Authors: PAN Jia-Ye [1]; ZHUANG Yi [2]; SUN Bing-Lin (School of Modern Posts, Nanjing University of Posts and Telecommunications, Nanjing 210003, China; College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 210016, China)
Affiliations: [1] School of Modern Posts, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China; [2] College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 210016, Jiangsu, China
Source: Journal of Software (软件学报), 2022, No. 9, pp. 3249-3270 (22 pages)
Funding: National Natural Science Foundation of China (61572253); Jiangsu Postgraduate Research and Innovation Program (KYLX16_0384).
Abstract: Binary program analysis techniques are widely applied in software security testing, malware analysis and detection, and related fields. Dynamic analysis is an important analysis method that can accurately show the running state of programs. However, it is confronted with challenges such as excessive load on the running target program and difficulty in dissecting internal data structure information in detail. This study proposes a new data flow analysis method based on progressive expansion for binary programs. By taking full advantage of the ability of online data flow analysis, it focuses on fine-grained analysis of part of the program and expands the analysis range progressively to cover the entire program. The method uses a divide-and-conquer strategy that reduces the performance impact on the runtime of the target program and thereby allows delay-sensitive target code segments to execute successfully. On this basis, the study also presents a correlation analysis method for function parameters based on memory reference relationships. It captures data flow propagation at the function call level and aids in the recovery of the internal structure of parameters. Finally, the study reports experiments on a large number of real-world programs, which demonstrate the feasibility and effectiveness of the proposed method. The method does not introduce significant extra analysis overhead while reducing the performance impact on the target program, and can be applied to binary program analysis in practice.
Keywords: binary program; data flow analysis; taint tracking; malicious code; reverse analysis
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]