基于函数摘要的二进制程序污点分析优化方法

doi:10.11959/j.issn.2096-109x.2023026

摘要/Abstract

摘要：

污点分析是一种常用的软件分析方法，在信息安全领域有较多的应用。现有的二进制程序动态污点分析大多采用指令级插桩的分析方法，通常会产生巨大的性能开销，使得程序执行效率大幅度降低，难以在复杂恶意样本和商业软件分析环境中有效应用。为了提升污点分析效率，降低指令级插桩分析带来的性能损耗，使污点分析更加广泛地应用在软件分析中，提出了基于函数摘要的二进制程序污点分析优化方法。所提方法使用函数污点传播规则代替指令污点传播规则，以减少数据流传播分析次数，有效提升污点分析效率。对于函数摘要，提出了函数摘要的定义；研究了不同函数结构的摘要生成算法。在函数内部，针对非循环结构，设计了路径敏感的分析方法；针对循环结构，设计了有限迭代的分析方法，将这两种分析方法相结合，解决混合结构函数的函数摘要生成。在函数摘要生成算法研究的基础上，进一步设计实现了由函数摘要生成模块、数据流记录模块、污点分析模块3个部分构成的通用污点分析框架FSTaint。对FSTaint的分析效率进行了评估，在分析真实APT恶意样本中，FSTaint的污点分析效率是libdft的7.75倍，分析效率较高；在准确性方面，FSTaint相对libdft在传播规则的准确性、完备性等方面也有所提高。

关键词: 函数摘要, 污点分析, 数据流分析, FSTaint

Abstract:

Taint analysis is a popular software analysis method, which has been widely used in the field of information security.Most of the existing binary program dynamic taint analysis frameworks use instruction-level instrumentation analysis methods, which usually generate huge performance overhead and reduce the program execution efficiency by several times or even dozens of times.This limits taint analysis technology’s wide usage in complex malicious samples and commercial software analysis.An optimization method of taint analysis based on function summary was proposed, to improve the efficiency of taint analysis, reduce the performance loss caused by instruction-level instrumentation analysis, and make taint analysis to be more widely used in software analysis.The taint analysis method based on function summary used function taint propagation rules instead of instruction taint propagation rules to reduce the number of data stream propagation analysis and effectively improve the efficiency of taint analysis.For function summary, the definition of function summary was proposed.And the summary generation algorithms of different function structures were studied.Inside the function, a path-sensitive analysis method was designed for acyclic structures.For cyclic structures, a finite iteration method was designed.Moreover, the two analysis methods were combined to solve the function summary generation of mixed structure functions.Based on this research, a general taint analysis framework called FSTaint was designed and implemented, consisting of a function summary generation module, a data flow recording module, and a taint analysis module.The efficiency of FSTaint was evaluated in the analysis of real APT malicious samples, where the taint analysis efficiency of FSTaint was found to be 7.75 times that of libdft, and the analysis efficiency was higher.In terms of accuracy, FSTaint has more accurate and complete propagation rules than libdft.

Key words: function summary, taint analysis, data flow analysis, FSTaint

中图分类号:

TP393

杨盼, 康绯, 舒辉, 黄宇垚, 吕小少. 基于函数摘要的二进制程序污点分析优化方法[J]. 网络与信息安全学报, 2023, 9(2): 115-131.

Pan YANG, Fei KANG, Hui SHU, Yuyao HUANG, Xiaoshao LYU. Binary program taint analysis optimization method based on function summary[J]. Chinese Journal of Network and Information Security, 2023, 9(2): 115-131.

图/表 27

图1

表1

表2

图2

图3

表3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

图14

图15

表4

图16

表5

实验分析样本Table 5 Samples used in experiment"

