Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibin Guan

DOI: https://doi.org/10.1109/IMIS.2011.59

2011-01-01

Abstract:Dynamic taint analysis has been proved to be very effective in solving security problems recently, especially in software vulnerability detection and malicious behavior prevention. Unfortunately, most of current researches in this field focus on the runtime protection, and are incapable to discover the potential threat in the software. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF. The framework translates the binary into assembly code and tracks the data flow. Then with static method, the system can get the important information which can't be gained at runtime, such as unexecuted part of the code. When this information is acquired, they will be provided to the client tools. The practicability of the framework is validated by implementing and evaluating a tool built on SDCF. The result of the experiments shows that our system is able to detect latent software vulnerabilities efficiently.

SUN Ming,GU Da-wu,LI Juan-ru,LUO Yu-hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.02.068

2012-01-01

Abstract:Static binary analysis methods cannot meet the demand for malicious code analysis,and the traditional dynamic analysis approaches cannot effectively find the critical information among the huge amount of dynamic binary code.This paper gave a kind of differential analysis approach on dynamic binary code and provided its model and method.This approach could effectively extract the sensitive information from malicious code and make the function module or data spread understood.Finally,it provided an experiment based on differential binary analysis system,which validated the capability and efficiency of the approach.

Chang Da,Li Zhou-jun,Yang Tian-fang,Hu Chao-jian

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.009

2011-01-01

Abstract:The differences of system platform,compiler and compilation options are likely to lead semantic differences between source code and executable code,only source code analysis may omit vulnerabilities hidden in executable code.Even source code analysis has verified the nature of the need for security,but yet it can not assure the security nature in the executable code are satisfied not contrary to.This paper designed and implemented a program execution tracer based on dynamic binary instrumentation.The results show our prototype tool can accurately trace in the execution path,and be able to filter out 90% to 99% secondary instructions.At last,this paper discussed other technical solutions,the shortcoming of current prototype tool and the future work.

Yong Wang,Hailin Yan,Zhenyan Liu,Jingfeng Xue,Changzhen Hu,Ming Li

DOI: https://doi.org/10.1109/3pgcic.2015.102

2015-01-01

Abstract:Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

Xiajing Wang,Rui Ma,Bowen Dou,Zefeng Jian,Hongzhou Chen

DOI: https://doi.org/10.1155/2018/7693861

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1016/j.camwa.2011.08.001

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protect a program from malicious behaviors, but fails to provide any information about the code which is not executed. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF to detect software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection by introducing an overhead of 4.16× based on the taint tracing technique, but is also capable of discovering latent software vulnerabilities which have not been exploited, and achieve code coverage of more than 90%.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

J. Vadayath,Kyle Zeng,Christophe Hauser,Ruoyu Wang,Y. Fratantonio,Tiffany Bao,Adam Doupé,Nicolaas Weideman,Yan Shoshitaishvili,Moritz Eckert,Gokulkrishna Praveen Menon,D. Balzarotti

Abstract:In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called A RBITER . We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Un-controlled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

Computer Science

Haizhou Wang,Nanqing Luo,Peng LIu

2024-11-09

Abstract:Sandboxes and other dynamic analysis processes are prevalent in malware detection systems nowadays to enhance the capability of detecting 0-day malware. Therefore, techniques of anti-dynamic analysis (TADA) are prevalent in modern malware samples, and sandboxes can suffer from false negatives and analysis failures when analyzing the samples with TADAs. In such cases, human reverse engineers will get involved in conducting dynamic analysis manually (i.e., debugging, patching), which in turn also gets obstructed by TADAs. In this work, we propose a Large Language Model (LLM) based workflow that can pinpoint the location of the TADA implementation in the code, to help reverse engineers place breakpoints used in debugging. Our evaluation shows that we successfully identified the locations of 87.80% known TADA implementations adopted from public repositories. In addition, we successfully pinpoint the locations of TADAs in 4 well-known malware samples that are documented in online malware analysis blogs.

Cryptography and Security,Artificial Intelligence

Erzhou Zhu,Xuejun Li,Feng Liu,Xuejian Li,Zhujuan Ma

DOI: https://doi.org/10.4304/jcp.9.3.566-575

2014-01-01

Journal of Computers

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. By analyzing information flow at runtime, dynamic taint analysis can precisely find security flaws of software. However, on one hand, it suffers from substantial runtime overhead and is incapable of discovering the potential threats. On the other hand, static taint analysis analyzes program’s code without actually executing it which incurs no runtime overhead, and can cover all the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire and intruders simply do not attach target program’s source code in practice, software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the flaws or vulnerabilities for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.

Erzhou Zhu,Peng Wen,Kanqi Ni,Ruhui Ma

DOI: https://doi.org/10.1016/j.cose.2019.05.018

IF: 5.105

2019-01-01

Computers & Security

Abstract:With the increasing availability of the computational power and constraint solving technology, the symbolic execution technology has regained interest in recent years. However, it still suffers from state explosion and low efficiency issues due to the large number of paths that need to be analyzed and the complexity of the constraints generated. Meanwhile, most of the present symbolic execution techniques are working on the source code, but the source code of most software is hard to acquire in practice. In order to cope with these issues, this paper presents BinSE, a lightweight dynamic symbolic execution framework for analyzing x86 binary programs. The framework adapts the dynamic analysis model, which combines symbolic execution with concrete execution to simplify the complexity of the path conditions. Furthermore, the hierarchical backward program slicing and the revised irrelevant API filtration mechanisms are introduced to optimize the performance of the framework. According to the experimental results, the proposed framework is efficient and can cover almost all the effective paths of the target program. Meanwhile, it also holds a promise to provide novel solutions to a broad spectrum of security problems. To demonstrate our technique, we apply the framework to detect buffer overflow vulnerability from binary executables.

