缓冲区溢出检测技术综述

摘要/Abstract

摘要： 近年来随着信息社会软件规模不断扩大，缓冲区溢出漏洞的数目不减反增，亟需对已有缓冲区溢出漏洞检测技术进行脉络梳理、对比分析，以期取得技术创新与突破.针对上述问题，对缓冲区溢出漏洞检测技术进行梳理分析：将缓冲区溢出漏洞静态检测技术划分为特征分类和软件分析方法2类；将缓冲区溢出动态测试技术分为传统模糊测试、智能灰盒测试和输入变量覆盖率转换3类；将缓冲区漏洞运行防护技术划分为完整性防护、机密性防护和可用性防护3类；将自动利用技术划分为导致程序崩溃、劫持程序控制流、劫持程序数据流3类；将自动修复技术划分为单一修复策略和多元修复策略2类.在梳理分析的基础上，提出未来3个可能研究方向：1)优化静态检测技术；2)融合机器学习技术进行检测；3)多技术协同检测.

关键词: 缓冲区溢出, 静态检测, 动态测试, 运行时防护, 自动利用

Abstract: In recent years, with the continuous expansion of the scale of software in the information society, the number of buffer overflow vulnerabilities is not decreasing but increasing. It is urgent to sort out the context of the existing buffer overflow vulnerability detection technologies and make a comparative analysis, so as to achieve technical innovation and breakthrough. In view of the above problems, this paper analyzes the buffer overflow vulnerability analysis techniques: the static detection technology is divided into feature classification and software analysis methods. The dynamic testing technology is divided into traditional fuzzy testing, intelligent gray box testing and input variable coverage conversion. The operation protection technology is divided into integrity, confidentiality and availability protection. The automatic utilization technology is divided into causing program crash, hijacking program control flow and hijacking program data flow. Automatic repair technology can be divided into single or multiple repair strategy. On the basis of the analysis, this paper puts forward three possible research directions in the future: 1) optimizing static detection technology. 2) Integrating machine learning technology for analysis; 3) Analysis of multitechnology collaboration and mutual feeding.

Key words: buffer overflow, static detection, dynamic testing, runtime protection, automatic utilization

中图分类号:

TP309

邵思豪, 李国良, 朱宸锋, 李典恩, . 缓冲区溢出检测技术综述[J]. 信息安全研究, 2023, 9(12): 1180-.

