Computer Engineering and Applications, 2020, Vol. 56, Issue 13: 124-130. DOI: 10.3778/j.issn.1002-8331.1904-0025


Research on Crash Classification for Vulnerability Types

DAI Peiwu, PAN Zulie, SHI Fan   

1. College of Electronic Engineering, National University of Defense Technology, Hefei 230000, China
Online: 2020-07-01; Published: 2020-07-02

Research on Crash Classification for Vulnerability Types (Chinese title: 面向漏洞类型的Crash分类研究)

代培武, 潘祖烈, 施凡

1. College of Electronic Countermeasures, National University of Defense Technology, Hefei 230000

Abstract:

Crash analysis is a critical stage in vulnerability discovery and exploitation, and determining which type of vulnerability caused a given Crash is a prerequisite for both. Because existing vulnerability detection platforms cannot reliably identify the Crash type, a method for vulnerability detection and Crash type determination in binary executables is proposed. The method applies taint marking to the Crash-inducing input of the binary program; during taint propagation it accounts for taint removal and indirect pollution; and during the taint check phase it collects context information at the Crash point and matches it against multiple vulnerability-triggering rules. A tool for detecting vulnerabilities in binary programs and determining the vulnerability type of a Crash is built on this method. Experimental results show that the method handles patterns such as overwritten return addresses and function pointers produced by vulnerabilities including stack overflow, format string and heap overflow.

Key words: Crash analysis, vulnerability detection, binary instrumentation, dynamic taint analysis

Abstract (Chinese):

Crash (program crash) analysis is a critical stage in vulnerability discovery and exploitation, and determining which type of vulnerability produced a Crash is the prerequisite for Crash analysis and exploitation. To address the problem that existing vulnerability detection platforms cannot effectively identify the Crash type, a method for vulnerability detection and Crash type determination in binary executable programs is proposed. The method applies taint marking to Crashes obtained by fuzzing the binary executable; in the taint propagation stage it accounts for propagation rules such as taint removal and indirect pollution; and in the taint check stage it collects context information at the crash point and matches it against multiple vulnerability-triggering rules. A prototype system for detecting vulnerabilities in binary programs and determining the vulnerability type of a Crash is developed on this basis. Experimental results show that the method applies to patterns such as overwritten return addresses and function pointers caused by stack overflow, format string, heap overflow and similar vulnerabilities, with high accuracy.

Key words (Chinese): Crash analysis, vulnerability detection, binary instrumentation, dynamic taint analysis
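The three stages both abstracts describe (taint marking of the crash-inducing input, propagation with taint-removal and indirect-pollution rules, and a crash-point check against vulnerability-triggering rules) can be demonstrated on a toy instruction trace. The following is an added illustration written for this page, not the authors' prototype: the instruction set, the address ranges for stack and heap, the lookup-table decoder and the crash inputs are all constructed assumptions, and the rule set covers only the three patterns the abstract names.

```python
"""Toy dynamic taint tracker that classifies a crash by vulnerability pattern.

Added example, not the paper's code. Registers and memory cells carry a taint
bit plus the memory address the tainted value was last loaded from, so the
crash-point check can say which region (stack/heap) the overwritten target
lived in. Instruction set, addresses and inputs are constructed for the demo.
"""
from dataclasses import dataclass, field

STACK = range(0x7000, 0x8000)   # assumed stack range for this toy process
HEAP = range(0x9000, 0xA000)    # assumed heap range


@dataclass
class Cell:
    value: int = 0
    tainted: bool = False
    origin: int = -1            # address the tainted value was last loaded from


@dataclass
class State:
    regs: dict = field(default_factory=dict)
    mem: dict = field(default_factory=dict)

    def reg(self, r):
        return self.regs.setdefault(r, Cell())

    def cell(self, a):
        return self.mem.setdefault(a, Cell())


def mark_input(state, base, data):
    """Taint marking: every byte of the crash-inducing input is a taint source."""
    for i, b in enumerate(data):
        state.mem[base + i] = Cell(b, True, base + i)


def step(state, insn):
    """Taint propagation for one instruction of the trace."""
    op, *a = insn
    if op == "mov_imm":                      # constant overwrite: taint removed
        state.regs[a[0]] = Cell(a[1], False)
    elif op == "xor_self":                   # xor r,r is always 0: taint removed
        state.regs[a[0]] = Cell(0, False)
    elif op == "mov":                        # direct register-to-register propagation
        s = state.reg(a[1])
        state.regs[a[0]] = Cell(s.value, s.tainted, s.origin)
    elif op == "load":                       # dst <- mem[areg + disp]
        dst, areg, disp = a
        p = state.reg(areg)
        addr = p.value + disp
        m = state.cell(addr)
        # indirect pollution: a tainted pointer/index taints the loaded value
        # even when the memory cell itself (e.g. a lookup table) is clean
        state.regs[dst] = Cell(m.value, m.tainted or p.tainted,
                               addr if m.tainted else p.origin)
    elif op == "store":                      # mem[areg + disp] <- src
        areg, disp, src = a
        p, s = state.reg(areg), state.reg(src)
        state.mem[p.value + disp] = Cell(s.value, s.tainted or p.tainted, s.origin)


def crash_context(state, insn):
    """Taint check: collect the context of the crashing instruction."""
    op, *a = insn
    if op == "ret":                          # return address is the slot at rsp
        rsp = state.reg("rsp").value
        return {"site": op, "target_tainted": state.cell(rsp).tainted, "target_addr": rsp}
    if op == "call_reg":                     # indirect call through a register
        r = state.reg(a[0])
        return {"site": op, "target_tainted": r.tainted, "target_addr": r.origin}
    if op == "printf":                       # register holds the format pointer
        return {"site": op, "format_tainted": state.cell(state.reg(a[0]).value).tainted}
    return {"site": op}


def region(addr):
    return "stack overflow" if addr in STACK else "heap overflow" if addr in HEAP else "unknown region"


def classify(ctx):
    """Match the crash context against the vulnerability-triggering rules."""
    if ctx["site"] == "ret" and ctx.get("target_tainted"):
        return ("overwrite return address", region(ctx["target_addr"]))
    if ctx["site"] == "call_reg" and ctx.get("target_tainted"):
        return ("overwrite function pointer", region(ctx["target_addr"]))
    if ctx["site"] == "printf" and ctx.get("format_tainted"):
        return ("tainted format argument", "format string")
    return ("no tainted data at crash point", "unclassified")


def analyze(trace, input_base, data):
    state = State()
    mark_input(state, input_base, data)
    for insn in trace[:-1]:
        step(state, insn)
    return classify(crash_context(state, trace[-1]))


def copy_loop(n, decode=False):
    """Byte copy rsi->rdi; decode=True routes each byte through a clean table at 0x2000."""
    t = []
    for i in range(n):
        t.append(("load", "rax", "rsi", i))
        if decode:
            t.append(("load", "rax", "rax", 0x2000))
        t.append(("store", "rdi", i, "rax"))
    return t


INPUT = bytes(range(16))   # constructed 16-byte crash input, loaded at 0x1000


def stack_overflow_case():
    # 8-byte stack buffer at 0x7000 with the saved return address at 0x7008
    trace = [("mov_imm", "rsi", 0x1000), ("mov_imm", "rdi", 0x7000)]
    trace += copy_loop(16, decode=True) + [("mov_imm", "rsp", 0x7008), ("ret",)]
    return analyze(trace, 0x1000, INPUT)


def heap_fptr_case():
    # heap object at 0x9000: 8-byte buffer followed by a function pointer at +8
    trace = [("mov_imm", "rsi", 0x1000), ("mov_imm", "rdi", 0x9000)]
    trace += copy_loop(16) + [("load", "rax", "rdi", 8), ("call_reg", "rax")]
    return analyze(trace, 0x1000, INPUT)


def format_string_case():
    return analyze([("mov_imm", "rdi", 0x1000), ("printf", "rdi")], 0x1000, INPUT)


def sanitized_case():
    # the input-derived value is cleared and replaced before the call: no taint at crash
    trace = [("mov_imm", "rsi", 0x1000), ("load", "rax", "rsi", 0),
             ("xor_self", "rax"), ("mov_imm", "rax", 0x4000), ("call_reg", "rax")]
    return analyze(trace, 0x1000, INPUT)
```

The stack case copies through a lookup table, so the bytes that land on the return address are tainted only by the indirect-pollution rule; the sanitized case shows why the removal rule matters, since without it the `xor`-cleared register would still carry taint and the crash would be misclassified as a function-pointer overwrite.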