序号	MD5	序号	MD5	序号	MD5
1	03bd34a9ba4890f37ac8fed78feac199	35	64ff0a8730472e36e62ce29a20f61529	69	ae004a5d4f1829594d830956c55d6ae4
2	048271f7f2f8d900485dd020cdea2dd9	36	6590830061f85c0acc5259013555d079	70	ae84767abec5a769b0c7cb5a356d74c5
3	081e2ce7e2a603a78cc6c20a05b08ca8	37	6983f7001de10f4d19fc2d794c3eb534	71	b2b51a85bdad70ff19534cd013c07f24
4	0b2733ffa73ecfc16224ce409da93b70	38	6fbccda7837bccd2ed9b3f69872d6ece	72	b80aa583591eaf758fd95ab4ea7afe39
5	0ba6bb2ad05d86207b5303657e3f6874	39	7525bc47e2828464ce07fa8a0db6844f	73	c1ab32afb0e2d7b7b1cad3fb831e9373
6	133a159e86ff48c59e79e67a3b740c1e	40	76f099ad94acf28d3eb1341804855824	74	c3dd32551450e15e7e81bb523dba7124
7	171ffa1fb15a298bcca8d8108fe913a9	41	773adf87ee49f9bf32851d33662dea79	75	c43edb579e43aaeb6f0c0703f84e43f7
8	1e217668d89b480ad42e230e8c2c4d97	42	78450806e56b1f224d00455efcd04ce3	76	ce26e91fc13ccb1be4b6bf6f55165410
9	22dfdcddd4f4da04b9ef7d10b27d84bc	43	7affcfb9857cc14dcc07fb8d226f03e0	77	ce5a7612892f27299362ae0569507e04
10	2366918da9a484735ec3a9808296aab8	44	7b6ca860c3e6bdc75b0be26db70a603a	78	cfb08ee3399604d37470797d49c01f72
11	23ae20329174d44ebc8dbfa9891c6260	45	7b973145f7e1b59330ca4dd1f86b3d55	79	d31e57fcb728a4f36e21764b164a9e57
12	23e27e5482e3f55bf828dab885569033	46	8674e3c77e8051cfdf1c4d321a7188bf	80	d3e2c0943952285ce359fcbf28472491
13	2798b66475cf0794e9b868d656defca7	47	89081f2e14e9266de8c042629b764926	81	d4c93b85ffe88ddd552860b148831026
14	28c6f235946fd694d2634c7a2f24c1ba	48	8b6d824619e993f74973eedfaf18be78	82	d5e45a9db7f739979105e000d042f1fe
15	31c81459c10d3f001d2ccef830239c16	49	8e3e4b006af3c1835ef3b7b4dcd3f1de	83	d61f883a59c3e0729a3ecf78b70044cf
16	36524c90ca1fac2102e7653dfadb31b2	50	8e744f7b07484afcf87c454c6292e944	84	d661dc2ad44bd056f7ca292727007693
17	36d99c1b915544c1bc9110b22e884acb	51	8f54cf08ee45a8d5eb31d05dbab4b561	85	dc5695024cd23c90883db145cb236490
18	39c361abb74f9a338ea42a083e6c7df8	52	90508ff4d2fc7bc968636c716d84e6b4	86	de82407423aadb8009e378e406515c92
19	3a4e1f3f7e1baab8b02f3a8ee20f98c9	53	9070f7100fa2f41c2c0757b34e0a401c	87	e598898f04596623ebe5bf9d168611d4
20	3a8d74bc002e1acae49a64f3f77aac0b	54	914151fa49be06ab570bb0db77ce6960	88	e5db592704f30d42537b1257e79ff223
21	40528e368d323db0ac5c3f5e1efe4889	55	92274d90c221b0aad382f816026a4781	89	e6348ee5beb9c581eeeaf4e076c5d631
22	40e698f961eb796728a57ddf81f52b9a	56	9227678b90869c5a67a05defcaf21dfb	90	ea726d3e8f6516807366584f3c5b5e2a
23	4489d5077c5d2396e3a94d652adae1ca	57	947892152b8419a2dfe498be5063c1da	91	eac0e57a22936d4c777aa121f799fee6
24	4585b2f7e7909bcb12528a0b383133d2	58	9617f3948b1886ebc95689c02d2cf264	92	eb0fd733a3f3ec67cce7f09f1c5f6428
25	460cebaa45f98070a3b5abf7f578645a	59	961cef5861317dd9966dc3f6eb5387d8	93	ef1b7fd90b274d872ee15a3f2ca35193
26	48971e0e71300c99bb585d328b08bc88	60	97aaf130cfa251e5207ea74b2558293d	94	f01a9a2d1e31332ed36c1a4d2839f412
27	49b1ca0752d166c2cc5e04cbab8b71ee	61	97e49353a25c3f1d81a6139735697940	95	f172ad4e906d97ed8f071896fc6789dc
28	56450799fe4e44d7c5aff84d173760e8	62	98a073e1e545075aa0030995cc07745a	96	f267e9b788eb1ffa509d0d88e0c0cecc
29	595e43cdf0edcaa31525d7aad87b7be4	63	991ffdbf860756a4589164de26dd7ccf	97	f2b63405dba8c2c1867234f1172bb34d
30	5a4d42e7cf6b6f188821a854f1829df3	64	9a8f39ebcc580aa56d6ddaf5804eae61	98	faea496c34cdc5a401badcdebbd4a87e
31	603935efa89d93ea39b4b4d4a52ec529	65	9d1a09bb98bf1ee31f390b60b0cf724d	99	fc9e7dc13ce7edc590ef7dfce12fe017
32	60ddb540da1aefee1e14f12578eafda8	66	9d3c177cbd83d31e61fb12f6a40c295f	100	fcd912fd7ed80e2cdf905873c6ced4ad
33	61e3571b8d9b2e9ccfadc3dde10fb6e1	67	9e05a9c264c8a908a8e79450fcbff047
34	626270d5bf16eb2c4dda2d9f6e0c4ef9	68	9f022df0bcfded9377baf4da1fbe7b8c

