基于控制流和数据流分析的内存拷贝类函数识别技术尹小康芦斌蔡瑞杰朱肖雅杨启超刘胜利(数学工程与先进计算国家重点实验室(信息工程大学)郑州450001)(yxksjtu@sjtu.edu.cn)MemoryCopyFunctionIdentificationTechniquewithControlFlowandDataFlowAnalysisYinXiaokang,LuBin,CaiRuijie,ZhuXiaoya,YangQichao,andLiuShengli(StateKeyLaboratoryofMathematicalEngineeringandAdvancedComputing(InformationEngineeringUniversity),Zhengzhou,450001)AbstractMemoryerrorvulnerabilityisstilloneofthemostwidelyusedandharmfulvulnerabilitiesincurrentcyber-attacks,whosetimelydiscoveryandrepairinbinaryprogramsbeargreatvalueinpreventingcyber-attacks.Memoryerrorvulnerabilitiesareoftenassociatedwiththemisuseofmemorycopyfunctions.However,thecurrentidentificationtechniquesofmemorycopyfunctionsmainlyrelyonthematchingofsymboltablesandcodefeaturepattern,whichhavehighfalsepositiveandfalsenegativeratesandpoorapplicability,andtherearestillmanyproblemstobesolved.Toaddresstheaboveproblems,weproposeamemorycopyfunctionidentificationtechnologyCPYFinder,basedonthecontrolflowofmemorycopyfunctions.CPYFinderliftsthebinarycodeintotheVEXIR(IntermediateRepresentation)codetoconstructandanalyzethedataflow,andidentifiesbinarycodeaccordingtothepatternofthememorycopyfunctiononthedataflow.Thismethodcanidentifythememorycopyfunctionsinstrippedbinaryexecutablesofvariousinstructionsetarchitectures(i.e.x86,ARM,MIPSandPowerPC)inashortruntime.ExperimentalresultsshowthatCPYFinderhasbetterperformanceinidentifyingmemorycopyfunctionsinClibrariesanduser-definedimplementations.Comparedwiththestate-of-the-artworksBootStompandSaTC,CPYFindergetsabetterbalancebetweenprecisionandrecall,andhasequaltimeconsumptioncomparedwithSaTCanditsruntimeonlyamountsto19%ofBootStomp.Inaddition,CPYFinderalsohasbetterperformanceinvulnerabilityfunctionidentification.Keywordsstaticanalysis;dataflowanalysis;intermediaterepresentation;memorycopyfunction;functionidentification摘要内存错误漏洞仍是当前网络攻击中造成危害最严重的漏洞之一.内存错误漏洞的产生往往与对内存拷贝类...
