DOU Zeng-jie,WANG Zhen-yu,CHEN Nan,WANG Rui-min,TIAN Jia

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.21.011

2010-01-01

Abstract:In order to analyze program control flow precisely and depict program control structure correctly,this paper introduces an overall architecture for control flow analysis and proposes an algorithm to generate the control flow of executable code. Key techniques such as abstraction of executable code and program control flow generation are described. Simple Assembly language Intermediate Representation(SAIR) is presented. Without changing semantics of the disassembly code,SAIR ensures thesimplicity and stringentness of analysis. The functions that create program control flow are defined based on SAIR and the algorithm that generates the control flow is proposed. The example of analyzing program control flow is given.

唐和平,黄曙光,吴志勇

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.23.018

2010-01-01

Computer Engineering and Applications Journal

Abstract:In order to analyze executable file,this paper proposes a method of understanding program by data flow analysis. It firstly translates disassemble results into data flow descriptive language and gets Reach In and Out definition,builds intra-procedur data flow equations,and then solves equations to refer relation between function input and output.The method has been validated by experiment on string copy function without extra clue.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

HU Chaojian,ZHANG Jia,LI Zhoujun,SHI Zhiwei,ZHANG Yan

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.017

2009-01-01

Abstract:Since there are semantic differences between a source code and its executable code, analysis of only the source code may miss some vulnerabilities in the executable code.Typical vulnerability patterns were analyzed to design a security vulnerability detection tool to work directly on executables.The system combines static disassembly analysis, dynamic auto-debugging and function based argument injection.The tool successfully found buffer overflow vulnerabilities in both a CVE (common vulnerabilities & exposures) benchmark and two real executables.The resuIts show that this detection method can be used to directly detect security vulnerabilities in executable codes.

Jinxin Ma,Zhoujun Li,Chaojian Hu

DOI: https://doi.org/10.1109/cicn.2012.216

2012-01-01

Abstract:Disassembly is the preparative and crucial phase in reverse engineering and it helps people obtain the high-level semantics of binaries. However, considerable obfuscation technologies are presented to prevent the binary from the disassembler for the benefit and safety consideration. Unfortunately, hackers also could disguise their malware with obfuscation to escape the detection. Therefore, substantial literatures are published to thwart the obfuscation. Without discussing which side is legitimate conceptually, the paper proposed a measure to improving the disassembly result especially for the obfuscated binaries. By adopting some brilliant thought from the preceding publications, the paper presented several solutions to improve the result. A novel technique of verification stack pointer which is utilized to distinguish the bounds of functions, moreover, bytes-based pattern matching assist the disassembler to construct intra-procedural control flow graph dramatically. An implementation is designed and developed with the technology and considerable evaluations were taken on it. An example was provided in the evaluation section and it turned out that our disassembler could perform effectively and accurately.

Tao Wei,Jian Mao,Wei Zou,Yu Chen

DOI: https://doi.org/10.1109/COMPSAC.2007.203

2007-01-01

Abstract:One of the major challenges of control flow analysis in decompilation is to structure 2-way branches into conditionals, loop conditionals and switches. In this paper, we propose a graph-based method to formally describe structures of 2-way branches via the introduction of concepts called "compound branch subgraph" and "cascade branch subgraph". We then present novel structuring algorithms based on such concepts. Compared with previous works, our algorithms are deterministic rather than heuristic, and they do not use complicated data structures such as Interval/DSG. We show that in theory our algorithm is more accurate and efficient than typical current approaches; furthermore, we have applied the algorithm to several real-world binary executables, and experimental results validate such theoretical analysis.

DENG Chao-guo,GU Da-wu,LI Juan-ru,SUN Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.04.066

2011-01-01

Abstract:This paper proposed an approach of binary analysis based on full-system emulation and instruction-flow analysis technology.This approach ran executable binary code on a virtual machine which used full-system emulation technology,and then captured and analyzed runtime instruction-flow information to figure out this program's feature.This paper covered design and implement of such a binary code analysis system.Experiment result illustrates that it is more efficient and general to capture,extract and analyze runtime instruction-flow information by using this system.This approach is particularly effective to analyze binary code which uses anti-analysis technology.

