摘要
文章提出一种污点回溯方法,该方法首先对网络应用程序进行动态调试,定位网络接口函数和网络输出缓冲区,确定单次最小执行轨迹区间;然后通过执行轨迹分析计算执行轨迹区间内的所有初始内存地址;接着对应用程序进行内存快照,缓存执行轨迹区间的入口状态,并在单次执行计算之后进行恢复;最后通过污染源定位算法获取编码前的内存数据地址。实验结果表明,该方法能有效定位编码前内存地址,适用于包括加密、压缩、校验等不同类型的编码协议。通过该方法一方面可以利用编码前的内存数据分析编码协议的语法信息,提高对编码协议的语法分析能力;另一方面,利用编码函数入口地址及编码前内存地址,生成能通过完整性检测的网络协议测试数据,提高对编码协议的漏洞挖掘能力。
This paper proposes a method of taint backtracking. Firstly, this method carries on the dynamic debugging to the network application procedure, locates network interface functions and network output buffers, determines the single minimum execution trajectory interval. Secondly, it performs all of the initial memory addresses in the track section by performing a path analysis calculation. And then the memory cache is applied to the application program, and the entrance state of the trajectory interval is buffered and restored after a single execution of the calculation. Finally, the address of the memory data before coding is obtained by the pollution source localization algorithm. Experimental results show that this method can effectively locate the pre-coding memory address, and it is suitable for different types of coding protocols, including encryption, compression and verification. On the one hand, this method can analyze the syntax information of the encoding protocol by using the memory data before encoding, and improve the syntax analysis ability of the encoding protocol. On the other hand, using the encoding function entry address and the pre-coding memory address, it can generate the network protocol test data that can be detected through integrity, and improve the capabilities of vulnerabilities discovery of the encoding protocol.
出处
《信息网络安全》
CSCD
2017年第1期68-76,共9页
Netinfo Security
基金
国家242信息安全计划[2005C48]
关键词
协议逆向
编码协议
污点回溯
protocol reverse
encoding protocol
taint backtracking