一种基于参数污点分析的软件行为模型

doi:10.7523/j.issn.2095-6134.2017.05.016

中国科学院大学学报 ›› 2017, Vol. 34 ›› Issue (5): 647-656.DOI: 10.7523/j.issn.2095-6134.2017.05.016

• 计算机科学 • 上一篇

一种基于参数污点分析的软件行为模型

尹芷仪¹, 沈嘉荟¹, 郭晓博¹, 查达仁^1,2

1 中国科学院信息工程研究所, 北京 100093;
2 信息安全国家重点实验室, 北京 100093

收稿日期:2016-07-03 修回日期:2016-11-14 发布日期:2017-09-15
通讯作者: 沈嘉荟,E-mail:shenjiahui@iie.ac.cn
基金资助:
院部合作基金（AQ1703，AQ1708）资助

A software behavior model based on dynamic taint analysis

YIN Zhiyi¹, SHEN Jiahui¹, GUO Xiaobo¹, ZHA Daren^1,2

1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
2 State Key Laboratory of Information Security, Beijing 100093, China

Received:2016-07-03 Revised:2016-11-14 Published:2017-09-15

摘要/Abstract

摘要： 基于细粒度二进制动态分析平台，提出通过系统调用参数的污点分析构建软件行为模型的方法。该方法主要在指令级别监控应用程序运行，跟踪系统调用参数的污点传播获取参数与参数、局部变量和外部数据之间的关联关系，进而抽取出参数的污点传播链。其次，基于参数污点传播链和系统调用序列构造能够同时反映控制流和数据流特性的软件动态行为模型。最后，分析和验证该模型具备检测隐秘的非控制流数据攻击的能力。

关键词: 系统调用参数, 非控制数据, 虚拟机, 动态污点分析, 入侵检测

Abstract: Based on the fine-grained binary dynamic analysis platform,we propose a taint analysis method to construct the software behavior model using the system call arguments.Firstly,the method obtains the associations between the arguments,between an argument and a local variable,and between an argument and a foreign data through monitoring the applications running and tracking the taint propagation of system call arguments at the instruction level,and then the taint propagation chains between arguments are generated.Secondly,a software behavior model,which covers control-flow and data-flow,is built according to these chains and system call sequence.Finally,the experimental and analytical results demonstrate that this model can be used to detect stealthy non-control attacks.

Key words: system call arguments, non-control data, virtual machine, dynamic taint analysis, intrusion detection

中图分类号:

TP309

尹芷仪, 沈嘉荟, 郭晓博, 查达仁. 一种基于参数污点分析的软件行为模型[J]. 中国科学院大学学报, 2017, 34(5): 647-656.

YIN Zhiyi, SHEN Jiahui, GUO Xiaobo, ZHA Daren. A software behavior model based on dynamic taint analysis[J]. , 2017, 34(5): 647-656.

