Ting Wang,Songzheng Song,Jun Sun,Yang Liu,Jin Song Dong,Xinyu Wang,Shanping Li

DOI: https://doi.org/10.1007/978-3-642-34281-3_26

2012-01-01

Abstract:Refinement checking plays an important role in system verification. It establishes properties of an implementation by showing a refinement relationship between the implementation and a specification. Recently, it has been shown that anti-chain based approaches increase the efficiency of trace refinement checking significantly. In this work, we study the problem of adopting anti-chain for stable failures refinement checking, failures-divergence refinement checking and probabilistic refine checking (i.e., a probabilistic implementation against a non-probabilistic specification). We show that the first two problems can be significantly improved, because the state space of the product model may be reduced dramatically. Though applying anti-chain for probabilistic refinement checking is more complicated, we manage to show improvements in some cases. We have integrated these techniques into the PAT model checking framework. Experiments are conducted to demonstrate the efficiency of our approach.

WU Yongxing,CHEN Libo,JIANG Kaida

DOI: https://doi.org/10.11959/j.issn.2096-109x.2022009

2022-01-01

Abstract:Java deserialization vulnerabilities have become a common threat to Java application security nowadays.Finding out the gadget chain determines whether this type of vulnerability can be exploited.Due to the large code space of Java applications and dependent libraries and the polymorphism of Java itself, manual analysis of Java deserialization gadget chains consumes a lot of time and effort and it is highly dependent on the experienced knowledge.Therefore, it is crucial to study how to efficiently and accurately automate the discovery of gadget chains.Java deserialization gadget chain discovery method based on hybrid analysis was proposed.Call graph based on the variable declaration type was constructed, and then the deserialization entry functions that may reach the dangerous functions were screened using the call graph analysis.The screened entry functions were used as the entry point of the hybrid information flow analysis.The hybrid information flow analysis was carried out for both pointer and tainted variables.The tainted objects created implicitly were marked.The tainted information and the pointer information were propagated simultaneously to construct the hybrid information flow graph.The reachability of external taint data propagation to the dangerous function was judged based on the hybrid information flow graph.The corresponding deserialization gadget chain was constructed according to the taint propagation path.The hybrid analysis took into account the efficiency of call graph analysis and the accuracy of hybrid information flow analysis.The corresponding static analysis tool, namely GadgetSearch, was implemented based on the proposed hybrid analysis method.In the experimental evaluation, GadgetSearch had lower false positive and lower false negative than the existing tool GadgetInspector on four datasets of Ysoserial, Marshalsec, Jackson historical CVE, and XStream historical CVE.Additionally, GadgetSearch also found multiple undisclosed gadget chains.The experimental results show that the proposed method can efficiently and accurately discover the Java deserialization gadget chain in multiple practical Java applications.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1016/j.camwa.2011.08.001

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protect a program from malicious behaviors, but fails to provide any information about the code which is not executed. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF to detect software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection by introducing an overhead of 4.16× based on the taint tracing technique, but is also capable of discovering latent software vulnerabilities which have not been exploited, and achieve code coverage of more than 90%.

Chengsong Wang,Xiaoguang Mao,Ziying Dai,Yan Lei

DOI: https://doi.org/10.1109/csae.2012.6272595

2012-01-01

Abstract:Because of inherent drawbacks of Software Engineering, no software is defect-free. If the defects are resulted from highly optimized compilers, or in software without source code, software maintainers may have to test and debug programs at binary level, considering the fact that there are not practical reverse engineering tools. We propose a dynamic and automatic instrumentation framework, DABITTD, to support bytecode programs testing and debugging. According to the user requirements, it can provide the program run-time information and alter program run-time behaviors as well. DABITTD works at bytecode level without needs to access source code and doesn't pollute the original class files. What is more, the whole process of instrumentation is performed fully automatically and dynamically. Meanwhile, in order to help maintainers fix defects, DABITTD can also directly edit class files on the disk statically.

Binbin Li,Rui Ma,Xuefei Wang,Xiajing Wang,Jinyuan He

DOI: https://doi.org/10.1145/3380625.3380642

2020-01-01

Abstract:Since static taint analysis is performed prior to execution by considering all possible execution paths, it can discover potential security issues before the program running. Currently, many taint analysis tools pay more attention to data dependence in the program. Whereas implicit flow analysis based on control dependence is generally not considered owning to its complexity. Therefore, this paper presents a static taint analysis method named DepTaint, which expands the static checkers of LLVM, focuses on program dependence including data and control dependence in the program. DepTaint analyzes the taint variables propagated along explicit flows and implicit flows, especially commendably handles the under-taint in explicit flow analysis. Our evaluations demonstrate that, for 8 programs containing data and control dependence and 8 programs injected different common vulnerabilities (i.e., array bounds, double free, format string vulnerability, heap overflow, integer overflow, stack overflow, and UAF), DepTaint significantly outperforms LLVM's static checker both at marking taint variables and achieving more finegrained taint propagation paths. Specially, for the programs containing branch selection and loop structure, DepTaint on average marks 2X and 3.6X taint variables than LLVM's static checker.

