入力として受け付け、VPC及びディスパッチャを監視しながらスクリプトを実行しVM実行トレースを取得する。VM命令収集部1222は、VM実行トレースからVM命令を収集する。 The VM command collection unit 1222 receives the VPC and dispatcher as input, executes the script while monitoring the VPC and dispatcher, and obtains the VM execution trace. The VM command collection unit 1222 collects VM commands from the VM execution trace.
 VM命令判定部1223は、VM命令収集部1222が収集したVM命令の命令内容を判定する。VM命令判定部1223は、VM実行トレースのVMオペコードごとのVPCの変化量のばらつきによって、分岐VM命令を検出する。 The VM instruction determination unit 1223 determines the instruction content of the VM instructions collected by the VM instruction collection unit 1222. The VM instruction determination unit 1223 detects branch VM instructions based on the variation in the amount of change in VPC for each VM opcode in the VM execution trace.
 VM命令判定部1223は、VM実行トレースDB133に格納されたVM実行トレースを取り出して解析し、分岐VM命令を判定する。VM命令判定部1223は、識別子として割り振られたVMオペコードごとに、その実行の前後でのVPCの変化量を収集する。VMオペコードが分岐VM命令以外のものの場合、VPCの変化量は、ほぼ一定である。一方、VMオペコードが分岐VM命令のものの場合、VPCは分岐先によってばらつきが生じる。 The VM instruction determination unit 1223 retrieves and analyzes the VM execution traces stored in the VM execution trace DB 133 to determine whether the VM instruction is a branch VM instruction. For each VM opcode assigned as an identifier, the VM instruction determination unit 1223 collects the amount of change in VPC before and after its execution. If the VM opcode is other than a branch VM instruction, the amount of change in VPC is almost constant. On the other hand, if the VM opcode is a branch VM instruction, the VPC varies depending on the branch destination.
 そこで、VM命令判定部1223は、VM実行トレースのVMオペコードごとの仮想プログラムカウンタの変化量のばらつきによって、分岐VM命令を判定する。VM命令判定部1223は、分岐VM命令とそれ以外のVM命令とではVPCの値のばらつきの大きさが異なることに着目し、閾値を決めて、よりVPCの値のばらつきの大きいものを分岐VM命令として判定する。具体的には、VM命令判定部1223は、VMオペコードごとVPCの変化量のばらつきを分散で評価し、分散が一定の閾値以上のものを、分岐VM命令として判定する。 The VM instruction determination unit 1223 therefore determines whether an instruction is a branch VM instruction based on the variance in the amount of change in the virtual program counter for each VM opcode in the VM execution trace. The VM instruction determination unit 1223 focuses on the fact that the amount of variance in the VPC value differs between branch VM instructions and other VM instructions, determines a threshold value, and determines instructions with greater variance in the VPC value as branch VM instructions. Specifically, the VM instruction determination unit 1223 evaluates the variance in the amount of change in the VPC for each VM opcode using variance, and determines instructions with variance equal to or greater than a certain threshold as branch VM instructions.
 また、VM命令判定部1223は、精緻な制御フローグラフの構築のために、分岐VM命令のうち、条件分岐VM命令であるものを判定する。条件分岐の際には、分岐先を決定するために、必ず条件分岐フラグへのアクセスが発生する。そのため、各分岐VM命令の実行の際に、条件分岐フラグにアクセスしているかを検証することで、条件分岐VM命令を判定できる。言い換えると、分岐VM命令の実行の際に、条件分岐フラグにアクセスしていれば条件分岐VM命令であり、アクセスしていなければ、条件分岐VM命令ではないと判定できる。そこで、VM命令判定部1223は、VM実行トレースとメモリアクセストレースに基づいて、分岐VM命令のうち、条件分岐フラグへのアクセスを伴うものを、条件分岐VM命令と判定する。 In addition, in order to construct an accurate control flow graph, the VM instruction determination unit 1223 determines which of the branch VM instructions are conditional branch VM instructions. When a conditional branch occurs, access to a conditional branch flag is always generated to determine the branch destination. Therefore, a conditional branch VM instruction can be determined by verifying whether the conditional branch flag is accessed when each branch VM instruction is executed. In other words, if the conditional branch flag is accessed when a branch VM instruction is executed, it can be determined that it is a conditional branch VM instruction, and if it is not accessed, it is not a conditional branch VM instruction. Therefore, the VM instruction determination unit 1223 determines that, among the branch VM instructions, those that involve access to a conditional branch flag are conditional branch VM instructions based on the VM execution trace and memory access trace.
 さらに、VM命令判定部1223は、コール及びリターンのVM命令も判定する。コールVM命令による分岐では、呼び出し元のバイトコード上での直後のアドレスが保存され、呼び出されたサブルーチンの実行後には、リターンVM命令によって、その保存されたアドレスに戻ってくる特徴がある。そこで、VM命令判定部1223は、ある分岐VM命令を命令1とし、以後の他の分岐VM命令を命令2として、命令2によって命令1のバイトコード上での直後のアドレスに戻る場合に、命令1と命令2の組を、コール及びリターンのVM命令と判定する。 Furthermore, the VM instruction determination unit 1223 also determines call and return VM instructions. A branch caused by a call VM instruction is characterized in that the address immediately following the caller's bytecode is saved, and after the called subroutine is executed, the return VM instruction returns to that saved address. Thus, when a certain branch VM instruction is designated as instruction 1, and another subsequent branch VM instruction is designated as instruction 2, and instruction 2 returns to the address immediately following instruction 1's bytecode, the VM instruction determination unit 1223 determines that the pair of instructions 1 and 2 are call and return VM instructions.
 算出部123は、仮想機械解析部121及び命令セットアーキテクチャ解析部122によって取得されたアーキテクチャ情報を基に、マルチパス実行で網羅的に実行された全体の経路を示す第1の制御フローグラフを構築する。算出部123は、マルチパス実行部1231(第1の実行部)、VMブランチトレース構築部1232(第1の構築部)及び制御フローグラフ構築部1233(第2の構築部)を有する。 The calculation unit 123 constructs a first control flow graph that indicates the entire path comprehensively executed by multi-pass execution, based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122. The calculation unit 123 has a multi-pass execution unit 1231 (first execution unit), a VM branch trace construction unit 1232 (first construction unit), and a control flow graph construction unit 1233 (second construction unit).
 マルチパス実行部1231は、仮想機械解析部121及び命令セットアーキテクチャ解析部122によって取得されたアーキテクチャ情報を基に、VM実行トレースを取得しながら解析対象スクリプトをマルチパス実行する。マルチパス実行部1231は、VPC及びVM命令を監視し、VM実行トレースを取得しながら解析対象スクリプトを実行する。マルチパス実行部1231は、条件分岐命令のたびに実行状態をフォークし、一方はそのまま、もう一方は条件分岐フラグを書き換えることで、複数の実行経路を網羅的に実行することでマルチパス実行を行う。 The multi-path execution unit 1231 performs multi-path execution of the script to be analyzed while acquiring a VM execution trace based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122. The multi-path execution unit 1231 monitors the VPC and VM instructions, and executes the script to be analyzed while acquiring a VM execution trace. The multi-path execution unit 1231 forks the execution state for each conditional branch instruction, leaving one as is and rewriting the conditional branch flag for the other, thereby performing multi-path execution by comprehensively executing multiple execution paths.
 VMブランチトレース構築部1232は、実行されたVM命令のオペコードと、VPCとを記録したVM実行トレース41から分岐VM命令を検出し、検出した分岐VM命令の実行前後のVPCを対応付けたVMブランチトレースを構築する。 The VM branch trace construction unit 1232 detects branch VM instructions from the VM execution trace 41, which records the opcodes and VPCs of executed VM instructions, and constructs a VM branch trace that associates the VPCs before and after the execution of the detected branch VM instructions.
 VMブランチトレース構築部1232は、マルチパス実行部1231によって取得されたVM実行トレースから、実際に実行された分岐VM命令を検出し、検出した分岐VM命令の実行前後のVPCを対応付けた第1のVMブランチトレースを構築する。 The VM branch trace construction unit 1232 detects the branch VM instruction that was actually executed from the VM execution trace acquired by the multi-path execution unit 1231, and constructs a first VM branch trace that associates the VPC before and after the execution of the detected branch VM instruction.
 制御フローグラフ構築部1233は、VMブランチトレースを用いて、基本ブロックをノードとし、分岐VM命令の実行による分岐をエッジとした制御フローグラフを構築する。制御フローグラフ構築部1233は、第1のVMブランチトレースを基に、第1の制御フローグラフを構築する。第1の制御フローグラフは、マルチパス実行において実際に実行された情報に基づいて、構築されるため、全ての経路が示された完全な制御フローグラフである。なお、制御フローグラフ構築部1233は、検出されたコードキャッシュを走査して、実際には実行されなかった分岐命令も考慮しながら、グラフを構築してもよい。 The control flow graph construction unit 1233 uses the VM branch trace to construct a control flow graph in which basic blocks are nodes and branches resulting from execution of branch VM instructions are edges. The control flow graph construction unit 1233 constructs a first control flow graph based on the first VM branch trace. The first control flow graph is constructed based on information that was actually executed in multi-path execution, and is therefore a complete control flow graph in which all paths are shown. The control flow graph construction unit 1233 may also construct the graph by scanning the detected code cache and taking into account branch instructions that were not actually executed.
 脆弱性発見部124は、仮想機械解析部121及び命令セットアーキテクチャ解析部122によって取得されたアーキテクチャ情報を基に、テストとして実行された経路を示す第2の制御フローグラフを構築する。脆弱性発見部124は、第1の制御フローグラフと第2の制御フローグラフとを基に、コードカバレッジを算出する。コードカバレッジは、全体の経路に対する、テストとして実行された経路の割合である。脆弱性発見部124は、コードカバレッジの算出結果を基に、コードカバレッジがより増加するような入力値を選択的に選んで変異させて、VM上で実行されている解析対象スクリプトに対するファジングを実行する。 The vulnerability discovery unit 124 constructs a second control flow graph indicating paths executed as tests based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122. The vulnerability discovery unit 124 calculates code coverage based on the first control flow graph and the second control flow graph. Code coverage is the ratio of paths executed as tests to all paths. Based on the calculation result of code coverage, the vulnerability discovery unit 124 selectively chooses and mutates input values that will increase code coverage, and performs fuzzing on the analysis target script executed on the VM.
 脆弱性発見部124は、変異部1241、ファジング実行部1242(第2の実行部)、VMブランチトレース構築部1243(第3の構築部)、制御フローグラフ構築部1244(第4の構築部)及びコードカバレッジ算出部1245(第1の算出部)を有する。 The vulnerability detection unit 124 has a mutation unit 1241, a fuzzing execution unit 1242 (second execution unit), a VM branch trace construction unit 1243 (third construction unit), a control flow graph construction unit 1244 (fourth construction unit), and a code coverage calculation unit 1245 (first calculation unit).
 変異部1241は、シード入力値を受け付け、入力値を変異させる。入力値は、解析対象スクリプトへ入力する値である。コードカバレッジが所定値よりも増加した場合、脆弱性発見部124は、変異させた入力値を選択して、入力値の辞書に追加する。変異部1241は、変異後の入力値が追加された辞書を基に、入力値を変異させる。 The mutation unit 1241 accepts a seed input value and mutates the input value. The input value is a value to be input to the script to be analyzed. If the code coverage increases above a predetermined value, the vulnerability discovery unit 124 selects the mutated input value and adds it to a dictionary of input values. The mutation unit 1241 mutates the input value based on the dictionary to which the mutated input value has been added.
 ファジング実行部1242は、仮想機械解析部121及び命令セットアーキテクチャ解析部122によって取得されたアーキテクチャ情報を基に、テスト対象の実行を実行する。ファジング実行部1242は、変異部1241が変異させた入力値を解析対象スクリプトに入力して、VM実行トレースを取得しながらテストを実行する。ファジング実行部1242は、この実行中に実行されたVM命令を記録し、VM実行トレースを取得する。 The fuzzing execution unit 1242 executes the test target based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122. The fuzzing execution unit 1242 inputs the input value mutated by the mutation unit 1241 to the analysis target script and executes the test while acquiring a VM execution trace. The fuzzing execution unit 1242 records the VM instructions executed during this execution and acquires the VM execution trace.
 VMブランチトレース構築部1243は、ファジング実行部1242によって取得されたVM実行トレースから、実際にテストとして実行された分岐VM命令を検出し、検出した分岐VM命令の実行前後のVPCを対応付けた第2のVMブランチトレースを構築する。 The VM branch trace construction unit 1243 detects the branch VM instruction that was actually executed as a test from the VM execution trace acquired by the fuzzing execution unit 1242, and constructs a second VM branch trace that associates the VPC before and after the execution of the detected branch VM instruction.
 制御フローグラフ構築部1244は、第2のVMブランチトレースを基に、基本ブロックをノードとし、分岐VM命令の実行による分岐をエッジとした第2の制御フローグラフを構築する。 The control flow graph construction unit 1244 constructs a second control flow graph based on the second VM branch trace, in which basic blocks are nodes and branches resulting from execution of branch VM instructions are edges.
 コードカバレッジ算出部1245は、第1の制御フローグラフと第2の制御フローグラフとを基に、コードカバレッジを算出する。コードカバレッジ算出部1245は、コードカバレッジとして、第1の制御フローグラフのノード数及びエッジ数に対する第2の制御フローグラフのノード数及び/またはエッジ数の割合を算出する。 The code coverage calculation unit 1245 calculates code coverage based on the first control flow graph and the second control flow graph. The code coverage calculation unit 1245 calculates, as code coverage, the ratio of the number of nodes and/or edges of the second control flow graph to the number of nodes and edges of the first control flow graph.
 記憶部13は、RAM(Random Access Memory)、フラッシュメモリ(Flash Memory)等の半導体メモリ素子、または、ハードディスク、光ディスク等の記憶装置によって実現され、脆弱性発見装置10を動作させる処理プログラムや、処理プログラムの実行中に使用されるデータなどが記憶される。記憶部13は、実行トレースデータベース(DB)131、VM実行トレースDB133、及び、仮想機械解析部121及び命令セットアーキテクチャ解析部122によって取得されたアーキテクチャ情報を記憶するアーキテクチャ情報DB132を有する。 The storage unit 13 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and stores the processing program that operates the vulnerability detection device 10 and data used during execution of the processing program. The storage unit 13 has an execution trace database (DB) 131, a VM execution trace DB 133, and an architecture information DB 132 that stores architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122.