Steven P. Reiss

DOI: https://doi.org/10.48550/arXiv.1909.13683

2019-09-30

Abstract:We introduce a tool that supports continuous flow analysis in order to detect security problems as the user edits. The tool uses abstract interpretation over both byte codes and abstract syntax trees to trace the flow of both type annotations and system states from their sources to security problems. The flow analysis achieves a balance between performance and accuracy in order to detect security vulnerabilities within seconds, and uses incremental update to provide immediate feedback to the programmer. Resource files are used to specify the specific security constraints of an application and to tune the analysis. The system can also provide detailed information to the programmer as to why it flagged a particular problem. The tool is integrated into the Code Bubbles development environment.

Software Engineering,Cryptography and Security

Chang Da,Li Zhou-jun,Yang Tian-fang,Hu Chao-jian

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.009

2011-01-01

Abstract:The differences of system platform,compiler and compilation options are likely to lead semantic differences between source code and executable code,only source code analysis may omit vulnerabilities hidden in executable code.Even source code analysis has verified the nature of the need for security,but yet it can not assure the security nature in the executable code are satisfied not contrary to.This paper designed and implemented a program execution tracer based on dynamic binary instrumentation.The results show our prototype tool can accurately trace in the execution path,and be able to filter out 90% to 99% secondary instructions.At last,this paper discussed other technical solutions,the shortcoming of current prototype tool and the future work.

唐和平,吴志勇,黄曙光,李永成

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.17.009

2010-01-01

Abstract:On the basis of data flow analysis,this paper translates program into data flow descriptive markers and obtains reach in and out definitions sets of basic blocks through data flow reach-definition anlysis.It establishes relation between function input and output to achieve static understanding.Experimental results demonstrate that string operating functions such as copy routine are correctly identified without extra clue by using this method.

WANG Chun-lei,LIU Qiang,ZHAO Gang,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.04.031

2010-01-01

Computer Science

Abstract:In order to analyze vulnerabilities in executable programs,a vulnerability analysis framework for binaries based upon model checking was proposed.Firstly,the abstract model of binary was defined,and the formal models of vulnerabilities based upon finite state automaton and the representations of software security attributes based upon event system were described.Then,the model checking based vulnerability analysis process and algorithm were proposed with respect to the abstract models of binaries and the security attributes to be checked.After that,the prototype of vulnerability analysis tool was designed and implemented based upon the framework.The illustrative sample program was analyzed to show in detail the principles of the framework,and the experimental results show the effectiveness of the analysis method.

李广旭,李伟华,潘炜,史豪斌

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.32.019

2008-01-01

Computer Engineering and Applications Journal

Abstract:A program structure parsing model for binary file reverse analysis is presented.The model disassembles a binary file to generate a corresponding assembly file,eliminates redundant information from the assembly file,and then statically analyzes the assembly file to construct basic blocks with index-dependent information.It extracts control flow and function call information of binary file based on basic blocks,and creates control flow and function call graphs.The model does not depend on source code, but shows better practicability and generality.Our experiments demonstrate that the proposed model has a high accuracy in pars- ing program structure of binary file.

马金鑫,忽朝俭,李舟军

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.003

2011-01-01

Abstract:Disassembly plays a fundamental and important role in reverse engineering.A static disassembly method based on a refining control flow graph was developed to improve disassembly accuracy and efficiency.The method slices the binary into functions and constructs an intra-procedure control flow graph for each function.Then,it extracts the real control flow graph as per graph theory and the assembly code features.This program evaluated 22 coreutils programs between these two linear sweep algorithms and is 63.2% faster than Objdump for drawing accurate control flow graphs.Therefore,it is more efficient and accurate.

Nicolas Boltz,Sebastian Hahner,Christopher Gerking,Robert Heinrich

2024-03-14

Abstract:The growing interconnection between software systems increases the need for security already at design time. Security-related properties like confidentiality are often analyzed based on data flow diagrams (DFDs). However, manually analyzing DFDs of large software systems is bothersome and error-prone, and adjusting an already deployed software is costly. Additionally, closed analysis ecosystems limit the reuse of modeled information and impede comprehensive statements about a system's security. In this paper, we present an open and extensible framework for data flow analysis. The central element of our framework is our new implementation of a well-validated data-flow-based analysis approach. The framework is compatible with DFDs and can also extract data flows from the Palladio architectural description language. We showcase the extensibility with multiple model and analysis extensions. Our evaluation indicates that we can analyze similar scenarios while achieving higher scalability compared to previous implementations.

