基于静态和动态混合分析的内存拷贝类函数识别  

作　　者：尹小康 蔡瑞杰 杨启超 刘胜利[1] YIN Xiao-Kang;CAI Rui-Jie;YANG Qi-Chao;LIU Sheng-Li(State Key Laboratory of Mathematical Engineering and Advanced Computing(Information Engineering University),Zhengzhou 450001,China)

机构地区：[1]数学工程与先进计算国家重点实验室(信息工程大学),河南郑州450001

出　　处：《软件学报》2024年第7期3291-3313,共23页Journal of Software

基　　金：科技委基础加强重点项目(2019-JCJQ-ZD-113)。

摘　　要：缓冲区溢出等内存错误漏洞的产生往往来自对内存拷贝类函数的不当使用.对二进制程序中的内存拷贝类函数进行识别有利于发现内存错误漏洞.目前针对二进制程序中内存拷贝类函数的识别方法主要借助静态分析来提取函数的特征、控制流、数据流等信息进行识别,具有较高的误报率和漏报率.为了提高对内存拷贝类函数识别的效果,提出一种基于静态和动态混合分析的技术CPSeeker.所提方法结合静态分析和动态分析各自的优势,分阶段对函数的全局静态信息和局部执行信息进行搜集,对提取到的信息进行融合分析,进而识别二进制程序中的内存拷贝类函数.实验结果表明,尽管CPSeeker在运行时间上有所增加,但在内存拷贝类函数识别的效果上,其F1值达到了0.96,远优于最新的工作BootStomp、SaTC、CPYFinder以及Gemini,并且不受编译环境(编译器版本、编译器种类、编译器优化等级)的影响.此外,CPSeeker在真实的固件测试中也有更好的表现.Memory error vulnerabilities(e.g.,buffer overflow)are often caused by improper use of memory copy functions.The identification of memory copy functions in binary programs is beneficial for finding memory error vulnerabilities.However,current methods for identifying memory copy functions in binary programs mainly rely on static analysis to extract functions’features,control flow,data flow,and other information,with a high false positive and false negative.This study proposes a technique,namely CPSeeker,based on hybrid static and dynamic analysis to improve the effectiveness of identifying memory copy functions.CPSeeker combines the advantages of static analysis and dynamic analysis,collects the global static information and local execution information of functions in stages,and fuses the extracted information to identify memory copy functions in binary programs.The experimental results show that CPSeeker outperforms the state-of-the-art BootStomp,SaTC,CPYFinder,and Gemini in identifying memory copy functions,despite its increased runtime consumption,and its F1 value reaches 0.96.Furthermore,CPSeeker is not affected by the compilation environment(compiler version,compiler type,and compiler optimization level).In addition,CPSeeker has a better performance in actual firmware tests.

关 键 词：静态分析 动态分析 仿真执行 内存拷贝类函数 函数识别 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]