参考文献

［1］申培, 刘福龙, 桑海伟. 恶意代码检测研究综述［J］. 重庆理工大学学报: 自然科学版, 2022, 36(11): 212218［2］CWE. CWE Top 25 Most Dangerous Software Weaknesses［EBOL］. ［20220425］. http:cwe.mitre.org［3］国家计算机网络应急技术处理协调中心(CNCERTCC). 2021年上半年我国互联网网络安全监测数据分析报告［EBOL］. ［20220425］. http:www.cert.org.cn［4］高庆, 陈静, 许平, 等. 工业嵌入式软件开发安全漏洞模式研究［J］. 信息安全研究, 2022, 8(6): 595604［5］司徒凌云, 王林章, 李宣东, 等. 基于应用视角的缓冲区溢出检测技术与工具［J］. 软件学报, 2019, 30(6): 17211741［6］国家信息安全漏洞库(CNNVD). 信息安全漏洞通报2022年2月［ROL］. ［20220425］. http:www.cnnvd.org.cn［7］华驰, 鲁志萍, 王可. 缓冲区溢出漏洞分析及防范策略［J］. 信息安全研究, 2019, 5(9): 812819［8］Grieco G, Mounier L, Potet M L, et al. A stack model for symbolic buffer overflow exploitability analysis［C］ Proc of the 6th Int Conf on Software Testing, Verification and Validation Workshops. Piscataway, NJ: IEEE, 2013: 216217［9］梅宏, 王千祥, 张路, 等. 软件分析技术进展［J］. 计算机学报, 2009, 32(9): 16971710［10］刘泽润, 郑红, 邱俊杰. 基于抽象语法树裁剪的智能合约漏洞检测研究［J］. 计算机科学, 2023, 50(4): 317322［11］杨朝红, 宫云战, 肖庆, 等. 基于软件缺陷模型的测试系统［J］. 北京邮电大学学报, 2008, 31(5): 14［12］Liang D, Harrold M J. Slicing objects using system dependence graphs［C］ Proc of Int Conf on Software Maintenance (ICSM’98). Piscataway, NJ: IEEE, 1998: 358367［13］马森, 赵文, 习翔宇, 等. 基于值依赖分析的空指针解引用检测［J］. 电子学报, 2015, 43(4): 647651［14］Ganapathy V, Jha S, Chandler D, et al. Buffer overrun detection using linear programming and static analysis［C］ Proc of the 10th ACM Conf on Computer and Communications Security. New York: ACM, 2003: 345354［15］John V, Bloch J T, Tadayoshi K, et al. ITS4: A static vulnerability scanner for C and C++ code［C］ Proc of the 16th Annual Computer Security Applications Conf. Piscataway, NJ: IEEE, 2000: 257267［16］Viega J, Bloch J, Kohno T, et al. Tokenbased scanning of source code for security problems［J］. ACM Trans on Information and System Security, 2002, 5(3): 238261［17］FlawFinder. How does flawfinder work?［EBOL］.［20220425］. http:www.dwheeler.comflawfinder［18］Tevis J, Hamilton J. Static analysis of anomalies and security vulnerabilities in executable files［C］ Proc of the 44th Annual Southeast Regional Conf. New York: ACM, 2006: 560565［19］Padmanabhuni B M, Tan H B K. Predicting buffer overflow vulnerabilities through mining lightweight static code attributes［C］ Proc of 2014 IEEE Int Symp on Software Reliability Engineering Workshops. Piscataway, NJ: IEEE, 2014: 317322［20］Padmanabhuni B M, Tan H B K. Buffer overflow vulnerability prediction from x86 executables using static analysis and machine learning［C］ Proc of the 39th IEEE Annual Computer Software and Applications Conf. Piscataway, NJ: IEEE, 2015: 450459［21］Cousot P, Cousot R. Abstract interpretation: A unified lattice model for static analysisof programs by construction or approximation of fixpoints［C］ Proc of the 4th ACM Symp on Principles of Programming Languages Conf. New York: ACM, 1977: 238252［22］Wagner D, Foster J, Brewer E, et al. A first step towards automated detection of buffer overrun vulnerabilities［C］ Proc of Network and Distributed System Security Symp. New York: ACM, 2000: 317［23］Weber M, Shah V, Ren C. A case study in detecting software security vulnerabilities using constraint optimization［C］ Proc of the Workshop on Source Code Analysis and Manipulation. Piscataway, NJ: IEEE, 2001: 313［24］CodeSurfer［EBOL］.［20220425］. http:www.grammatech.comproductscodesurfer［25］Sotirov A I. Automatic vulnerability detection using static source code analysis［D］. University of Alabama, 2005［26］Wang Yawen, Yao Xinhong, Gong Yunzhan, et al. A method of buffer overflow detection based on static code analysis［J］. Journal of Computer Research and Development, 2012, 49(4): 839845［27］Brat G, Navas J A, Shi N, et al. IKOS: A framework for static analysis based on abstract interpretation［C］ Proc of Int Conf on Software Engineering. New York: ACM: 2014: 271277［28］高凤娟, 王豫, 陈天骄, 等. 