基于函数语义分析的软件补丁比对技术

doi:10.11959/j.issn.2096-109x.2019051

网络与信息安全学报 ›› 2019, Vol. 5 ›› Issue (5): 56-63.doi: 10.11959/j.issn.2096-109x.2019051

基于函数语义分析的软件补丁比对技术

曹琰¹(), 刘龙¹, 王禹², 王清贤¹

¹ 数学工程与先进计算国家重点实验室，河南郑州 450000
² 河南工程学院，河南郑州 450000

修回日期:2019-01-14 出版日期:2019-10-15 发布日期:2019-11-02
作者简介:曹琰（1983- ），男，河南郑州人，博士，数学工程与先进计算国家重点实验室讲师，主要研究方向为网络空间安全。|刘龙（1983- ），男，河南尉氏人，数学工程与先进计算国家重点实验室讲师，主要研究方向为网络空间安全和机器学习。|王禹（1984- ），男，河北博野人，博士，河南工程学院讲师，主要研究方向为网络空间安全和IPv6。|王清贤（1960- ），男，河南新乡人，数学工程与先进计算国家重点实验室教授、博士生导师，主要研究方向为网络空间安全和软件分析。
基金资助:
国家重点研发计划基金资助项目(2017YFB0803202);国家重点研发计划基金资助项目(2016QY07X1404)

Software patch comparison technology through semantic analysis on function

Yan CAO¹(), Long LIU¹, Yu WANG², Qingxian WANG¹

¹ State Key Laboratory of Mathematical Engineering ＆Advanced Computing,Zhengzhou 450000,China
² Henan University of Engineering,Zhengzhou 450000,China

Revised:2019-01-14 Online:2019-10-15 Published:2019-11-02
Supported by:
The National Key Plan R＆D Program of China(2017YFB0803202);The National Key Plan R＆D Program of China(2016QY07X1404)

摘要/Abstract

摘要：

基于结构化的补丁比对是软件漏洞辅助分析的重要方法。在分析总结已有补丁比对技术及反补丁比对技术的基础上，针对结构化比对存在无法进行语义分析而导致误报的问题，提出了基于函数语义分析的软件补丁比对方法。利用传统的结构化比对方法，在函数级进行语法差异比较得到最大同构子图；通过程序依赖分析，构建函数输入输出之间的路径包络，基于符号执行以包络为对象计算函数输出特征；通过函数摘要进行语义级比对，结合最大同构子图的匹配函数结果，进一步分析得出发生语义变化的函数。最终，通过实验比对测试，验证了所提方法的可行性和优势。

关键词: 漏洞分析, 补丁比对, 符号执行, 语义分析

Abstract:

Patch comparison provides support for software vulnerability,and structural comparison has been developed.Based on summarizing binary files comparison and anti-comparison methods,comparison technology was proposed by semantic analysis on function to address the issue that structural comparison cannot carry on semantic analysis.Through traditional structural comparison,syntax differences in function-level were analyzed to find the maximum common subgraph.Then,the path cluster was built between the input and output of the function depend on program dependency analysis.Function output characteristics was established based on symbolic execution.Semantic differences of functions were compared by functional summaries.Based on the maximum isomorphic subgraph,the matched functions which there are possible semantic changes between was further analyzed.Ultimately,the experimental results showed the feasibility and advantages of the proposed method.

Key words: vulnerability analysis, patch comparison, symbolic execution, semantic analysis

中图分类号:

TP393

曹琰, 刘龙, 王禹, 王清贤. 基于函数语义分析的软件补丁比对技术[J]. 网络与信息安全学报, 2019, 5(5): 56-63.

Yan CAO, Long LIU, Yu WANG, Qingxian WANG. Software patch comparison technology through semantic analysis on function[J]. Chinese Journal of Network and Information Security, 2019, 5(5): 56-63.

图/表 9

图1

图2

图3

表1

表2

表3

表4

表5

表6

比对测试结果"

文件名	工具	漏洞/修补函数对x	M_C函数对y	$\frac{x}{y}$ 的比值
CVE-20063439	SymDiff	1	7	14.3%
	PatchDiff2	1	7	14.3%
CVE-20084205	SymDiff	1	2	50%
	PatchDiff2	1	3	33.3%
CVE-20102746	SymDiff	1	2	50%
	PatchDiff2	1	3	33.3%
CVE-20176178	SymDiff	5	6	83.3%
	PatchDiff2	5	8	62.5%