Junjie Wu,Jingling Zhao,Junsong Fu

DOI: https://doi.org/10.1145/3548608.3559310

2022-01-01

Abstract:Java deserialization vulnerability has become a server security problem at present. An attacker can execute arbitrary commands by submitting a malicious object for deserialization. However, existing methods for detecting Java deserialization vulnerability only find program paths to deserialize input data, it doesn't consider whether the program itself can build malicious deserialization objects, which may bring false positives. In order to solve this problem, people need to discover gadget chains in the program manually, however, it takes a lot of time. In this paper, we present a method for discovering gadget chains automatically and build a tool named Hawk Gadget in practice. The method is based on static analysis that analyzes every method in the program with control flow graph. We also Compare the Hawk Gadget with Gadget Inspector that is a tool to find gadget chains, the result shows that Hawk Gadget can find more gadget chains and has a lower false-positive rate. In addition, we use gadget chains found by Hawk Gadget in Apache-commons-collections-3 to generate malicious objects for CVE-2016-4437, and verify the effectiveness of gadget chains.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibin Guan

DOI: https://doi.org/10.1109/IMIS.2011.59

2011-01-01

Abstract:Dynamic taint analysis has been proved to be very effective in solving security problems recently, especially in software vulnerability detection and malicious behavior prevention. Unfortunately, most of current researches in this field focus on the runtime protection, and are incapable to discover the potential threat in the software. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF. The framework translates the binary into assembly code and tracks the data flow. Then with static method, the system can get the important information which can't be gained at runtime, such as unexecuted part of the code. When this information is acquired, they will be provided to the client tools. The practicability of the framework is validated by implementing and evaluating a tool built on SDCF. The result of the experiments shows that our system is able to detect latent software vulnerabilities efficiently.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

CHEN Yan-ling,ZHAO Jing

DOI: https://doi.org/10.3724/sp.j.1087.2011.02367

2011-01-01

Abstract:The record of the current taint analysis tool is not accurate.To solve this,dynamic taint analysis based on the virtual technology was studied and implemented.A virtualization based dynamic taint analysis framework was designed,and two kinds of taint signature models based on Hook technology and Hash-traversal technology were given respectively for memory taint and hard disk taint.A taint propagation strategy was put forward according to the instruction type which was classified by instruction encoding format of InterAMD,and a taint record strategy based on instruction filtering was given to solve the problem of redundant information records.The experimental results prove that the proposed method is effective,and can be well used in test case generation and vulnerability detection of fuzzy test.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

孔德光,郑烇,帅建梅,陈超,葛瑶

2009-01-01

Abstract:Static analysis technology is a significant method to detect software vulnerabilities. To cope with the problem of untrusting data inputs leading to software vulnerabilities, presents a vulnerability detection method based on taint analysis. It tracks various kinds of input including program parameters and environment variables ,marks the type of input, after constructing the control flow graph, makes use of dataflow information, propagating the taint data to the vulnerability functions, to settle the problem of buffer overflow and format string. It utilizes the related information of control flow and dataflow during this process, thus improves the accuracy and decreases the false negatives. It is proved by experiment that this technology is an effective vulnerability analysis method.

Kai Cheng,Qiang Li,Lei Wang,Qian Chen,Yaowen Zheng,Limin Sun,Zhenkai Liang

DOI: https://doi.org/10.1109/DSN.2018.00052

2018-01-01

Abstract:A rising number of embedded devices are reachable in the cyberspace, such as routers, cameras, printers, etc. Those devices usually run firmware whose code is proprietary with few public documents. Furthermore, most of the firmware images cannot be analyzed in dynamic analysis due to various hardware-specific peripherals. As a result, it hinders traditional static analysis and dynamic analysis techniques. In this paper, we propose a static binary analysis approach, DTaint, to detect taint-style vulnerabilities in the firmware. The taint-style vulnerability is a typical class of weakness, where the input data reaches a sensitive sink through an unsafe path. Specifically, we generate data dependency in a bottom-up manner through traversing callees before callers. To reduce the influence of the binary firmware, DTaint identifies pointer aliasing, interprocedural data flow, and similarity of the data structure layout. We have implemented a prototype of DTaint and conducted experiments to evaluate its performance. Our results show that DTaint discovers more vulnerabilities in less time, compared with the existing techniques. Furthermore, we illustrate the effectiveness of DTaint through applying it over six firmware images from four manufacturers. We have found 21 vulnerabilities, where 13 of them are previously-unknown and zero-day vulnerabilities.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Erzhou Zhu,Xuejun Li,Feng Liu,Xuejian Li,Zhujuan Ma

DOI: https://doi.org/10.4304/jcp.9.3.566-575

2014-01-01

Journal of Computers

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. By analyzing information flow at runtime, dynamic taint analysis can precisely find security flaws of software. However, on one hand, it suffers from substantial runtime overhead and is incapable of discovering the potential threats. On the other hand, static taint analysis analyzes program’s code without actually executing it which incurs no runtime overhead, and can cover all the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire and intruders simply do not attach target program’s source code in practice, software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the flaws or vulnerabilities for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