 実行トレースDB131及びVM実行トレースDB133は、それぞれ実行トレース取得部1211及びVM実行トレース取得部1221によって取得された実行トレース及びVM実行トレースを格納する。実行トレースDB131及びVM実行トレースDB133は、脆弱性発見装置10によって管理される。もちろん、実行トレースDB131及びVM実行トレースDB133は、他の装置(サーバ等)によって管理されていてもよく、この場合には、実行トレース取得部1211及びVM実行トレース取得部1221は、出力部14の通信インタフェースを介して、取得した実行トレース及びVM実行トレースを、実行トレースDB131及びVM実行トレースDB133の管理サーバ等に出力して、実行トレースDB131及びVM実行トレースDB133に記憶させる。 The execution trace DB 131 and the VM execution trace DB 133 store the execution traces and VM execution traces acquired by the execution trace acquisition unit 1211 and the VM execution trace acquisition unit 1221, respectively. The execution trace DB 131 and the VM execution trace DB 133 are managed by the vulnerability discovery device 10. Of course, the execution trace DB 131 and the VM execution trace DB 133 may be managed by other devices (servers, etc.), in which case the execution trace acquisition units 1211 and 1221 output the acquired execution traces and VM execution traces to management servers, etc., of the execution trace DB 131 and the VM execution trace DB 133 via the communication interface of the output unit 14, and store them in the execution trace DB 131 and the VM execution trace DB 133.
 出力部14は、例えば、液晶ディスプレイやプリンタ等であって、脆弱性発見装置10に関する情報を含む各種情報を出力する。また、出力部14は、外部装置との間で、各種データの入出力を司るインタフェースであってもよく、外部装置に各種情報を出力してもよい。 The output unit 14 is, for example, an LCD display or a printer, and outputs various information including information related to the vulnerability detection device 10. The output unit 14 may also be an interface that handles the input and output of various data between an external device, and may output various information to an external device.
[テストスクリプトの構成]
 テストスクリプトについて説明する。テストスクリプトは、スクリプトエンジンを動的解析する際に入力されるスクリプトである。このテストスクリプトは、分岐命令の実行やメモリ読み書きの回数に着目し、異なる回数のテストスクリプトを実行したときに生じるスクリプトエンジンの挙動の差分を捉えるために用いられる。このテストスクリプトは、解析の事前に準備するものであり、手動で作成するものである。この作成には、対象のスクリプト言語の仕様に関する知識が必要となる。 [Test script configuration]
Let us now explain the test script. A test script is a script that is input when dynamically analyzing a script engine. This test script focuses on the number of branch instruction executions and memory reads and writes, and is used to capture the difference in the behavior of the script engine that occurs when the test script is executed a different number of times. This test script is prepared in advance of the analysis and is created manually. Creating it requires knowledge of the specifications of the target script language.
 図4は、VPCの検出に用いるテストスクリプト(第1のテストスクリプト)の一例を示す図である。第1のテストスクリプトでは、繰り返し処理を用いる(2行目)。第1のテストスクリプトでは、テストスクリプト内の繰り返し回数(2行目)や繰り返される文の数(3行目から5行目)を増減させることで、実行時の条件を変更し、差分を発生させる。 Figure 4 shows an example of a test script (first test script) used to detect VPCs. The first test script uses a repetitive process (line 2). The first test script changes the execution conditions and generates differences by increasing or decreasing the number of repetitions (line 2) and the number of repeated statements (lines 3 to 5) in the test script.
 図5は、分岐VM命令検出に用いるテストスクリプト(第2のテストスクリプト)の一例を示す図である。第2のテストスクリプトでは、複数回の条件分岐を用いる(4行目から8行目)。第2のテストスクリプトにおいて、この複数回の条件分岐では、特定の順序のパターンで分岐がなされたり、なされなかったりするように、分岐条件を制御する(1行目、5行目)。第2のテストスクリプトでは、条件分岐の回数や、分岐の成否の順序パターンを変更し、差分を発生させる。 FIG. 5 is a diagram showing an example of a test script (second test script) used to detect branch VM instructions. The second test script uses multiple conditional branches (lines 4 to 8). In the second test script, the branch conditions are controlled so that the multiple conditional branches are either taken or not taken in a specific order pattern (lines 1 and 5). In the second test script, the number of conditional branches and the order pattern of branch success or failure are changed to generate differences.
[実行トレースの構成]
 次に、実行トレースについて説明する。図6は、実行トレースの一例を示す図である。実行トレースは、前述の通り、ブランチトレースとメモリアクセストレースによって構成されている。図6は、実行トレースの一部を切り出したものである。以降、図6を用いて実行トレースの構成を示す。 Execution Trace Configuration
Next, the execution trace will be described. Fig. 6 is a diagram showing an example of an execution trace. As described above, an execution trace is composed of a branch trace and a memory access trace. Fig. 6 shows an excerpt of an execution trace. The structure of an execution trace will be described below with reference to Fig. 6.
 実行トレースは、traceという要素を有する。traceには、そのログ行がブランチトレースか、メモリアクセストレースかが示される。 An execution trace has an element called trace. Trace indicates whether the log line is a branch trace or a memory access trace.
 ブランチトレースのログ行は、例えば、図6の1行目から10行目に記載の書式になっており、type、src、dstの三つの要素からなる。typeは、実行された分岐命令がcall命令によるものか、jmp命令によるものか、ret命令によるものかを示す。また、srcは、分岐元のアドレスを示し、dstは、分岐先のアドレスを示す。 A branch trace log line has the format shown, for example, in lines 1 to 10 of Figure 6, and consists of three elements: type, src, and dst. type indicates whether the executed branch instruction was a call instruction, a jmp instruction, or a ret instruction. src indicates the address of the branch source, and dst indicates the address of the branch destination.
 メモリアクセストレースのログ行は、たとえば、図6の11行目から13行目に記載の書式になっており、type、target、valueの三つの要素からなる。typeは、メモリアクセスが読み込みか書き込みかを示す。targetは、メモリアクセスの対象となるメモリアドレスを示す。また、valueには、メモリアクセスの結果の値が格納される。 A log line of a memory access trace has the format shown, for example, in lines 11 to 13 of Figure 6, and consists of three elements: type, target, and value. Type indicates whether the memory access is a read or write. Target indicates the memory address that is the target of the memory access. Value stores the result of the memory access.
[VM実行トレースの構成]
 次に、VM実行トレースについて説明する。図7は、VM実行トレースの一例を示す図である。VM実行トレースは、前述の通り、VMオペコードとVPCとを記録したものである。図7は、VM実行トレースの一部を切り出したものである。以降、図7を用いてVM実行トレースの構成を示す。 [VM Execution Trace Configuration]
Next, a VM execution trace will be described. Fig. 7 is a diagram showing an example of a VM execution trace. As described above, a VM execution trace is a record of a VM opcode and a VPC. Fig. 7 shows a part of a VM execution trace. The configuration of a VM execution trace will be described below with reference to Fig. 7.
 VM実行トレースのログ行は、たとえば、図7に記載の書式になっており、vpc及びvmop(vm opcode)の二つの要素からなる。vpcは、VPCの値を示す。また、vmopは、ポインタキャッシュから取得された、実行されるVM命令ハンドラの先頭を指すポインタごとに仮想的に割り振られたVMオペコードの値を示す。 A log line of a VM execution trace is, for example, in the format shown in Figure 7, and consists of two elements: vpc and vmop (vm opcode). vpc indicates the value of the VPC. Also, vmop indicates the value of the VM opcode that is virtually assigned to each pointer that points to the beginning of the VM instruction handler to be executed, obtained from the pointer cache.
[VM命令境界検出部の処理]
 次に、VM命令境界検出部1212の処理について説明する。図8は、VM命令境界検出部1212の処理を説明する図である。 [Processing of VM instruction boundary detection unit]
Next, a description will be given of the processing of the VM instruction boundary detection unit 1212. FIG.
 VM命令境界検出部1212は、各VM命令の境界を検出する。この時、VM命令境界検出部1212は、インタプリタループを持たないためにVM命令の境界の把握が難しいスレッデッドコード型VMのために、VM命令とその境界の検出を行う。具体的には、VM命令境界検出部1212は、実行トレースDB131から実行トレースを取り出す。そして、図8に示すように、VM命令境界検出部1212は、実行トレースを、所定の方法でクラスタリングして、実行回数が閾値以上のクラスタをVM命令(例えば、VM命令ハンドラ1~3)として検出する。VM命令境界検出部1212は、VM命令を構成する連続した命令列の開始点と終了点とを境界として検出する。 The VM instruction boundary detection unit 1212 detects the boundaries of each VM instruction. At this time, the VM instruction boundary detection unit 1212 detects VM instructions and their boundaries for threaded code type VMs, which do not have an interpreter loop and therefore make it difficult to grasp the boundaries of VM instructions. Specifically, the VM instruction boundary detection unit 1212 extracts execution traces from the execution trace DB 131. Then, as shown in FIG. 8, the VM instruction boundary detection unit 1212 clusters the execution traces using a predetermined method, and detects clusters with a threshold or more of execution counts as VM instructions (e.g., VM instruction handlers 1 to 3). The VM instruction boundary detection unit 1212 detects the start and end points of the consecutive instruction strings that make up a VM instruction as boundaries.
[仮想プログラムカウンタ検出部の処理]
 次に、仮想プログラムカウンタ検出部1213の処理について説明する。仮想プログラムカウンタ検出部1213は、VPC、ポインタキャッシュの検出を行う。仮想プログラムカウンタの検出は、取得した実行トレースのメモリアクセストレースのログを解析することで実現される。仮想プログラムカウンタ検出部1213は、メモリの読み込み回数に着目した差分実行解析を用いる。図9は、仮想プログラムカウンタ検出部1213の処理を説明する図である。 [Processing of Virtual Program Counter Detection Unit]
Next, the processing of the virtual program counter detection unit 1213 will be described. The virtual program counter detection unit 1213 detects the VPC and the pointer cache. The detection of the virtual program counter is realized by analyzing the log of the memory access trace of the acquired execution trace. The virtual program counter detection unit 1213 uses differential execution analysis focusing on the number of times memory is read. FIG. 9 is a diagram for explaining the processing of the virtual program counter detection unit 1213.
 仮想プログラムカウンタ検出部1213は、実行トレースDB131から第1のテストスクリプトによる実行トレースを一つ取り出す。VPCの読み込みの回数は、テストスクリプト内の繰り返し回数及び、繰り返し処理の中の文の数に比例する。繰り返しの回数をN、繰り返される文の数をMとしたとき、概ねMN程度のVPCの読み込みが発生する。このため、仮想プログラムカウンタ検出部1213は、N及びMをそれぞれ2Nと2M、3Nと3Mと増やした第1のテストスクリプトに対する実行トレースにおいて、4MN、9MNという増え方をしたメモリを抽出する。具体的には、図9に示すように、仮想プログラムカウンタ検出部1213は、1VM命令実行毎にRead/Writeがあり、単調増加するメモリ領域を抽出する(図9の(1))。 The virtual program counter detection unit 1213 extracts one execution trace by the first test script from the execution trace DB 131. The number of times the VPC is read is proportional to the number of repetitions in the test script and the number of statements in the repetitive process. If the number of repetitions is N and the number of repeated statements is M, then approximately MN VPC reads will occur. For this reason, the virtual program counter detection unit 1213 extracts memory that has increased by 4MN and 9MN in the execution trace for the first test script in which N and M have been increased to 2N and 2M, respectively, and 3N and 3M. Specifically, as shown in FIG. 9, the virtual program counter detection unit 1213 extracts memory areas that have a monotonically increasing read/write for each VM instruction execution ((1) in FIG. 9).
 そして、仮想プログラムカウンタ検出部1213は、読み込んだメモリの値が常にVM命令の開始点を指しているものを、VPCとして検出する。具体的には、仮想プログラムカウンタ検出部1213は、VPCの指し先とVM命令ハンドラのアドレスとを照合して、一致するメモリ領域に絞り込む(図9の(2))。 Then, the virtual program counter detection unit 1213 detects as a VPC a memory value that has been read and that always points to the start point of a VM instruction. Specifically, the virtual program counter detection unit 1213 compares the VPC's pointing destination with the address of the VM instruction handler, and narrows it down to matching memory areas ((2) in FIG. 9).
[ディスパッチャ検出部の処理]
 次に、ディスパッチャ検出部1214の処理について説明する。ディスパッチャ検出部1214は、スクリプトエンジンのバイナリを所定の手法で解析することで、ディスパッチャを検出する。図10は、ディスパッチャ検出部1214の処理を説明する図である。 [Dispatcher Detection Processing]
Next, a description will be given of the process of the dispatcher detection unit 1214. The dispatcher detection unit 1214 detects a dispatcher by analyzing the binary of the script engine using a predetermined method. FIG. 10 is a diagram for explaining the process of the dispatcher detection unit 1214.
 ディスパッチャ検出部1214は、ディスパッチャの検出を行う。ディスパッチャ検出部1214は、VM命令境界検出部1212が検出したVM命令の境界を基に、スクリプトエンジンバイナリから各VM命令部分を切り出す。そして、ディスパッチャ検出部1214は、ディスパッチャのコードの類似性は高いとした仮定の基(図10の(1))、各VM命令間でコード間の類似度を算出し、全VM命令間で類似度が高い部分を、ディスパッチャとして検出する。ディスパッチャ検出部1214は、VM命令の後半部で共通的に実行されるコードを、ディスパッチャとして検出できる(図10の(1))。 The dispatcher detection unit 1214 detects dispatchers. Based on the boundaries of VM instructions detected by the VM instruction boundary detection unit 1212, the dispatcher detection unit 1214 extracts each VM instruction portion from the script engine binary. Then, based on the assumption that the similarity of dispatcher code is high ((1) in FIG. 10), the dispatcher detection unit 1214 calculates the similarity between the codes of each VM instruction and detects the portion with high similarity between all VM instructions as a dispatcher. The dispatcher detection unit 1214 can detect the code that is commonly executed in the latter half of the VM instructions as a dispatcher ((1) in FIG. 10).
[コードキャッシュ検出部]
 次に、コードキャッシュ検出部1216の処理について説明する。図11は、コードキャッシュ検出部1216の処理を説明する図である。 [Code cache detection part]
Next, a description will be given of the processing of the code cache detection unit 1216. FIG.
 コードキャッシュ検出部1216は、VPCが指すメモリ領域をコードキャッシュとしてVM実行トレースから検出する(図11の(1))。 The code cache detection unit 1216 detects the memory area pointed to by the VPC as a code cache from the VM execution trace ((1) in FIG. 11).
 コードキャッシュ検出部1216は、このコードキャッシュを確保したメモリ割り当て関数の呼び出し元のコード箇所を、実行トレースから検出する(図11の(2))。コードキャッシュ検出部1216は、VM実行トレースのうち、このコード箇所で確保された全てのメモリ領域をコードキャッシュとして検出する(図11の(3))。 The code cache detection unit 1216 detects the code location that called the memory allocation function that allocated this code cache from the execution trace ((2) in FIG. 11). The code cache detection unit 1216 detects all memory areas allocated at this code location from the VM execution trace as code caches ((3) in FIG. 11).
 コードキャッシュ検出部1216は、コードキャッシュに書き込みをしているコード箇所を実行トレースから検出する(図11の(4))。コードキャッシュ検出部1216は、VM実行トレースのうち、このコード箇所による書き込みをコードキャッシュの更新として検出する(図11(5))。 The code cache detection unit 1216 detects the code location that is writing to the code cache from the execution trace ((4) in FIG. 11). The code cache detection unit 1216 detects the writing by this code location in the VM execution trace as an update to the code cache ((5) in FIG. 11).
