
    Detecting the Vulnerability Pattern of Writing Tainted Value to Tainted Address

    • Abstract (translated from the Chinese): Device drivers are low-level programs that allow higher-level programs to interact with hardware devices. Vulnerabilities in device drivers are usually far more damaging to the security of a computer system than vulnerabilities in applications. Writing a tainted value to a tainted address is a vulnerability pattern that appears frequently in Windows device drivers. This paper is the first to describe this vulnerability pattern explicitly; it proposes an automatic method for detecting the pattern in binary driver programs and implements it in the prototype tool T2T-B2C. The method is based on decompilation and static taint analysis and, unlike other methods, can analyze both C code and native binary code. The tool consists of two components, T2T and B2C: B2C first converts a binary file into a C file by decompilation, and T2T then uses static taint analysis to detect statements in the C code generated by B2C that write a tainted value to a tainted address. T2T-B2C was evaluated on binary drivers from several anti-virus products and found 6 previously undisclosed vulnerabilities. The results show that the tool is a practically usable vulnerability detector that can be applied to fairly large programs.


      Abstract: Device drivers are low-level programs that allow higher-level programs to interact with hardware devices. Vulnerabilities in device drivers are commonly more devastating to a computer system than vulnerabilities in applications. "Writing a tainted value to a tainted address" is a vulnerability pattern that occurs frequently in Windows device drivers. In this paper we describe this vulnerability pattern explicitly for the first time, present a systematic method to detect it automatically in binary Windows device drivers, and implement the method in a prototype tool called T2T-B2C. The method is based on decompilation and static taint analysis; compared with other methods, it can analyze native binary code as well as C code. Accordingly, T2T-B2C consists of two components, T2T and B2C. First, B2C translates binary files into C files by decompilation; then T2T uses static taint analysis to detect the vulnerable statements, those that write a tainted value to a tainted address, in the C code that B2C produced. We evaluate T2T-B2C on binary device drivers from several Windows anti-virus programs and find 6 previously undisclosed vulnerabilities. The results show that T2T-B2C is a practical vulnerability detection tool that scales to large programs.
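The abstract describes the T2T check as a static taint analysis that flags a store whose destination address and stored value are both attacker-controlled. The following is an added illustration of that check, not T2T-B2C's code: it runs a single forward taint pass over a tiny three-address IR that stands in for the C a decompiler like B2C would emit. The IR forms, the sample IOCTL-handler sketches and the `sanitize` statement (modelling a validation step that clears taint) are all assumptions made for this example.

```python
"""Toy forward taint analysis for the "write tainted value to tainted
address" (T2T) pattern.

Added illustration, not T2T-B2C's implementation.  The IR below is a
constructed stand-in for decompiled C; real drivers need interprocedural
analysis, control flow joins and memory modelling that this example omits.
"""
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

Stmt = Tuple[str, ...]

# IR forms (constructed for this example):
#   ("source", v)       v holds attacker-controlled input (e.g. the IOCTL input buffer)
#   ("assign", d, s)    d = s
#   ("binop", d, a, b)  d = a OP b        taint of either operand flows to d
#   ("load", d, p)      d = *p            data read through a tainted pointer is tainted
#   ("store", p, v)     *p = v            the sink: flagged when p AND v are tainted
#   ("sanitize", v)     v was validated (modelled here as clearing its taint)


@dataclass(frozen=True)
class Finding:
    index: int      # position of the offending store in the statement list
    address: str    # variable holding the tainted destination address
    value: str      # variable holding the tainted value being written


def analyze(stmts: Sequence[Stmt]) -> List[Finding]:
    """One forward pass over straight-line IR, tracking the set of tainted
    variables and reporting every store whose address and value are both tainted."""
    tainted: Set[str] = set()
    findings: List[Finding] = []

    def set_taint(var: str, is_tainted: bool) -> None:
        # Strong update: a fresh definition replaces the variable's old taint state.
        if is_tainted:
            tainted.add(var)
        else:
            tainted.discard(var)

    for i, stmt in enumerate(stmts):
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":
            _, dst, src = stmt
            set_taint(dst, src in tainted)
        elif op == "binop":
            _, dst, a, b = stmt
            set_taint(dst, a in tainted or b in tainted)
        elif op == "load":
            _, dst, ptr = stmt
            set_taint(dst, ptr in tainted)
        elif op == "store":
            _, ptr, val = stmt
            if ptr in tainted and val in tainted:
                findings.append(Finding(i, ptr, val))
        elif op == "sanitize":
            tainted.discard(stmt[1])
        else:
            raise ValueError(f"unknown IR statement at {i}: {stmt!r}")
    return findings


# Constructed IOCTL-handler sketch: both the destination address and the value
# are read straight out of the user-supplied input buffer.
VULNERABLE_HANDLER: List[Stmt] = [
    ("source", "in_buf"),                  # in_buf = user-controlled input buffer
    ("load", "dst_ptr", "in_buf"),         # dst_ptr = *(void **)in_buf
    ("binop", "val_addr", "in_buf", "8"),  # val_addr = in_buf + 8
    ("load", "val", "val_addr"),           # val = *(ULONG *)(in_buf + 8)
    ("store", "dst_ptr", "val"),           # *dst_ptr = val   <- the T2T pattern
]

# Same handler, but the destination is validated before the write; the
# 'sanitize' step stands in for whatever check the driver performs on it.
HARDENED_HANDLER: List[Stmt] = VULNERABLE_HANDLER[:4] + [
    ("sanitize", "dst_ptr"),
    ("store", "dst_ptr", "val"),
]

# Tainted value written to a driver-owned field: not the T2T pattern.
TAINTED_VALUE_ONLY: List[Stmt] = [
    ("source", "in_buf"),
    ("load", "val", "in_buf"),
    ("store", "ctx_field", "val"),
]


if __name__ == "__main__":
    for name, handler in [("vulnerable", VULNERABLE_HANDLER),
                          ("hardened", HARDENED_HANDLER),
                          ("value-only", TAINTED_VALUE_ONLY)]:
        print(name, analyze(handler))
```

Only the first handler is reported: the sink fires when both operands of the store are tainted, so a tainted value written to a fixed driver-owned location, or a tainted address that has passed a validation step, is not counted as the pattern.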

