
Journal of University of Chinese Academy of Sciences ›› 2017, Vol. 34 ›› Issue (5): 647-656. DOI: 10.7523/j.issn.2095-6134.2017.05.016

• Computer Science •

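A software behavior model based on argument taint analysis

YIN Zhiyi1, SHEN Jiahui1, GUO Xiaobo1, ZHA Daren1,2

  1. 1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093;
    2 State Key Laboratory of Information Security, Beijing 100093
  • Received: 2016-07-03 Revised: 2016-11-14 Published: 2017-09-15
  • Corresponding author: SHEN Jiahui, E-mail: shenjiahui@iie.ac.cn
  • Funding:
    Supported by the Academy-Ministry Cooperation Fund (AQ1703, AQ1708)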

A software behavior model based on dynamic taint analysis

YIN Zhiyi1, SHEN Jiahui1, GUO Xiaobo1, ZHA Daren1,2   

  1. 1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
    2 State Key Laboratory of Information Security, Beijing 100093, China
  • Received:2016-07-03 Revised:2016-11-14 Published:2017-09-15

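Abstract: Building on a fine-grained binary dynamic analysis platform, this paper proposes a method for constructing a software behavior model through taint analysis of system call arguments. The method monitors the running application at the instruction level and tracks the taint propagation of system call arguments to obtain the relationships between arguments and other arguments, local variables, and external data, and from these extracts the arguments' taint propagation chains. Next, based on the argument taint propagation chains and the system call sequence, it constructs a dynamic software behavior model that reflects both control-flow and data-flow characteristics. Finally, analysis and verification show that the model is able to detect stealthy non-control-flow data attacks.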

Keywords: system call arguments, non-control data, virtual machine, dynamic taint analysis, intrusion detection

Abstract: Based on a fine-grained binary dynamic analysis platform, we propose a taint analysis method that constructs a software behavior model from system call arguments. Firstly, by monitoring the running application and tracking the taint propagation of system call arguments at the instruction level, the method obtains the associations between arguments, between an argument and a local variable, and between an argument and external data, and then generates the taint propagation chains between arguments. Secondly, a software behavior model that covers both control flow and data flow is built from these chains and the system call sequence. Finally, the experimental and analytical results demonstrate that this model can be used to detect stealthy non-control-data attacks.

Key words: system call arguments, non-control data, virtual machine, dynamic taint analysis, intrusion detection

CLC number: