Detecting the Vulnerability Pattern of Writing Tainted Value to Tainted Address (写污点值到污点地址漏洞模式检测)
Cited by: 9


Authors: 忽朝俭 (Hu Chaojian)[1], 李舟军 (Li Zhoujun)[1], 郭涛 (Guo Tao)[2], 时志伟 (Shi Zhiwei)[2]

Affiliations: [1] School of Computer Science and Engineering, Beihang University, Beijing 100191; [2] China Information Technology Security Evaluation Center, Beijing 100085

Source: Journal of Computer Research and Development (计算机研究与发展), 2011, No. 8, pp. 1455-1463 (9 pages)

Funding: National Natural Science Foundation of China (90718017; 60973105; 90818021)

Abstract: Device drivers are low-level programs that allow higher-level programs to interact with hardware devices. Vulnerabilities in device drivers are usually far more damaging to the security of a computer system than vulnerabilities in applications. "Writing a tainted value to a tainted address" is a vulnerability pattern that appears frequently in Windows device drivers. This paper is the first to describe the pattern explicitly, proposes a method for automatically detecting it in binary driver programs, and implements the method in a prototype tool called T2T-B2C. The method is based on decompilation and static taint analysis; compared with other approaches, it can analyze both C code and native binary code. The tool consists of two components, T2T and B2C: B2C first translates the binary file into C code by decompilation, and T2T then uses static taint analysis to detect statements in the generated C code that write a tainted value to a tainted address. T2T-B2C was evaluated on binary drivers from several Windows anti-virus products and found 6 previously undisclosed vulnerabilities. The results show that T2T-B2C is a practical vulnerability detection tool that scales to fairly large programs.

Keywords: vulnerability; binary; device driver; decompilation; taint analysis

Classification: TP311.1 [Automation and Computer Technology / Computer Software and Theory]
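The detection step the abstract assigns to T2T, as an added illustration rather than the authors' code: a toy forward taint analysis over a constructed three-address IR (standing in for decompiler output) that flags a store only when both its address and its value operand derive from attacker-controlled input. The IR, the statement names and the IOCTL-handler fragment are all assumptions made for this example.

```python
"""Toy static taint analysis for the 'write tainted value to tainted
address' pattern from the abstract. Added illustration, not the authors'
T2T-B2C code; the three-address IR and driver fragment are constructed."""

# IR a decompiler pass might hand to the analysis (constructed here):
#   ("assign", dst, [src, ...])  dst = f(src...)  taint flows from any src
#   ("load",   dst, ptr)         dst = *ptr       read via tainted ptr is tainted
#   ("store",  ptr, val)         *ptr = val       the statement under inspection

def analyze(stmts, sources):
    """Forward taint propagation over a straight-line statement list.
    `sources` names variables holding attacker-controlled input, e.g. the
    IOCTL input buffer of a driver. Returns (index, ptr, val) for every
    store whose address AND value are tainted, i.e. the paper's pattern."""
    tainted = set(sources)
    findings = []
    for i, stmt in enumerate(stmts):
        kind = stmt[0]
        if kind == "assign":
            _, dst, srcs = stmt
            if any(s in tainted for s in srcs):
                tainted.add(dst)
            else:
                tainted.discard(dst)  # redefined from clean operands only
        elif kind == "load":
            _, dst, ptr = stmt
            if ptr in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif kind == "store":
            _, ptr, val = stmt
            if ptr in tainted and val in tainted:
                findings.append((i, ptr, val))
    return findings

# Constructed IOCTL-handler fragment: a pointer and a value are taken from
# the user-supplied buffer and the value is written through the pointer.
SAMPLE = [
    ("assign", "in_buf", ["irp_system_buffer"]),  # input buffer from the IRP
    ("load", "target", "in_buf"),                  # target = *in_buf
    ("assign", "in_buf_8", ["in_buf"]),            # in_buf_8 = in_buf + 8
    ("load", "value", "in_buf_8"),                 # value = *(in_buf + 8)
    ("assign", "zero", []),                        # constant, untainted
    ("store", "target", "zero"),                   # clean value: not this pattern
    ("store", "target", "value"),                  # flagged: *target = value
]
```

`analyze(SAMPLE, {"irp_system_buffer"})` reports only the final store; the write of a constant through the tainted pointer is a different pattern and is deliberately left out, as in the abstract's definition.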
