
3434                                Journal of Software  软件学报 Vol.31, No.11, November 2020

Given the two points above, static vulnerability analysis based on the DDG is very inefficient, so no experimental results for DDG-based vulnerability discovery are provided.
In summary, when the FFVA system is used for static vulnerability analysis of firmware, its results do contain false positives, but its time overhead is low; at the same time it is able to find security defects or vulnerabilities present in the program, which demonstrates the effectiveness of the function-level data dependence graph in static vulnerability analysis.

6    Conclusion and Future Work

This paper proposes the concept of the function-level data dependence graph (FDDG) and designs a method for constructing it. Compared with the instruction-level data dependence graph, the FDDG is coarser-grained and has clearer data flow, while still carrying rich variable and semantic information. Building on the angr framework, a prototype system for static vulnerability analysis of firmware, FFVA, is then implemented on top of the FDDG. The experimental results show that the FDDG can be applied efficiently to static vulnerability analysis of programs, and that 24 vulnerabilities were found in devices from D-Link, NETGEAR, EasyN, uniview and other brands, 14 of which were previously unknown. This paper verifies the effectiveness of the FDDG in static analysis; however, the question of whether the FDDG may make vulnerability analysis incomplete because it discards information has only been examined qualitatively, and future work will attempt to settle it through model-based argument.