V. V. Kuliamin

DOI: https://doi.org/10.1134/s0361768824010079

2024-05-23

Programming and Computer Software

Abstract:A review of software dynamic analysis methods is presented, mainly focusing on the methods supported by tools targeted on software security verification and applicable to system software. Fuzzing, runtime verification and dynamic symbolic execution techniques are considered in detail. Dynamic taint data analysis methods and tools are excluded since gathering technical details on them is complicated. The review of fuzzing and dynamic symbolic execution is focused mostly on the techniques to solve various problems that arise during operation of the tools rather than the particular tools that amount to a number greater than 100. In addition, the fuzzing counteraction techniques are considered.

computer science, software engineering

Chengsong Wang,Xiaoguang Mao,Ziying Dai,Yan Lei

DOI: https://doi.org/10.1109/csae.2012.6272595

2012-01-01

Abstract:Because of inherent drawbacks of Software Engineering, no software is defect-free. If the defects are resulted from highly optimized compilers, or in software without source code, software maintainers may have to test and debug programs at binary level, considering the fact that there are not practical reverse engineering tools. We propose a dynamic and automatic instrumentation framework, DABITTD, to support bytecode programs testing and debugging. According to the user requirements, it can provide the program run-time information and alter program run-time behaviors as well. DABITTD works at bytecode level without needs to access source code and doesn't pollute the original class files. What is more, the whole process of instrumentation is performed fully automatically and dynamically. Meanwhile, in order to help maintainers fix defects, DABITTD can also directly edit class files on the disk statically.

郑举育,管海兵,梁阿磊

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.02.099

2009-01-01

Abstract:Common dynamic binary translation system is lack of debugging tools or only provides primitive debugging supports,so debugging technology becomes the bottleneck of developing system software or large scale software.This paper introduces a new debugging technology on dynamic binary translation platform,including reverse executing,debugging script and other new concepts.The debugger implemented on Crossbit is proved that it reduces the time for developer to locate bugs sharply.

HU Chaojian,ZHANG Jia,LI Zhoujun,SHI Zhiwei,ZHANG Yan

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.017

2009-01-01

Abstract:Since there are semantic differences between a source code and its executable code, analysis of only the source code may miss some vulnerabilities in the executable code.Typical vulnerability patterns were analyzed to design a security vulnerability detection tool to work directly on executables.The system combines static disassembly analysis, dynamic auto-debugging and function based argument injection.The tool successfully found buffer overflow vulnerabilities in both a CVE (common vulnerabilities & exposures) benchmark and two real executables.The resuIts show that this detection method can be used to directly detect security vulnerabilities in executable codes.

Ting Chen,Youzheng Feng,Xingwei Lin,Zihao Li,Xiaosong Zhang

DOI: https://doi.org/10.1007/978-3-030-02744-5_27

2018-01-01

Abstract:Dynamic binary analysis is difficult and burdensome. In practice, analysts always develop dynamic binary analyzers (DBAs) based on binary instrumentation tools (BITs), which are responsible for extracting information from a binary, monitoring or altering the execution of the binary. However, existing BITs either expose machine instructions to analysts or lack user-friendly APIs. Such problems result in a steep learning curve to grasp BITs and difficulties in eliminating bugs in DBAs. This work designs DBAF, a dynamic binary analysis framework that instruments binaries dynamically, conducts an online translation from machine code into an easy-to-handle intermediate representation (IR) and provides tens of APIs for IR processing. With DBAF, analysts can process binaries in the level of IR without the troubles to interpret machine instructions. Then, we develop five DBAs on top of DBAF, which are a division-by-zero protector, an IR counter, a memory tracer, a taint analyzer and a concolic executor. It demonstrates that DBAF can reduce the development effort for DBAs, especially the ones requiring semantic interpretation of instructions. Experiments show that DBAF brings about reasonable overhead in online translation.

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845694

2014-01-01

Abstract:Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermine the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but either one can't remit the problem separately. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and proposed a method named directed symbolic execution. Our three-step approach firstly adopts dynamic taint analysis technology to identify the safety-related data, and then uses symbolic execution system to execute the binary software while marks those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.

Zheng SONG,Yongjian WANG,Bo JIN,Jiuchuan LIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.013

2016-01-01

Abstract:With the network security situation becoming increasingly worsening, detection technology that can timely and effectivly discover exploits and related advanced persistent threat(APT) attacks is of vital importance for network security. Dynamic taint analysis, which is one of the reliable exploit detection solutions, is a method that marks the non-trusted input source as tainted data, and tracks its spread with the execution of program to get the key position and data associated with the input. This paper ifrstly introduces the principle of dynamic taint analysis of binary programs and its development status in several typical systems, then analyzes existing problems with dynamic taint analysis of binary programs, and ifnally introduces the application of dynamic taint analysis. In this paper, the dynamic taint analysis technology of binary program is introduced in details, which is helpful to improve the network security protection level for important information system.

Lizhe YAO,Qiang WU,Changyu LIANG,Qingkai ZENG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.09.055

2006-01-01

Abstract:With the development of Internet and distributed systems,software security is becoming a research hotspot.However in the past several years,most researches focused on the static code analysis.In this paper,a method of dynamic code analysis is proposed to apply the model checking into interpreted languages.The classification and formal description of temporal safety properties are discussed for managing and maintaining them.In practice,the method is applied in the Perl interpreter to implement dynamic analysis on CGI scripts.