基于污点分析的数组越界缺陷的静态检测方法［J］. 软件学报, 2020, 31(10): 29813003 ［29］Boyer R S, Elspas B, Levitt K N. SELECT—A formal system for testing and debugging programs by symbolic execution［J］. ACM SigPlan Notices, 1975, 10(6): 234245［30］Xie Y, Chou A, Engler D. ARCHER: Using symbolic, pathsensitive analysis to detect memory access errors［C］ Proc of the 9th European Software Engineering Conf. New York: ACM, 2003: 327336［31］Cova M, Felmetsger V, Banks G, et al. Static detection of vulnerabilities in x86 executables［C］ Proc of Computer Security Applications Conf. Los Alamitos, CA: IEEE Computer Society Press, 2006: 269278［32］Le W, Soffa M L. Marple: A demanddriven pathsensitive buffer overflow detector［C］ Proc of the 16th ACM SIGSOFT Int Symp on Foundations of Software Engineering. New York: ACM, 2008: 272282［33］Le W, Soffa M L. Marple: Detecting faults in path segments using automatically generated analyses［J］. ACM Trans on Software Engineering Methodol, 2013, 22(3): 18:118:38［34］Ding S, Tan H B K, Liu Kaiping, et al. Detection of buffer overflow vulnerabilities in CC++ with pattern based limited symbolic evaluation［C］ Proc of Computer Software & Applications Conf Workshops. Piscataway, NJ: IEEE, 2012: 559564［35］杨楷, 刘超, 金茂忠. 一种基于并发错误模式的Java并发程序动态测试方法［J］. 计算机工程与科学, 2006, 28(Z2): 2426, 78［36］Takanen A, Demott J, Miller C. Fuzzing for Software Security Testing and Quality Assurance［M］. Boston: Artech House, 2008［37］HotFuzz. HOTFUZZ［EBOL］. ［20220425］. http:hotfuzz.sourceforge.net［38］Sen K, Marinov D, Agha G. CUTE: A concolic unit testing engine for C［C］ Proc of European Software Engineering Conf Held Jointly with, ACM Sigsoft Int Symp on Foundations of Software Engineering. New York: ACM, 2005: 263272［39］Godefroid P, Levin M Y, Molnar D A. Automated whitebox fuzz testing［C］ Proc of Network and Distributed System Security Symp (NDSS 2008). San Diego, California, USA: DBLP, 2008: 116［40］Sen K. DART: Directed automated random testing［C］ Proc of Int Haifa Verification Conf on Hardware & Software: Verification & Testing (ACMPUB27). New York: ACM, 2005: 213223［41］Cadar C, Ganesh V, Pawlowski P M, et al. EXE: Automatically generating inputs of death［C］ Proc of the 13th ACM Conf on Computer and Communications Security. New York: ACM, 2006: 322335［42］Lanzi A, Martignoni L, Monga M, et al. A smart fuzzer for x86 executables［C］ Proc of Int Conf on Software Engineering Workshops. Los Alamitos, CA: IEEE Computer Society Press, 2007: 77［43］Haller I, Slowinska A, Neugschwandtner M, et al. Dowsing for overflows: A guided fuzzer to find buffer boundary violations［C］ Proc of the 22nd USENIX Conf on Security. New York: ACM, 2013: 4964［44］Padmanabhuni B M, Tan H B K. Lightweight rulebased test case generation for detecting buffer overflow vulnerabilities［C］ Proc of the 10th IEEEACM Int Workshop on Automation of Software Test. Piscataway, NJ: IEEE, 2015: 4852［45］Padmanabhuni B M, Tan H B K. Auditing buffer overflow vulnerabilities using hybrid staticdynamic analysis［C］ Proc of the 38th IEEE Annual Computer Software and Applications Conf. Piscataway, NJ: IEEE, 2014: 394399［46］Mouzarani M, Sadeghiyan B, Zolfaghari M. Smart fuzzing method for detecting stackbased buffer overflow in binary codes［J］. IET Software, 2016, 10(4): 96107［47］Wang Wenhua, Lei Yu, Liu Donggang, et al. A combinatorial approach to detecting buffer overflow vulnerabilities［C］ Proc of the 41st IEEEIFIP Int Conf on Dependable Systems & Networks (DSN). Piscataway, NJ: IEEE, 2011: 269278［48］Cowan C. StackGuard: