allocate and deallocate for memory management,
and terminate to exit.
Despite the simple environment model, the binaries
provided by DARPA for the CGC have a wide range of
complexity. They range from 4 kilobytes to 10 megabytes
in size, and implement functionality ranging from simple
echo servers, to web servers, to image processing libraries.
DARPA has open-sourced all of the binaries used in the
competition thus far, complete with proof-of-concept exploits
and write-ups about the vulnerabilities [24].
Because the simple environment model makes it feasible to
accurately implement and evaluate (on a large scale) binary
analysis techniques, we use the DARPA CGC samples as our
dataset for the comparative evaluations in this paper.
C. Comparative Analysis of CGC Binaries
Offensive binary analyses use different underlying
techniques to reason about the application that is being
processed. For example, they may analyze data over different
domains or utilize different levels of interaction with the
application being tested. In the next two sections, we survey
the current state of the art, and choose several analyses
for in-depth evaluation in the rest of the paper. We focus
specifically on analyses whose goals are to identify and
exploit flaws in binary software (for example, memory safety
violation identification using symbolic execution), as opposed
to the more general binary analysis techniques on which
those are based (in this case, symbolic execution itself).
III. BACKGROUND: STATIC VULNERABILITY DISCOVERY
Static techniques reason about a program without executing
it. Usually, the program is interpreted over an abstract domain:
rather than containing concrete bits of ones and zeroes, memory
locations contain other abstract entities (at the familiar end, these
might simply be integers, but, as we explain below, they can include
more abstract constructs). Additionally, program constructs such as
the layout of memory, or even the execution path taken, may
be abstracted as well.
Here, we split static analyses into two paradigms: those
that model program properties as graphs (e.g., a control-flow
graph) and those that model the data itself.
Static vulnerability identification techniques have two main
drawbacks, relating to the trade-offs discussed in Section II-A.
First, the results are not replayable: detection by static analysis
must be verified by hand, as information on how to trigger
the detected vulnerability is not recovered. Second, these
analyses tend to operate on simpler data domains, reducing
their semantic insight. In short, they over-approximate: while
they can often authoritatively reason about the absence of
certain program properties (such as vulnerabilities), they
suffer from a high rate of false positives when making
statements regarding the presence of vulnerabilities.
A. Recovering Control Flow
The recovery of a control-flow graph (CFG), in which
the nodes are basic blocks of instructions and the edges are
possible control flow transfers between them, is a pre-requisite
for almost all static techniques for vulnerability discovery.
Control-flow recovery has been widely discussed in the
literature [21], [33], [34], [50], [58], [59]. CFG recovery
is implemented as a recursive algorithm that disassembles
and analyzes a basic block (say, B_a), identifies its possible
exits (i.e., some successor basic blocks such as B_b and B_c),
adds them to the CFG (if they have not already been added),
connects B_a to B_b and B_c, and repeats the analysis
recursively for B_b and B_c until no new exits are identified.
CFG recovery has one fundamental challenge: indirect jumps.
Indirect jumps occur when the binary transfers control flow
to a target represented by a value in a register or a memory
location. Unlike a direct jump, where the target is encoded
into the instruction itself and, thus, is trivially resolvable, the
target of an indirect jump can vary based on a number of
factors. Specifically, indirect jumps fall into several categories:
Computed. The target of a computed jump is determined by
the application by carrying out a calculation specified by
the code. This calculation could further rely on values
in other registers or in memory. A common example
of this is a jump table: the application uses values in a
register or memory to determine an index into a jump
table stored in memory, reads the target address from
that index, and jumps there.
Context-sensitive. An indirect jump might depend on the
context of an application. The common example is
qsort() in the standard C library – this function takes
a callback that it uses to compare passed-in values. As
a result, some of the jump targets of basic blocks inside
qsort() depend on its caller, as the caller provides
the callback function.
Object-sensitive. A special case of context sensitivity is
object sensitivity. In object-oriented languages, object
polymorphism requires the use of virtual functions, often
implemented as virtual tables of function pointers that
are consulted, at runtime, to determine jump targets.
Jump targets thus depend on the type of object passed
into the function by its callers.
Different techniques have been designed to deal with
different types of indirect jumps, and we will discuss the
implementation of several of them in Section VII. In the
end, the goal of CFG recovery is to resolve the targets of as
many of these indirect jumps as possible, in order to create
a CFG. A given indirect jump might resolve to a set of
values (e.g., all of the addresses in a jump table, if there are
conditions under which their use can be triggered), and this
set might change based on both object and context sensitivity.
Depending on how well jump targets are resolved, the CFG
recovery analysis has two properties:
Soundness. A CFG recovery technique is sound if the set
of all potential control flow transfers is represented in
the graph generated. That is, when an indirect jump is
resolved to a subset of the addresses that it can actually
target, the soundness of the graph decreases. If a potential