基于程序建模的网络程序漏洞检测技术

邓兆琨; 陆余良; 黄钊; 黄晖; 朱凯龙

doi:10.13700/j.bh.1001-5965.2018.0436

基于程序建模的网络程序漏洞检测技术

doi: 10.13700/j.bh.1001-5965.2018.0436

国防科技大学电子对抗学院, 合肥 230037

基金项目:

国家重点研发计划 2017YFB0802905

详细信息

作者简介:
邓兆琨  男, 硕士研究生。主要研究方向:网络空间安全、二进制软件分析、程序漏洞挖掘与分析

陆余良  男，教授，博士生导师。主要研究方向：网络空间安全、漏洞挖掘与利用、网络态势感知

黄钊  女, 硕士研究生。主要研究方向:二进制软件分析

黄晖  男, 博士。主要研究方向:二进制软件分析; 朱凯龙, 男, 博士研究生。主要研究方向:二进制软件分析

朱凯龙  男，博士研究生。主要研究方向：二进制软件分析

通讯作者:
陆余良, E-mail: kivi_fruit@126.com

中图分类号: TP391
计量
- 文章访问数: 615
- HTML全文浏览量: 77
- PDF下载量: 342
- 被引次数: 0
出版历程
- 收稿日期: 2018-07-23
- 录用日期: 2018-12-07
- 网络出版日期: 2019-04-20

Network program vulnerability detection technology based on program modeling

Electronic Engineering Institute, National University of Defense Technology, Hefei 230037, China

Funds:

National Key R & D Program of China 2017YFB0802905

More Information

Corresponding author: LU Yuliang, E-mail: kivi_fruit@126.com

摘要

摘要:
研究和分析了网络程序漏洞检测方法，针对C/S结构下网络程序存在的二进制漏洞提出了一种基于程序建模的漏洞检测方法。该方法针对网络程序架构进行分析，通过抽取不同类型网络程序中的关键性系统函数，进行程序建模和检测系统执行模块开发。采用选择符号执行技术进行检测，通过函数挂钩的方式定制挂钩函数语义和函数执行触发的操作，引入符号化数据和引导符号执行过程。研究过程中基于该技术实现了一套网络程序漏洞检测系统，系统能够识别目标网络程序采用的I/O模型，根据目标网络程序的不同类型调取相应的系统执行模块，利用选择符号执行技术进行自动化漏洞检测过程。实验结果表明，相比于已有的检测工具，该系统在网络程序的漏洞检测方面针对性更强，程序代码的覆盖率更高，同时具有很好的可扩展性。
- 网络程序 /
- 漏洞检测 /
- C/S结构 /
- 架构模型 /
- 符号执行
Abstract:
By studying and analyzing the vulnerability detection method of network program, a vulnerability detection method based on program modeling was proposed, and this method is aimed at the binary network program vulnerability in the C/S structure. The method analyzes the network program architecture, extracts the key system functions in different types of network programs, and develops the program modeling and detection system execution module. The technique of selective symbolic execution is adopted for detection, the semantics of hook function and the operation of trigger are customized by means of function hooks, and the execution process of symbolic data and guiding symbol is introduced. Based on this technology, a network program vulnerability detection system is realized. This system can identify the target web application using the I/O model. According to the different types of target program, it can call the different detection modules and use selective symbolic execution technology to implement the automated vulnerability detection process. The experimental results show that, compared with the existing detection tools, the system is more targeted in the vulnerability detection of network programs with higher vulnerability detection rate and good scalability.
- network program /
- vulnerability detection /
- C/S structure /
- architecture model /
- symbolic execution

HTML全文

图 1 选择符号执行技术

Figure 1. Technology of selective symbolic execution

下载: 全尺寸图片幻灯片

图 2 选择符号执行系统运行过程

Figure 2. Operational process of selective symbolic execution system

下载: 全尺寸图片幻灯片

图 3 符号变元引入策略

Figure 3. Symbolic variable introduction policies

下载: 全尺寸图片幻灯片

图 4 阻塞通信模型

Figure 4. Blocking communication model

下载: 全尺寸图片幻灯片

图 5 阻塞通信模型执行模块部分代码

Figure 5. Part of execution module code of blocking communication model

下载: 全尺寸图片幻灯片

图 6 select模型执行过程

Figure 6. select model execution process

下载: 全尺寸图片幻灯片

图 7 系统原型架构

Figure 7. System prototype architecture

下载: 全尺寸图片幻灯片

图 8 实现函数挂钩

Figure 8. Function hook realization

下载: 全尺寸图片幻灯片

图 9 服务器端符号执行过程

Figure 9. Symbolic execution process of server

下载: 全尺寸图片幻灯片

图 10 客户端状态保存及回置

Figure 10. Client state savinges and restoringes

下载: 全尺寸图片幻灯片

表 1 实验环境配置

Table 1. Experimental environment configuration

节点	操作系统	主机型号	内存
Server	WindowsXP-SP3	Intel^® Core i7-5820 K 3.3 GHz CPU	4 GB
Client	WindowsXP-SP3	Intel^® Core i7-5820K 3.3 GHz CPU	4 GB

下载: 导出CSV

表 2 实验结果

Table 2. Experimental result

软件	漏洞编号	漏洞类型
Tftpd32	CVE-2006-6141	远程缓冲区溢出漏洞
Tftpd32	CVE-2013-6809	格式化字符串漏洞

下载: 导出CSV

参考文献(16)