[VM命令判定部]
 次に、VM命令判定部1223の処理について説明する。VM命令判定部1223は、取得したVM実行トレースのログを解析することで分岐VM命令を判定する。ここでのテストスクリプトは、分岐VM命令が含まれていればよいため、分岐の制御構文を含むスクリプトでありさえすればどのようなものでもよい。例えば、インターネット上から収集したり、公式ドキュメントから取得したりしてテストスクリプトを準備する。 [VM command determination unit]
Next, the process of the VM instruction determination unit 1223 will be described. The VM instruction determination unit 1223 determines a branch VM instruction by analyzing the acquired VM execution trace log. The test script here may be any script that includes a branch VM instruction and that includes a branch control syntax. For example, the test script is prepared by collecting information from the Internet or obtaining information from official documents.
 まず、VM命令判定部1223は、VM実行トレースDB133の各VM実行トレースに対し、VM命令へのポインタとVM命令とを紐づけ、各々に識別子として、VMオペコードを仮想的に割り振る。図12は、VM命令判定部1223の処理を説明する図である。 First, the VM instruction determination unit 1223 associates a pointer to a VM instruction with a VM instruction for each VM execution trace in the VM execution trace DB 133, and virtually assigns a VM opcode as an identifier to each of them. Figure 12 is a diagram explaining the processing of the VM instruction determination unit 1223.
 ここで、あるVM命令が分岐命令のとき、VPCの進みは、分岐先に依存して変化する。一方、分岐命令以外のときは、VPCの進みは、VM命令のサイズに依存して変化する。このため、VM命令のオペコードとVM命令へのポインタとの組を収集し、オペコードごとにVPCの進みを見たとき、分岐命令であれば分岐先によってVPCの進みにばらつきがみられる。 Here, if a VM instruction is a branch instruction, the advance of the VPC changes depending on the branch destination. On the other hand, if it is not a branch instruction, the advance of the VPC changes depending on the size of the VM instruction. For this reason, when pairs of VM instruction opcodes and pointers to VM instructions are collected and the advance of the VPC is examined for each opcode, if it is a branch instruction, the advance of the VPC will vary depending on the branch destination.
 したがって、VM命令判定部1223は、このVM命令へのポインタのばらつきを評価するため、分散を用いる。VM命令判定部1223は、VMオペコード毎にVPCの変化量の分散を算出し、算出した分散が閾値よりも大きいVMオペコードのみに絞り込む。これによって、VM命令判定部1223は、ポインタとVM命令を対応付けつつ、VPCの進みにばらつきのあるVM命令(図12の例では、VM命令ハンドラ3)を、分岐VM命令として判定する(図12の(1))。 Therefore, the VM instruction determination unit 1223 uses variance to evaluate the variance of the pointer to this VM instruction. The VM instruction determination unit 1223 calculates the variance of the amount of change in the VPC for each VM opcode, and narrows it down to only VM opcodes whose calculated variance is greater than a threshold value. In this way, the VM instruction determination unit 1223 associates the pointer with the VM instruction, and determines that a VM instruction with variance in the advance of the VPC (VM instruction handler 3 in the example of FIG. 12) is a branch VM instruction ((1) in FIG. 12).
 あるオペコードに対するVPCの進みの集合OをO={o,o,・・・,o}(VPCoの平均は(1)式を参照)とし、tを閾値としたとき、分岐命令か否かは、分散s((2)式を参照)を基に、(3)式のように判定される。これによって、VM命令判定部1223は、分岐VM命令を判定する。 When the set O of VPC advances for a certain opcode is O={ o0 , o1 , ..., oN } (see equation (1) for the average of VPCo) and t is a threshold, whether or not an instruction is a branch instruction is determined based on the variance s (see equation (2)) as shown in equation (3). In this way, the VM instruction determination unit 1223 determines whether an instruction is a branch VM instruction.
Figure JPOXMLDOC01-appb-M000001
Figure JPOXMLDOC01-appb-M000001
Figure JPOXMLDOC01-appb-M000002
Figure JPOXMLDOC01-appb-M000002
Figure JPOXMLDOC01-appb-M000003
Figure JPOXMLDOC01-appb-M000003
 なお、分岐以外のVM命令では、ばらつきがほとんど見られず、分岐VM命令とそれ以外のVM命令との境界は明確であることが多い。このため、閾値として、例えば、得られた分散の値を数直線上にプロットして、できた二つの群を分割可能な値が設定される。 In addition, for VM instructions other than branches, there is almost no variation, and the boundary between branch VM instructions and other VM instructions is often clear. For this reason, the threshold value is set to a value that can divide the two groups that result by plotting the obtained variance value on a number line, for example.
[VMブランチトレース構築部の処理]
 次に、VMブランチトレース構築部1232,1243の処理を説明する。図13は、VMブランチトレース構築部の処理を説明する図である。 [Processing of VM branch trace construction unit]
Next, a description will be given of the processing of the VM branch trace construction units 1232 and 1243. Fig. 13 is a diagram for explaining the processing of the VM branch trace construction units.
 VMブランチトレース構築部1232,1243は、図13に示すように、実行されたVM命令のオペコードと、VPCを記録したVM実行トレース41から分岐VM命令を検出する(図13の(1))。分岐VM命令は、VM命令判定部1223によって検出された分岐VM命令リスト42を参照することで認識することができる。 As shown in FIG. 13, the VM branch trace construction units 1232 and 1243 detect a branch VM instruction from the VM execution trace 41 that records the opcode of the executed VM instruction and the VPC ((1) in FIG. 13). The branch VM instruction can be recognized by referring to the branch VM instruction list 42 detected by the VM instruction determination unit 1223.
 そして、VMブランチトレース構築部1232,1243は、検出した分岐VM命令の実行前後のVPCを対応付けたVMブランチトレース43を構築する(図13の(2))。VMブランチトレース構築部1232,1243は、例えば、VM実行トレースの行R41から分岐VM命令「0x1f」を検出し、行R41及び行R42の次の行R42を基に、行R61に示すVMブランチトレースを構築する。すなわち、VMブランチトレース構築部1232,1243は、行R41の分岐元のVPC「0x555c7e48」と、行R42の分岐元のVPC「0x555c82a0」とを対応付ける。 Then, the VM branch trace construction units 1232, 1243 construct a VM branch trace 43 that associates the VPCs before and after the execution of the detected branch VM instruction ((2) in FIG. 13). For example, the VM branch trace construction units 1232, 1243 detect the branch VM instruction "0x1f" from line R41 of the VM execution trace, and construct the VM branch trace shown in line R61 based on line R41 and line R42, which is the line that follows line R42. That is, the VM branch trace construction units 1232, 1243 associate the branch source VPC "0x555c7e48" of line R41 with the branch source VPC "0x555c82a0" of line R42.
 同様に、VMブランチトレース構築部1232,1243は、M実行トレースの行R51から分岐VM命令「0x21」を検出すると、この行R51及び次の行R52を基に、行R51のVPC「0x555c832c」と、行R52のVPC「0x555c7514」とを対応付ける(行R71)。 Similarly, when the VM branch trace construction units 1232, 1243 detect the branch VM instruction "0x21" from line R51 of the M execution trace, they associate the VPC "0x555c832c" of line R51 with the VPC "0x555c7514" of line R52 based on this line R51 and the next line R52 (line R71).
[制御フローグラフ構築部の処理]
 図14は、制御フローグラフ構築部1233,1244の処理を説明する図である。制御フローグラフ構築部1233,1244は、VMブランチトレース構築処理において構築したVMブランチトレース43を用いて、基本ブロックをノードとし、VMブランチトレース43の各分岐をエッジとした制御フローグラフを構築する(図14の(1))。 [Processing of control flow graph construction part]
14 is a diagram illustrating the processing of the control flow graph construction units 1233, 1244. The control flow graph construction units 1233, 1244 use the VM branch trace 43 constructed in the VM branch trace construction process to construct a control flow graph in which basic blocks are nodes and each branch of the VM branch trace 43 is an edge ((1) in FIG. 14).
 具体的には、制御フローグラフ構築部1233,1244は、VMブランチトレース43の行R61に示す分岐をエッジE61とし、エッジE61の分岐元の基本ブロックをノードN61とし、エッジE61の分岐先の基本ブロックをノードN62とする。 Specifically, the control flow graph construction units 1233 and 1244 designate the branch shown in row R61 of the VM branch trace 43 as edge E61, the basic block from which edge E61 branches as node N61, and the basic block to which edge E61 branches as node N62.
 そして、VMブランチトレース43の行R71に示す分岐をエッジE71とし、エッジ71の分岐元の小本ブロックをノードN71とし、エッジE71の分岐先の基本ブロックをノードN72とする。なお、図14の制御フローグラフの例では、ノードN71には、エッジE71のほかにエッジE72に示す分岐があり、この分岐先の基本ブロックはノードN73で示されている。このように、制御フローグラフ構築部1233,1244は、VMブランチトレースを基に、基本ブロックの分岐をグラフ構造で表現した制御フローグラフを構築する。 Then, the branch shown in row R71 of VM branch trace 43 is edge E71, the subblock from which edge 71 branches is node N71, and the basic block to which edge E71 branches is node N72. In the example of the control flow graph in FIG. 14, in addition to edge E71, node N71 has a branch shown in edge E72, and the basic block to which this branch is directed is indicated by node N73. In this way, the control flow graph construction units 1233 and 1244 construct a control flow graph that expresses the branching of basic blocks in a graph structure based on the VM branch trace.
[脆弱性発見装置の処理手順]
 次に、脆弱性発見装置10による脆弱性発見処理の処理手順について説明する。図15及び図16は、実施の形態に係る脆弱性発見処理の処理手順を示すフローチャートである。 [Processing procedure of vulnerability detection device]
Next, there will be described the procedure of vulnerability discovering processing by the vulnerability discovering device 10. Fig. 15 and Fig. 16 are flowcharts showing the procedure of vulnerability discovering processing according to the embodiment.
 まず、入力部11は、テストスクリプト及びスクリプトエンジンバイナリを入力として受け取る(ステップS1)。 First, the input unit 11 receives a test script and a script engine binary as input (step S1).
 そして、実行トレース取得部1211は、スクリプトエンジンのバイナリを監視しながらテストスクリプトを実行してブランチトレースとメモリアクセストレースを取得する実行トレース取得処理を行う(ステップS2)。 Then, the execution trace acquisition unit 1211 performs an execution trace acquisition process in which the test script is executed while monitoring the binary of the script engine to acquire branch traces and memory access traces (step S2).
 VM命令境界検出部1212は、VM命令を検出し、VM命令の境界を検出するVM命令境界検出処理を行う(ステップS3)。仮想プログラムカウンタ検出部1213は、実行トレースDB131に格納された第1のテストスクリプトに対する実行トレースを取り出して解析し、VPCを発見する仮想プログラムカウンタ検出処理を行う(ステップS4)。 The VM instruction boundary detection unit 1212 detects VM instructions and performs VM instruction boundary detection processing to detect VM instruction boundaries (step S3). The virtual program counter detection unit 1213 extracts and analyzes the execution trace for the first test script stored in the execution trace DB 131, and performs virtual program counter detection processing to discover the VPC (step S4).
 ディスパッチャ検出部1214は、スクリプトエンジンバイナリから各VM命令部分を切り出し、各VM命令間で類似度が高い部分をディスパッチャとして検出するディスパッチャ検出処理を行う(ステップS5)。 The dispatcher detection unit 1214 performs dispatcher detection processing to extract each VM command portion from the script engine binary and detect the portion with high similarity between each VM command as a dispatcher (step S5).
 条件分岐フラグ検出部1215は、実行トレースDB131に格納された第2のテストスクリプトに対する実行トレースを取り出して解析し、条件分岐フラグを発見する条件分岐検出処理を行う(ステップS6)。 The conditional branch flag detection unit 1215 performs a conditional branch detection process to extract and analyze the execution trace for the second test script stored in the execution trace DB 131 and discover the conditional branch flag (step S6).
 コードキャッシュ検出部1216は、実行トレース及びVPCを基に、メモリ割り当て関数の呼び出し元のコード箇所の領域をコードキャッシュとして検出し、コード箇所の領域に書き込みをしている領域をコードキャッシュの更新として検出するコードキャッシュ検出処理を行う(ステップS7)。 The code cache detection unit 1216 performs a code cache detection process based on the execution trace and VPC to detect the area of the code location from which the memory allocation function was called as a code cache, and to detect the area in which writing is being done to the code location area as an update to the code cache (step S7).
 VM実行トレース取得部1221は、テストスクリプト及びスクリプトエンジンバイナリを入力として受け付け、スクリプトエンジンバイナリの実行を監視しながら、テストスクリプトを実行することで、VM実行トレースを取得するVM実行トレース取得処理を行う(ステップS8)。 The VM execution trace acquisition unit 1221 receives the test script and the script engine binary as input, and executes the test script while monitoring the execution of the script engine binary, thereby performing a VM execution trace acquisition process to acquire a VM execution trace (step S8).
 VM命令収集部1222は、VM実行トレースからVM命令を取得するVM命令収集処理を行う(ステップS9)。VM命令判定部1223は、収集したVM命令の命令内容を判定するVM命令判定処理を行う(ステップS10)。 The VM instruction collection unit 1222 performs a VM instruction collection process to acquire VM instructions from the VM execution trace (step S9). The VM instruction determination unit 1223 performs a VM instruction determination process to determine the instruction content of the collected VM instructions (step S10).
 入力部11は、解析対象スクリプトの入力を受け付ける(ステップS11)。マルチパス実行部1231は、仮想機械解析部121及び命令セットアーキテクチャ解析部122によって取得されたアーキテクチャ情報を基に、VM実行トレースを取得しながら解析対象スクリプトをマルチパス実行する(ステップS12)。 The input unit 11 accepts input of a script to be analyzed (step S11). The multi-pass execution unit 1231 executes the script to be analyzed in multiple passes while acquiring a VM execution trace, based on the architecture information acquired by the virtual machine analysis unit 121 and the instruction set architecture analysis unit 122 (step S12).
 VMブランチトレース構築部1232は、VM実行トレースから分岐VM命令を検出し、検出した分岐VM命令の実行前後のVPCを対応付けたVMブランチトレースを構築するVMブランチトレース構築処理を実行する(ステップS13)。VMブランチトレース構築部1232は、ステップS13では、マルチパス実行部1231によるマルチパス実行に基づく第1のVMブランチトレースを構築する。 The VM branch trace construction unit 1232 detects a branch VM instruction from the VM execution trace, and executes a VM branch trace construction process to construct a VM branch trace that associates VPCs before and after the execution of the detected branch VM instruction (step S13). In step S13, the VM branch trace construction unit 1232 constructs a first VM branch trace based on the multi-path execution by the multi-path execution unit 1231.
