[1]申培, 刘福龙, 桑海伟. 恶意代码检测研究综述[J]. 重庆理工大学学报: 自然科学版, 2022, 36(11): 212218[2]CWE. CWE Top 25 Most Dangerous Software Weaknesses[EBOL]. [20220425]. http:cwe.mitre.org[3]国家计算机网络应急技术处理协调中心(CNCERTCC). 2021年上半年我国互联网网络安全监测数据分析报告[EBOL]. [20220425]. http:www.cert.org.cn[4]高庆, 陈静, 许平, 等. 工业嵌入式软件开发安全漏洞模式研究[J]. 信息安全研究, 2022, 8(6): 595604[5]司徒凌云, 王林章, 李宣东, 等. 基于应用视角的缓冲区溢出检测技术与工具[J]. 软件学报, 2019, 30(6): 17211741[6]国家信息安全漏洞库(CNNVD). 信息安全漏洞通报2022年2月[ROL]. [20220425]. http:www.cnnvd.org.cn[7]华驰, 鲁志萍, 王可. 缓冲区溢出漏洞分析及防范策略[J]. 信息安全研究, 2019, 5(9): 812819[8]Grieco G, Mounier L, Potet M L, et al. A stack model for symbolic buffer overflow exploitability analysis[C] Proc of the 6th Int Conf on Software Testing, Verification and Validation Workshops. Piscataway, NJ: IEEE, 2013: 216217[9]梅宏, 王千祥, 张路, 等. 软件分析技术进展[J]. 计算机学报, 2009, 32(9): 16971710[10]刘泽润, 郑红, 邱俊杰. 基于抽象语法树裁剪的智能合约漏洞检测研究[J]. 计算机科学, 2023, 50(4): 317322[11]杨朝红, 宫云战, 肖庆, 等. 基于软件缺陷模型的测试系统[J]. 北京邮电大学学报, 2008, 31(5): 14[12]Liang D, Harrold M J. Slicing objects using system dependence graphs[C] Proc of Int Conf on Software Maintenance (ICSM’98). Piscataway, NJ: IEEE, 1998: 358367[13]马森, 赵文, 习翔宇, 等. 基于值依赖分析的空指针解引用检测[J]. 电子学报, 2015, 43(4): 647651[14]Ganapathy V, Jha S, Chandler D, et al. Buffer overrun detection using linear programming and static analysis[C] Proc of the 10th ACM Conf on Computer and Communications Security. New York: ACM, 2003: 345354[15]John V, Bloch J T, Tadayoshi K, et al. ITS4: A static vulnerability scanner for C and C++ code[C] Proc of the 16th Annual Computer Security Applications Conf. Piscataway, NJ: IEEE, 2000: 257267[16]Viega J, Bloch J, Kohno T, et al. Tokenbased scanning of source code for security problems[J]. ACM Trans on Information and System Security, 2002, 5(3): 238261[17]FlawFinder. How does flawfinder work?[EBOL].[20220425]. http:www.dwheeler.comflawfinder[18]Tevis J, Hamilton J. Static analysis of anomalies and security vulnerabilities in executable files[C] Proc of the 44th Annual Southeast Regional Conf. New York: ACM, 2006: 560565[19]Padmanabhuni B M, Tan H B K. Predicting buffer overflow vulnerabilities through mining lightweight static code attributes[C] Proc of 2014 IEEE Int Symp on Software Reliability Engineering Workshops. Piscataway, NJ: IEEE, 2014: 317322[20]Padmanabhuni B M, Tan H B K. Buffer overflow vulnerability prediction from x86 executables using static analysis and machine learning[C] Proc of the 39th IEEE Annual Computer Software and Applications Conf. Piscataway, NJ: IEEE, 2015: 450459[21]Cousot P, Cousot R. Abstract interpretation: A unified lattice model for static analysisof programs by construction or approximation of fixpoints[C] Proc of the 4th ACM Symp on Principles of Programming Languages Conf. New York: ACM, 1977: 238252[22]Wagner D, Foster J, Brewer E, et al. A first step towards automated detection of buffer overrun vulnerabilities[C] Proc of Network and Distributed System Security Symp. New York: ACM, 2000: 317[23]Weber M, Shah V, Ren C. A case study in detecting software security vulnerabilities using constraint optimization[C] Proc of the Workshop on Source Code Analysis and Manipulation. Piscataway, NJ: IEEE, 2001: 313[24]CodeSurfer[EBOL].[20220425]. http:www.grammatech.comproductscodesurfer[25]Sotirov A I. Automatic vulnerability detection using static source code analysis[D]. University of Alabama, 2005[26]Wang Yawen, Yao Xinhong, Gong Yunzhan, et al. A method of buffer overflow detection based on static code analysis[J]. Journal of Computer Research and Development, 2012, 49(4): 839845[27]Brat G, Navas J A, Shi N, et al. IKOS: A framework for static analysis based on abstract interpretation[C] Proc of Int Conf on Software Engineering. New York: ACM: 2014: 271277[28]高凤娟, 王豫, 陈天骄, 等. 