[1]	高瑞, 周彩兰, 朱荣.网络应用程序漏洞挖掘技术研究[J].现代电子技术, 2018, 41(3):115-119. http://d.old.wanfangdata.com.cn/Periodical/xddzjs201803027 GAO R, ZHOU C L, ZHU R. Research on vulnerability mining technology of network application program[J].Modern Electronics Technique, 2018, 41(3):115-119(in Chinese). http://d.old.wanfangdata.com.cn/Periodical/xddzjs201803027
[2]	刘红梅.基于C/S和B/S体系结构应用系统的开发方法[J].计算机与现代化, 2007(11):52-54. doi: 10.3969/j.issn.1006-2475.2007.11.019 LIU H M.Development of application system based on C/S and B/S architecture[J].Computer and Modernization, 2007(11):52-54(in Chinese). doi: 10.3969/j.issn.1006-2475.2007.11.019
[3]	薛卫萍, 陈文生.基于C/S结构的即时通信系统的设计与实现[J].信息通信, 2015(3):113-114. doi: 10.3969/j.issn.1673-1131.2015.03.076 XUE W P, CHEN W S.Design and implementation of real-time communication system based on C/S structure[J].Information & Communications, 2015(3):113-114(in Chinese). doi: 10.3969/j.issn.1673-1131.2015.03.076
[4]	洪学海, 朱彤.基于C/S体系结构应用系统的研究与开发[J].物探化探计算技术, 1999, 21(1):59-65. doi: 10.3969/j.issn.1001-1749.1999.01.011 HONG X H, ZHU T.Research and development of C/S architecture application system[J].Computer Techniques for Giophysical and Geochenical Explopation, 1999, 21(1):59-65(in Chinese). doi: 10.3969/j.issn.1001-1749.1999.01.011
[5]	LI P, MA Z, YANG H, et al.Research and design of power quality account management system based on B/S architecture[J].Electrical Engineering, 2017(10):110-114.
[6]	金海, 廖小飞.P2P技术原理及应用[J].中兴通讯技术, 2007, 13(6):1-5. doi: 10.3969/j.issn.1009-6868.2007.06.001 JIN H, LIAO X F.Pinciples and application of P2P technology[J].ZTE Communications, 2007, 13(6):1-5(in Chinese). doi: 10.3969/j.issn.1009-6868.2007.06.001
[7]	伊玮珑.基于B/S结构的web漏洞检测系统的设计[D].哈尔滨: 哈尔滨理工大学, 2015. YIN W L.Design of web vulnerabilities detection system based on browser/server structure[D].Harbin: Harbin University of Science & Technology, 2015(in Chinese).
[8]	杨丁宁, 肖晖, 张玉清.基于Fuzzing的ActiveX控件漏洞挖掘技术研究[J].计算机研究与发展, 2012, 49(7):1525-1532. http://d.old.wanfangdata.com.cn/Periodical/jsjyjyfz201207016 YANG D N, XIAO H, ZHAN Y Q.Vulnerability detection in ActiveX controls based on Fuzzing technology[J].Journal of Computer Research and Development, 2012, 49(7):1525-1532(in Chinese). http://d.old.wanfangdata.com.cn/Periodical/jsjyjyfz201207016
[9]	吴小伟.基于动态污点分析的网络程序漏洞挖掘方法[D].武汉: 华中科技大学, 2012. WU X W.A network software vulnerabilities discovery method based on dynamic taint analysis[D].Wuhan: Huazhong University of Science and Technology, 2012(in Chinese).
[10]	王江.基于QEMU的二进制程序离线动态污点分析方法研究[D].北京: 北京理工大学, 2016. WANG J.Research on offline dynamic taint analysis of binary program based on QEMU[D].Beijing: Beijing Institute of Technology, 2016(in Chinese).
[11]	冯震, 聂森, 王轶骏, 等.基于S2E的Use-After-Free漏洞检测方案[J].计算机应用与软件, 2016, 33(4):273-276. doi: 10.3969/j.issn.1000-386x.2016.04.064 FENG Z, NIE S, WANG Y J, et al.Use-After-Free vulnerabilities detection scheme based on S2E[J].Computer Applications and Software, 2016, 33(4):273-276(in Chinese). doi: 10.3969/j.issn.1000-386x.2016.04.064
[12]	CHIPOUNOV V, KUZNETSOV V, CANDEA G.S2E:A platform for in-vivo multi-path analysis of software systems[J].ACM SIGPLAN Notices, 2011, 47(4):265-278. http://d.old.wanfangdata.com.cn/Periodical/xxwlaq201207004
[13]	CHIPOUNOV V, GEORGESCU V, ZAMFIR C, et al.Selective symbolic execution[C]//The Workshop on Hot Topics in System Dependability, 2009: 1286-1299.
[14]	CADAR C, SEN K.Symbolic execution for software testing:Three decades later[J].Communications of the ACM, 2013, 56(2):82-90. doi: 10.1145/2408776
[15]	SONG J S, KIM H, PARK S.Enhancing conformance testing using symbolic execution for network protocols[J].IEEE Transactions on Reliability, 2015, 64(3):1024-1037. doi: 10.1109/TR.2015.2443392
[16]	PISTOIA M, CHANDRA S, FINK S J, et al.A survey of static analysis methods for identifying security vulnerabilities in software systems[J].IBM Systems Journal, 2007, 46(2):265-288. doi: 10.1147/sj.462.0265