 制御フローグラフ構築部1233は、VMブランチトレースを用いて制御フローグラフを構築する制御フローグラフ構築処理を行う(ステップS14)。制御フローグラフ構築部1233は、ステップS14では、第1のVMブランチトレースを基に、第1の制御フローグラフを構築する。 The control flow graph construction unit 1233 performs a control flow graph construction process to construct a control flow graph using the VM branch trace (step S14). In step S14, the control flow graph construction unit 1233 constructs a first control flow graph based on the first VM branch trace.
 脆弱性発見部124は、シード入力値の入力を受け付け(ステップS15)、入力値の辞書を作成する(ステップS16)。 The vulnerability discovery unit 124 accepts the input of a seed input value (step S15) and creates a dictionary of input values (step S16).
 変異部1241は、解析対象スクリプトへ入力する入力値を変異させる変異処理を行う(ステップS17)。ファジング実行部1242は、変異部1241が変異させた入力値を解析対象スクリプトへ入力して、VM実行トレースを取得しながらテストを実行する実行処理を行う(ステップS18)。 The mutation unit 1241 performs a mutation process to mutate the input value to be input to the analysis target script (step S17). The fuzzing execution unit 1242 inputs the input value mutated by the mutation unit 1241 to the analysis target script and performs an execution process to execute a test while acquiring a VM execution trace (step S18).
 脆弱性発見部124は、クラッシュなどの問題が発生したか否かを判定する(ステップS19)。クラッシュなどの問題が発生した場合(ステップS19:Yes)、問題が発生した入力値を出力する(ステップS25)。 The vulnerability discovery unit 124 determines whether a problem such as a crash has occurred (step S19). If a problem such as a crash has occurred (step S19: Yes), the vulnerability discovery unit 124 outputs the input value that caused the problem (step S25).
 クラッシュなどの問題が発生していない場合(ステップS19:No)、VMブランチトレース構築部1243は、ファジング実行部1242によって取得されたVM実行トレースに対し、ステップS13と同様の処理を行うことで、第2のVMブランチトレースを構築するVMブランチトレース構築処理を実行する(ステップS20)。 If no problem such as a crash has occurred (step S19: No), the VM branch trace construction unit 1243 performs a VM branch trace construction process to construct a second VM branch trace by performing the same process as in step S13 on the VM execution trace acquired by the fuzzing execution unit 1242 (step S20).
 制御フローグラフ構築部1244は、第2のVMブランチトレースに対し、ステップS14と同様の処理を行うことで、第2の制御フローグラフを構築する制御フローグラフ構築処理を行う(ステップS21)。 The control flow graph construction unit 1244 performs a control flow graph construction process to construct a second control flow graph by performing the same process as step S14 on the second VM branch trace (step S21).
 コードカバレッジ算出部1245は、第1の制御フローグラフと第2の制御フローグラフとを基に、コードカバレッジを算出するコードカバレッジ算出処理を行う(ステップS22)。 The code coverage calculation unit 1245 performs a code coverage calculation process to calculate the code coverage based on the first control flow graph and the second control flow graph (step S22).
 脆弱性発見部124は、ステップS22において算出されたコードカバレッジが所定値よりも増加したか否かを判定する(ステップS23)。所定値は、予め設定されてもよいし、脆弱性発見装置10の処理履歴に応じて動的に設定されてもよい。 The vulnerability discovery unit 124 determines whether the code coverage calculated in step S22 has increased beyond a predetermined value (step S23). The predetermined value may be set in advance or may be set dynamically according to the processing history of the vulnerability discovery device 10.
 コードカバレッジが所定値よりも増加した場合(ステップS23:Yes)、脆弱性発見部124は、変異させた入力値を選択して、入力値の辞書に追加し(ステップS24)、ステップS17に戻る。そして、脆弱性発見部124は、変異後の入力値が追加された辞書を基に、変異部1241に入力値の変異を実行させる。コードカバレッジが所定値よりも増加していない場合(ステップS23:No)、脆弱性発見部124は、ステップS17に戻る。 If the code coverage has increased above the predetermined value (step S23: Yes), the vulnerability discovery unit 124 selects the mutated input value and adds it to the dictionary of input values (step S24), and returns to step S17. Then, the vulnerability discovery unit 124 causes the mutation unit 1241 to mutate the input value based on the dictionary to which the mutated input value has been added. If the code coverage has not increased above the predetermined value (step S23: No), the vulnerability discovery unit 124 returns to step S17.
[実行トレース取得処理の処理手順]
 次に、図15に示す実行トレース取得処理の流れについて説明する。図17は、図15に示す実行トレース取得処理の処理手順を示すフローチャートである。 [Processing procedure for execution trace acquisition processing]
Next, a flow of the execution trace acquisition process shown in Fig. 15 will be described below. Fig. 17 is a flowchart showing the processing procedure of the execution trace acquisition process shown in Fig. 15.
 まず、実行トレース取得部1211は、テストスクリプト及びスクリプトエンジンバイナリを入力として受け取る(ステップS31)。そして、実行トレース取得部1211は、受け取ったスクリプトエンジンに対して、ブランチトレースを取得するためのフックを施す(ステップS32)。また、実行トレース取得部1211は、受け取ったスクリプトエンジンに対して、メモリアクセストレースを取得するためのフックも施す(ステップS33)。 First, the execution trace acquisition unit 1211 receives a test script and a script engine binary as input (step S31). Then, the execution trace acquisition unit 1211 hooks the received script engine to acquire a branch trace (step S32). The execution trace acquisition unit 1211 also hooks the received script engine to acquire a memory access trace (step S33).
 そして、実行トレース取得部1211は、その状態で受け取ったテストスクリプトをスクリプトエンジンに入力して実行させ(ステップS34)、それによって取得される実行トレースを実行トレースDB131に格納する(ステップS35)。 Then, the execution trace acquisition unit 1211 inputs the test script received in this state into the script engine for execution (step S34), and stores the execution trace acquired thereby in the execution trace DB 131 (step S35).
 実行トレース取得部1211は、入力されたテストスクリプトを全て実行し終えているか否かを判定する(ステップS36)。実行トレース取得部1211は、入力されたテストスクリプトを全て実行し終えている場合(ステップS36:Yes)、処理を終了する。これに対し、実行トレース取得部1211は、入力されたテストスクリプトを全て実行していない場合(ステップS36:No)、ステップS34のテストスクリプトの実行に戻って処理を続ける。 The execution trace acquisition unit 1211 determines whether or not all of the input test scripts have been executed (step S36). If all of the input test scripts have been executed (step S36: Yes), the execution trace acquisition unit 1211 ends the process. On the other hand, if all of the input test scripts have not been executed (step S36: No), the execution trace acquisition unit 1211 returns to the execution of the test scripts in step S34 and continues the process.
[VM命令境界検出処理の処理手順]
 次に、図15に示すVM命令境界検出処理の流れについて説明する。図18は、図15に示すVM命令境界検出処理の処理手順を示すフローチャートである。 [Procedure of VM instruction boundary detection process]
Next, a description will be given of the flow of the VM instruction boundary detection process shown in Fig. 15. Fig. 18 is a flowchart showing the processing procedure of the VM instruction boundary detection process shown in Fig. 15.
 まず、VM命令境界検出部1212は、実行トレースDB131から実行トレースを取り出す(ステップS41)。VM命令境界検出部1212は、実行トレースを所定の方法でクラスタリングする(ステップS42)。クラスタリングは、いずれの手法を用いてもよい。 First, the VM instruction boundary detection unit 1212 extracts execution traces from the execution trace DB 131 (step S41). The VM instruction boundary detection unit 1212 clusters the execution traces using a predetermined method (step S42). Any method may be used for clustering.
 VM命令境界検出部1212は、実行回数が閾値以上のクラスタをVM命令として検出する(ステップS43)。そして、VM命令境界検出部1212は、VM命令を構成する連続した命令列の開始点と終了点とを境界とする(ステップS44)。VM命令境界検出部1212は、VM命令の境界を返り値として出力して(ステップS45)、VM命令境界検出処理を終了する。 The VM instruction boundary detection unit 1212 detects clusters whose execution count is equal to or exceeds a threshold as VM instructions (step S43). The VM instruction boundary detection unit 1212 then determines the start and end points of the continuous instruction sequence that constitutes the VM instruction as boundaries (step S44). The VM instruction boundary detection unit 1212 outputs the VM instruction boundary as a return value (step S45), and ends the VM instruction boundary detection process.
[仮想プログラムカウンタ検出処理の処理手順]
 次に、図15に示す仮想プログラムカウンタ検出処理の流れについて説明する。図19は、図15に示す仮想プログラムカウンタ検出処理の処理手順を示すフローチャートである。 [Procedure for Virtual Program Counter Detection Processing]
Next, a description will be given of the flow of the virtual program counter detection process shown in Fig. 15. Fig. 19 is a flowchart showing the processing procedure of the virtual program counter detection process shown in Fig. 15.
 まず、仮想プログラムカウンタ検出部1213は、実行トレースDB131から第1のテストスクリプトによる実行トレースを一つ取り出す(ステップS51)。続いて、仮想プログラムカウンタ検出部1213は、実行トレースのうちのメモリアクセストレースに着目し、メモリ読み込み先ごとに読み込み回数を数え上げる(ステップS52)。 First, the virtual program counter detection unit 1213 extracts one execution trace by the first test script from the execution trace DB 131 (step S51). Next, the virtual program counter detection unit 1213 focuses on memory access traces among the execution traces, and counts up the number of reads for each memory read destination (step S52).
 仮想プログラムカウンタ検出部1213は、実行トレースの取得に用いた第1のテストスクリプトを入力として受け取り(ステップS53)、その第1のテストスクリプトを解析して繰り返しの回数と繰り返される文の数とを取得する(ステップS54)。 The virtual program counter detection unit 1213 receives as input the first test script used to obtain the execution trace (step S53), and analyzes the first test script to obtain the number of repetitions and the number of repeated statements (step S54).
 続いて、仮想プログラムカウンタ検出部1213は、実行トレースDB131から、繰り返し回数や繰り返される文の数の異なる第1のテストスクリプトによる実行トレースを、さらに一つ取り出す(ステップS55)。そして、仮想プログラムカウンタ検出部1213は、メモリアクセストレースに着目し、メモリ読み込み先ごとに読み込み回数を数え上げる(ステップS56)。また、仮想プログラムカウンタ検出部1213は、実行トレースの取得に用いた第1のテストスクリプトを入力として受け取り(ステップS57)、テストスクリプトを解析して、繰り返しの回数と繰り返される文の数とを取得する(ステップS58)。 Then, the virtual program counter detection unit 1213 extracts from the execution trace DB 131 another execution trace by the first test script, which has a different number of repetitions and number of repeated statements (step S55). Then, the virtual program counter detection unit 1213 focuses on the memory access trace and counts the number of reads for each memory read destination (step S56). The virtual program counter detection unit 1213 also receives as input the first test script used to obtain the execution trace (step S57), analyzes the test script, and obtains the number of repetitions and the number of repeated statements (step S58).
 ここで、仮想プログラムカウンタ検出部1213は、繰り返し回数や繰り返される文の増減に比例して読み込み回数が変化するメモリ読み込み先のみに絞り込む(ステップS59)。さらに、仮想プログラムカウンタ検出部1213は、ステップS59において絞り込んだメモリ読み込み先を、読み込んだメモリの値が常にVM命令の開始点を指しているものに絞り込む(ステップS60)。 Here, the virtual program counter detection unit 1213 narrows down the memory read destinations to only those whose read counts change in proportion to the number of repetitions or the increase or decrease in the number of repeated statements (step S59). Furthermore, the virtual program counter detection unit 1213 narrows down the memory read destinations narrowed down in step S59 to those whose read memory values always point to the start point of the VM instruction (step S60).
 そして、仮想プログラムカウンタ検出部1213は、メモリ読み込み先を一つのみに絞り込めたか否かを判定する(ステップS61)。仮想プログラムカウンタ検出部1213は、メモリ読み込み先を一つのみに絞り込めていない場合(ステップS61:No)、ステップS55に戻り、次の実行トレースを一つ取り出して処理を継続する。一方、仮想プログラムカウンタ検出部1213は、メモリ読み込み先を一つのみに絞り込めた場合(ステップS61:Yes)、絞り込まれたメモリ読み込み先を仮想プログラムカウンタとしてアーキテクチャ情報DB132に格納して(ステップS62)、処理を終了する。 Then, the virtual program counter detection unit 1213 determines whether the memory read destinations have been narrowed down to only one (step S61). If the virtual program counter detection unit 1213 has not narrowed down the memory read destinations to only one (step S61: No), the process returns to step S55, where the virtual program counter detection unit 1213 retrieves the next execution trace and continues processing. On the other hand, if the virtual program counter detection unit 1213 has narrowed down the memory read destinations to only one (step S61: Yes), the virtual program counter detection unit 1213 stores the narrowed down memory read destination as a virtual program counter in the architecture information DB 132 (step S62), and ends processing.
[ディスパッチャ検出処理の処理手順]
 次に、図15に示すディスパッチャ検出処理の流れについて説明する。図20は、図15に示すディスパッチャ検出処理の処理手順を示すフローチャートである。 [Processing procedure for dispatcher detection processing]
Next, a description will be given of the flow of the dispatcher detection process shown in Fig. 15. Fig. 20 is a flowchart showing the processing procedure of the dispatcher detection process shown in Fig. 15.
 まず、ディスパッチャ検出部1214は、スクリプトエンジンバイナリを入力として受け取る(ステップS71)。ディスパッチャ検出部1214は、VM命令境界検出部1212から、VM命令の境界を受け取る(ステップS72)。 First, the dispatcher detection unit 1214 receives the script engine binary as input (step S71). The dispatcher detection unit 1214 receives the boundaries of VM commands from the VM command boundary detection unit 1212 (step S72).
 ディスパッチャ検出部1214は、VM命令境界検出部1212から受け取ったVM命令の境界を基に、スクリプトエンジンバイナリから各VM命令部分を切り出す(ステップS73)。ディスパッチャ検出部1214は、各VM命令間でコード間の類似度を所定の方法で算出する(ステップS74)。類似度の算出手法は、コード間の類似度を算出できる手法であれば、どの手法でもよい。 The dispatcher detection unit 1214 extracts each VM instruction portion from the script engine binary based on the boundaries of the VM instructions received from the VM instruction boundary detection unit 1212 (step S73). The dispatcher detection unit 1214 calculates the similarity between the codes of each VM instruction using a predetermined method (step S74). Any method may be used to calculate the similarity, as long as it is capable of calculating the similarity between codes.
 ディスパッチャ検出部1214は、ステップS74において算出した類似度を基に、全VM命令間で類似度が高い部分を取り出す(ステップS75)。そして、ディスパッチャ検出部1214は、VM命令の終端部分であるかを判定する(ステップS76)。 The dispatcher detection unit 1214 extracts the part with high similarity among all VM commands based on the similarity calculated in step S74 (step S75). The dispatcher detection unit 1214 then determines whether it is the end part of the VM command (step S76).