表5

图17

图19

图20

图18

图21

图22

参考文献 21

[1]	SCHWARTZ E J , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[C]// Proceedings of 31st IEEE Symposium on Security and Privacy. 2010: 16-19.
[2]	郭方方, 王欣悦, 王慧强 ,等. 基于最大频繁子图挖掘的动态污点分析方法[J]. 计算机研究与发展, 2020,57(3): 631-638.
	GUO F F , WANG X Y , WANG H Q ,et al. A dynamic stain analysis method on maximal frequent sub graph mining[J]. Journal of Computer Research and Development, 2020,57(3): 631-638.
[3]	KORCZYNSKI D , YIN H . Capturing malware propagations with code injections and code-reuse attacks[C]// Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ＇17). 2017: 691-1708.
[4]	CABALLERO J , GRIECO G , MARRON M ,et al. Undangle:early detection of dangling pointers in use-after-free and double-free vulnerabilities[C]// Proceedings of the 2012 International Symposium on Software Testing and Analysis - ISSTA 2012. 2012: 133-143.
[5]	CHEN P , CHEN H . Angora:efficient fuzzing by principled search[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy. 2018: 711-725.
[6]	DUMITRU C . Detecting software vulnerabilities static taint analysis[D]. Bucharest :University Politehnica of Bucharest, 2009.
[7]	高凤娟, 王豫, 陈天骄 ,等. 基于污点分析的数组越界缺陷的静态检测方法[J]. 软件学报, 2020,31(10): 2983-3003.
	GAO F J , WANG Y , CHEN T J ,et al. Static checking of array index out of bounds defects in C programs based on taint analysis[J]. Journal of Software, 2020,31(10): 2983-3003.
[8]	JANG D , JHALA R , LERNER S ,et al. An empirical study of privacy-violating information flows in JavaScript web applications[C]// Proceedings of the 17th ACM Conference on Computer and Communications Security - CCS ＇10. 2010: 270-283.
[9]	WANG X J , MA R , DOU B W ,et al. OFFDTAN:a new approach of offline dynamic taint analysis for binaries[J]. Security and Communication Networks,2018, 2018:7693861.
[10]	LUK C K , COHN R , MUTH R ,et al. Pin:building customized program analysis tools with dynamic instrumentation[C]// Proceedings of 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ＇05). 2005: 190-200.
[11]	BRUENING D , ZHAO Q , AMARASINGHE S . Transparent dynamic instrumentation[C]// Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments VEE ＇12. New York:ACM Press, 2012: 133-144.
[12]	CLAUSE J , LI W C , ORSO A . Dytan:a generic dynamic taint analysis framework[C]// Proceedings of the 2007 International Symposium on Software Testing and Analysis - ISSTA ＇07. 2007: 196-206.
[13]	KEMERLIS V P , PORTOKALIDIS G , JEE K ,et al. Libdft[J]. ACM SIGPLAN Notices, 2012,47(7): 121-132.
[14]	GALEA J , KROENING D . The taint rabbit:optimizing generic taint analysis with dynamic fast path generation[EB].
[15]	JIANG M , WU D H , XIAO G Y ,et al. TaintPipe:pipelined symbolic taint analysis[C]// Proceedings of 24th USENIX Conference on Security Symposium (SEC＇15). 2015: 65-80.
[16]	CHABBI M . Efficient dynamic taint analysis using multicore machines[D]. Arizona:The University of Arizona, 2015.
[17]	代伟, 刘智, 刘益和 . 基于二进制代码的动态污点分析[J]. 计算机应用研究, 2014,31(8): 2497-2501,2505.
	DAI W , LIU Z , LIU Y H . Binary code-based dynamic taint analysis[J]. Application Research of Computers, 2014,31(8): 2497-2501,2505.
[18]	YAN S , WANG R , SALLS C ,et al. SOK:(State of) The Art of War:Offensive Techniques in Binary Analysis[C]// Proceedings of IEEE Security ＆ Privacy. 2016: 138-157.
[19]	NGUYEN A Q , DANG H V . Unicorn:next generation CPU emulator framework[C]// Proceedings of BlackHat USA. 2015.
[20]	Capstone[EB].
[21]	dftwin[EB].

参数a污点状态	参数b污点状态	返回值污点状态
否	否	否
是	否	是
否	是	是
是	是	是

程序语句	污点符号集合	运算类型
x=imm	S_x= {}	赋值（常数）
x=y	S _x =S_y	赋值
	S _x=S_x	为任意一元运算
	S _x =S_y∪S_z	为任意二元运算

执行路径	污点传播摘要
①②③⑤	{（d,{t_a,t_c}）}
①②④⑤	{（d,{t_b,t_c}）}

API接口	说明
SetSourceIndex	通过Index设置Source点（Index为基本块执行过程中的序号）
SetSinkIndex	通过Index设置Sink点
SetTaintMemory	设置污点内存
SetSourceByBBLAddress	通过基本块地址设置Source点
SetSinkByBBLAddress	通过基本块地址设置Sink点
SetSourceIndexByAPIID	通过API调用序号设置Source点
SetSinkIndexByAPIID	通过API调用序号设置Sink点
DoAnalysis	开始污点分析
ShowTaintMemory	获取分析结束后的污点内存