Journal of Zhejiang University (Engineering Science)
Automation Technology
Data flow analysis for C program based on graph model
CHANG Chao, LIU Ke-sheng, TAN Long-dan, JIA Wen-chao
Electronics Engineering Institute of PLA, Hefei 230037, China
Abstract (translated from the Chinese):

To address problems such as the high false positive rate that data flow analysis commonly faces, a C program data flow analysis method based on a graph model is proposed. A multi-dimensional graph model containing the abstract syntax tree, control flow information, program dependence information and function call information is constructed; all related externally controllable input sources (sources) are obtained by tracing back from security-sensitive program points (sinks); and taint-style defects are detected through intra-procedural and inter-procedural definition analysis based on the graph model. Results show that, guided by complete code properties and supported by interval arithmetic, the false positive rate of data flow analysis can be effectively reduced and the workload of manual code auditing decreased.

Abstract: A data flow analysis method based on a graph model for C programs was proposed to solve the problem of the high false positive rate. A multi-dimensional property graph that includes the abstract syntax tree, control flow graph, program dependence graph and function call graph was constructed. From the security-sensitive program point (sink), the related externally controllable input points (sources) could be traced. Taint-style vulnerabilities could be detected through intra-procedural and inter-procedural definition analysis. Results show that the false positive rate of data flow analysis was effectively reduced by relying on complete code property guidance and interval operation support. The method can reduce the workload of manual code audit.
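As an added illustration (not code from the paper), the following Python sketch models the sink-to-source tracing over data-dependence edges and the interval check that removes a false positive, on a constructed mini graph for a memcpy sink; the node layout, field names and the 64-byte buffer bound are assumptions.

```python
from collections import deque
INF = float("inf")

# Constructed mini graph model (assumed layout, not the paper's) for the snippet:
#   len = read_int();                 /* external input: source */
#   if (len < 0 || len > 64) return;  /* guard, present only when checked=True */
#   memcpy(buf, src, len);            /* sink: buf holds 64 bytes */
# "ddeps": used var -> node that last defined it (data dependence); "cdeps": guards
# the node is control-dependent on; a guard's "ranges": intervals on its fall-through edge.
def make_graph(checked: bool) -> dict:
    g = {
        "read":   {"source": True,  "ddeps": {}, "cdeps": []},
        "memcpy": {"source": False, "ddeps": {"len": "read"}, "cdeps": [],
                   "sink": ("len", 64)},
    }
    if checked:
        g["guard"] = {"source": False, "ddeps": {"len": "read"}, "cdeps": [],
                      "ranges": {"len": (0, 64)}}
        g["memcpy"]["cdeps"].append("guard")
    return g

def trace_sources(g: dict, sink: str) -> set:
    # Backward walk over data-dependence edges: which external sources reach the sink?
    seen, work, sources = {sink}, deque([sink]), set()
    while work:
        n = work.popleft()
        if g[n]["source"]:
            sources.add(n)
        for pred in g[n]["ddeps"].values():
            if pred not in seen:
                seen.add(pred)
                work.append(pred)
    return sources

def interval_at(g: dict, node: str, var: str) -> tuple:
    # Intersect the ranges every guard controlling this node imposes on var.
    lo, hi = -INF, INF
    for guard in g[node]["cdeps"]:
        glo, ghi = g[guard].get("ranges", {}).get(var, (-INF, INF))
        lo, hi = max(lo, glo), min(hi, ghi)
    return lo, hi

def check_sink(g: dict, sink: str) -> str:
    # Report only when a source reaches the sink AND the interval cannot prove
    # that the copied length fits the buffer; the guard removes the false positive.
    var, limit = g[sink]["sink"]
    if not trace_sources(g, sink):
        return "safe"
    lo, hi = interval_at(g, sink, var)
    return "safe" if lo >= 0 and hi <= limit else "tainted"
```

Without the guard the sink is reported as tainted; with it the interval [0, 64] at the sink proves the copy fits, which is the kind of false positive the interval support is meant to suppress.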
Published: 2017-05-01
CLC: TP 311
Funding:

National Natural Science Foundation of China (61272491).

Corresponding author: LIU Ke-sheng, male, professor, doctoral supervisor. ORCID: 0000-0003-2023-0826. E-mail: ksliu1588@126.com
About the author: CHANG Chao (born 1989), male, PhD candidate, engaged in research on program analysis and vulnerability discovery. ORCID: 0000-0002-4119-7933. E-mail: woshichangchao1@163.com

Cite this article:

CHANG Chao, LIU Ke-sheng, TAN Long-dan, JIA Wen-chao. Data flow analysis for C program based on graph model. Journal of Zhejiang University (Engineering Science), 10.3785/j.issn.1008-973X.2017.05.022.

