Abstract: A data flow analysis method for C programs based on a graph model is proposed to address the high false positive rate of existing approaches. A multi-dimensional property graph that combines the abstract syntax tree, control flow graph, program dependence graph and function call graph is constructed. Starting from each security-sensitive program point (sink), the related externally controllable input points (sources) are traced back. Taint-style vulnerabilities are then detected through intra-procedural and inter-procedural definition analysis, following each use back to the definitions that reach it. Results show that, guided by the complete code property graph and supported by interval arithmetic, the false positive rate of the data flow analysis is effectively reduced, and the method reduces the workload of manual code audit.
CHANG Chao, LIU Ke-sheng, TAN Long-dan, JIA Wen-chao. Data flow analysis for C program based on graph model. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2017, 51(5): 1007-1015.
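As an added illustration of the pipeline the abstract describes (example code written for this page, not the authors' implementation), the following Python script builds a miniature property graph for a hand-lowered program: each statement carries its control flow successor indices, reaching definitions supply the def-use edges of the program dependence graph, and a call to another function in the program table is followed through that function's return value. From each memcpy sink it traces the size argument back to a source such as recv, then runs a forward interval analysis over the CFG and drops any alarm where the interval proves the copy fits the destination buffer. The mini IR, the three functions, the source and sink tables and the interval rules are all assumptions made for the example.

```python
INF = float("inf")
TOP = (-INF, INF)                        # interval of an unconstrained value
SOURCES = {"recv", "getenv", "read"}     # assumed external-controllable input functions
SINK_SIZE_ARG = {"memcpy": 2}            # memcpy(dst, src, n): argument 2 is the copy size

def S(kind, succ=(), **f):
    # One IR statement: kind, CFG successor indices (succ[0] is a branch's true edge), fields.
    f.update(kind=kind, succ=list(succ))
    return f

# Constructed program, hand-lowered into the mini IR from this hypothetical C:
#   int  read_len(void)       { int n; recv(fd, &n, sizeof n, 0); return n; }
#   void checked(char *d)     { char buf[64]; int len = read_len(); if (0 <= len && len < 64) memcpy(buf, d, len); }
#   void signed_only(char *d) { char buf[64]; int len = read_len(); if (len < 64) memcpy(buf, d, len); }
#   void unchecked(char *d)   { char buf[64]; int len = read_len(); memcpy(buf, d, len); }
# A branch's false edge falls through to the function exit, so it has no successor statement.
PROLOGUE = [S("decl", [1], dst="buf", size=64),                       # char buf[64];
            S("call", [2], dst="len", callee="read_len", args=[])]     # int len = read_len();
COPY = S("call", [], dst=None, callee="memcpy", args=["buf", "d", "len"])   # memcpy(buf, d, len);
PROGRAM = {
    "read_len": [S("call", [1], dst="n", callee="recv", args=[]), S("ret", [], var="n")],
    "checked": PROLOGUE + [S("if", [3], var="len", lo=0, hi=63), COPY],       # 0 <= len && len < 64
    "signed_only": PROLOGUE + [S("if", [3], var="len", lo=-INF, hi=63), COPY],  # len < 64 only
    "unchecked": PROLOGUE + [COPY],
}

def reaching_defs(body):
    """Forward dataflow over the CFG: (var, def_index) pairs reaching each statement's entry."""
    rd_in = [set() for _ in body]
    changed = True
    while changed:
        changed = False
        for i, s in enumerate(body):
            out = set(rd_in[i])
            if s.get("dst"):                          # kill earlier defs of dst, gen this one
                out = {d for d in out if d[0] != s["dst"]} | {(s["dst"], i)}
            for j in s["succ"]:
                if not out <= rd_in[j]:
                    rd_in[j] |= out
                    changed = True
    return rd_in

def trace_to_source(fn, idx, var, seen=None):
    """Backward def-use walk from the use of `var` at PROGRAM[fn][idx]; a call to a function
    in PROGRAM is followed into its return variable. Returns the path from a SOURCES call, or None."""
    seen = set() if seen is None else seen
    body = PROGRAM[fn]
    for v, d in reaching_defs(body)[idx]:
        if v != var or (fn, d) in seen:
            continue
        seen.add((fn, d))
        s, node = body[d], f"{fn}:{d}"
        if s["kind"] == "call" and s["callee"] in SOURCES:
            return [node]
        if s["kind"] == "call" and s["callee"] in PROGRAM:   # inter-procedural step via the call edge
            for r, rs in enumerate(PROGRAM[s["callee"]]):
                if rs["kind"] == "ret" and rs["var"]:
                    path = trace_to_source(s["callee"], r, rs["var"], seen)
                    if path:
                        return path + [f"{s['callee']}:{r}", node]
    return None

def meet(a, b): return (max(a[0], b[0]), min(a[1], b[1]))
def join(a, b): return (min(a[0], b[0]), max(a[1], b[1]))

def intervals(body):
    """Forward interval analysis over the CFG. Successors have higher indices (loop-free IR),
    so one pass in index order reaches the fixpoint; a branch refines only its true edge."""
    env_in = [None] * len(body)
    for i, s in enumerate(body):
        assert all(j > i for j in s["succ"]), "IR must be loop-free"
        env = dict(env_in[i] or {})                   # a missing variable means TOP
        outs = [env] * len(s["succ"])
        if s["kind"] == "call" and s["dst"]:
            env[s["dst"]] = TOP                       # unknown return value, negatives included
        elif s["kind"] == "if":
            t = dict(env)
            t[s["var"]] = meet(env.get(s["var"], TOP), (s["lo"], s["hi"]))
            outs = [t, env]                           # false edge left unrefined (over-approximates)
        for j, e in zip(s["succ"], outs):
            env_in[j] = e if env_in[j] is None else {
                v: join(e.get(v, TOP), env_in[j].get(v, TOP)) for v in set(e) | set(env_in[j])}
    return env_in

def analyze(fn):
    """Sinks in `fn` whose size argument traces back to external input and whose interval
    does not prove the copy stays inside the destination buffer."""
    body, findings = PROGRAM[fn], []
    env_in = intervals(body)
    sizes = {s["dst"]: s["size"] for s in body if s["kind"] == "decl"}
    for i, s in enumerate(body):
        if s["kind"] != "call" or s["callee"] not in SINK_SIZE_ARG:
            continue
        dst, n = s["args"][0], s["args"][SINK_SIZE_ARG[s["callee"]]]
        path = trace_to_source(fn, i, n)
        if path is None:
            continue                                  # size is not externally controllable
        lo, hi = (env_in[i] or {}).get(n, TOP)
        if dst in sizes and 0 <= lo and hi <= sizes[dst]:
            continue                                  # interval proves the copy fits: drop the alarm
        findings.append({"sink": f"{fn}:{i}", "size_arg": n, "interval": (lo, hi),
                         "path": path + [f"{fn}:{i}"]})
    return findings
```

Calling analyze("checked") returns no findings, because the guard bounds len to [0, 63] at the sink. analyze("signed_only") still reports its memcpy: len < 64 on a signed value leaves the lower bound open, and a negative len converts to a huge size_t, so the interval does not justify suppressing the alarm. analyze("unchecked") reports the statement path read_len:0, read_len:1, unchecked:1, unchecked:2 from the recv call to the memcpy. Each finding carries both the interval and the source-to-sink path, which is what an auditor needs to confirm or dismiss the alarm without re-reading the whole program.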