检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
作 者:黄克振 连一峰[1] 陈恺[1] 张颖君[1] 康恺[1,2]
机构地区:[1]中国科学院软件研究所,北京100190 [2]中国科学院研究生院,北京100049
出 处:《计算机科学》2014年第12期19-23,共5页Computer Science
基 金:国家自然科学基金项目(61100226);北京市自然科学基金项目(4122085);"十二五"国家科技支撑计划-IT产品信息安全认证关键技术研究(2012BAK26B01);国家高技术研究发展计划(863)(SQ2013GX02D01211;2013AA01A214)资助
摘 要:近几年,整数溢出漏洞数量居高不下,危害性较大。目前,漏洞分析定位的方法仅在补丁自动生成或漏洞触发样本文件自动生成中有所涉及,且这些方法大多利用缓冲区溢出会覆盖其邻接内存数据的特点来进行定位分析,而整数溢出漏洞不具有直接覆盖重要数据的特点,所以现有的方法不能对其进行有效的定位分析。现阶段对整数溢出漏洞的分析大多依靠人工完成,效率较低。为了提高分析人员的工作效率,提出了一种结合动态污点分析技术进行EFLAGS标志位信息比对的方法,来将溢出点锁定在少量的地址中。在此基础上实现了一套整数溢出漏洞溢出点定位系统,并对提出的方法进行了验证。In recent years,the number of integer overflow vulnerabilities is still high and they have great threat to security.However,in the previous study,methods of locating vulnerable code are only used when patches or vulnerabilities' proof of concept (POC) are automatically generated.Besides,when locating the vulnerable code,most of the previous methods tend to undermine buffer overflow that will cause its adjacent memory data to be overwritten.Integer overflow vulnerabilities,however,cannot directly overwrite important data,therefore,existing methods cannot locate integer overflow vulnerable code effectively.Currently,existing analysis of integer overflow vulnerabilities is inefficient and timeconsuming as they are mostly conducted manually by manpower.In the present study,consequently,a novel method was proposed to locate vulnerable code of integer overflow.With view to enhance the efficiency on the part of analysts,this method combines dynamic taint analysis and EFLAGS register comparison so that it will decrease the number of instructions which can be used to locate the overflow point.On the basis of that,a system was further implemented and several experiments were conducted to verify our proposed method.The results show that our method is effective and efficient.
分 类 号:TP393.08[自动化与计算机技术—计算机应用技术]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.222