参考文献

[1] Tandon G, Chan P K. On the learning of system call attributes for host-based anomaly detection[J]. International Journal on Artificial Intelligence Tools, 2006, 15(6):875-892.
[2] Kruegel C, Mutz D, Valeur F, et al. On the detection of anomalous system call arguments//Snekkenes E, Gollmann D. Computer Security-Esorics 2003, Proceedings.Berlin:Springer-Verlag Berlin, 2003:326-343.
[3] Oyama Y, Yonezawa A. Prevention of code-injection attacks by encrypting system call arguments. University of Tokyo, 2006. https://www.researchgate.net/profile/Akinori_Yonezawa2/publication/228576079_Prevention_of_code-injection_attacks_by_encrypting_system_call_arguments/links/53eaf9ee0cf2fb1b9b6ad0fd.pdf.
[4] Sufatrio, Yap R H C. Improving host-based IDS with argument abstraction to prevent mimicry attacks//Valdes A, Zamboni D. Recent Advances in Intrusion Detection.Berlin:Springer-Verlag Berlin, 2006:146-164.
[5] Demay J C, Totel E, Tronel F. SIDAN:a tool dedicated to software instrumentation for detecting attacks on non-control-data//Risks and Security of Internet and Systems (CRiSIS), 2009 Fourth International Conference on. IEEE, 2009:51-58.
[6] Bhatkar S, Chaturvedi A, Sekar R, et al. Dataflow anomaly detection//2006 IEEE Symposium on Security and Privacy, Proceedings.Los Alamitos:Ieee Computer Soc, 2006:48-62.
[7] Li P, Park H, Gao D, et al. Bridging the gap between data-flow and control-flow analysis for anomaly detection//24th Annual Computer Security Applications Conference, Proceedings.Los Alamitos:Ieee Computer Soc, 2008:392-401.
[8] Clause J, Li W, Orso A. Dytan:a generic dynamic taint analysis framework//Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 2007:196-206.
[9] Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software//Proceedings of NDSS' 05.San Diego, California, USA:2005.
[10] Chen K, Feng D, Su P, et al. Black-box testing based on colorful taint analysis[J]. Science China Information Sciences, 2012, 55(1):171-183.
[11] Ma J X, Zhang P H, Dong G W, et al. TWalker:an efficient taint analysis tool//201410th International Conference on Information Assurance and Security.New York:Ieee, 2014:18-22.
[12] Haller I, Slowinska A, Neugschwandtner M, et al. Dowsing for overflows:a guided fuzzer to find buffer boundary violations//22nd USENIX Security Symposium (USENIX Security 13). 2013:49-64.
[13] Kong J, Zou CC, Zhou H. Improving software security via runtime instruction-level taint checking//Proceedings of the 1st workshop on Architectural and system support for improving software dependability. ACM, 2006:18-24.
[14] Qin F, Wang C, Li Z, et al. LIFT:a low-overhead practical information flow tracking system for detecting security attacks//200639th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06). 2006:135-148.
[15] Halfond W G J, Orso A, Manolios P. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks//Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering.Portland, Oregon, USA:ACM, 2006:175-185.
[16] Kiezun A, Guo PJ, Jayaraman K, et al. Automatic creation of SQL injection and cross-site scripting attacks//200931st International Conference on Software Engineering, Proceedings.New York:Ieee, 2009:199-209.
[17] Vogt P, Nentwich F, Jovanovic N, et al. Cross site scripting prevention with dynamic data tainting and static analysis//NDSS. 2007:12.
[18] Yin H, Song D, Egele M, et al. Panorama:capturing system-wide information flow for malware detection and analysis//Proceedings of the 14th ACM conference on Computer and communications security.Alexandria, Virginia, USA:ACM, 2007:116-127.
[19] Song D, Brumley D, Yin H, et al. Information systems security:4th International Conference, ICISS 2008, Hyderabad, India, December 16-20, 2008 Proceedings[M]. Berlin, Heidelberg:Springer Berlin Heidelberg, 2008:1-25.
[20] Sekar R, Bendre M, Dhurjati D, et al. A fast automaton-based method for detecting anomalous program behaviors//2001 Ieee Symposium on Security and Privacy, Proceedings.Los Alamitos:Ieee Computer Soc, 2001:144-155.
[21] Chen S, Xu J, Sezer E C, et al. Non-control-data attacks are realistic threats//USENIX Association Proceedings of the 14th USENIX Security Symposium.Berkeley:Usenix Assoc, 2005:177-191.
[22] Hu H, Shinde S, Adrian S, et al. Data-oriented programming:on the expressiveness of non-control data attacks//2016 IEEE Symposium on Security and Privacy (SP).San Jose, USA:2016:969-986.
[23] Delamore B, Ko R K L. A global, empirical analysis of the shellshock vulnerability in web applications//Trustcom/BigDataSE/ISPA, 2015 IEEE. 2015:1129-1135.
[24] Zalewski M. SSH1 CRC-32 compensation attack detector vulnerability. (2001). http://www.securityfocus.com/advisories/3088.

一种基于参数污点分析的软件行为模型

A software behavior model based on dynamic taint analysis

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 4

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	赖训飞, 梁旭文, 谢卓辰, 李宗旺. 基于实体嵌入和长短时记忆网络的入侵检测方法[J]. 中国科学院大学学报, 2020, 37(4): 553-561.
[2]	王卫平; 朱卫未; 陈文惠; 梁樑. 基于网络的入侵检测系统数据包采样策略研究[J]. 中国科学院大学学报, 2006, 23(4): 534-542.
[3]	连一峰. 分布式入侵检测系统的协作交互研究[J]. 中国科学院大学学报, 2005, 22(2): 202-209.
[4]	连一峰, 戴英侠, 王航. 托管式安全监控系统[J]. 中国科学院大学学报, 2001, 18(2): 167-171.