 VM命令の終端部分でない場合(ステップS76:No)、ディスパッチャ検出部1214は、ステップS75に戻り処理を続ける。また、VM命令の終端部分である場合(ステップS76:Yes)、ディスパッチャ検出部1214は、取り出した部分をディスパッチャとして出力して(ステップS77)、処理を終了する。 If it is not the end of the VM command (step S76: No), the dispatcher detection unit 1214 returns to step S75 and continues processing. If it is the end of the VM command (step S76: Yes), the dispatcher detection unit 1214 outputs the extracted part as a dispatcher (step S77) and ends processing.
[条件分岐フラグ検出処理の処理手順]
 次に、図15に示す条件分岐フラグ検出処理の流れについて説明する。図21は、図15に示す条件分岐フラグ検出処理の処理手順を示すフローチャートである。 [Conditional Branch Flag Detection Processing Procedure]
Next, a description will be given of the flow of the conditional branch flag detection process shown in Fig. 15. Fig. 21 is a flowchart showing the processing procedure of the conditional branch flag detection process shown in Fig. 15.
 まず、条件分岐フラグ検出部1215は、実行トレースDB131から第2のテストスクリプトによる実行トレースを一つ取り出す(ステップS81)。そして、条件分岐フラグ検出部1215は、メモリアクセストレースに着目し、メモリ読み込み先ごとに読み込み回数を数え上げる(ステップS82)。 First, the conditional branch flag detection unit 1215 extracts one execution trace by the second test script from the execution trace DB 131 (step S81). Then, the conditional branch flag detection unit 1215 focuses on the memory access trace and counts the number of reads for each memory read destination (step S82).
 また、条件分岐フラグ検出部1215は、実行トレースの取得に用いた第2のテストスクリプトを、入力として受け取り(ステップS83)、この第2のテストスクリプトを解析して、条件分岐の回数とTrue/Falseの順序パターンを取得する(ステップS84)。そして、条件分岐フラグ検出部1215は、条件分岐の回数に比例して読み込み回数が変化するメモリ読み込み先のみに絞り込む(ステップS85)。さらに、条件分岐フラグ検出部1215は、読み込んだメモリの値がTrue/Falseの順序パターンに合わせて二つの値を行き来しているメモリ読み込み先のみに絞り込む(ステップS86)。 The conditional branch flag detection unit 1215 also receives as input the second test script used to obtain the execution trace (step S83), analyzes this second test script, and obtains the number of conditional branches and the True/False order pattern (step S84). The conditional branch flag detection unit 1215 then narrows down the memory read destinations to only those whose read count changes in proportion to the number of conditional branches (step S85). Furthermore, the conditional branch flag detection unit 1215 narrows down the memory read destinations to only those whose read memory value alternates between two values in accordance with the True/False order pattern (step S86).
 条件分岐フラグ検出部1215は、メモリ読み込み先を一つのみに絞り込めたか否かを判定する(ステップS87)。条件分岐フラグ検出部1215は、メモリ読み込み先を一つのみに絞り込めていない場合(ステップS87:No)、ステップS81に戻り、次の実行トレースを一つ取り出して処理を継続する。一方、条件分岐フラグ検出部1215は、メモリ読み込み先を一つのみに絞り込めた場合(ステップS87:Yes)、絞り込まれた読み込み先を仮想プログラムカウンタとしてアーキテクチャ情報DB132に格納し(ステップS88)、処理を終了する。 The conditional branch flag detection unit 1215 determines whether the memory read destinations have been narrowed down to only one (step S87). If the conditional branch flag detection unit 1215 has not narrowed down the memory read destinations to only one (step S87: No), it returns to step S81, retrieves the next execution trace, and continues processing. On the other hand, if the conditional branch flag detection unit 1215 has narrowed down the memory read destinations to only one (step S87: Yes), it stores the narrowed down read destination in the architecture information DB 132 as a virtual program counter (step S88), and ends processing.
[コードキャッシュ検出処理の処理手順]
 次に、図15に示すコードキャッシュ検出処理の流れについて説明する。図22は、図15に示すコードキャッシュ検出処理の処理手順の処理手順を示すフローチャートである。 [Code cache detection process procedure]
Next, a description will be given of the flow of the code cache detection process shown in Fig. 15. Fig. 22 is a flowchart showing the processing procedure of the code cache detection process shown in Fig. 15.
 コードキャッシュ検出部1216は、実行トレース及びVM実行トレースを入力として受け付けると(ステップS91)、VPCが指すメモリ領域をVM実行トレースから取得する(ステップS92)。VM実行トレースは、VM実行トレース取得部1221によって取得される。 When the code cache detection unit 1216 receives an execution trace and a VM execution trace as input (step S91), it acquires the memory area pointed to by the VPC from the VM execution trace (step S92). The VM execution trace is acquired by the VM execution trace acquisition unit 1221.
 コードキャッシュ検出部1216は、ステップS92において取得した該メモリ領域を確保したメモリ割り当て関数の呼び出し元のコード箇所を実行トレースから取得する(ステップS93)。コードキャッシュ検出部1216は、VM実行トレースのうち、ステップS93において取得した該コード箇所で確保された全ての領域をコードキャッシュとして検出する(ステップS94)。 The code cache detection unit 1216 obtains from the execution trace the code location of the caller of the memory allocation function that allocated the memory area obtained in step S92 (step S93). The code cache detection unit 1216 detects, from the VM execution trace, all areas allocated at the code location obtained in step S93 as code caches (step S94).
 コードキャッシュ検出部1216は、コードキャッシュに書き込みをしているコード箇所を実行トレースから取得する(ステップS95)。コードキャッシュ検出部1216は、VM実行トレースのうち、ステップS95において取得した該コード箇所で書き込みされた全ての領域をコードキャッシュの更新として検出する(ステップS96)。コードキャッシュ検出部1216は、検出したコードキャッシュ及びその更新箇所を返し(ステップS97)、コードキャッシュ検出処理を終了する。 The code cache detection unit 1216 acquires the code location that is writing to the code cache from the execution trace (step S95). The code cache detection unit 1216 detects all areas in the VM execution trace that are written to at the code location acquired in step S95 as code cache updates (step S96). The code cache detection unit 1216 returns the detected code cache and its updated location (step S97), and ends the code cache detection process.
[VM実行トレース取得処理の処理手順]
 次に、図15に示すVM実行トレース取得処理の流れについて説明する。図23は、図15に示すVM実行トレース取得処理の処理手順を示すフローチャートである。 [Procedure of VM Execution Trace Acquisition Processing]
Next, a description will be given of the flow of the VM execution trace acquisition process shown in Fig. 15. Fig. 23 is a flowchart showing the procedure of the VM execution trace acquisition process shown in Fig. 15.
 まず、VM実行トレース取得部1221は、テストスクリプト及びスクリプトエンジンバイナリを入力として受け取る(ステップS101)。そして、VM実行トレース取得部1221は、受け取ったスクリプトエンジンに対して、VPC及びVMオペコードを記録するためのフックを施す(ステップS102)。 First, the VM execution trace acquisition unit 1221 receives a test script and a script engine binary as input (step S101). Then, the VM execution trace acquisition unit 1221 applies a hook to the received script engine to record the VPC and VM opcode (step S102).
 VM実行トレース取得部1221は、その状態で受け取ったテストスクリプトをスクリプトエンジンに入力して実行させ(ステップS103)、それによって取得されるVM実行トレースをVM実行トレースDB133に格納する(ステップS104)。 The VM execution trace acquisition unit 1221 inputs the received test script in this state into the script engine for execution (step S103), and stores the VM execution trace acquired thereby in the VM execution trace DB 133 (step S104).
 VM実行トレース取得部1221は、入力されたテストスクリプトを全て実行したか否かを判定する(ステップS105)。VM実行トレース取得部1221は、入力されたテストスクリプトを全て実行し終えている場合(ステップS105:Yes)、処理を終了する。VM実行トレース取得部1221は、入力されたテストスクリプトを全て実行し終えていない場合(ステップS105:No)、ステップS103のテストスクリプトの実行に戻って処理を続ける。 The VM execution trace acquisition unit 1221 determines whether or not all of the input test scripts have been executed (step S105). If all of the input test scripts have been executed (step S105: Yes), the VM execution trace acquisition unit 1221 ends the process. If all of the input test scripts have not been executed (step S105: No), the VM execution trace acquisition unit 1221 returns to the execution of the test scripts in step S103 and continues the process.
[VM命令収集処理の処理手順]
 次に、図15に示すVM命令収集処理の流れについて説明する。図24は、図15に示すVM命令収集処理の処理手順を示すフローチャートである。 [Procedure of VM command collection process]
Next, a description will be given of the flow of the VM command collection process shown in Fig. 15. Fig. 24 is a flowchart showing the procedure of the VM command collection process shown in Fig. 15.
 VM命令収集部1222は、VPC及びディスパッチャを入力として受け付ける(ステップS111)、インターネット上から多様なスクリプトを取得する(ステップS112)。VM命令収集部1222は、VPC及びディスパッチャを監視しながらスクリプトを実行しVM実行トレースを取得する(ステップS113)。 The VM command collection unit 1222 receives the VPC and dispatcher as input (step S111) and acquires various scripts from the Internet (step S112). The VM command collection unit 1222 executes the scripts while monitoring the VPC and dispatcher, and acquires a VM execution trace (step S113).
 VM命令収集部1222は、VM実行トレースからVM命令を取得し(ステップS114)、VM命令のリストに追加する(ステップS115)。VM命令収集部1222は、リストにないVM命令が見られた場合(ステップS116:No)、ステップS112に戻る。VM命令収集部1222は、リストにないVM命令が見られなくなった場合(ステップS116:Yes)、VM命令のリストを返し(ステップS117)、VM命令収集処理を終了する。 The VM instruction collection unit 1222 acquires VM instructions from the VM execution trace (step S114) and adds them to a list of VM instructions (step S115). If the VM instruction collection unit 1222 finds a VM instruction that is not in the list (step S116: No), it returns to step S112. If the VM instruction collection unit 1222 finds no VM instructions that are not in the list (step S116: Yes), it returns the list of VM instructions (step S117) and ends the VM instruction collection process.
[VM命令判定処理の処理手順]
 次に、図15に示すVM命令判定処理の流れについて説明する。図25は、図15に示すVM命令判定処理の処理手順を示すフローチャートである。 [Processing Procedure of VM Command Determination Processing]
Next, a description will be given of the flow of the VM command determination process shown in Fig. 15. Fig. 25 is a flowchart showing the processing procedure of the VM command determination process shown in Fig. 15.
 VM命令判定部1223は、VM実行トレースDB133から、VM実行トレースを一つ取り出す(ステップS121)。VM命令判定部1223は、VM命令へのポインタとVM命令を紐付け、各々に識別子としてVMオペコードを割り振る(ステップS122)。そして、VM命令判定部1223は、VMオペコードごとに、実行の前後でのVPCの変化量を集計する(ステップS123)。 The VM instruction determination unit 1223 extracts one VM execution trace from the VM execution trace DB 133 (step S121). The VM instruction determination unit 1223 associates a pointer to the VM instruction with the VM instruction, and assigns a VM opcode to each as an identifier (step S122). Then, the VM instruction determination unit 1223 counts the amount of change in VPC before and after execution for each VM opcode (step S123).
 VM命令判定部1223は、VM実行トレースDB133の全てのVM実行トレースを処理し終えたか否かを判定する(ステップS124)。VM実行トレースDB133の全てのVM実行トレースを処理し終えていない場合(ステップS124:No)、VM命令判定部1223は、ステップS121に戻り、次のVM実行トレースを一つ取り出して処理する。 The VM instruction determination unit 1223 determines whether all VM execution traces in the VM execution trace DB 133 have been processed (step S124). If all VM execution traces in the VM execution trace DB 133 have not been processed (step S124: No), the VM instruction determination unit 1223 returns to step S121 and retrieves and processes the next VM execution trace.
 VM実行トレースDB133の全てのVM実行トレースを処理し終えている場合(ステップS124:Yes)、VM命令判定部1223は、VMオペコードごとにVPCの変化量の分散を算出する(ステップS125)。そして、VM命令判定部1223は、閾値を入力として受け取る(ステップS126)。VM命令判定部1223は、分散が閾値よりも大きいVMオペコードのみに絞り込み(ステップS127)、それらを分岐VM命令としてアーキテクチャ情報DB132に格納して(ステップS128)、処理を終了する。 If all VM execution traces in the VM execution trace DB 133 have been processed (step S124: Yes), the VM instruction determination unit 1223 calculates the variance of the amount of change in VPC for each VM opcode (step S125). Then, the VM instruction determination unit 1223 receives a threshold value as an input (step S126). The VM instruction determination unit 1223 narrows down to only VM opcodes whose variance is greater than the threshold value (step S127), stores them as branch VM instructions in the architecture information DB 132 (step S128), and ends the process.
[マルチパス実行処理の処理手順]
 次に、図15に示すマルチパス実行処理の流れについて説明する。図26は、図15に示すマルチパス実行処理の処理手順を示すフローチャートである。 [Processing procedure for multi-path execution processing]
Next, a description will be given of the flow of the multi-pass execution process shown in Fig. 15. Fig. 26 is a flowchart showing the processing procedure of the multi-pass execution process shown in Fig. 15.
 マルチパス実行部1231は、解析対象スクリプトを入力として受け付ける(ステップS131)。マルチパス実行部1231は、VPC、ディスパッチャ及び条件分岐フラグを入力として受け付ける(ステップS132)。 The multi-path execution unit 1231 receives the script to be analyzed as input (step S131). The multi-path execution unit 1231 receives the VPC, dispatcher, and conditional branch flag as input (step S132).
 マルチパス実行部1231は、VPC及びVM命令を監視し、VM実行トレースを取得しながら解析対象スクリプトを実行する(ステップS133)。マルチパス実行部1231は、条件分岐命令のたびに実行状態をフォークし、一方はそのまま、もう一方は条件分岐フラグを書き換えることで、複数の実行経路を網羅的に実行する(ステップS134)。 The multi-path execution unit 1231 monitors the VPC and VM instructions, and executes the script to be analyzed while acquiring the VM execution trace (step S133). The multi-path execution unit 1231 forks the execution state for each conditional branch instruction, leaving one as is and rewriting the conditional branch flag for the other, thereby comprehensively executing multiple execution paths (step S134).
 全ての実行経路を網羅的に実行していない場合(ステップS135:No)、マルチパス実行部1231は、ステップS133に戻る。全ての実行経路を網羅的に実行した場合(ステップS135:Yes)、マルチパス実行部1231は、VM実行トレースを返し(ステップS136)、マルチパス実行処理を終了する。 If all execution paths have not been exhaustively executed (step S135: No), the multi-path execution unit 1231 returns to step S133. If all execution paths have been exhaustively executed (step S135: Yes), the multi-path execution unit 1231 returns the VM execution trace (step S136) and ends the multi-path execution process.
[VMブランチトレース構築処理の処理手順]
 次に、図15に示すVMブランチトレース構築処理の流れについて説明する。図27は、図15に示すVMブランチトレース構築処理の処理手順を示すフローチャートである。 [Procedure of VM branch trace construction process]
Next, a description will be given of the flow of the VM branch trace construction process shown in Fig. 15. Fig. 27 is a flowchart showing the processing procedure of the VM branch trace construction process shown in Fig. 15.
 VMブランチトレース構築部1232,1243は、VM実行トレースとVM分岐命令リストとを入力として受け取る(ステップS141)。 The VM branch trace construction units 1232 and 1243 receive the VM execution trace and the VM branch instruction list as input (step S141).
 VMブランチトレース構築部1232,1243は、VM実行トレースのエントリを取り出す(ステップS142)。VMブランチトレース構築部1232,1243は、VMオペコードがVM分岐命令リストに存在するか判定する(ステップS143)。 The VM branch trace construction units 1232 and 1243 extract the VM execution trace entries (step S142). The VM branch trace construction units 1232 and 1243 determine whether the VM opcode is present in the VM branch instruction list (step S143).
 VMブランチトレース構築部1232,1243は、VMオペコードがVM分岐命令リストに存在する場合(ステップS143:Yes)、VPCを分岐元とし、次のエントリのVPCを分岐先としてVMブランチトレースに保存する(ステップS144)。 If the VM opcode exists in the VM branch instruction list (step S143: Yes), the VM branch trace construction units 1232 and 1243 save the VPC as the branch source and the VPC of the next entry as the branch destination in the VM branch trace (step S144).
 VMブランチトレース構築部1232,1243は、VMオペコードがVM分岐命令リストに存在しない場合(ステップS143:No)、または、ステップS144終了後、VM実行トレースの全てのエントリを処理したか否かを判定する(ステップS145)。 If the VM opcode does not exist in the VM branch instruction list (step S143: No), or after step S144 is completed, the VM branch trace construction units 1232 and 1243 determine whether all entries in the VM execution trace have been processed (step S145).
 VMブランチトレース構築部1232,1243は、VM実行トレースの全てのエントリを処理していない場合(ステップS145:No)、VM実行トレースの次のエントリを取り出す(ステップS146)。そして、VMブランチトレース構築部1232,1243は、ステップS143に戻り、次のエントリについて、VMオペコードがVM分岐命令リストに存在するか判定する。 If not all entries in the VM execution trace have been processed (step S145: No), the VM branch trace construction units 1232 and 1243 extract the next entry in the VM execution trace (step S146). Then, the VM branch trace construction units 1232 and 1243 return to step S143 and determine whether the VM opcode for the next entry is present in the VM branch instruction list.
 一方、VM実行トレースの全てのエントリを処理した場合(ステップS145:Yes)、VMブランチトレース構築部1232,1243は、VMブランチトレース構築処理を終了する。 On the other hand, if all entries in the VM execution trace have been processed (step S145: Yes), the VM branch trace construction units 1232 and 1243 end the VM branch trace construction process.
[制御フローグラフ構築処理の処理手順]
 次に、図15に示す制御フローグラフ構築処理の流れについて説明する。図28は、図15に示す制御フローグラフ構築処理の処理手順を示すフローチャートである。 [Processing procedure for constructing control flow graph]
Next, a flow of the control flow graph construction process shown in Fig. 15 will be described below. Fig. 28 is a flowchart showing the processing procedure of the control flow graph construction process shown in Fig. 15.
 制御フローグラフ構築部1233,1244は、VMブランチトレースを入力として受け取ると(ステップS151)、VMブランチトレースのエントリを取り出す(ステップS152)。 When the control flow graph construction units 1233 and 1244 receive a VM branch trace as input (step S151), they extract the VM branch trace entries (step S152).
 制御フローグラフ構築部1233,1244は、分岐先アドレスを起点とする基本ブロックをノードとして制御フローグラフに追加する(ステップS153)。制御フローグラフ構築部1233,1244は、分岐元アドレスから分岐先アドレスへのエッジを制御フローグラフに追加する(ステップS154)。制御フローグラフ構築部1233,1244は、VMブランチトレースの全てのエントリを処理したか否かを判定する(ステップS155)。 The control flow graph construction units 1233 and 1244 add a basic block starting from the branch destination address as a node to the control flow graph (step S153). The control flow graph construction units 1233 and 1244 add an edge from the branch source address to the branch destination address to the control flow graph (step S154). The control flow graph construction units 1233 and 1244 determine whether all entries of the VM branch trace have been processed (step S155).
 制御フローグラフ構築部1233,1244は、VMブランチトレースの全てのエントリを処理していない場合(ステップS155:No)、VM実行トレースの次のエントリを取り出す(ステップS156)。そして、制御フローグラフ構築部1233,1244は、ステップS153に戻り、次のエントリについて、分岐先アドレスを起点とする基本ブロックをノードとして制御フローグラフに追加する。 If the control flow graph construction units 1233 and 1244 have not processed all the entries of the VM branch trace (step S155: No), they extract the next entry of the VM execution trace (step S156). Then, the control flow graph construction units 1233 and 1244 return to step S153 and add the basic block starting from the branch destination address of the next entry as a node to the control flow graph.
 制御フローグラフ構築部1233,1244は、VMブランチトレースの全てのエントリを処理した場合(ステップS155:Yes)、構築した制御フローグラフを出力する(ステップS157)。 When all entries of the VM branch trace have been processed (step S155: Yes), the control flow graph construction units 1233 and 1244 output the constructed control flow graph (step S157).
[変異処理の処理手順]
 次に、図16に示す変異処理の流れについて説明する。図29は、図16に示す変異処理の処理手順を示すフローチャートである。 [Mutation processing procedure]
Next, a flow of the mutation process shown in Fig. 16 will be described below. Fig. 29 is a flowchart showing the processing procedure of the mutation process shown in Fig. 16.
 変異部1241は、入力値の辞書を入力として受け付け(ステップS161)、辞書から入力値を一つ取り出す(ステップS162)。 The mutation unit 1241 accepts a dictionary of input values as input (step S161) and extracts one input value from the dictionary (step S162).
 変異部1241は、値をランダムに変更するなど所定の方法で、取り出した入力値を変異させる(ステップS163)。変異部1241は、変異された入力値を辞書に追加する(ステップS164)。 The mutation unit 1241 mutates the extracted input value using a predetermined method, such as randomly changing the value (step S163). The mutation unit 1241 adds the mutated input value to the dictionary (step S164).
 変異部1241は、変異対象の入力値を全て変異させていない場合(ステップS165:No)、ステップS163に戻り、変異対象の入力値の変異を実行する。変異部1241は、変異対象の入力値を全て変異させた場合(ステップS165:Yes)、更新された入力値の辞書を返し(ステップS166)、変異処理を終了する。 If the mutation unit 1241 has not mutated all of the input values to be mutated (step S165: No), it returns to step S163 and mutates the input values to be mutated. If the mutation unit 1241 has mutated all of the input values to be mutated (step S165: Yes), it returns the dictionary of updated input values (step S166) and ends the mutation process.
[実行処理の処理手順]
 次に、図16に示す実行処理の流れについて説明する。図30は、図16に示す実行処理の処理手順を示すフローチャートである。 [Execution process procedure]
Next, a description will be given of the flow of the execution process shown in Fig. 16. Fig. 30 is a flowchart showing the processing procedure of the execution process shown in Fig. 16.
 ファジング実行部1242は、解析対象スクリプトを入力として受け付ける(ステップS171)。ファジング実行部1242は、VPC、ディスパッチャ、及び、条件分岐フラグを入力として受け付ける(ステップS172)。 The fuzzing execution unit 1242 receives the script to be analyzed as input (step S171). The fuzzing execution unit 1242 receives the VPC, dispatcher, and conditional branch flag as input (step S172).
 ファジング実行部1242は、実行されるVM命令とVPCを監視し(ステップS173)、解析対象スクリプトを実行する(ステップS174)。ファジング実行部1242は、実行中に実行されたVM命令を記録し、VM実行トレースを取得する(ステップS175)。ファジング実行部1242は、VM実行トレースを返却し(ステップS176)、実行処理を終了する。 The fuzzing execution unit 1242 monitors the VM instructions and VPC being executed (step S173), and executes the script to be analyzed (step S174). The fuzzing execution unit 1242 records the VM instructions executed during execution, and obtains a VM execution trace (step S175). The fuzzing execution unit 1242 returns the VM execution trace (step S176), and ends the execution process.
[コードカバレッジ算出処理の処理手順]
 次に、図16に示すコードカバレッジ算出処理の流れについて説明する。図31は、図16に示すコードカバレッジ算出処理の処理手順を示すフローチャートである。 [Code coverage calculation process procedure]
Next, a description will be given of the flow of the code coverage calculation process shown in Fig. 16. Fig. 31 is a flowchart showing the processing procedure of the code coverage calculation process shown in Fig. 16.
 コードカバレッジ算出部1245は、第1の制御フローグラフの全ノード、エッジの数を数える(ステップS181)。コードカバレッジ算出部1245は、第2の制御フローグラフの全ノード、エッジの数を数える(ステップS182)。 The code coverage calculation unit 1245 counts the number of all nodes and edges in the first control flow graph (step S181). The code coverage calculation unit 1245 counts the number of all nodes and edges in the second control flow graph (step S182).
 コードカバレッジ算出部1245は、第1の制御フローグラフのノード数、エッジ数に対する第2の制御フローグラフのノード数、エッジ数の割合を算出する(ステップS183)。コードカバレッジ算出部1245は、コードカバレッジとして、第1の制御フローグラフのノード数に対する第2の制御フローグラフのノード数と、第1の制御フローグラフのエッジ数に対する第2の制御フローグラフのエッジ数の割合との双方を計算してもよいし、いずれか一方を計算してもよい。 The code coverage calculation unit 1245 calculates the ratio of the number of nodes and edges of the second control flow graph to the number of nodes and edges of the first control flow graph (step S183). The code coverage calculation unit 1245 may calculate, as code coverage, both the number of nodes of the second control flow graph to the number of nodes of the first control flow graph and the ratio of the number of edges of the second control flow graph to the number of edges of the first control flow graph, or may calculate either one of them.
 コードカバレッジ算出部1245は、算出した割合をコードカバレッジとしてリターンし(ステップS184)、コードカバレッジ算出処理を終了する。 The code coverage calculation unit 1245 returns the calculated percentage as the code coverage (step S184) and ends the code coverage calculation process.
[実施の形態の効果]
 このように、実施の形態に係る脆弱性発見装置10は、スクリプトエンジンのVMを解析し、VM命令を収集し、収集したVM命令の命令内容を判定して、VMの命令の体系である命令セットアーキテクチャの情報を取得する。脆弱性発見装置10は、取得されたアーキテクチャ情報を基に、全体の経路を示す第1の制御フローグラフを構築する。脆弱性発見装置10は、取得したアーキテクチャ情報を基に、入力値を変異させ、変異させた入力値を解析対象スクリプトへ入力してテストとして実行された経路を示す第2の制御フローグラフを構築する。脆弱性発見装置10は、コードカバレッジを算出し、コードカバレッジの算出結果を基に、入力する値を選択して、仮想機械上で実行されている解析対象スクリプトに対するファジングを行う。 [Effects of the embodiment]
In this way, the vulnerability discovery device 10 according to the embodiment analyzes the VM of the script engine, collects VM instructions, and determines the contents of the collected VM instructions to obtain information on the instruction set architecture, which is the system of VM instructions. Based on the obtained architecture information, the vulnerability discovery device 10 constructs a first control flow graph showing an entire path. Based on the obtained architecture information, the vulnerability discovery device 10 mutates an input value, and constructs a second control flow graph showing a path executed as a test by inputting the mutated input value to the analysis target script. The vulnerability discovery device 10 calculates code coverage, selects an input value based on the code coverage calculation result, and performs fuzzing on the analysis target script executed on the virtual machine.
 このため、脆弱性発見装置10は、コードカバレッジ計測に活用できる支援機能がなく、内部仕様が未知のスクリプトエンジンに対しても、スクリプトエンジンのVMを解析し、VMの命令の体系である命令セットアーキテクチャの情報を取得することで、手動での個別の解析や設計及び実装を要さずに、実行時の正確なコードカバレッジに基づくグレーボックスファジングを実現することができる。 For this reason, even for script engines that do not have support functions that can be used for code coverage measurement and whose internal specifications are unknown, the vulnerability discovery device 10 can analyze the VM of the script engine and obtain information on the instruction set architecture, which is the system of instructions for the VM, thereby achieving gray box fuzzing based on accurate code coverage at runtime without the need for individual manual analysis, design, and implementation.
 具体的には、脆弱性発見装置10は、スクリプトエンジンのバイナリを監視しながらテストスクリプトを実行し、ブランチトレースとメモリアクセストレースを実行トレースとして取得する。脆弱性発見装置10は、その実行トレースに基づいて仮想機械を解析し、VM命令境界、VPC、ディスパッチャ、条件分岐フラグ及びコードキャッシュのアーキテクチャ情報を取得する。さらに、脆弱性発見装置10は、VPC及びディスパッチャを監視しながらテストスクリプトを実行して、VM実行トレースを取得する。脆弱性発見装置10は、VM実行トレースを解析することで、VM命令を収集するとともに、VM命令の内容を判定し、命令セットアーキテクチャの情報を取得する。 Specifically, the vulnerability discovery device 10 executes the test script while monitoring the binary of the script engine, and obtains branch traces and memory access traces as execution traces. The vulnerability discovery device 10 analyzes the virtual machine based on the execution trace, and obtains architecture information of the VM instruction boundary, VPC, dispatcher, conditional branch flags, and code cache. Furthermore, the vulnerability discovery device 10 executes the test script while monitoring the VPC and dispatcher, and obtains a VM execution trace. By analyzing the VM execution trace, the vulnerability discovery device 10 collects VM instructions, determines the contents of the VM instructions, and obtains information on the instruction set architecture.
 このように、脆弱性発見装置10は、VMの内部仕様が未知のスクリプトエンジンに対しても、スクリプトエンジンによって生成されたバイトコードがVMのどこに格納されるかを示す情報を含むアーキテクチャ情報、及び、VMが解釈できるバイトコードの命令セットアーキテクチャの情報を検出することができる。 In this way, even for a script engine whose VM's internal specifications are unknown, the vulnerability detection device 10 can detect architecture information including information indicating where in the VM the bytecode generated by the script engine is stored, and information on the instruction set architecture of the bytecode that the VM can interpret.
 そして、脆弱性発見装置10は、取得したアーキテクチャ情報を基に、マルチパス実行で網羅的な全体の経路の第1の制御フローグラフを構築する。脆弱性発見装置10は、取得したアーキテクチャ情報を基に、入力値の変異、変異した入力値の解析対象スクリプトへの入力、テストの実行、テストとして実行された経路を示す第2の制御フローグラフの構築、コードカバレッジの算出を繰り返し、スクリプトのファジングを実現する。 Then, based on the acquired architecture information, the vulnerability discovery device 10 constructs a first control flow graph of the entire path comprehensively through multi-pass execution. Based on the acquired architecture information, the vulnerability discovery device 10 repeats the following steps to fuzz the script: mutating the input value, inputting the mutated input value into the script to be analyzed, executing the test, constructing a second control flow graph showing the path executed as the test, and calculating the code coverage.
