In recent years,Android applications have caused personal privacy leaks frequently.In order to analyze the malicious behavior,taint analysis technology can be used to track the API call chain,build a control-flow grap...In recent years,Android applications have caused personal privacy leaks frequently.In order to analyze the malicious behavior,taint analysis technology can be used to track the API call chain,build a control-flow graph of function,and determine whether there is a security risk.However,with the continuous escalation of offensive and defensive confrontation of source code,more and more applications use reinforcement technology to prevent security practitioners from performing reverse analysis,therefore it is impossible to analyze function-behavior from the source code.Thus,we design a framework of taint analysis that applied to the Android applications,which automatically unpacks the Android APKs,restores the real source code of the App,performs taint analysis,and generates a control-flow graph of function.Experimental tests showed that the system can cope with the current mainstream reinforcement technology and restore the real Dex file quickly.Simultaneously,compared with the number of nodes before packing,the generated control-flow graph had an explosive increase,which effectively assisted manual analysis of App with the privacy leakage behaviors.展开更多
Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart...Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.展开更多
Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart...Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.展开更多
Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests ...Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests and intrusion detection.Conventional protocol reverse engineering methods have been proposed which are considered time-consuming,tedious,and error-prone.Recently,automatical protocol reverse engineering methods have been proposed which are,however,neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations.In this paper,we present a framework called the industrial control system protocol reverse engineering framework(ICSPRF)that aims to extract ICS protocol fields with high accuracy.ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context,e.g.,basic block(BBL)group.As a result,by monitoring program execution,we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format.We evaluate our approach with six open-source ICS protocol implementations.The results show that ICSPRF can identify individual protocol fields with high accuracy(on average a 94.3%match ratio).ICSPRF also has a low coarse-grained and overly fine-grained match ratio.For the same metric,ICSPRF is more accurate than AutoFormat(88.5%for all evaluated protocols and 80.0%for binary-based protocols).展开更多
The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for softw...The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.展开更多
The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for softw...The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.展开更多
Static analysis is often impeded by malware obfuscation techniques,such as encryption and packing,whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information.Unfortu...Static analysis is often impeded by malware obfuscation techniques,such as encryption and packing,whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information.Unfortunately,malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly.While known evasive techniques can be explicitly dismantled,the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations,such as logic bombs that rely on uncertain conditions,let alone unsupported evasive techniques,which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations.In this paper,we present Antitoxin,a prototype for automatically exploring evasive malware.Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques.The probabilities of branch execution are derived from dynamic coverage,while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions.Subsequently,Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration.This is achieved through forced execution,which forcefully sets the outcomes of branches on selected paths.Additionally,Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques,thereby reducing exploration overhead.Furthermore,Antitoxin provides valuable insights into sensitive behaviors,facilitating deeper manual analysis.Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner.The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations,enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows.Additionally,taint analysis can accurately identify branches related to logic bombs,facilitating preferential exploration.展开更多
Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and sign...Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.展开更多
Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and sign...Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.展开更多
基金supported by Beijing Natural Science Foundation(No.4214061)。
文摘In recent years,Android applications have caused personal privacy leaks frequently.In order to analyze the malicious behavior,taint analysis technology can be used to track the API call chain,build a control-flow graph of function,and determine whether there is a security risk.However,with the continuous escalation of offensive and defensive confrontation of source code,more and more applications use reinforcement technology to prevent security practitioners from performing reverse analysis,therefore it is impossible to analyze function-behavior from the source code.Thus,we design a framework of taint analysis that applied to the Android applications,which automatically unpacks the Android APKs,restores the real source code of the App,performs taint analysis,and generates a control-flow graph of function.Experimental tests showed that the system can cope with the current mainstream reinforcement technology and restore the real Dex file quickly.Simultaneously,compared with the number of nodes before packing,the generated control-flow graph had an explosive increase,which effectively assisted manual analysis of App with the privacy leakage behaviors.
基金This work is supported by the National Key R&D Program of China(2017YFB0802703)Major Scientific and Technological Special Project of Guizhou Province(20183001)+2 种基金Open Foundation of Guizhou Provincial Key VOLUME XX,2019 Laboratory of Public Big Data(2018BDKFJJ014)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ019)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ022).
文摘Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.
基金supported by Major Scientific and Technological Special Project of Guizhou Province(20183001)Exploration and Practice on the Education Mode for Engineering Students Based on Technology,Literature and art Inter-disciplinary Integration with the Internet+Background(022150118004/001)+2 种基金Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ014)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ019)Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data(2018BDKFJJ022).
文摘Smart contract has greatly improved the services and capabilities of blockchain,but it has become the weakest link of blockchain security because of its code nature.Therefore,efficient vulnerability detection of smart contract is the key to ensure the security of blockchain system.Oriented to Ethereum smart contract,the study solves the problems of redundant input and low coverage in the smart contract fuzz.In this paper,a taint analysis method based on EVM is proposed to reduce the invalid input,a dangerous operation database is designed to identify the dangerous input,and genetic algorithm is used to optimize the code coverage of the input,which construct the fuzzing framework for smart contract together.Finally,by comparing Oyente and ContractFuzzer,the performance and efficiency of the framework are proved.
