高级检索

    基于控制流和数据流分析的内存拷贝类函数识别技术

    Memory Copy Function Identification Technique with Control Flow and Data Flow Analysis

    • 摘要: 内存错误漏洞仍是当前网络攻击中造成危害最严重的漏洞之一.内存错误漏洞的产生往往与对内存拷贝类函数的误用有关.目前针对内存拷贝类函数的识别主要借助于符号表和代码特征模式匹配,具有较高的误报率和漏报率,并且适用性较差.提出了一种内存拷贝类函数识别技术CPYFinder(copy function finder).该技术在内存拷贝类函数控制流特征的基础上,将二进制代码转换为中间语言表示VEX IR(intermediate representation)进行数据流的构建和分析,根据内存拷贝类函数在数据流上的特征进行识别.该技术能够在较低的运行时间下对多种指令集架构(x86,ARM,MIPS,PowerPC)的二进制程序中的内存拷贝类函数进行识别.实验结果表明,相比于最新的工作BootStomp和SaTC,CPYFinder在对内存拷贝类函数识别上具有更好的表现,在精准率和召回率上得到更好的平衡,并且运行时间与SaTC几乎相等,仅相当于BootStomp耗时的19%.此外,CPYFinder在漏洞函数识别上也具有更好的表现.

       

      Abstract: Memory error vulnerability is still one of the most widely used and harmful vulnerabilities in current cyber-attacks, whose timely discovery and repair in binary programs bear great value in preventing cyber-attacks. Memory error vulnerabilities are often associated with the misuse of memory copy functions. However, the current identification techniques of memory copy functions mainly rely on the matching of symbol tables and code feature pattern, which have high false positive and false negative rates and poor applicability, and there are still many problems to be solved. To address the above problems, we propose a memory copy function identification technology CPYFinder, based on the control flow of memory copy functions. CPYFinder lifts the binary code into the VEX IR (Intermediate Representation) code to construct and analyze the data flow, and identifies binary code according to the pattern of the memory copy function on the data flow. This method can identify the memory copy functions in stripped binary executables of various instruction set architectures (i.e. x86, ARM, MIPS and PowerPC) in a short runtime. Experimental results show that CPYFinder has better performance in identifying memory copy functions in C libraries and user-defined implementations. Compared with the state-of-the-art works BootStomp and SaTC, CPYFinder gets a better balance between precision and recall, and has equal time consumption compared with SaTC and its runtime only amounts to 19% of BootStomp. In addition, CPYFinder also has better performance in vulnerability function identification.

       

    /

    返回文章
    返回