 これによって、脆弱性発見装置10は、VMの内部仕様が未知のスクリプトエンジンに対しても、実行トレース及びVM実行トレースの取得に基づく解析により各種アーキテクチャ情報を検出し、人手でのリバースエンジニアリングを要することなく、実行中のスクリプトへのグレーボックスファジングを実現できる。 As a result, the vulnerability detection device 10 can detect various architectural information by analyzing the execution trace and VM execution trace obtained, even for script engines whose VM internal specifications are unknown, and can perform gray-box fuzzing on running scripts without requiring manual reverse engineering.
 また、脆弱性発見装置10は、コードカバレッジの算出結果を基に、コードカバレッジがより増加するような入力値を選択的に選んで変異させていくため、グレーボックスファジングをより適切に実行することができる。 In addition, the vulnerability detection device 10 selectively chooses and mutates input values that will increase the code coverage based on the results of the code coverage calculation, allowing for more appropriate execution of gray box fuzzing.
 また、脆弱性発見装置10は、多様なスクリプトエンジンに対して、テストスクリプトさえ用意すれば自動でスクリプトへのグレーボックスファジングを実現できるため、個別の設計や実装を要することなく、当該のファジングを実現できる。 Furthermore, the vulnerability detection device 10 can automatically perform gray-box fuzzing on scripts for a variety of script engines as long as a test script is prepared, so that the fuzzing can be performed without the need for individual design or implementation.
 これにより、脆弱性発見装置10は、様々なスクリプト言語で作成されたスクリプトに対しても、実行中のスクリプトへのグレーボックスファジングを実現し、潜在する脆弱性を発見することが可能となる。 As a result, the vulnerability detection device 10 can perform gray-box fuzzing on running scripts, even those written in various scripting languages, and discover potential vulnerabilities.
 このように、本実施の形態に係る脆弱性発見装置10によれば、VMの内部仕様が未知のスクリプトエンジンを解析し、VMのアーキテクチャと命令セットアーキテクチャに関する情報を獲得することにより、多種多様なスクリプト言語で作成されたスクリプトに対して、グレーボックスファジングを実現できる。 In this way, the vulnerability detection device 10 according to this embodiment can perform gray-box fuzzing on scripts written in a wide variety of scripting languages by analyzing a script engine whose VM's internal specifications are unknown and acquiring information about the VM's architecture and instruction set architecture.
 また、本実施の形態に係る脆弱性発見装置10は、多種多様なスクリプトにおける脆弱性の発見に有用であり、グレーボックスファジングによって、入力値によって実行されるコードカバレッジを考慮し、スクリプトに潜在する脆弱性を効率的に発見することに適している。 In addition, the vulnerability discovery device 10 according to this embodiment is useful for discovering vulnerabilities in a wide variety of scripts, and is suitable for efficiently discovering vulnerabilities that lie in scripts by taking into account the code coverage executed by input values through gray box fuzzing.
 このため、本実施の形態に係る脆弱性発見装置10は、様々なスクリプトにグレーボックスファジングを実施することで、潜在する脆弱性を発見して修正するなどの対策に生かすことが可能である。 Therefore, the vulnerability discovery device 10 according to this embodiment can be used to discover and fix potential vulnerabilities by performing gray box fuzzing on various scripts.
[実施形態のシステム構成について]
 図3に示す脆弱性発見装置10の各構成要素は機能概念的なものであり、必ずしも物理的に図示のように構成されていることを要しない。すなわち、脆弱性発見装置10の機能の分散及び統合の具体的形態は図示のものに限られず、その全部または一部を、各種の負荷や使用状況などに応じて、任意の単位で機能的または物理的に分散または統合して構成することができる。 [System configuration of the embodiment]
Each component of vulnerability discovery device 10 shown in Fig. 3 is a functional concept, and does not necessarily have to be physically configured as shown. In other words, the specific form of distribution and integration of the functions of vulnerability discovery device 10 is not limited to that shown in the figure, and all or part of it can be functionally or physically distributed or integrated in any unit depending on various loads, usage conditions, etc.
 また、脆弱性発見装置10においておこなわれる各処理は、全部または任意の一部が、CPU及びCPUにより解析実行されるプログラムにて実現されてもよい。また、脆弱性発見装置10においておこなわれる各処理は、ワイヤードロジックによるハードウェアとして実現されてもよい。 Furthermore, each process performed by the vulnerability discovery device 10 may be realized, in whole or in part, by a CPU and a program analyzed and executed by the CPU. Furthermore, each process performed by the vulnerability discovery device 10 may be realized as hardware using wired logic.
 また、実施の形態において説明した各処理のうち、自動的におこなわれるものとして説明した処理の全部または一部を手動的に行うこともできる。もしくは、手動的におこなわれるものとして説明した処理の全部または一部を公知の方法で自動的に行うこともできる。この他、上述及び図示の処理手順、制御手順、具体的名称、各種のデータやパラメータを含む情報については、特記する場合を除いて適宜変更することができる。 Furthermore, among the processes described in the embodiments, all or part of the processes described as being performed automatically can be performed manually. Alternatively, all or part of the processes described as being performed manually can be performed automatically using known methods. In addition, the information including the processing procedures, control procedures, specific names, various data, and parameters described above and illustrated in the drawings can be changed as appropriate unless otherwise specified.
[プログラム]
 図32は、プログラムが実行されることにより、脆弱性発見装置10が実現されるコンピュータの一例を示す図である。コンピュータ1000は、例えば、メモリ1010、CPU1020を有する。また、コンピュータ1000は、ハードディスクドライブインタフェース1030、ディスクドライブインタフェース1040、シリアルポートインタフェース1050、ビデオアダプタ1060、ネットワークインタフェース1070を有する。これらの各部は、バス1080によって接続される。 [program]
32 is a diagram showing an example of a computer in which a program is executed to realize the vulnerability discovering device 10. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.
 メモリ1010は、ROM1011及びRAM1012を含む。ROM1011は、例えば、BIOS(Basic Input Output System)等のブートプログラムを記憶する。ハードディスクドライブインタフェース1030は、ハードディスクドライブ1090に接続される。ディスクドライブインタフェース1040は、ディスクドライブ1100に接続される。例えば磁気ディスクや光ディスク等の着脱可能な記憶媒体が、ディスクドライブ1100に挿入される。シリアルポートインタフェース1050は、例えばマウス1110、キーボード1120に接続される。ビデオアダプタ1060は、例えばディスプレイ1130に接続される。 The memory 1010 includes a ROM 1011 and a RAM 1012. The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. A removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example. The video adapter 1060 is connected to a display 1130, for example.
 ハードディスクドライブ1090は、例えば、OS1091、アプリケーションプログラム1092、プログラムモジュール1093、プログラムデータ1094を記憶する。すなわち、脆弱性発見装置10の各処理を規定するプログラムは、コンピュータ1000により実行可能なコードが記述されたプログラムモジュール1093として実装される。プログラムモジュール1093は、例えばハードディスクドライブ1090に記憶される。例えば、脆弱性発見装置10における機能構成と同様の処理を実行するためのプログラムモジュール1093が、ハードディスクドライブ1090に記憶される。なお、ハードディスクドライブ1090は、SSD(Solid State Drive)により代替されてもよい。 The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the programs that define each process of the vulnerability detection device 10 are implemented as program modules 1093 in which code executable by the computer 1000 is written. The program modules 1093 are stored, for example, in the hard disk drive 1090. For example, a program module 1093 for executing processes similar to the functional configuration of the vulnerability detection device 10 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
 また、上述した実施の形態の処理で用いられる設定データは、プログラムデータ1094として、例えばメモリ1010やハードディスクドライブ1090に記憶される。そして、CPU1020が、メモリ1010やハードディスクドライブ1090に記憶されたプログラムモジュール1093やプログラムデータ1094を必要に応じてRAM1012に読み出して実行する。 Furthermore, the setting data used in the processing of the above-mentioned embodiment is stored as program data 1094, for example, in memory 1010 or hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 or program data 1094 stored in memory 1010 or hard disk drive 1090 into RAM 1012 as necessary and executes it.
 なお、プログラムモジュール1093やプログラムデータ1094は、ハードディスクドライブ1090に記憶される場合に限らず、例えば着脱可能な記憶媒体に記憶され、ディスクドライブ1100等を介してCPU1020によって読み出されてもよい。あるいは、プログラムモジュール1093及びプログラムデータ1094は、ネットワーク(LAN(Local Area Network)、WAN(Wide Area Network)等)を介して接続された他のコンピュータに記憶されてもよい。そして、プログラムモジュール1093及びプログラムデータ1094は、他のコンピュータから、ネットワークインタフェース1070を介してCPU1020によって読み出されてもよい。 The program module 1093 and program data 1094 may not necessarily be stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and program data 1094 may be stored in another computer connected via a network (such as a LAN (Local Area Network), WAN (Wide Area Network)). The program module 1093 and program data 1094 may then be read by the CPU 1020 from the other computer via the network interface 1070.
 以上、本発明者によってなされた発明を適用した実施の形態について説明したが、本実施の形態による本発明の開示の一部をなす記述及び図面により本発明は限定されることはない。すなわち、本実施の形態に基づいて当業者等によりなされる他の実施の形態、実施例及び運用技術等はすべて本発明の範疇に含まれる。 The above describes an embodiment of the invention made by the inventor, but the present invention is not limited to the descriptions and drawings that form part of the disclosure of the present invention according to this embodiment. In other words, other embodiments, examples, and operational techniques made by those skilled in the art based on this embodiment are all included in the scope of the present invention.
 10 脆弱性発見装置
 11 入力部
 12 制御部
 13 記憶部
 14 出力部
 121 仮想機械解析部
 122 命令セットアーキテクチャ解析部
 123 算出部
 124 脆弱性発見部
 131 実行トレースデータベース(DB)
 132 アーキテクチャ情報DB
 133 VM実行トレースDB
 1211 実行トレース取得部
 1212 VM命令境界検出部
 1213 仮想プログラムカウンタ検出部
 1214 ディスパッチャ検出部
 1215 条件分岐フラグ検出部
 1216 コードキャッシュ検出部
 1221 VM実行トレース取得部
 1222 VM命令収集部
 1223 VM命令判定部
 1231 マルチパス実行部
 1232,1243 VMブランチトレース構築部
 1233,1244 制御フローグラフ構築部
 1241 変異部
 1242 ファジング実行部
 1245 コードカバレッジ算出部 REFERENCE SIGNS LIST 10 Vulnerability detection device 11 Input unit 12 Control unit 13 Memory unit 14 Output unit 121 Virtual machine analysis unit 122 Instruction set architecture analysis unit 123 Calculation unit 124 Vulnerability detection unit 131 Execution trace database (DB)
132 Architecture Information DB
133 VM execution trace DB
1211 Execution trace acquisition unit 1212 VM instruction boundary detection unit 1213 Virtual program counter detection unit 1214 Dispatcher detection unit 1215 Conditional branch flag detection unit 1216 Code cache detection unit 1221 VM execution trace acquisition unit 1222 VM instruction collection unit 1223 VM instruction determination unit 1231 Multi-path execution unit 1232, 1243 VM branch trace construction unit 1233, 1244 Control flow graph construction unit 1241 Mutation unit 1242 Fuzzing execution unit 1245 Code coverage calculation unit

Claims (9)

  1.  スクリプトエンジンの仮想機械を解析する第1の解析部と、
     前記仮想機械の命令の体系である命令セットアーキテクチャを解析して、仮想機械命令を収集し、収集した仮想機械命令の命令内容を判定する第2の解析部と、
     前記第1の解析部及び前記第2の解析部によって取得されたアーキテクチャ情報を基に、全体の経路を示す第1の制御フローグラフを構築する算出部と、
     前記第1の解析部及び前記第2の解析部によって取得されたアーキテクチャ情報を基に、入力値を変異させ、変異させた前記入力値を解析対象スクリプトへ入力してテストとして実行された経路を示す第2の制御フローグラフを構築し、前記全体の経路に対する、前記テストとして実行された経路の割合であるコードカバレッジを算出し、前記コードカバレッジの算出結果を基に、入力する値を選択して、仮想機械上で実行されている前記解析対象スクリプトに対するファジングを行う脆弱性発見部と、
    を有することを特徴とする脆弱性発見装置。     a first analysis unit that analyzes a virtual machine of a script engine;
    a second analysis unit that analyzes an instruction set architecture, which is an instruction system of the virtual machine, collects virtual machine instructions, and determines instruction contents of the collected virtual machine instructions;
    a calculation unit that constructs a first control flow graph that indicates an entire path based on architecture information acquired by the first analysis unit and the second analysis unit;
    a vulnerability discovery unit that mutates an input value based on architecture information acquired by the first analysis unit and the second analysis unit, constructs a second control flow graph showing a path executed as a test by inputting the mutated input value to an analysis target script, calculates code coverage which is a ratio of the path executed as the test to the entire path, selects an input value based on a calculation result of the code coverage, and performs fuzzing on the analysis target script executed on a virtual machine;
    A vulnerability detection device comprising:
  2.  前記算出部は、前記第1の解析部及び前記第2の解析部によって取得されたアーキテクチャ情報を基に、マルチパス実行で網羅的に実行された全体の経路を示す前記第1の制御フローグラフを構築することを特徴とする請求項1に記載の脆弱性発見装置。 The vulnerability detection device according to claim 1, characterized in that the calculation unit constructs the first control flow graph showing the entire path comprehensively executed by multi-pass execution based on the architecture information acquired by the first analysis unit and the second analysis unit.
  3.  前記脆弱性発見部は、前記コードカバレッジが、所定値よりも増加した場合に、前記変異させた入力値を選択して前記入力値に追加し、追加した前記入力値を変異させた前記入力値を前記解析対象スクリプトへ入力することを特徴とする請求項1に記載の脆弱性発見装置。 The vulnerability detection device according to claim 1, characterized in that, when the code coverage increases above a predetermined value, the vulnerability detection unit selects the mutated input value, adds it to the input value, and inputs the mutated input value of the added input value to the analysis target script.
  4.  前記第1の解析部は、実行時の条件を変えて取得した複数の実行トレースを、差分実行解析を用いて解析し、実行状態の条件分岐時に分岐がなされるか否かのフラグを保持する領域である条件分岐フラグを検出することを特徴とする請求項1に記載の脆弱性発見装置。 The vulnerability discovery device according to claim 1, characterized in that the first analysis unit uses differential execution analysis to analyze multiple execution traces obtained by changing execution conditions, and detects a conditional branch flag, which is an area that holds a flag indicating whether or not a branch is taken when a conditional branch occurs in the execution state.
