A software behavior model based on argument taint analysis
Details
  • English title: A software behavior model based on dynamic taint analysis
  • Authors: 尹芷仪 (YIN Zhiyi); 沈嘉荟 (SHEN Jiahui); 郭晓博 (GUO Xiaobo); 查达仁 (ZHA Daren)
  • Affiliations: Institute of Information Engineering, Chinese Academy of Sciences; State Key Laboratory of Information Security
  • Keywords: system call arguments; non-control data; virtual machine; dynamic taint analysis; intrusion detection
  • Journal: Journal of University of Chinese Academy of Sciences (中国科学院大学学报)
  • Journal code: ZKYB
  • CN: 10-1131/N
  • Publication date: 2017-09-15
  • Year: 2017
  • Volume: 34
  • Issue: 05
  • Pages: 122-131 (10 pages)
  • Article ID: ZKYB201705016
  • Funding: Academy-Ministry Cooperation Fund (AQ1703, AQ1708)
  • Language: Chinese
Abstract
Building on a fine-grained binary dynamic analysis platform, we propose a method that constructs a software behavior model from taint analysis of system call arguments. First, the method monitors the application at the instruction level and tracks the taint propagation of system call arguments, obtaining the associations between arguments, between an argument and a local variable, and between an argument and external data; from these associations it extracts the taint propagation chains between arguments. Second, a dynamic software behavior model that reflects both control-flow and data-flow properties is built from the argument taint propagation chains and the system call sequence. Finally, analysis and experiments show that the model can detect stealthy non-control-data attacks.
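The abstract gives the method only in outline. The following is an added illustration, not the paper's code or its analysis platform: a toy register machine whose trace mixes ordinary moves with system calls, a taint tracker that labels every value with where it came from (bytes returned by an input syscall, or "was argument i of an earlier syscall"), a model keyed on the (previous syscall, syscall) transition that records the argument provenance seen in benign runs, and a detector that reports control-flow anomalies (unseen transitions) separately from data-flow anomalies (an argument whose provenance was never observed). The register names, syscall set and the three traces are constructed for the example; the real system works on binaries at the instruction level and is not reproduced here.

```python
"""Toy instruction-level taint tracking of system call arguments (constructed example)."""
from collections import defaultdict

# Syscalls whose return register holds externally supplied data.
INPUT_SYSCALLS = {"recv", "read"}


def run_trace(trace):
    """Execute a trace, propagating provenance labels through registers.

    Returns [(syscall_name, [provenance of each argument]), ...]; a provenance
    is a frozenset of labels, empty when the value derives only from constants.
    """
    taint = defaultdict(set)  # register name -> set of provenance labels
    events = []
    for ins in trace:
        op = ins[0]
        if op == "const":            # ("const", dst): compile-time constant, untainted
            taint[ins[1]] = set()
        elif op == "mov":            # ("mov", dst, src): copy value and its taint
            taint[ins[1]] = set(taint[ins[2]])
        elif op == "add":            # ("add", dst, a, b): taint of the result is the union
            taint[ins[1]] = taint[ins[2]] | taint[ins[3]]
        elif op == "syscall":        # ("syscall", name, (arg registers), ret register or None)
            name, args, ret = ins[1], ins[2], ins[3]
            events.append((name, [frozenset(taint[r]) for r in args]))
            # Each argument value now also carries "argument i of name", so a later
            # syscall consuming the same value shows an argument-to-argument chain.
            for i, r in enumerate(args):
                taint[r].add(f"{name}.arg{i}")
            if ret is not None:
                taint[ret] = {f"{name}.ret"}
        else:
            raise ValueError(f"unknown op {op!r}")
    return events


def describe(prov):
    """Readable provenance; labels that stem from an input syscall are marked external."""
    if not prov:
        return "constant"
    return ",".join(
        f"{lab}(external)" if lab.split(".")[0] in INPUT_SYSCALLS and lab.endswith(".ret") else lab
        for lab in sorted(prov)
    )


def build_model(training_traces):
    """(prev syscall, syscall) -> argument index -> set of provenances seen in benign runs."""
    model = defaultdict(lambda: defaultdict(set))
    for trace in training_traces:
        prev = "<start>"
        for name, prov in run_trace(trace):
            allowed = model[(prev, name)]      # touch so zero-argument syscalls are recorded
            for i, p in enumerate(prov):
                allowed[i].add(p)
            prev = name
    return model


def detect(model, trace):
    """Return anomaly strings for a trace; empty list means the trace fits the model."""
    alerts = []
    prev = "<start>"
    for name, prov in run_trace(trace):
        key = (prev, name)
        if key not in model:
            alerts.append(f"control-flow: unseen transition {prev} -> {name}")
        else:
            for i, p in enumerate(prov):
                if p not in model[key][i]:
                    alerts.append(f"data-flow: {name} arg{i} = {describe(p)}, not seen after {prev}")
        prev = name
    return alerts


def syscall_sequence(trace):
    """Control-flow view only: what a sequence-based anomaly detector compares."""
    return [name for name, _ in run_trace(trace)]


# Constructed benign run of a toy file server: receive a request, open a
# compiled-in config path, read it, send the contents back on the socket.
BENIGN = [
    ("syscall", "recv", ("sock",), "req"),
    ("const", "fname"),
    ("syscall", "open", ("fname",), "fd"),
    ("syscall", "read", ("fd",), "buf"),
    ("syscall", "send", ("sock", "buf"), None),
]
# Constructed non-control-data attack: request parsing overwrites the filename
# pointer with attacker bytes. Same syscall sequence as BENIGN; data flow differs.
ATTACK = [
    ("syscall", "recv", ("sock",), "req"),
    ("const", "fname"),
    ("mov", "fname", "req"),
    ("syscall", "open", ("fname",), "fd"),
    ("syscall", "read", ("fd",), "buf"),
    ("syscall", "send", ("sock", "buf"), None),
]
# Constructed code-injection attack: the sequence itself changes.
INJECTION = BENIGN[:2] + [("syscall", "execve", ("req",), None)]

if __name__ == "__main__":
    model = build_model([BENIGN])
    print("sequences identical:", syscall_sequence(BENIGN) == syscall_sequence(ATTACK))
    for label, trace in ("benign", BENIGN), ("non-control-data", ATTACK), ("injection", INJECTION):
        print(label, detect(model, trace))
```

The point of the two attack traces is the contrast: the sequence-only view cannot separate ATTACK from BENIGN, because the non-control-data attack leaves the syscall order intact, while the argument provenance exposes that the path passed to open now derives from recv. The injection trace is caught by the transition check alone, which is the classic sequence model the paper builds on.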