表6

参考文献 17

[1]	WANG Z , PIERCE K , MCFARLING S . BMAT-a binary matching tool for stale profile propagation[J]. The Journal of Instruction-Level Parallelism (JILP), 2000,2: 1-20.
[2]	FLAKE H , . Structural comparison of executable objects[C]// Dortmund GI SIG SIDAR Workshop, 2004.
[3]	潘璠, 吴礼发, 孙传鲁 ,等. 一种改进的补丁比较模型的研究与实现[J]. 南京邮电大学学报（自然科学版）, 2012,32(2): 75-83.
	PAN F , WU L F , SUN C L ,et al. Research and implementation of an improved patch comparison technique[J]. Journal of Nanjing University of Posts and Telecommunications(Natural Science), 2012,32(2): 75-83.
[4]	肖雅娟 . 二进制代码函数相似度匹配技术研究[D]. 济南:山东大学, 2016.
	XIAO Y J . Research on similarity matching technology of binary code function[M]. Jinan:Shandong University. 2016.
[5]	LIU B C , BINGCHANG L , WEI H , CHAO Z ,et al. α Diff:cross-version binary code similarity detection with DNN[C]// IEEE ACM Automated Software Engineering (ASE’18). 2018.
[6]	XU X J , LIU C , FENG Q ,et al. Neural network-based graph embedding for cross-platform binary code similarity detection[C]// The 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017.
[7]	王欣, 郭涛, 董国伟 ,等. 基于补丁比对的Concolic测试方法[J]. 清华大学学报（自然科学版）, 2013,53(12): 1737-1742.
	WANG X , GUO T , DONG G W ,et al. Concolic test method based on patch matching[J]. Journal of Tsinghua University(Science and Technology), 2013,53(12): 1737-1742.
[8]	王嘉捷, 郭涛, 张普含 ,等. 基于软件代码差异分析的智能模糊测试[J]. 清华大学学报（自然科学版）, 2013,53(12): 1726-1730.
	WANG J J , GUO T , ZHANG P H ,et al. Intelligent fuzzy test based on software code difference analysis[J]. Journal of Tsinghua University(Science and Technology), 2013,53(12): 1726-1730.
[9]	SHAHZAD M , SHAFIQ M Z , LIU A.X . A large scale exploratory analysis of software vulnerability life cycles[C]// International Conference on Software Engineering. 2012: 771-781.
[10]	FREI S , MAY M , FIEDLER U ,et al. Large-scale vulnerability analysis[C]// SIGCOMM Workshop on Large-Scale Attack Defense. 2006: 131-138.
[11]	BRUMLEY D , POOSANKAM P , SONG D ,et al. Automatic patch-based exploit generation is possible:techniques and implication[C]// Security ＆ Privac. 2008.
[12]	AVERY J , SPAFFORD E H . Ghost patches:fake patches for fake vulnerabilities[C]// International Conference on ICT Systems Security and Privacy Protection. 2017: 399-412.
[13]	JEONG W O , CHEN S . Binary and anti-binary comparison[C]// XCon Information Security Conference. 2013: 1-27.
[14]	DEBIN G , MICHAEL K R , DAWN S . BinHunt:automatically finding semantic differences in binary programs[C]// The 10th International Conference on Information and Communications Security. 2008.
[15]	LANNAN L , JIANG M , DINGHAO W ,et al. Semantics-based obfuscation-resilient binary code similarity comparison with applications to software plagiarism detection[J]. IEEE Transactions on Software Engineering, 2017,43(12): 1157-1177.
[16]	ZHENG Z X , BIHUAN C , MAHINTHAN C , LIU Y ,et al. SPAIN:security patch analysis for binaries towards understanding the pain and pills[C]// The 39th International Conference on Software Engineering. 2017.
[17]	CAO Y , WEI Q , WANG Q X . Research on parallel symbolic execution through program dependence analysis[C]// The Fifth International Symposium on Computational Intelligence and Design. 2012: 222-226.

工具名称	来源
SymDiff	自主研发
PatchDiff2	由Tenable Network Security发布的免费比对工具

文件类型	文件名称	版本
原文件	netapi32.dll	5.00.2195.6949
补丁文件		5.00.2195.7105

文件类型	文件名称	版本
原文件	netapi32.dll	5.1.2600.2180
补丁文件		5.1.2600.2952

文件类型	文件名称	版本
原文件	comctl32.dll	6.00.2900.5512
补丁文件		6.00.2900.6028

文件类型	文件名称	版本
原文件	USBPcap.sys	1.0.0.7
补丁文件		1.2.0.1

基于函数语义分析的软件补丁比对技术

Software patch comparison technology through semantic analysis on function

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 17

相关文章 7

Metrics

推荐阅读 0

[1]	肖玉强, 郭云飞, 王亚文. 基于符号执行和N-scope复杂度的代码混淆度量方法[J]. 网络与信息安全学报, 2022, 8(6): 123-134.
[2]	张协力, 祝跃飞, 顾纯祥, 陈熹. 模型学习与符号执行结合的安全协议代码分析技术[J]. 网络与信息安全学报, 2021, 7(5): 93-104.
[3]	耿普,祝跃飞. 分支混淆中的条件异常代码构造研究[J]. 网络与信息安全学报, 2020, 6(6): 25-34.
[4]	耿普,祝跃飞. 路径分支混淆研究综述[J]. 网络与信息安全学报, 2020, 6(2): 12-18.
[5]	颜慧颖,周振吉,吴礼发,洪征,孙贺. 基于符号执行的Android原生代码控制流图提取方法[J]. 网络与信息安全学报, 2017, 3(7): 33-46.
[6]	张朋辉,田曦,楼康威. 基于软硬件协同形式验证的固件漏洞分析技术[J]. 网络与信息安全学报, 2016, 2(7): 59-68.
[7]	乐德广,章亮,龚声蓉,郑力新,吴少刚. 面向RTF的OLE对象漏洞分析研究[J]. 网络与信息安全学报, 2016, 2(1): 34-45.