摘要
不当内存操作一直是引发软件漏洞的主要原因之一。堆分配大小可控(CMA)是指当动态内存分配的关键参数可以被外界输入控制时,恶意用户可以通过精心构造输入数据导致非预期的内存分配。该文讨论了CMA可能引发的相关安全问题和CMA的检测方法。该CMA检测方法主要通过结合静态路径分析和路径导向符号执行技术的优势,系统地检测目标代码中的CMA问题。在经典的符号执行引擎KLEE的基础上,实现了CMA检测原型系统SCAD;通过对Linux系统常用的工具程序Coreutils进行测试,SCAD发现了10个CMA相关的问题,其中3个属于未公开漏洞。实验结果表明:SCAD的导向路径搜索算法与KLEE提供的8个路径搜索算法相比具有明显优势;针对内存分配相关的代码,SCAD的导向符号执行相比传统的符号执行引擎具有更高的代码覆盖率。
Improper memory operations are one of the main causes of software vulnerabilities.This study analyzes controlled memory allocation(CMA)errors which occur when key elements of the memory allocation method are affected by elaborately designed input data.This paper presents a CMA detection approach that uses static analyzes and optimized symbolic execution with a path-guided algorithm.These algorithms are combined with a state-of-the-art symbolic execution engine named KLEE in a CMA detection tool.The tool was tested on commonly used applications like Coreutils,where it found 10 CMA related bugs including 3previously unknown bugs.Tests show that the tool's path guided searcher reaches an assigned target faster and with more paths than the other path searchers provided by KLEE.The tool executes faster for memory allocation related code with better coverage than conventional symbolic execution engines.
出处
《清华大学学报(自然科学版)》
EI
CAS
CSCD
北大核心
2015年第5期572-578,共7页
Journal of Tsinghua University(Science and Technology)
基金
国家自然科学基金面上项目(61170050)
核高基重大专项(2012ZX01039-004)
关键词
漏洞分析
符号执行
内存分配
堆分配大小可控
vulnerability analysis
symbolic execution
memory allocation
size controlled heap allocation