Huaien Zhang,Yu Pei,Shuyun Liang,Shin Hwei Tan

2024-02-22

Abstract:Static analyzers can reason about the properties and behaviors of programs and detect various issues without executing them. Hence, they should extract the necessary information to understand the analyzed program well. Annotation has been a widely used feature for different purposes in Java since the introduction of Java 5. Annotations can change program structures and convey semantics information without awareness of static analyzers, consequently leading to imprecise analysis results. This paper presents the first comprehensive study of annotation-induced faults (AIF) by analyzing 246 issues in six open-source and popular static analyzers (i.e., PMD, SpotBugs, CheckStyle, Infer, SonarQube, and Soot). We analyzed the issues' root causes, symptoms, and fix strategies and derived ten findings and some practical guidelines for detecting and repairing annotation-induced faults. Moreover, we developed an automated testing framework called AnnaTester based on three metamorphic relations originating from the findings. AnnaTester generated new tests based on the official test suites of static analyzers and unveiled 43 new faults, 20 of which have been fixed. The results confirm the value of our study and its findings.

Software Engineering

Sicong Cao,Xiaobing Sun,Xiaoxue Wu,Lili Bo,Bin Li,Rongxin Wu,Wei Liu,Biao He,Yu Ouyang,Jiajia Li

DOI: https://doi.org/10.48550/arXiv.2303.07593

2023-04-04

Abstract:Java (de)serialization is prone to causing security-critical vulnerabilities that attackers can invoke existing methods (gadgets) on the application's classpath to construct a gadget chain to perform malicious behaviors. Several techniques have been proposed to statically identify suspicious gadget chains and dynamically generate injection objects for fuzzing. However, due to their incomplete support for dynamic program features (e.g., Java runtime polymorphism) and ineffective injection object generation for fuzzing, the existing techniques are still far from satisfactory. In this paper, we first performed an empirical study to investigate the characteristics of Java deserialization vulnerabilities based on our manually collected 86 publicly known gadget chains. The empirical results show that 1) Java deserialization gadgets are usually exploited by abusing runtime polymorphism, which enables attackers to reuse serializable overridden methods; and 2) attackers usually invoke exploitable overridden methods (gadgets) via dynamic binding to generate injection objects for gadget chain construction. Based on our empirical findings, we propose a novel gadget chain mining approach, \emph{GCMiner}, which captures both explicit and implicit method calls to identify more gadget chains, and adopts an overriding-guided object generation approach to generate valid injection objects for fuzzing. The evaluation results show that \emph{GCMiner} significantly outperforms the state-of-the-art techniques, and discovers 56 unique gadget chains that cannot be identified by the baseline approaches.

Cryptography and Security,Software Engineering

Dalin Zhang,Gang Yin,Dahai Jin,Yunzhan Gong,Tianshuang Wu,Hailong Zhang

DOI: https://doi.org/10.1145/2875913.2875928

2015-01-01

Abstract:In this paper, we propose a hybrid refinement approach to improve the accuracy of static analysis. It keeps condition constraints information during forward dataflow analysis and gets the satisfiability of a warning by a constraint solver taking as input such information and path conditions; data regression analysis can remedy the capability of handling loops and library calls of abstract interpretation technique. It has been implemented in our static analysis tool, Defect Testing System (DTS) and deployed on a internetware environment TRUSTIE. Experiment on a large number of C open source projects shows the great improvement this strategy makes.

Jingling Zhao,Junxin Qi,Liang Zhou,Baojiang Cui

DOI: https://doi.org/10.1109/IMIS.2016.46

2016-01-01

Abstract:With the continuous development of J2EE technology, frequent attacks using security vulnerabilities in web applications have caused enormous economic loss to the users. Dynamic taint tracking is an important part to analyze the program dynamically. In this paper, we put forward a new dynamic solution in the Java virtual machine, warning external attacks and recording specific taint propagation path. This scheme combines static analysis techniques to collect reachable "source-derivation-sink" taint flow and reduce the runtime overhead. With the help of AOP (aspect-oriented programming) technology, we could only insert monitor codes to interested taint paths to improve the efficiency of instrumentation. Finally, we implemented this dynamic taint tracking approach to explore SQL injection and XSS vulnerabilities in web applications based on the Java Servlet Specification and proved practicality.

Zhang Xing,Zhang Bin,Feng Chao,Zhang Quan

DOI: https://doi.org/10.1051/itmconf/20160703003

2016-01-01

ITM Web of Conferences

Abstract:Nowadays binary static analysis uses dangerous system library function to detect stack overflow vulnerary in program and there is no effective way to dig out the function which can cause stack overflow issue. List necessarily characteristics of the function which may cause stack overflow vulnerary and define stack overflow dangerous function(SODF). Then introduce static taint analysis to detect SODF include taint introduction, taint propagation and taint checking stragety. Next describe the particular process of detecting SODF in the program with static taint analysis. Finally choose 4 runtime library and 2 binary software, and detect whether the chosen software has SODF and locate the name of SODF with static taint analysis. Testing result shows that the algorithm can detect and locate plenty of SODF in test program which means the algorithm can work efficiently.