Software Engineering,Cryptography and Security

Yun-Peng WAN,Yi DENG,Dong-Hui SHI,Liang CHENG,Yang ZHANG

DOI: https://doi.org/10.15888/j.cnki.csa.005991

2017-01-01

Abstract:In this paper we present BAEG,a system to automatically look for exploitable bugs in the binary program.Every bug reported by BAEG is accompanied by the control flow hijacking exploit.The working exploits ensure robustness that each bug report is security-critical and exploitable.Giving BAEG a vulnerable program and an input crash,the challenges are:1) how to replay crash and get the state of crash;2) how to automatically generate exploit.For the first challenge,we present a path-guided algorithm,take crash input as symbolic data,and replay crash path.For the second challenge,we summarize the principles of multiple control-flow hijack and establish the corresponding exploit generation model.Besides,BAEG can explore deep code especially for invalid symbolic read and symbolic write,which can help us decide whether there still are exploits at deeper code.

Ye ZHANG,Yuliang LU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017.12.3581

2018-01-01

Abstract:Programmable Logic Controller (PLC) is one of the most important components of industrial control system,which controls varieties of physical equipments and production processes.The faults of PLC control program caused by malicious tempering of attacker and programming errors of internal personnel will seriously threaten equipment safety and personal safety in industrial field.In order to solve this problem,a control flow analysis method of PLC program was proposed.Firstly,the lexical and syntactic structure of source code were analyzed by using flex and bison.Then,the intermediate representation without instruction side effects was generated and optimized by analyzing the Abstract Syntax Tree (AST).Finally,the basic blocks were divided on the basis of intermediate representation,and the control flow graph of the program was constructed by taking basic block as the basic unit.The experimental results show that,the proposed method can restore the control flow structure of PLC program in the form of statement table,and provide the basis for program understanding and security analysis.

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845694

2014-01-01

Abstract:Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermine the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but either one can't remit the problem separately. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and proposed a method named directed symbolic execution. Our three-step approach firstly adopts dynamic taint analysis technology to identify the safety-related data, and then uses symbolic execution system to execute the binary software while marks those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.

Chaojian Hu,Zhoujun Li,Jinxin Ma,Tao Guo,Zhiwei Shi

DOI: https://doi.org/10.1109/tase.2012.13

2012-01-01

Abstract:Symbolic execution simulates program execution by replacing concrete values with symbolic variables for inputs. It could be used in software behavior analysis, vulnerability detection and software security assessment. In this paper, we analyze the path explosion problem encountered in vulnerability detection with the state-of-the-art symbolic execution technology for large scale file parsing programs. We also propose 4 alleviations to ease the problem, i.e. loop controlling, irrelevant path elimination, path selecting and parallel symbolic execution. Based on these alleviations, we implemented a prototype tool to detect file parsing vulnerability in large scale programs automatically, and evaluate it with a suit of benchmarks chosen from open source programs. Our tool detected not only all reported vulnerabilities of memory overflow in the benchmarks, but also some unreported vulnerabilities. The evaluation results show these alleviations could effectively ease the path explosion problem while analyzing large scale file parsing programs.

Zhifei Chen,Lin Chen,Baowen Xu

DOI: https://doi.org/10.1109/WISA.2014.26

2014-01-01

Abstract:Python is widely used to create and manage complex, database-driven websites. However, due to dynamic features such as dynamic typing of variables, Python programs pose a serious security risk to web applications. Most security vulnerabilities result from the fact that unsafe data input reaches security-sensitive operations. To address this problem, information flow analysis for Python programs is proposed to enforce this property. Information flow can capture the fact that a particular value affects another value in the program. In this paper, we present a novel approach for analyzing information flow in Python byte code which is a low-level language and is more widely broadcast. Our approach performs a hybrid of static and dynamic control/data flow analysis. Static analysis is used to study implicit flow, while dynamic analysis efficiently tracks execution information and determines definition-use pair. To the best of our knowledge, it is the first one for Python byte code.