函数级数据依赖图及其在静态脆弱性分析中的应用  被引量：3

作　　者：陈千 程凯 郑尧文[1,2] 朱红松 孙利民[1,2] CHEN Qian;CHENG Kai;ZHENG Yao-Wen;ZHU Hong-Song;SUN Li-Min(Beijing Key Laboratory of IOT Information Security Technology(Institute of Information Engineering,Chinese Academy of Sciences),Beijing 100093,China;School of Cyber Security,University of Chinese Academy of Science,Beijing 100049,China;Qihoo 360 Technology Co.Ltd.,Beijing 100015,China)

机构地区：[1]物联网信息安全技术北京市重点实验室(中国科学院信息工程研究所),北京100093 [2]中国科学院大学网络空间安全学院,北京100049 [3]北京奇虎科技有限公司,北京100015

出　　处：《软件学报》2020年第11期3421-3435,共15页Journal of Software

基　　金：国家自然科学基金(U1766215,U1636120);中国科学院信息工程研究所国际合作项目(Y7Z0451104);国家电网公司科学技术项目(52110417001B)。

摘　　要：数据流分析是二进制程序分析的重要手段,但传统数据依赖图(DDG)构建的时间与空间复杂度较高,限制了可分析代码的规模.提出了函数级数据依赖图(FDDG)的概念,并设计了函数级数据依赖图的构建方法.在考虑函数参数及参数间相互依赖关系的基础上,将函数作为整体分析,忽略函数内部的具体实现,显著缩小了数据依赖图规模,降低了数据依赖图生成的时空复杂度.实验结果表明,与开源工具angr中的DDG生成方法相比,FDDG的生成时间性能普遍提升了3个数量级.同时,将FDDG应用于嵌入式二进制固件脆弱性分析,实现了嵌入式固件脆弱性分析原型系统FFVA,在对D-Link、NETGEAR、EasyN、uniview等品牌的设备固件分析中,发现了24个漏洞,其中14个属于未知漏洞,进一步验证了FDDG在静态脆弱性分析中的有效性.Data flow analysis plays an important role in binary code analysis.Due to consuming too much time and space,constructing the traditional data dependence graph(DDG)limits the size of the analyzed code thoroughly.This study introduces a novel graph model,function-level data dependence graph(FDDG),and proposes a corresponding construction method.The key insights behind FDDG lie in the following two points.First,FDDG focuses on the relationships between function parameters;Second,FDDG treats a function as a whole and ignores the details inside the function.As a result,the size of the data dependence graph is reduced significantly.Also,the time and space are saved greatly.The experimental results show the time performance of the method is improved by about three orders of magnitude compared to the method in angr.As an instance,FDDG is employed to analyze the vulnerability of embedded firmwares,and a firmware vulnerability analysis prototype system called FFVA is implemented.The implemented FFVA system is used to analyze firmwares from real embedded devices,and find a total of 24 vulnerabilities in the devices from D-Link,NETGEAR,EasyN,uniview,and so on,among which 14 are unknown vulnerabilities,thus validating the effectiveness of function-level data dependence graph in static vulnerability analysis.

关 键 词：数据流分析 函数级数据依赖图 脆弱性分析 固件 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]