基于抽象内存模型的内存相关漏洞检测方法

doi:10.3778/j.issn.1002-8331.2010-0354

摘要/Abstract

摘要： 针对现有的内存相关漏洞检测方法中存在依赖指针数据流而导致大量误报漏报、缺乏漏洞特征的形式化描述以及漏洞特征描述不全面的问题，提出一种基于抽象内存模型的内存相关漏洞检测方法。对抽象内存模型进行相关定义；基于抽象内存模型，对内存泄露、重复释放内存和读写释放后的内存这三种与内存相关的漏洞类型的特征进行形式化符号表示；基于代码的控制流图，利用可行路径求解算法得到代码的所有可行路径，并对所有可行路径上的抽象内存进行运行时状态判定，从而检测代码是否存在内存相关的漏洞；使用Juliet Test Suite中的CWE401、CWE415、CWE416三个内存相关漏洞的测试数据集对提出的检测方法进行验证，实验结果表明，相比依赖指针数据流的检测方法，该方法在内存相关漏洞检测的误报率和漏报率均降低。

Abstract: Aiming at the problems of the existing memory-related vulnerability detection model algorithms that rely on pointer data flow which is resulting in a large number of false positives and false negatives, lack of formal description of vulnerability characteristics, and incomplete description of vulnerability characteristics, a method for memory-related vulnerability detection based on abstract memory model is proposed. Firstly, it defines the abstract memory model. Then, based on the abstract memory model, it formalizes and symbolizes the characteristics of the three types of memory-related vulnerabilities：memory leak, double free, and use after free. Secondly, based on the control flow graph of the code, it uses the feasible path solving algorithm to obtain all feasible paths of the code, and the runtime state of the abstract memory is determined on all feasible paths to detect whether the code has memory-related vulnerabilities. Finally, the detection method is verified on the three test data sets of CWE401, CWE415, and CWE416 related to memory vulnerabilities in Juliet Test Suite, and the experimental results show that compared with the detection methods that rely on pointer data flow, the false positive rate and false negative rate of the method in the detection of memory-related vulnerabilities are reduced.

Key words: memory-related vulnerabilities detection, abstract memory model, memory leak, double free, use after free

许健, 陈平华, 熊建斌. 基于抽象内存模型的内存相关漏洞检测方法[J]. 计算机工程与应用, 2022, 58(8): 96-108.

XU Jian, CHEN Pinghua, XIONG Jianbin. Memory-Related Vulnerability Detection Method Based on Abstract Memory Model[J]. Computer Engineering and Applications, 2022, 58(8): 96-108.

参考文献

[1] JAIN R，AGRAWAL R，GUPTA R，et al.Detection of memory leaks in C/C++[C]//2020 IEEE International Students’ Conference on Electrical，Electronics and Computer Science（SCEECS），2020：1-6.
[2] CABALLERO J，GRIECO G，MARRON M，et al.Undangle：early detection of dangling pointers in use-after-free and double-free vulnerabilities[C]//Proceedings of the 2012 International Symposium on Software Testing and Analysis，2012：133-143.
[3] YAN H，SUI Y，CHEN S，et al.Spatio-temporal context reduction：a pointer-analysis-based static approach for detecting use-after-free vulnerabilities[C]//2018 IEEE/ACM 40th International Conference on Software Engineering（ICSE），2018：327-337.
[4] MOLINA J A N，MISHRA S.Addressing memory exhaustion failures in virtual machines in a cloud environment[C]//2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks（DSN），2013：1-6.
[5] HUANG S K，HUANG M H，HUANG P Y，et al.Software crash analysis for automatic exploit generation on binary programs[J].IEEE Transactions on Reliability，2014，63（1）：270-289.
[6] HAYASHI Y I，HOMMA N，MIZUKI T，et al.Analysis of electromagnetic information leakage from cryptographic devices with different physical structures[J].IEEE Transactions on Electromagnetic Compatibility，2012，55（3）：571-580.
[7] LIU Z，XU B，LIANG D，et al.Semantics-based memory leak detection for C programs[C]//2015 12th International Conference on Fuzzy Systems and Knowledge Discovery（FSKD），2015：2283-2287.
[8] HU J，CHEN J，ZHANG L，et al.A memory-related vulnerability detection approach based on vulnerability features[J].Tsinghua Science and Technology，2020，25（5）：604-613.
[9] AKRITIDIS P.Cling：a memory allocator to mitigate dangling pointers[C]//USENIX Security Symposium，2010：177-192.
[10] BERGER E D，ZORN B G.DieHard：probabilistic memory safety for unsafe languages[J].ACM SIGPLAN Notices，2006，41（6）：158-168.
[11] DHURJATI D，ADVE V.Efficiently detecting all dangling pointer uses in production servers[C]//International Conference on Dependable Systems and Networks（DSN’06），2006：269-280.
[12] YAMAGUCHI F，GOLDE N，ARP D，et al.Modeling and discovering vulnerabilities with code property graphs[C]//2014 IEEE Symposium on Security and Privacy，2014：590-604.
[13] 王涛，韩兰胜，付才，等.软件漏洞静态检测模型及检测框架[J].计算机科学，2016，43（5）：80-86.
WANG T，HAN L S，FU C，et al.Software vulnerability static detection model and detection framework[J].Computer Science，2016，43（5）：80-86.
[14] 韩心慧，魏爽，叶佳奕，等.二进制程序中的use-after-free漏洞检测技术[J].清华大学学报（自然科学版），2017，57（10）：1022-1029.
HAN X H，WEI S，YE J Y，et al.Detect use-after-free vulnerabilities in binaries[J].Journal of Tsinghua University（Science and Technology），2017，57（10）：1022-1029.
[15] ZHANG J.Symbolic execution of program paths involving pointer structure variables[C]//Fourth International Conference on Quality Software，2004：87-92.
[16] DONG Y.A sound abstract memory model for static analysis of C programs[J].International Journal of Computational Science and Engineering，2018，16（3）：255-264.
[17] DONG Y，YIN W，WANG S，et al.Memory leak detection in IoT program based on an abstract memory model SeqMM[J].IEEE Access，2019，7：158904-158916.
[18] KUMAR K S，MALATHI D.A novel method to find time complexity of an algorithm by using control flow graph[C]//2017 International Conference on Technical Advancements in Computers and Communications（ICTACC），2017：66-68.
[19] PHAN A V，LE NGUYEN M，BUI L T.Convolutional neural networks over control flow graphs for software defect prediction[C]//2017 IEEE 29th International Conference on Tools with Artificial Intelligence（ICTAI），2017：45-52.
[20] WAGNER A，SAMETINGER J.Using the Juliet test suite to compare static security scanners[C]//2014 11th International Conference on Security and Cryptography（SECRYPT），2014：1-9.
[21] FlawFinder[EB/OL].[2020-10-10].https：//www.dwheeler.com/
flawfinder/.
[22] Cppcheck[EB/OL].[2020-10-10].http：//cppcheck.sourceforge.net/.
[23] Splint[EB/OL].[2020-10-10].http：//splint.org/.