  5.  前記第1の解析部は、
     実行時の条件を変えて複数の実行トレースを取得する第1の取得部と、
     前記実行トレースをクラスタリングして、各仮想機械命令の境界を検出する第1の検出部と、
     メモリの読み込み回数に着目した差分実行解析と前記第1の検出部によって検出された各仮想機械命令の境界とを用いて前記複数の実行トレースを解析し、次に実行される前記仮想機械の命令を指し示す変数である仮想プログラムカウンタを検出する第2の検出部と、
     前記第1の検出部によって検出された各仮想機械命令の境界を基に、スクリプトエンジンのバイナリを解析し、ディスパッチャを検出する第3の検出部と、
     メモリの読み込み回数に着目した差分実行解析を用いて前記複数の実行トレースを解析し、実行状態の条件分岐時に分岐がなされるか否かのフラグを保持する領域である条件分岐フラグを検出する第4の検出部と、
     を有することを特徴とする請求項4に記載の脆弱性発見装置。     The first analysis unit
    a first acquisition unit that acquires a plurality of execution traces by changing execution conditions;
    a first detector for clustering the execution trace to detect boundaries of each virtual machine instruction;
    a second detection unit that analyzes the execution traces using a differential execution analysis focusing on the number of memory reads and the boundaries of each virtual machine instruction detected by the first detection unit, and detects a virtual program counter that is a variable indicating the next instruction of the virtual machine to be executed;
    a third detection unit that analyzes the binary of the script engine based on the boundaries of each virtual machine instruction detected by the first detection unit and detects a dispatcher;
    a fourth detection unit that analyzes the plurality of execution traces using differential execution analysis focusing on the number of memory reads and detects a conditional branch flag that is an area that holds a flag indicating whether or not a branch is to be taken at the time of a conditional branch in an execution state;
    5. The vulnerability discovering device according to claim 4, further comprising:
  6.  前記第2の解析部は、
     前記仮想機械において実行された実行トレースである仮想機械実行トレースを取得する第2の取得部と、
     前記仮想プログラムカウンタ及び前記ディスパッチャを監視しながらテストスクリプトを実行して前記仮想機械実行トレースを取得し、前記仮想機械実行トレースから仮想機械命令を収集する第1の収集部と、
     前記仮想機械実行トレースの仮想機械オペコードごとの仮想プログラムカウンタの変化量のばらつきによって、分岐仮想機械命令を判定する第1の判定部と、
     を有することを特徴とする請求項5に記載の脆弱性発見装置。     The second analysis unit includes:
    a second acquisition unit that acquires a virtual machine execution trace, which is an execution trace executed in the virtual machine;
    a first collection unit that executes a test script while monitoring the virtual program counter and the dispatcher to obtain the virtual machine execution trace, and collects virtual machine instructions from the virtual machine execution trace;
    a first determination unit that determines whether a virtual machine instruction is a branch virtual machine instruction based on a variation in a change amount of a virtual program counter for each virtual machine opcode of the virtual machine execution trace;
    6. The vulnerability discovering device according to claim 5, further comprising:
  7.  前記算出部は、
     前記第1の解析部及び前記第2の解析部によって取得されたアーキテクチャ情報を基に、前記仮想機械において実行された実行トレースである仮想機械実行トレースを取得しながら解析対象スクリプトをマルチパス実行する第1の実行部と、
     前記第1の実行部によって取得された仮想機械実行トレースから分岐仮想機械命令を検出し、検出した分岐仮想機械命令の実行前後の仮想プログラムカウンタを対応付けた第1の仮想機械ブランチトレースを構築する第1の構築部と、
     前記第1の仮想機械ブランチトレースを基に、基本ブロックをノードとし、分岐仮想機械命令の実行による分岐をエッジとした前記第1の制御フローグラフを構築する第2の構築部と、
     を有し、
     前記脆弱性発見部は、
     入力値を変異させる変異部と、
     前記変異させた前記入力値を前記解析対象スクリプトに入力して、仮想機械実行トレースを取得しながら前記テストを実行する第2の実行部と、
     前記第2の実行部によって取得された仮想機械実行トレースから分岐仮想機械命令を検出し、検出した分岐仮想機械命令の実行前後の仮想プログラムカウンタを対応付けた第2の仮想機械ブランチトレースを構築する第3の構築部と、
     前記第2の仮想機械ブランチトレースを基に、基本ブロックをノードとし、分岐仮想機械命令の実行による分岐をエッジとした前記第2の制御フローグラフを構築する第4の構築部と、
     前記コードカバレッジとして、前記第1の制御フローグラフのノード数及び/またはエッジ数に対する前記第2の制御フローグラフのノード数及び/またはエッジ数の割合を算出する第1の算出部と、
     を有し、
     前記脆弱性発見部は、前記コードカバレッジが所定値よりも増加した場合に、前記変異させた入力値を選択して前記入力値に追加し、前記変異部に変異させ、
     前記第1の実行部は、前記変異させた前記入力値を前記解析対象スクリプトに入力して前記テストを実行する
     ことを特徴とする請求項6に記載の脆弱性発見装置。     The calculation unit is
    a first execution unit that executes a script to be analyzed in multiple passes while acquiring a virtual machine execution trace, which is an execution trace executed in the virtual machine, based on architecture information acquired by the first analysis unit and the second analysis unit;
    a first construction unit that detects a branch virtual machine instruction from the virtual machine execution trace acquired by the first execution unit and constructs a first virtual machine branch trace in which virtual program counters before and after execution of the detected branch virtual machine instruction are associated with each other;
    a second construction unit that constructs the first control flow graph based on the first virtual machine branch trace, with basic blocks as nodes and branches resulting from execution of branch virtual machine instructions as edges;
    having
    The vulnerability detection unit is
    A mutation unit that mutates an input value;
    a second execution unit that inputs the mutated input value into the analysis target script and executes the test while acquiring a virtual machine execution trace;
    a third construction unit that detects a branch virtual machine instruction from the virtual machine execution trace acquired by the second execution unit and constructs a second virtual machine branch trace in which virtual program counters before and after execution of the detected branch virtual machine instruction are associated with each other;
    a fourth construction unit that constructs the second control flow graph based on the second virtual machine branch trace, with basic blocks as nodes and branches resulting from execution of branch virtual machine instructions as edges;
    a first calculation unit that calculates, as the code coverage, a ratio of a number of nodes and/or a number of edges of the second control flow graph to a number of nodes and/or a number of edges of the first control flow graph;
    having
    the vulnerability discovery unit, when the code coverage increases to a value greater than a predetermined value, selects the mutated input value, adds it to the input value, and mutates it into the mutation unit;
    7. The vulnerability discovering device according to claim 6, wherein the first execution unit inputs the mutated input value into the analysis target script and executes the test.
  8.  脆弱性発見装置が実行する脆弱性発見方法であって、
     スクリプトエンジンの仮想機械を解析する第1の解析工程と、
     前記仮想機械の命令の体系である命令セットアーキテクチャを解析して、仮想機械命令を収集し、収集した仮想機械命令の命令内容を判定する第2の解析工程と、
     前記第1の解析工程及び前記第2の解析工程において取得されたアーキテクチャ情報を基に、全体の経路を示す第1の制御フローグラフを構築する算出工程と、
     前記第1の解析工程及び前記第2の解析工程において取得されたアーキテクチャ情報を基に、入力値を変異させ、変異させた前記入力値を解析対象スクリプトへ入力してテストとして実行された経路を示す第2の制御フローグラフを構築し、前記全体の経路に対する、前記テストとして実行された経路の割合であるコードカバレッジを算出し、前記コードカバレッジの算出結果を基に、入力する値を選択して、仮想機械上で実行されている前記解析対象スクリプトに対するファジングを行う実行工程と、
     を含んだことを特徴とする脆弱性発見方法。     A vulnerability discovery method executed by a vulnerability discovery device, comprising:
    a first analysis step of analyzing a virtual machine of a script engine;
    a second analysis step of analyzing an instruction set architecture, which is an instruction system of the virtual machine, to collect virtual machine instructions and determine the instruction contents of the collected virtual machine instructions;
    a calculation step of constructing a first control flow graph showing an entire path based on architecture information acquired in the first analysis step and the second analysis step;
    an execution step of mutating an input value based on architecture information acquired in the first analysis step and the second analysis step, constructing a second control flow graph showing a path executed as a test by inputting the mutated input value to an analysis target script, calculating a code coverage that is a ratio of the path executed as the test to the entire path, selecting an input value based on a calculation result of the code coverage, and performing fuzzing on the analysis target script executed on a virtual machine;
    A vulnerability discovery method comprising:
  9.  スクリプトエンジンの仮想機械を解析する第1の解析ステップと、
     前記仮想機械の命令の体系である命令セットアーキテクチャを解析して、仮想機械命令を収集し、収集した仮想機械命令の命令内容を判定する第2の解析ステップと、
     前記第1の解析ステップ及び前記第2の解析ステップにおいて取得されたアーキテクチャ情報を基に、全体の経路を示す第1の制御フローグラフを構築する算出ステップと、
     前記第1の解析ステップ及び前記第2の解析ステップにおいて取得されたアーキテクチャ情報を基に、入力値を変異させ、変異させた前記入力値を解析対象スクリプトへ入力してテストとして実行された経路を示す第2の制御フローグラフを構築し、前記全体の経路に対する、前記テストとして実行された経路の割合であるコードカバレッジを算出し、前記コードカバレッジの算出結果を基に、入力する値を選択して、仮想機械上で実行されている前記解析対象スクリプトに対するファジングを行う実行ステップと、
     をコンピュータに実行させるための脆弱性発見プログラム。     a first analysis step of analyzing a virtual machine of a script engine;
    a second analysis step of analyzing an instruction set architecture, which is an instruction system of the virtual machine, to collect virtual machine instructions and determine instruction contents of the collected virtual machine instructions;
    a calculation step of constructing a first control flow graph showing an entire path based on architecture information acquired in the first analysis step and the second analysis step;
    an execution step of mutating an input value based on architecture information acquired in the first analysis step and the second analysis step, constructing a second control flow graph showing a path executed as a test by inputting the mutated input value to an analysis target script, calculating code coverage which is the ratio of the path executed as the test to the entire path, selecting an input value based on a calculation result of the code coverage, and performing fuzzing on the analysis target script executed on a virtual machine;
    A vulnerability detection program that causes a computer to run the following:
PCT/JP2022/037943 2022-10-11 2022-10-11 Vulnerability detection device, vulnerability detection method, and vulnerability detection program WO2024079803A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/037943 WO2024079803A1 (en) 2022-10-11 2022-10-11 Vulnerability detection device, vulnerability detection method, and vulnerability detection program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/037943 WO2024079803A1 (en) 2022-10-11 2022-10-11 Vulnerability detection device, vulnerability detection method, and vulnerability detection program

Publications (1)

Publication Number Publication Date
WO2024079803A1 true WO2024079803A1 (en) 2024-04-18

Family

ID=90668954

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/037943 WO2024079803A1 (en) 2022-10-11 2022-10-11 Vulnerability detection device, vulnerability detection method, and vulnerability detection program

Country Status (1)

Country Link
WO (1) WO2024079803A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022180702A1 (en) * 2021-02-24 2022-09-01 日本電信電話株式会社 Analysis function addition device, analysis function addition program, and analysis function addition method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022180702A1 (en) * 2021-02-24 2022-09-01 日本電信電話株式会社 Analysis function addition device, analysis function addition program, and analysis function addition method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HIRAMATSU, HAYATO; ISHIGURO, KENTA; KONO, KENJI: "A Fuzzing Method Specialized in the In-Kernel Interpreter", IPSJ COMPUTER SECURITY SYMPOSIUM (CSS 2021); OCTOBER 26-29, 2021, INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 2021, 19 October 2021 (2021-10-19) - 29 October 2021 (2021-10-29), pages 395 - 402, XP009554373 *
USUI TOSHINOBU, FURUKAWA WAKI, ​​OTSUKI HAYATO, KAWAFURUYA YUHEI, IWAMURA SEI, MIYOSHI JUN, MATSUURA KANTA MATSUURA: "Automatically appending multi-path execution functionality to vanilla script engines", PROCEEDINGS OF COMPUTER SECURITY SYMPOSIUM 2019; OCTOBER 21-24, 2019, IPSJ, JAPAN, 14 October 2019 (2019-10-14) - 24 October 2019 (2019-10-24), Japan , pages 961 - 968, XP009539387 *
USUI, TOSHINORI; IKUSE, TOMONORI; KAWAKOYA, YUHEI; IWAMURA, MAKOTO; MATSUURA, KANTA: "Automatically Appending Execution Stall/Stop Prevention to Vanilla Script Engines", IPSJ COMPUTER SECURITY SYMPOSIUM (CSS 2021); OCTOBER 26-29, 2021, INFORMATION PROCESSING SOCIETY OF JAPAN (IPSJ), vol. 2021, 1 January 2021 (2021-01-01) - 29 October 2021 (2021-10-29), pages 794 - 801, XP009554372 *

Similar Documents

Publication Publication Date Title
Hemmati How effective are code coverage criteria?
TWI553503B (en) Method of generating in-kernel hook point candidates to detect rootkits and system thereof
Shen et al. Automating performance bottleneck detection using search-based application profiling
WO2022180702A1 (en) Analysis function addition device, analysis function addition program, and analysis function addition method
US8683282B2 (en) Automatic identification of information useful for generation-based functional verification
JP7287480B2 (en) Analysis function imparting device, analysis function imparting method and analysis function imparting program
CN110765459A (en) Malicious script detection method and device and storage medium
JP6904043B2 (en) Input discovery for unknown program binaries
US10754744B2 (en) Method of estimating program speed-up in highly parallel architectures using static analysis
Gu et al. Deepprof: Performance analysis for deep learning applications via mining gpu execution patterns
Wu et al. Homi: Searching higher order mutants for software improvement
Zhao et al. Suzzer: A vulnerability-guided fuzzer based on deep learning
CN116702157B (en) Intelligent contract vulnerability detection method based on neural network
CN111428247B (en) Method for improving computer leak library
WO2024079803A1 (en) Vulnerability detection device, vulnerability detection method, and vulnerability detection program
Ngo et al. Ranking warnings of static analysis tools using representation learning
Mariano et al. Analyzing graph-based algorithms employed to generate test cases from finite state machines
WO2015163914A1 (en) Statistics-based data trace classification
WO2024079804A1 (en) Analysis function addition device, analysis function addition method, and analysis function addition program
WO2023067668A1 (en) Analysis function addition method, analysis function addition device, and analysis function addition program
CN116522345A (en) Vulnerability discovery method, device, equipment and readable storage medium
Godboley et al. Ssg-afl: Vulnerability detection for reactive systems using static seed generator based afl
CN113127342B (en) Defect prediction method and device based on power grid information system feature selection
WO2024079793A1 (en) Vulnerability discovery device, vulnerability discovery method, and vulnerability discovery program
GB2577102A (en) Generation of code coverage information during testing of a code sequence

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22962023

Country of ref document: EP

Kind code of ref document: A1