CN114417343B - Method for detecting kernel information leakage loopholes of operating system under binary files - Google Patents
- Publication number
- CN114417343B (application CN202011174860A)
- Authority
- CN
- China
- Prior art keywords
- code
- information
- function
- pointer
- unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The method for detecting operating system kernel information leakage vulnerabilities in a binary file first pre-analyses the binary code under analysis to obtain how that code uses pointers; it then symbolically executes the binary code to obtain symbolic execution expressions and makes a preliminary vulnerability judgement; finally, for each code pattern that the preliminary judgement flags as risky, it examines the sensitive information involved to decide whether the pattern is a genuine kernel information leakage vulnerability. The method uses public symbol information to cut the binary code into functions, uses code slicing to analyse the properties of each function's parameters, and uses symbolic execution to analyse kernel privacy leakage, so that information leakage problems contained in the operating system kernel are found effectively and the security of the operating system is protected.
Description
Technical Field
The invention relates to a technology in the field of information security, in particular to a method for detecting information leakage vulnerabilities in an operating system kernel from a binary file.
Background
Operating system kernel information leakage vulnerabilities are hard-to-spot security vulnerabilities. They are analysed mainly either from source code or by whole-system emulation, and both approaches are limited: source-code analysis requires the analyst to have the source code, which a third-party (authorised) analyst often does not, and whole-system emulation cannot cover all of the logic of the target program, so the analysis is hard to complete.
These limitations are addressed by binary symbolic execution, which needs no source code and can cover the whole logic of the target program. Existing binary symbolic execution methods, however, do not analyse operating system kernel information leakage vulnerabilities well, for three reasons. First, they do not identify pointer properties, whereas kernel information leaks typically occur through a special kind of pointer, the user-mode pointer. Second, symbolic execution suffers from the well-known path explosion problem, and the path combinations in a kernel binary are more complex still, so a good way of handling path explosion is needed. Third, code patterns can be obtained during symbolic execution, but the pattern corresponding to a kernel information leak resembles some benign patterns, so further discrimination on top of the symbolic execution result is needed.
Disclosure of Invention
To overcome shortcomings such as the poor operability of existing source-code-based vulnerability analysis schemes, the invention provides a method for detecting operating system kernel information leakage vulnerabilities in a binary file. It uses public symbol information to cut the binary code into functions, uses code slicing to analyse the properties of the functions' parameters, and performs kernel privacy leakage analysis by symbolic execution, thereby effectively finding information leakage problems in the operating system kernel and protecting the security of the operating system.
The invention is realized by the following technical scheme:
The invention relates to a method for detecting operating system kernel information leakage vulnerabilities in a binary file, characterised in that the binary code under analysis is pre-analysed to obtain its pointer usage information; the binary code is then symbolically executed to obtain symbolic execution expressions and a preliminary vulnerability judgement is made; and finally, for each code pattern the preliminary judgement flags as risky, its sensitive information is examined further to decide whether it is a genuine kernel information leakage vulnerability.
The pre-analysis is performed automatically by code slicing.
The pointer usage information includes: the functions involved in the code and their corresponding user-mode pointers, how the code uses those pointers (found by code slicing), and the access patterns of all pointers.
Symbolic execution here means: guided by the pointer usage information, executing only those paths of the function's control flow graph that correspond to a sequence from the entry point to a node containing a memory access, and obtaining the symbolic execution expressions from the execution result.
A symbolic execution expression consists of pointer variables, uninitialised-value variables, instruction constants, and the Boolean operators that link the assignment operations.
The preliminary vulnerability judgement is: checking the satisfiability of the propositional formula formed from the symbolic execution expression and, when the proposition is satisfiable but its value is not uniquely determined (ambiguous), judging that the code pattern of the current path is potentially vulnerable.
Deciding whether a genuine kernel information leakage vulnerability exists means: statically analysing the pointer properties of the data involved in the risky code, looking up how that data is used in the code, judging whether it is a pointer or a constant, and thus whether the risky code pattern really corresponds to a kernel information leakage vulnerability. Specifically, when the value field that makes the proposition ambiguous contains a pointer variable, the risky code pattern is confirmed to be a vulnerability.
The invention also relates to a system implementing the method, comprising a pre-analysis module, a symbolic execution module and a threat determination module. The pre-analysis module uses the public symbol information, the information contained in the binary file format and the binary code itself to cut the binary into functions, slice the code and output the parameter properties of each function; the resulting function information is passed to the symbolic execution module. The symbolic execution module performs symbolic execution to obtain expression results and passes them to the threat determination module, which solves the expressions and produces the operating system kernel leakage detection result.
Technical effects
The invention as a whole solves the problem that the prior art cannot automatically and statically analyse operating system kernel information leakage.
Compared with the prior art, the method can identify the sensitive paths related to operating system kernel information leakage vulnerabilities, judge from the binary code the properties of the functions through which the kernel exchanges information, and judge the pointer properties related to kernel information leakage.
Drawings
FIG. 1 is a schematic diagram of a pre-analysis module of the present invention;
FIG. 2 is a schematic diagram of a symbol execution module according to the present invention;
FIG. 3 is a schematic diagram of a threat determination module of the invention.
Detailed Description
This embodiment relates to an automatic detection system for operating system kernel information leakage vulnerabilities based on binary symbolic execution, comprising a pre-analysis module, a symbolic execution module and a threat determination module.
The pre-analysis module comprises a binary file parsing unit, a user-pointer-related function identification unit, a pointer access analysis unit and a function property collation unit. The binary file parsing unit passes the start and end addresses of each function to the user-pointer-related function identification unit; that unit passes the information on the functions that use user pointers to the pointer access analysis unit; the pointer access analysis unit passes the pointer properties and access patterns used by each function to the function property collation unit; and the function property collation unit outputs a function property database.
The symbolic execution module comprises a symbolic execution engine unit and a code pattern processing unit. The engine unit obtains function property information from the function property database, uses it during execution to generate path transfer expressions, concatenates the instruction-level symbolic execution result expressions into code patterns and passes them to the code pattern processing unit; the code pattern processing unit takes the code pattern information, screens out the problematic code patterns and outputs a dangerous function code pattern database.
The threat determination module comprises a data identification unit, a code slicing unit, a data property judgement unit and a vulnerability confirmation unit. The data identification unit takes dangerous function code patterns from the dangerous function code pattern database and passes the data locations in each pattern to the code slicing unit; the code slicing unit slices the code around those locations and outputs data access information; the data property judgement unit judges the property of the data from the access information and passes it to the vulnerability confirmation unit; the vulnerability confirmation unit judges from the data property and the code pattern whether the pattern corresponds to vulnerable code.
This embodiment also relates to the vulnerability detection method of the system, which pre-analyses the binary code under analysis to obtain its pointer usage information; then symbolically executes the binary code to obtain symbolic execution expressions and makes a preliminary vulnerability judgement; and finally, for each code pattern the preliminary judgement flags as risky, examines its sensitive information further to decide whether it is a genuine kernel information leakage vulnerability.
As shown in FIG. 1, the pre-analysis comprises the following steps:
Step 101, parse the binary file and identify the function information in it;
Step 102, from the function information, select the functions that access a user pointer;
Step 103, analyse and slice the pointer accesses of the selected functions and, combining the relationship between privilege-related pointers and user pointers, obtain information on how the user pointers are used;
Step 104, from the slicing result, generate the symbolic execution expressions for the data related to the user pointers, i.e. the binary code pointer usage information.
As shown in FIG. 2, the symbolic execution comprises the following steps:
Step 201, start symbolic execution on the input binary file; each symbolic execution run starts from a function, with an initial state that is entirely empty;
Step 202, when a control flow transfer related to a user pointer occurs during symbolic execution, discard the transfer and directly use the symbolic execution expression obtained by the pre-analysis;
Step 203, generate expressions for all operations performed during symbolic execution and concatenate all of the resulting expressions into a code pattern;
Step 204, solve and simplify the code pattern, and decide from the simplified result whether the pattern is dangerous.
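The path selection that step 202 above and the definition of symbolic execution in the Disclosure (and claim 2) describe, as an added example written for this page rather than code from the patent or from any tool: a constructed control flow graph is enumerated two ways, naively from entry to exit, and the patent's way, which keeps only the sequences from the entry to nodes that access memory and does not fork on a branch whose condition depends on the user pointer. Treating the first edge of such a branch as the one that is followed, with the pre-analysis expression standing in for the discarded transfer, is my reading of step 202; the node names, edge labels and graph shape are invented for the illustration.

```python
from collections import namedtuple

# Edge of the control flow graph; `cond` says what the branch condition depends
# on: "none" (unconditional), "data" (ordinary kernel data) or "userptr".
Edge = namedtuple("Edge", "dst cond")


def all_paths(cfg, entry, exit_):
    """Naive enumeration of every simple path from entry to exit: the set a
    plain symbolic executor forks into, which grows exponentially."""
    out = []

    def dfs(n, path):
        if n == exit_:
            out.append(path)
            return
        for e in cfg[n]:
            if e.dst not in path:
                dfs(e.dst, path + [e.dst])

    dfs(entry, [entry])
    return out


def selected_paths(cfg, entry, mem_nodes):
    """Step 202 / claim 2 selection: a path is recorded for each memory-access
    node it reaches, and a branch whose condition depends on the user pointer
    is not forked: only its first edge is followed (assumed reading)."""
    out = []

    def dfs(n, path):
        if n in mem_nodes:
            out.append(path)              # entry -> memory-access node sequence
        edges = cfg[n]
        if any(e.cond == "userptr" for e in edges):
            edges = edges[:1]             # discard the user-pointer transfer
        for e in edges:
            if e.dst not in path:
                dfs(e.dst, path + [e.dst])

    dfs(entry, [entry])
    return out


# Constructed CFG, not from any real driver: four diamonds in a row; the second
# branches on the user pointer; n6 and n10 store through the user pointer.
CFG = {
    "n0": [Edge("n1", "data"), Edge("n2", "data")],
    "n1": [Edge("n3", "none")], "n2": [Edge("n3", "none")],
    "n3": [Edge("n4", "userptr"), Edge("n5", "userptr")],
    "n4": [Edge("n6", "none")], "n5": [Edge("n6", "none")],
    "n6": [Edge("n7", "data"), Edge("n8", "data")],          # n6: *user_ptr = ...
    "n7": [Edge("n9", "none")], "n8": [Edge("n9", "none")],
    "n9": [Edge("n10", "data"), Edge("n11", "data")],
    "n10": [Edge("exit", "none")], "n11": [Edge("exit", "none")],  # n10: *user_ptr = ...
    "exit": [],
}
MEM_NODES = {"n6", "n10"}


def path_counts(cfg=CFG, entry="n0", exit_="exit", mem_nodes=MEM_NODES):
    """(paths a naive executor explores, paths the selection keeps)."""
    return len(all_paths(cfg, entry, exit_)), len(selected_paths(cfg, entry, mem_nodes))


if __name__ == "__main__":
    naive, kept = path_counts()
    print(f"naive: {naive} paths, selected: {kept} paths")
    for p in selected_paths(CFG, "n0", MEM_NODES):
        print(" -> ".join(p))
```

With four diamonds the naive enumeration forks into 16 paths; the selection keeps 6 sequences, none of which passes through n5, the side of the user-pointer branch that is discarded, and the branch into n11 after the last memory access is never explored at all. Every further data-dependent diamond placed before a memory access doubles the naive count but only the kept sequences that actually reach that access.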
As shown in FIG. 3, the sensitive-information judgement comprises the following steps:
Step 301: split the code pattern into source data and general data, and identify the data related to user-mode pointers.
Step 302: slice the code based on the data obtained, and find out how the neighbouring code accesses that data.
Step 303: judge from the access pattern whether the data is a pointer or other sensitive information.
Step 304: when the effective range of the sensitive information lies within the code pattern and takes part in a write through the user-mode pointer, judge that the vulnerability holds, giving the operating system kernel leakage vulnerability detection result.
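The three stages above (steps 101 to 104, 201 to 204 and 301 to 304, which claim 1 restates, and the definitions of the expression, the preliminary judgement and the final confirmation in the Disclosure), as one added end-to-end example on a toy three-address IR. This is example code written for this page, not the patent's implementation or any real tool: the IR, the register names, the use of a ProbeForWrite-style call as the marker for a user-mode pointer, and the two sample functions are all constructed. It shows the distinction the patent draws: a write through the user pointer whose value is not uniquely determined is only a potential vulnerability; it is confirmed when the free part of the value is an unwritten stack slot or a register that neighbouring code dereferences (a kernel pointer), while a benign function of the same shape is not flagged.

```python
from collections import namedtuple

# Toy three-address IR (op, operands...): registers are str, immediates int.
#   ("probe_w", r)             r is a user-mode pointer (ProbeForWrite-style marker, assumed)
#   ("const", dst, imm)        ("add", dst, a, b)
#   ("load", dst, base, off)   dst = *(base + off)
#   ("store", base, off, src)  *(base + off) = src   (memory keyed by (base, off): no aliasing)
STACK = "rsp"                         # unwritten stack slots hold uninitialised data
Sym = namedtuple("Sym", "name base")  # free variable: a value loaded through `base`
Add = namedtuple("Add", "a b")

def simplify(e):
    """Step 204: constant-fold; what still contains free symbols is 'ambiguous'."""
    if isinstance(e, Add):
        a, b = simplify(e.a), simplify(e.b)
        return a + b if isinstance(a, int) and isinstance(b, int) else Add(a, b)
    return e

def free_syms(e):
    if isinstance(e, Sym):
        return {e}
    return free_syms(e.a) | free_syms(e.b) if isinstance(e, Add) else set()

# Stage 1, pre-analysis (steps 102, 103): registers that carry a user pointer,
# and the backward slice of definitions reaching the value stored by code[idx].
def user_pointers(code):
    ups = set()
    for ins in code:
        if ins[0] == "probe_w" or (ins[0] == "add" and {ins[2], ins[3]} & ups):
            ups.add(ins[1])
    return ups

def backward_slice(code, idx):
    wanted, sl = {code[idx][3]}, []
    for i in range(idx - 1, -1, -1):
        ins = code[i]
        if ins[0] in ("const", "add", "load") and ins[1] in wanted:
            sl.append(i)
            wanted.discard(ins[1])
            wanted.update(o for o in ins[2:] if isinstance(o, str))
    return sorted(sl)

# Stage 2, symbolic execution of one straight-line path (steps 201 to 203).
def sym_exec(code, ups):
    """[(store index, symbolic value)] for stores through user pointers, plus
    which registers ever held each free symbol (stage 3 needs that)."""
    env, mem, writes, holders = {}, {}, [], {}
    for i, ins in enumerate(code):
        op = ins[0]
        if op == "const":
            env[ins[1]] = ins[2]
        elif op == "add":
            env[ins[1]] = simplify(Add(env[ins[2]], env[ins[3]]))
        elif op == "load":
            key = (ins[2], ins[3])
            if key not in mem:                        # never written: fresh symbol
                mem[key] = Sym(f"{ins[2]}+{ins[3]:#x}", ins[2])
            env[ins[1]] = mem[key]
            if isinstance(mem[key], Sym):
                holders.setdefault(mem[key], set()).add(ins[1])
        elif op == "store":
            mem[(ins[1], ins[2])] = env[ins[3]]
            if ins[1] in ups:
                writes.append((i, env[ins[3]]))
    return writes, holders

# Stage 3, sensitive-information judgement (steps 302 to 304).
def classify(sym, code, holders):
    """Uninitialised if loaded from an unwritten stack slot; a pointer if the
    neighbouring code dereferences a register that held it; otherwise plain."""
    if sym.base == STACK:
        return "uninitialised stack"
    deref = ({ins[2] for ins in code if ins[0] == "load"}
             | {ins[1] for ins in code if ins[0] == "store"})
    return "kernel pointer" if holders.get(sym, set()) & deref else "plain data"

def detect(code):
    """Whole pipeline: [(store index, {symbol: class}, slice)] per confirmed leak."""
    writes, holders = sym_exec(code, user_pointers(code))
    findings = []
    for idx, val in writes:
        kinds = {s.name: classify(s, code, holders) for s in free_syms(simplify(val))}
        bad = {n: k for n, k in kinds.items() if k != "plain data"}
        if bad:                    # a constant, or plain kernel data only: benign
            findings.append((idx, bad, backward_slice(code, idx)))
    return findings

# Constructed samples, not real driver code.
LEAKY = [
    ("probe_w", "ubuf"),
    ("load", "r1", "obj", 0x0), ("store", "ubuf", 0x0, "r1"),   # obj->id: plain data
    ("load", "r2", STACK, 0x18), ("store", "ubuf", 0x4, "r2"),  # unwritten stack slot
    ("load", "r3", "obj", 0x8), ("load", "r4", "r3", 0x0),      # r3 is dereferenced ...
    ("store", "ubuf", 0x8, "r3"),                               # ... and written out
]
BENIGN = [                                                      # same shape, slot zeroed
    ("probe_w", "ubuf"), ("const", "z", 0), ("store", STACK, 0x18, "z"),
    ("load", "r1", "obj", 0x0), ("store", "ubuf", 0x0, "r1"),
    ("load", "r2", STACK, 0x18), ("store", "ubuf", 0x4, "r2"),
    ("const", "a", 3), ("const", "b", 4), ("add", "c", "a", "b"),
    ("store", "ubuf", 0x8, "c"),                                # folds to 7
]
```

`detect(LEAKY)` reports the store at index 4 (an uninitialised stack slot reaches user memory) and the store at index 7 (a kernel pointer does), each with the slice of instructions that produced the value; the store of `obj->id` at index 2 is ambiguous but plain data, so it is not reported. `detect(BENIGN)` is empty: the zeroed slot and the folded sum are constants, and the only free symbol is plain data. The "access mode" test in `classify` is the toy's version of step 303; a real analysis would also consult the function property database built in stage 1.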
In a concrete experiment on an ordinary computer with a 7700HQ CPU and 16 GB of RAM, taking the May 2020 win32kfull.sys and ntoskrnl.exe files as input, the following experimental data were obtained: a database containing function property information was produced, and the functions win32k!fnHkINLPDEBUGHOOKSTRUCT and ntoskrnl!MmQueryVirtualMemory were reported as leaking functions.
Compared with the prior art, the method can analyse the code of kernel information leakage vulnerabilities statically, and can automatically and successfully analyse vulnerabilities that the existing automatic schemes cannot.
The foregoing embodiments may be modified in many details by those skilled in the art without departing from the principles and spirit of the invention; the scope of the invention is defined by the claims rather than by the foregoing embodiments, and all such implementations fall within that scope.
Claims (8)
1. A method for detecting operating system kernel information leakage vulnerabilities in a binary file, characterised in that the binary code under analysis is pre-analysed to obtain its pointer usage information; the binary code is then symbolically executed to obtain symbolic execution expressions and a preliminary vulnerability judgement is made; and finally, for each code pattern the preliminary judgement flags as risky, its sensitive information is examined further to decide whether it is a genuine kernel information leakage vulnerability;
the pre-analysis is performed automatically by code slicing;
the pointer usage information includes: the functions involved in the code and their corresponding user-mode pointers, how the code uses those pointers (found by code slicing), and the access patterns of all pointers;
the symbolic execution expressions consist of pointer variables, uninitialised-value variables, instruction constants, and the Boolean operators that link the assignment operations;
the pre-analysis comprises the following steps:
step 101, parse the binary file and identify the function information in it;
step 102, from the function information, select the functions that access a user pointer;
step 103, analyse and slice the pointer accesses of the selected functions and, combining the relationship between privilege-related pointers and user pointers, obtain information on how the user pointers are used;
step 104, from the slicing result, generate the symbolic execution expressions for the data related to the user pointers, i.e. the binary code pointer usage information;
the symbolic execution comprises the following steps:
step 201, start symbolic execution on the input binary file; each symbolic execution run starts from a function, with an initial state that is entirely empty;
step 202, when a control flow transfer related to a user pointer occurs during symbolic execution, discard the transfer and directly use the symbolic execution expression obtained by the pre-analysis;
step 203, generate expressions for all operations performed during symbolic execution and concatenate all of the resulting expressions into a code pattern;
step 204, solve and simplify the code pattern, and decide from the simplified result whether the pattern is dangerous;
the sensitive-information judgement comprises the following steps:
step 301: split the code pattern into source data and general data, and identify the data related to user-mode pointers;
step 302: slice the code based on the data obtained, and find out how the neighbouring code accesses that data;
step 303: judge from the access pattern whether the data is a pointer or other sensitive information;
step 304: when the effective range of the sensitive information lies within the code pattern and takes part in a write through the user-mode pointer, judge that the vulnerability holds, giving the operating system kernel leakage vulnerability detection result.
2. The method for detecting operating system kernel information leakage vulnerabilities in a binary file according to claim 1, characterised in that the symbolic execution means: guided by the pointer usage information, executing only those paths of the function's control flow graph that correspond to a sequence from the entry point to a node containing a memory access, and obtaining the symbolic execution expressions from the execution result.
3. The method for detecting operating system kernel information leakage vulnerabilities in a binary file according to claim 1, characterised in that the preliminary vulnerability judgement is: checking the satisfiability of the propositional formula formed from the symbolic execution expression and, when the proposition is satisfiable but its value is not uniquely determined (ambiguous), judging that the code pattern of the current path is potentially vulnerable.
4. The method for detecting operating system kernel information leakage vulnerabilities in a binary file according to claim 1, characterised in that deciding whether a genuine kernel information leakage vulnerability exists means: statically analysing the pointer properties of the data involved in the risky code, looking up how that data is used in the code, judging whether it is a pointer or a constant, and thus whether the risky code pattern really corresponds to a kernel information leakage vulnerability; specifically, when the value field that makes the proposition ambiguous contains a pointer variable, the risky code pattern is confirmed to be a vulnerability.
5. A system for implementing the method of any one of claims 1 to 4, comprising a pre-analysis module, a symbolic execution module and a threat determination module, wherein: the pre-analysis module uses the public symbol information, the information contained in the binary file format and the binary code itself to cut the binary into functions, slice the code and output the parameter properties of each function, and passes the resulting function information to the symbolic execution module; the symbolic execution module performs symbolic execution to obtain expression results and passes them to the threat determination module; and the threat determination module solves the expressions and produces the operating system kernel leakage detection result.
6. The system of claim 5, wherein the pre-analysis module comprises a binary file parsing unit, a user-pointer-related function identification unit, a pointer access analysis unit and a function property collation unit, wherein: the binary file parsing unit passes the start and end addresses of each function to the user-pointer-related function identification unit; that unit passes the information on the functions that use user pointers to the pointer access analysis unit; the pointer access analysis unit passes the pointer properties and access patterns used by each function to the function property collation unit; and the function property collation unit outputs a function property database.
7. The system of claim 5, wherein the symbolic execution module comprises a symbolic execution engine unit and a code pattern processing unit, wherein: the engine unit obtains function property information from the function property database, uses it during execution to generate path transfer expressions, concatenates the instruction-level symbolic execution result expressions into code patterns and passes them to the code pattern processing unit; and the code pattern processing unit takes the code pattern information, screens out the problematic code patterns and outputs a dangerous function code pattern database.
8. The system of claim 5, wherein the threat determination module comprises a data identification unit, a code slicing unit, a data property judgement unit and a vulnerability confirmation unit, wherein: the data identification unit takes dangerous function code patterns from the dangerous function code pattern database and passes the data locations in each pattern to the code slicing unit; the code slicing unit slices the code around those locations and outputs data access information; the data property judgement unit judges the property of the data from the access information and passes it to the vulnerability confirmation unit; and the vulnerability confirmation unit judges from the data property and the code pattern whether the pattern corresponds to vulnerable code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202011174860.9A (CN114417343B) | 2020-10-28 | 2020-10-28 | Method for detecting kernel information leakage loopholes of operating system under binary files
Publications (2)
Publication Number | Publication Date
---|---
CN114417343A | 2022-04-29
CN114417343B | 2024-07-05
Family
ID=81260403
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202011174860.9A (CN114417343B, active) | Method for detecting kernel information leakage loopholes of operating system under binary files | 2020-10-28 | 2020-10-28
Country Status (1)
Country | Link
---|---
CN | CN114417343B
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US8589888B2 * | 2011-08-29 | 2013-11-19 | Microsoft Corporation | Demand-driven analysis of pointers for software program analysis and debugging
US10460112B2 * | 2014-02-07 | 2019-10-29 | Northwestern University | System and method for privacy leakage detection and prevention system without operating system modification
CN104899514B * | 2015-06-17 | 2018-07-31 | 上海斐讯数据通信技术有限公司 | The detection method and system of mobile terminal from malicious behavior based on guidance quality symbol
KR101906004B1 * | 2016-11-29 | 2018-10-10 | 한국전력공사 | Apparatus and method for analyzing embeded software vulnerability based on binary code
CN109840416A * | 2017-11-28 | 2019-06-04 | 西安玖诚玖谊实业有限公司 | Malicious code behavior automatic analysis system
CN107992307B * | 2017-12-11 | 2021-04-13 | 北京奇虎科技有限公司 | Function compiling method and device
CN108171061B * | 2018-01-16 | 2021-02-02 | 武汉轻工大学 | Android system kernel safety detection method and device
CN109492406A * | 2018-11-15 | 2019-03-19 | 百度在线网络技术(北京)有限公司 | Monitor the methods, devices and systems of kernel loophole attack
CN111240687A * | 2020-01-09 | 2020-06-05 | 华东师范大学 | Source code static analysis device
Non-Patent Citations (1)
Title
---
A method for detecting operating system kernel information leakage vulnerabilities based on symbolic taint execution; 彭诗言 (Peng Shiyan); China Master's Theses Full-text Database, Information Science and Technology; 2024-01-15 (No. 01); I138-187 *
Legal Events
Date | Code | Title
---|---|---
 | PB01 | Publication
 | SE01 | Entry into force of request for substantive examination
 | GR01 | Patent grant