基于污点分析的数组越界缺陷的静态检测方法[J]. 软件学报, 2020, 31(10): 29813003 [29]Boyer R S, Elspas B, Levitt K N. SELECT—A formal system for testing and debugging programs by symbolic execution[J]. ACM SigPlan Notices, 1975, 10(6): 234245[30]Xie Y, Chou A, Engler D. ARCHER: Using symbolic, pathsensitive analysis to detect memory access errors[C] Proc of the 9th European Software Engineering Conf. New York: ACM, 2003: 327336[31]Cova M, Felmetsger V, Banks G, et al. Static detection of vulnerabilities in x86 executables[C] Proc of Computer Security Applications Conf. Los Alamitos, CA: IEEE Computer Society Press, 2006: 269278[32]Le W, Soffa M L. Marple: A demanddriven pathsensitive buffer overflow detector[C] Proc of the 16th ACM SIGSOFT Int Symp on Foundations of Software Engineering. New York: ACM, 2008: 272282[33]Le W, Soffa M L. Marple: Detecting faults in path segments using automatically generated analyses[J]. ACM Trans on Software Engineering Methodol, 2013, 22(3): 18:118:38[34]Ding S, Tan H B K, Liu Kaiping, et al. Detection of buffer overflow vulnerabilities in CC++ with pattern based limited symbolic evaluation[C] Proc of Computer Software & Applications Conf Workshops. Piscataway, NJ: IEEE, 2012: 559564[35]杨楷, 刘超, 金茂忠. 一种基于并发错误模式的Java并发程序动态测试方法[J]. 计算机工程与科学, 2006, 28(Z2): 2426, 78[36]Takanen A, Demott J, Miller C. Fuzzing for Software Security Testing and Quality Assurance[M]. Boston: Artech House, 2008[37]HotFuzz. HOTFUZZ[EBOL]. [20220425]. http:hotfuzz.sourceforge.net[38]Sen K, Marinov D, Agha G. CUTE: A concolic unit testing engine for C[C] Proc of European Software Engineering Conf Held Jointly with, ACM Sigsoft Int Symp on Foundations of Software Engineering. New York: ACM, 2005: 263272[39]Godefroid P, Levin M Y, Molnar D A. Automated whitebox fuzz testing[C] Proc of Network and Distributed System Security Symp (NDSS 2008). San Diego, California, USA: DBLP, 2008: 116[40]Sen K. DART: Directed automated random testing[C] Proc of Int Haifa Verification Conf on Hardware & Software: Verification & Testing (ACMPUB27). New York: ACM, 2005: 213223[41]Cadar C, Ganesh V, Pawlowski P M, et al. EXE: Automatically generating inputs of death[C] Proc of the 13th ACM Conf on Computer and Communications Security. New York: ACM, 2006: 322335[42]Lanzi A, Martignoni L, Monga M, et al. A smart fuzzer for x86 executables[C] Proc of Int Conf on Software Engineering Workshops. Los Alamitos, CA: IEEE Computer Society Press, 2007: 77[43]Haller I, Slowinska A, Neugschwandtner M, et al. Dowsing for overflows: A guided fuzzer to find buffer boundary violations[C] Proc of the 22nd USENIX Conf on Security. New York: ACM, 2013: 4964[44]Padmanabhuni B M, Tan H B K. Lightweight rulebased test case generation for detecting buffer overflow vulnerabilities[C] Proc of the 10th IEEEACM Int Workshop on Automation of Software Test. Piscataway, NJ: IEEE, 2015: 4852[45]Padmanabhuni B M, Tan H B K. Auditing buffer overflow vulnerabilities using hybrid staticdynamic analysis[C] Proc of the 38th IEEE Annual Computer Software and Applications Conf. Piscataway, NJ: IEEE, 2014: 394399[46]Mouzarani M, Sadeghiyan B, Zolfaghari M. Smart fuzzing method for detecting stackbased buffer overflow in binary codes[J]. IET Software, 2016, 10(4): 96107[47]Wang Wenhua, Lei Yu, Liu Donggang, et al. A combinatorial approach to detecting