Research on Precise Detection Techniques for Buffer Overflow Vulnerabilities
Published: 2019-05-23 21:39
[Abstract]: With the rapid development of information technology, software has become the principal enabling component of computer systems. At the same time, incidents in which vulnerabilities in software are exploited for attacks with serious consequences occur one after another. This poses new challenges to software security, which has become an increasingly important issue. Buffer overflow vulnerabilities are precisely such a class of frequently exploited vulnerabilities, and have become an extremely dangerous class of software vulnerability. At run time, a buffer overflow occurs when more data is written into a program buffer than the buffer's length allows. The overflowing data may corrupt the program's stack, causing the program to crash or even to execute the attacker's instructions. The root cause of buffer overflows is that programmers do not perform the necessary bounds checks on buffer operations. Current methods for detecting buffer overflow vulnerabilities fall into two main categories: static analysis and dynamic testing. The drawback of dynamic testing is that it depends heavily on test cases and often incurs additional execution overhead. Static analysis, by contrast, can discover vulnerabilities automatically before software is deployed, and is therefore widely adopted in industry. However, because it cannot observe the run-time state of buffers and adopts a conservative strategy, static analysis usually produces a large number of false positives. Some of these false positives arise because the analyzer fails to recognize the protective security measures that programmers have deliberately taken to guard the buffer. Targeting this class of false positives, this thesis studies precise static analysis and false-positive identification methods. The specific contributions are:
1. A buffer overflow vulnerability pattern is proposed. Through a study of buffer access operations in C/C++ programs and case studies of real projects, this thesis establishes a buffer overflow vulnerability pattern that covers the distribution of buffer operations leading to overflows, the mechanisms by which buffer overflow vulnerabilities arise, and the patterns of manual buffer overflow fixes.
2. A buffer overflow static analysis method that recognizes active security measures is proposed. Based on the buffer overflow vulnerability pattern, the method adds to the static analysis process the detection of active security measures in the code that prevent buffer overflows from occurring, thereby reducing the false positives caused by failing to recognize the programmer's active security measures and making the detection results more precise with fewer false positives. Based on this method, the tool BoChecker was developed and evaluated on 100 real cases. The experimental results show that its false negative rate of 45.00% and false positive rate of 29.1% are both lower than those of the other tools compared.
3. A machine-learning-based method for processing static analysis alarms is proposed. The method extracts features from the buffer overflow vulnerability pattern and from the static analysis alarms, and builds a model using random forests. The resulting model predicts whether a static analysis alarm is a false positive. Based on this method, the tool BoWFilter was developed and evaluated on 545 Checkmarx alarms. The experimental results show that the tool has very high prediction accuracy for both false positives and non-false positives, reaching 92.9% and 88.5% respectively.
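As an added illustration (not part of the thesis, BoChecker or BoWFilter), the C code below shows the two bounds-checked copy forms that the abstract calls active security measures: an explicit length check that refuses a write that would not fit, and a copy whose length is bounded by the destination size. A conservative analyzer that treats strlen(src) as unconstrained flags both copies as potential overflows; a precise one recognises the guard and stays silent. The function names, USERNAME_MAX and the sample inputs are my own constructed choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination used in the demo below (constructed value). */
#define USERNAME_MAX 16

/*
 * Reject-on-overflow copy. The explicit bounds check before the write is
 * the "active security measure" a precise analyzer must recognise.
 * Returns 0 when src plus its terminator fits and was copied, -1 when it
 * does not fit or the arguments are invalid; dst is untouched on rejection.
 */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dst_size)          /* no room for len bytes plus '\0' */
        return -1;
    memcpy(dst, src, len + 1);    /* in bounds: len + 1 <= dst_size */
    return 0;
}

/*
 * Truncate-on-overflow copy. The write itself is bounded by dst_size, so
 * no overflow is possible even when src is longer than dst.
 * Returns 1 if the result was truncated, 0 otherwise, -1 on bad arguments.
 */
int copy_name_truncating(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(src);
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                /* always terminated, always inside dst */
    return len > n ? 1 : 0;
}

int main(void)
{
    char buf[USERNAME_MAX];
    const char *ok = "alice";                           /* constructed input */
    const char *too_long = "this-name-is-far-too-long"; /* constructed input */
    int rc;

    rc = copy_name_checked(buf, sizeof buf, ok);
    printf("checked(\"%s\") -> %d, buf=\"%s\"\n", ok, rc, buf);
    rc = copy_name_checked(buf, sizeof buf, too_long);
    printf("checked(\"%s\") -> %d, buf still \"%s\"\n", too_long, rc, buf);
    rc = copy_name_truncating(buf, sizeof buf, too_long);
    printf("truncating(\"%s\") -> %d, buf=\"%s\"\n", too_long, rc, buf);
    return 0;
}
```

Both functions make the relationship between the write length and the destination size explicit in the code, which is exactly the information a static analyzer needs to classify the write as safe rather than report it.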
[Degree-granting institution]: Nanjing University (南京大学)
[Degree level]: Master's
[Year conferred]: 2017
[Classification number]: TP309
[Record number]: 2484244
[Link]: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/2484244.html