Pitaya (火龙果): Trends in Software Vulnerability Discovery Techniques, analysis report by Jia Chunfu (贾春福).ppt

  • About 41 pages
  • Published 2016-04-09 in Hubei


* Vulnerability Identification
  • Identification: identify violations of the security specification and verify the software's security properties.
  • Security Specification
  • Test cases

* Vulnerability Identification—Static Analysis
  • Static analysis checks for violations of the security specification from the program text.
  • Comprehensive: covers the entire code.
  • Lightweight: test cases are not required, and there is no need to guess or interpret the software's behavior.

* Vulnerability Identification—Static Analysis
  Examples of static analysis tools:
  • FindBugs (Java)
  • PMD (Java)
  • FxCop (.NET)
  • XSSDetect (.NET)

* Vulnerability Identification—Static Analysis
  Limitations:
  • Difficult to reason about values with sufficient precision (concrete value of an index or size of an object, heap layout, pointers).
  • Will not find issues related to operational environments.
  • Tends to generate false positives and false negatives.

* Vulnerability Identification—Run-time Detection
  • No requirement to have access to source code.
  • Run-time detection can check deeper properties of the software, such as infrastructure, configuration and path errors.

* Vulnerability Identification—Run-time Detection
  • Debugging—VC++, gcc
  • Dynamic instrumentation—Valgrind
  • Whole-system emulation—BitBlaze, BAP

* Contents
  1. Software Vulnerability
  2. Security Specification
  3. Test Case Generation
  4. Vulnerability Identification
  5. Our Work

* Environment-Sensitive Vulnerability Detection
  • An environment-sensitive vulnerability is a mismatch between the assumptions made during development about the execution environment of the software and the environment in which the program actually executes.
  • Year 2000 problem: the practice of representing the year with two digits becomes problematic, with logical errors arising upon rollover from x99 to x00.

* Environment-Sensitive Vulnerability Detection
  Environment-sensitive variable propagation analysis:
  • Record a detailed and concrete execution trace
  • Infer environment-sensitive variables from static analysis on the execution trace
  • Use taint analy
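The last slide is cut off, so the following is an added example, not code from the slides or from the authors' tool: a plain forward taint propagation over a constructed execution trace, showing how values that originate in the environment can be followed to the operations they influence. The trace format, the list of environment sources (`time`, `getenv`, `read_config`) and the set of checked operations are assumptions made for illustration.

```python
"""Forward taint propagation over a recorded execution trace (added example)."""

# Assumption: calls whose results depend on the execution environment.
ENV_SOURCES = {"time", "getenv", "read_config"}
# Assumption: operations where an environment-derived operand deserves review.
CHECKED_OPS = {"branch", "index", "call:strcpy"}

# Constructed trace, one executed instruction per entry: (pc, op, dst, srcs).
TRACE = [
    (0, "call:time",   "now",   []),
    (1, "call:getenv", "home",  []),
    (2, "const",       "base",  []),
    (3, "mod",         "yy",    ["now"]),            # two-digit year from the clock
    (4, "add",         "slot",  ["yy", "base"]),
    (5, "index",       "entry", ["table", "slot"]),  # array access uses the year
    (6, "branch",      None,    ["base"]),           # constant operand only
    (7, "call:strcpy", "dst",   ["home"]),           # copies an environment string
    (8, "const",       "home",  []),                 # variable overwritten
    (9, "call:strcpy", "dst2",  ["home"]),           # no longer environment-derived
]


def propagate(trace):
    """Return (taint map, findings) for a trace of (pc, op, dst, srcs) tuples."""
    taint = {}     # variable -> set of environment sources it derives from
    findings = []  # (pc, op, sources) for checked ops with tainted operands
    for pc, op, dst, srcs in trace:
        origins = set()
        for src in srcs:
            origins |= taint.get(src, set())
        if op in CHECKED_OPS and origins:
            findings.append((pc, op, sorted(origins)))
        if op.startswith("call:") and op[5:] in ENV_SOURCES:
            origins = origins | {op[5:]}   # the result itself is a taint source
        if dst is not None:
            if origins:
                taint[dst] = origins
            else:
                taint.pop(dst, None)       # strong update: overwrite clears taint
    return taint, findings


if __name__ == "__main__":
    variables, hits = propagate(TRACE)
    for pc, op, sources in hits:
        print(f"pc={pc} {op} depends on environment input(s): {', '.join(sources)}")
    print("environment-sensitive variables:", sorted(variables))
```
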
