基于局部路径图的自动化漏洞成因分析方法  

作　　者：余媛萍 苏璞睿[1,2] 贾相堃 黄桦烽 YU Yuan-Ping;SU Pu-Rui;JIA Xiang-Kun;HUANG Hua-Feng(Trusted Computing and Information Assurance Laboratory,Institute of Software,Chinese Academy of Sciences,Beijing 100190,China;School of Computer Science and Technology,University of Chinese Academy of Sciences,Beijing 100049,China)

机构地区：[1]中国科学院软件研究所可信计算与信息保障实验室,北京100190 [2]中国科学院大学计算机科学与技术学院,北京100049

出　　处：《软件学报》2024年第10期4555-4572,共18页Journal of Software

基　　金：国家自然科学基金(62232016,62102406,61902384);中国科学院战略性先导科技专项(XDC02020300);前沿科技创新专项(2019QY1403)。

摘　　要：快速的漏洞成因分析是漏洞修复中的关键一环,也一直是学术界和工业界关注的热点.现有基于大量测试样本执行记录进行统计特征分析的漏洞成因分析方法,存在随机性噪声、重要逻辑关联指令缺失等问题,其中根据测试集测量,现有统计方法中的随机性噪声占比达到了61%以上.针对上述问题,提出一种基于局部路径图的漏洞成因分析方法,其从执行路径中,提取函数间调用图和函数内控制流转移图等漏洞关联信息.并以此为基础筛除漏洞成因无关指令(即噪声指令),构建成因点逻辑关系并补充缺失的重要指令,实现一个面向二进制软件的自动化漏洞成因分析系统LGBRoot.系统在20个公开的CVE内存破坏漏洞数据集上进行验证.单个样本成因分析平均耗时12.4 s,实验数据表明,系统可以自动剔除56.2%噪声指令和补充并联结20个可视化漏洞成因相关点指令间的逻辑结构,加快分析人员的漏洞分析速度.Fast vulnerability root cause analysis is crucial for patching vulnerabilities and has always been a hotspot in academia and industry.The existing vulnerability root cause analysis methods based on the statistical feature analysis of a large number of test sample execution records have problems such as random noise and missing important logical correlation instructions.According to the test set measurement in this study,the proportion of random noise in the existing statistical methods reaches more than 61%.To solve the above problems,this study proposes a vulnerability root cause analysis method based on the local path graph,which extracts vulnerability-related information such as the inter-function call graph and intra-function control flow transfer graph from the execution paths.The local path graph is utilized for eliminating irrelevant instruction(i.e.,noise instructions)elimination,constructing the logic relations for vulnerability root cause relevant points,and adding missing critical instructions.An automated root cause analysis system for binary software,LGBRoot,has been implemented.The effectiveness of the system has been evaluated on a dataset of 20 public CVE memory corruption vulnerabilities.The average time for single-sample root cause analysis is 12.4 seconds.The experimental data show that the system can automatically eliminate 56.2%of noise instructions,and mend as well as visualize the 20 logical structures of vulnerability root cause relevant points,speeding up the vulnerability analysis of analysts.

关 键 词：漏洞分析 成因分析 函数间调用图 函数内控制流转移图 统计分析 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]