Automatic adaptive detection and prevention of bufferoverflow attacks［C］ Proc of the 7th Conf on USENIX Security Symp. Berkeley, CA: USENIX Association, 1998: 55［49］Etoh H. GCC extension for protecting applications from stacksmashing attacks［EBOL］. ［20220425］. http:www.trl.ibm.comprojectssecurityssp［50］Vendicator. Stack shield technical info file v0.7［EBOL］. ［20220425］. http:www.angelfire.comskstackshield［51］Hasabnis N, Misra A, Sekar R. Lightweight bounds checking［C］ Proc of Annual IEEEACM Int Symp on Code Generation and Optimization(CGO’12). New York: ACM, 2012: 135144［52］Duck J G, Yap H C R. Heap bounds protection with low fat pointers［C］ Proc of of the 25th Int Conf on Compiler Construction (CC 2016). New York: ACM, 2016: 132142［53］Gregory J Duck, Roland H C Yap, Cavallaro L. Stack bounds protection with low fat pointers［C］ Proc of Symp on Network and Distributed System Security. New York: ACM, 2017: 115［54］Cowan C. PointGuardTM: Protecting pointers from buffer overflow vulnerabilities［C］ Proc of the 12th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2003: 720［55］Bhatkar S, Duvarney D C, Sekar R C. Address obfuscation: An efficient approach to combat a broad range of memory error exploits［C］ Proc of the 12th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2003: 823［56］Use of ASLR, David LeBlanc etc［EBOL］. ［20220425］. http:blogs.msdn.comdavid_leblancarchive20080314useofaslrnxetc.aspx［57］Chen X, Slowinska A, Andriesse D, et al. StackArmor: Comprehensive protection from stackbased memory error vulnerabilities for binaries［C］ Proc of 2015 Network and Distributed System Security Symposium. New York: ACM, 2015: 115［58］Torvalds L. Message archived in Linux weekly news［EBOL］.［20220425］. http:lwn.net980806alinusnoexec.html［59］Baratloo A, Singh N, Tsai T. Transparent runtime defense against stack smashing attacks［C］ Proc of the 2000 USENIX Technical Conf. Berkeley, CA: USENIX Association, 2000［60］Chen Gang, Jin Hai, Zou Deqing, et al. SafeStack: Automatically patching stackbased buffer overflow vulnerabilities［J］. IEEE Trans on Dependable and Secure Computing, 2013, 10(6): 368379［61］Bishop M, Engle S, Howard D, et al. A taxonomy of buffer overflow characteristics［J］. IEEE Trans on Dependable and Secure Computing, 2012, 9(3): 305317［62］Brumley D, Poosankam P, Song D, et al. Automatic patchbased exploit generation is possible: Techniques and implications［C］ Proc of 2008 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2008: 143157［63］Avgerinos T, Cha S K, Rebert A, et al. Automatic exploit generation［C］ Proc of Association for Computing Machinery. New York: ACM, 2014: 7484［64］Hu H, Chua Z L, Adrian S, et al. Automatic generation of dataoriented exploits［C］ Proc of the USENIX Security Symp. New York: ACM, 2015: 177192［65］Arcuri A. On the automation of fixing software bugs［C］ Proc of the 30th Int Conf on Software Engineering. New York: ACM, 2008 10031006［66］SidiroglouDouskos S, Lahtinen E, Rinard M. Automatic discovery and patching of buffer and integer overflow errors［JOL］. ［20230425］. https:dspace.mit.eduhandle1721.197087［67］Gao F, Wang L, Li X. BovInspector: Automatic inspection and repair of buffer overflow vulnerabilities［C］ Proc of the 31st IEEEACM Int Conf on Automated Software Engineering. New York: ACM, 2016: 786791［68］王剑, 匡洪宇, 李瑞林, 等. 基于CNNGAP可解释性模型的软件源码漏洞检测方法［J］. 电子与信息学报, 2022, 44(7): 25682575

[1]	李祥乾, 凌惜沫, . 云原生 DevSecOps 落地实践[J]. 信息安全研究, 2022, 8(E1): 27-.
[2]	陈畅, 刘福来, . 基于智能电网内部数据流分析的内存泄露检测方法研究[J]. 信息安全研究, 2022, 8(1): 85-.
[3]	华驰鲁志萍王可. 缓冲区溢出漏洞分析及防范策略[J]. 信息安全研究, 2019, 5(9): 812-819.
[4]	孙伟. 一种静态Android重打包恶意应用检测方法[J]. 信息安全研究, 2017, 3(8): 0-0.