buffer overflow vulnerabilities[C] Proc of the 41st IEEEIFIP Int Conf on Dependable Systems & Networks (DSN). Piscataway, NJ: IEEE, 2011: 269278[48]Cowan C. StackGuard: Automatic adaptive detection and prevention of bufferoverflow attacks[C] Proc of the 7th Conf on USENIX Security Symp. Berkeley, CA: USENIX Association, 1998: 55[49]Etoh H. GCC extension for protecting applications from stacksmashing attacks[EBOL]. [20220425]. http:www.trl.ibm.comprojectssecurityssp[50]Vendicator. Stack shield technical info file v0.7[EBOL]. [20220425]. http:www.angelfire.comskstackshield[51]Hasabnis N, Misra A, Sekar R. Lightweight bounds checking[C] Proc of Annual IEEEACM Int Symp on Code Generation and Optimization(CGO’12). New York: ACM, 2012: 135144[52]Duck J G, Yap H C R. Heap bounds protection with low fat pointers[C] Proc of of the 25th Int Conf on Compiler Construction (CC 2016). New York: ACM, 2016: 132142[53]Gregory J Duck, Roland H C Yap, Cavallaro L. Stack bounds protection with low fat pointers[C] Proc of Symp on Network and Distributed System Security. New York: ACM, 2017: 115[54]Cowan C. PointGuardTM: Protecting pointers from buffer overflow vulnerabilities[C] Proc of the 12th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2003: 720[55]Bhatkar S, Duvarney D C, Sekar R C. Address obfuscation: An efficient approach to combat a broad range of memory error exploits[C] Proc of the 12th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2003: 823[56]Use of ASLR, David LeBlanc etc[EBOL]. [20220425]. http:blogs.msdn.comdavid_leblancarchive20080314useofaslrnxetc.aspx[57]Chen X, Slowinska A, Andriesse D, et al. StackArmor: Comprehensive protection from stackbased memory error vulnerabilities for binaries[C] Proc of 2015 Network and Distributed System Security Symposium. New York: ACM, 2015: 115[58]Torvalds L. Message archived in Linux weekly news[EBOL].[20220425]. http:lwn.net980806alinusnoexec.html[59]Baratloo A, Singh N, Tsai T. Transparent runtime defense against stack smashing attacks[C] Proc of the 2000 USENIX Technical Conf. Berkeley, CA: USENIX Association, 2000[60]Chen Gang, Jin Hai, Zou Deqing, et al. SafeStack: Automatically patching stackbased buffer overflow vulnerabilities[J]. IEEE Trans on Dependable and Secure Computing, 2013, 10(6): 368379[61]Bishop M, Engle S, Howard D, et al. A taxonomy of buffer overflow characteristics[J]. IEEE Trans on Dependable and Secure Computing, 2012, 9(3): 305317[62]Brumley D, Poosankam P, Song D, et al. Automatic patchbased exploit generation is possible: Techniques and implications[C] Proc of 2008 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2008: 143157[63]Avgerinos T, Cha S K, Rebert A, et al. Automatic exploit generation[C] Proc of Association for Computing Machinery. New York: ACM, 2014: 7484[64]Hu H, Chua Z L, Adrian S, et al. Automatic generation of dataoriented exploits[C] Proc of the USENIX Security Symp. New York: ACM, 2015: 177192[65]Arcuri A. On the automation of fixing software bugs[C] Proc of the 30th Int Conf on Software Engineering. New York: ACM, 2008 10031006[66]SidiroglouDouskos S, Lahtinen E, Rinard M. Automatic discovery and patching of buffer and integer overflow errors[JOL]. [20230425]. https:dspace.mit.eduhandle1721.197087[67]Gao F, Wang L, Li X. BovInspector: Automatic inspection and repair of buffer overflow vulnerabilities[C] Proc of the 31st IEEEACM Int Conf on Automated Software Engineering. New York: ACM, 2016: 786791[68]王剑, 匡洪宇, 李瑞林, 等. 基于CNNGAP可解释性模型的软件源码漏洞检测方法[J]. 电子与信息学报, 2022, 44(7): 25682575
|