基金supported by the National Natural Science Foundation of China(No.61833015)。
文摘Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests and intrusion detection.Conventional protocol reverse engineering methods have been proposed which are considered time-consuming,tedious,and error-prone.Recently,automatical protocol reverse engineering methods have been proposed which are,however,neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations.In this paper,we present a framework called the industrial control system protocol reverse engineering framework(ICSPRF)that aims to extract ICS protocol fields with high accuracy.ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context,e.g.,basic block(BBL)group.As a result,by monitoring program execution,we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format.We evaluate our approach with six open-source ICS protocol implementations.The results show that ICSPRF can identify individual protocol fields with high accuracy(on average a 94.3%match ratio).ICSPRF also has a low coarse-grained and overly fine-grained match ratio.For the same metric,ICSPRF is more accurate than AutoFormat(88.5%for all evaluated protocols and 80.0%for binary-based protocols).
基金This research was supported in part by the National Natural Science Foundation of China(Grant No.61802394,U1836209)Foundation of Science and Technology on Information Assurance Laboratory(No.KJ-17-110)+1 种基金National Key Research and Development Program of China(2016QY071405)Strategic Priority Research Program of the CAS(XDC02040100,XDC02030200,XDC02020200).
文摘The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
基金supported in part by the National Natural Science Foundation of China(Grant No.61802394,U1836209)Foundation of Science and Technology on Information Assurance Laboratory(No.KJ-17-110)+1 种基金National Key Research and Development Program of China(2016QY071405)Strategic Priority Research Program of the CAS(XDC02040100,XDC02030200,XDC02020200).
文摘The Integer-Overflow-to-Buffer-Overflow(IO2BO)vulnerability has been widely exploited by attackers to cause severe damages to computer systems.Automatically identifying this kind of vulnerability is critical for software security.Despite many works have been done to mitigate integer overflow,existing tools either report large number of false positives or introduce unacceptable time consumption.To address this problem,in this article we present a static analysis framework.It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities.Then it uses a light-weight method to further filter out false positives.Specifically,it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered,and feeds the constraints to SMT solver to decide their satisfiability.We have implemented a prototype system ELAID based on LLVM,and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world.The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
基金supported in part by the National Natural Science Foundation of China(Grant No.62272181)
文摘Static analysis is often impeded by malware obfuscation techniques,such as encryption and packing,whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information.Unfortunately,malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly.While known evasive techniques can be explicitly dismantled,the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations,such as logic bombs that rely on uncertain conditions,let alone unsupported evasive techniques,which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations.In this paper,we present Antitoxin,a prototype for automatically exploring evasive malware.Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques.The probabilities of branch execution are derived from dynamic coverage,while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions.Subsequently,Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration.This is achieved through forced execution,which forcefully sets the outcomes of branches on selected paths.Additionally,Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques,thereby reducing exploration overhead.Furthermore,Antitoxin provides valuable insights into sensitive behaviors,facilitating deeper manual analysis.Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner.The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations,enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows.Additionally,taint analysis can accurately identify branches related to logic bombs,facilitating preferential exploration.
基金This work is supported by the Key Laboratory of Network Assessment Technology,Chinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology,as well as Beijing Municipal Science and Technology Project(No.Z181100002718002)National Natural Science Foundation of China(No.61572481 and 61602470,61772308,61472209,61502536,and U1736209)and Young Elite Scientists Sponsorship Program by CAST(No.2016QNRC001).
文摘Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
基金supported by the Key Laboratory of Network Assessment TechnologyChinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology+2 种基金Beijing Municipal Science and Technology Project(No.Z181100002718002)National Natural Science Foundation of China(No.61572481 and 61602470,61772308,61472209,61502536,and U1736209)Young Elite Scientists Sponsorship Program by CAST(No.2016QNRC001).
文摘Exploitability assessment of vulnerabilities is important for both defenders and attackers.The ultimate way to assess the exploitability is crafting a working exploit.However,it usually takes tremendous hours and significant manual efforts.To address this issue,automated techniques can be adopted.Existing solutions usually explore in depth the crashing paths,i.e.,paths taken by proof-of-concept(PoC)inputs triggering vulnerabilities,and assess exploitability by finding exploitable states along the paths.However,exploitable states do not always exist in crashing paths.Moreover,existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.In this paper,we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit.Technically,we utilize oriented fuzzing to explore diverging paths from vulnerability point.For userspace programs,we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit.For kernel UAF,we leverage a lightweight symbolic execution to identify,analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.We have developed a prototype system and evaluated it on a set of 19 CTF(capture the flag)programs and 15 realworld Linux kernel UAF vulnerabilities.Experiment results showed it could generate exploit for most of the userspace test set,and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
