摘要
污点分析是一种常用的软件分析方法,在信息安全领域有较多的应用。现有的二进制程序动态污点分析大多采用指令级插桩的分析方法,通常会产生巨大的性能开销,使得程序执行效率大幅度降低,难以在复杂恶意样本和商业软件分析环境中有效应用。为了提升污点分析效率,降低指令级插桩分析带来的性能损耗,使污点分析更加广泛地应用在软件分析中,提出了基于函数摘要的二进制程序污点分析优化方法。所提方法使用函数污点传播规则代替指令污点传播规则,以减少数据流传播分析次数,有效提升污点分析效率。对于函数摘要,提出了函数摘要的定义;研究了不同函数结构的摘要生成算法。在函数内部,针对非循环结构,设计了路径敏感的分析方法;针对循环结构,设计了有限迭代的分析方法,将这两种分析方法相结合,解决混合结构函数的函数摘要生成。在函数摘要生成算法研究的基础上,进一步设计实现了由函数摘要生成模块、数据流记录模块、污点分析模块3个部分构成的通用污点分析框架FSTaint。对FSTaint的分析效率进行了评估,在分析真实APT恶意样本中,FSTaint的污点分析效率是libdft的7.75倍,分析效率较高;在准确性方面,FSTaint相对libdft在传播规则的准确性、完备性等方面也有所提高。
Taint analysis is a popular software analysis method,which has been widely used in the field of information security.Most of the existing binary program dynamic taint analysis frameworks use instruction-level instrumentation analysis methods,which usually generate huge performance overhead and reduce the program execution efficiency by several times or even dozens of times.This limits taint analysis technology’s wide usage in complex malicious samples and commercial software analysis.An optimization method of taint analysis based on function summary was proposed,to improve the efficiency of taint analysis,reduce the performance loss caused by instruction-level instrumentation analysis,and make taint analysis to be more widely used in software analysis.The taint analysis method based on function summary used function taint propagation rules instead of instruction taint propagation rules to reduce the number of data stream propagation analysis and effectively improve the efficiency of taint analysis.For function summary,the definition of function summary was proposed.And the summary generation algorithms of different function structures were studied.Inside the function,a path-sensitive analysis method was designed for acyclic structures.For cyclic structures,a finite iteration method was designed.Moreover,the two analysis methods were combined to solve the function summary generation of mixed structure functions.Based on this research,a general taint analysis framework called FSTaint was designed and implemented,consisting of a function summary generation module,a data flow recording module,and a taint analysis module.The efficiency of FSTaint was evaluated in the analysis of real APT malicious samples,where the taint analysis efficiency of FSTaint was found to be 7.75 times that of libdft,and the analysis efficiency was higher.In terms of accuracy,FSTaint has more accurate and complete propagation rules than libdft.
作者
杨盼
康绯
舒辉
黄宇垚
吕小少
YANG Pan;KANG Fei;SHU Hui;HUANG Yuyao;LYU Xiaoshao(State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China)
出处
《网络与信息安全学报》
2023年第2期115-131,共17页
Chinese Journal of Network and Information Security
基金
国家重点研发计划(2019QY1300)。
