嵌入式C代码释放后重用缺陷检测

doi:10.19665/j.issn1001-2400.2021.01.014

Abstract

Abstract:

Use-after-Free (UaF) bugs in C programs seriously affect the robustness and reliability of embedded systems.Current detection methods are mostly focused on computer operating systems or applications,which does not support complex and variable embedded systems.A static code analysis can achieve the detection without the requirement of execution environment.Therefore,a static taint analysis tool based on the LLVM compiler infrastructure has been implemented to detect UaF bugs in theembedded C code automatically.Experimental results prove that this static analysis method can detect UaF bugs in C programs rapidly with low false positive and false negative.It is also proved that the tool can be applied in large-scale embedded C projects.

Key words: embedded system, C programs, use-after-free, bug detection, static code analysis

CLC Number:

TP312

WANG Yaxin,LI Xiaoqing,WU Gaofei,TANG Shijian,ZHU Yajie,DONG Ting. Detecting use-after-free bugs in embedded C programs[J].Journal of Xidian University, 2021, 48(1): 124-132.

Figures/Tables 9

References 18

[1]	ZHOU L, NIU X, ZHAO S, et al.Research on Congestion Rate of Classified Storage Narrow Channel Picking System for IoT Security[J/OL].[2020-07-26].https://link.springer.com/article/10.1007/s11276-020-02372-6.
[2]	毕梦格, 巨玉, 侯蓉晖. 一种环境自适应的卫星网络安全路由协议[J]. 西安电子科技大学学报, 2020,47(1):66-72.
	BI Mengge, JU Yu, HOU Ronghui. Environmentally-adaptive Secure Routing Protocol for Satellite Networks[J]. Journal of Xidian University, 2020,47(1):66-72.
[3]	NVD.CVE-2019-2215[EB/OL].[2020-07-17] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215.
[4]	史翠红. 嵌入式汇编程序静态分析研究[J]. 航天返回与遥感, 2008,29(1):59-62.
	SHI Cuihong. Static Analysis for Embedded Assembly Program[J]. Spacecraft Recovery & Remote Sensing, 2008,29(1):59-62.
[5]	CERDEIRA D, SANTOS N, FONSECA P, et al. SoK:Understanding the Prevailing Security Vulnerabilities in Trust Zone-assisted TEE Systems [C]//Proceedings of the 2020 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2020: 1416-1432.
[6]	侯成杰. 航天器C语言软件常见编程错误分析及检测方法研究[J]. 空间控制技术与应用, 2013,39(6):53-57.
	HOU Chengjie. On Common Programming Errors of Spacecraft Software in C Language and Their Checking Methods[J]. Aerospace Control and Application, 2013,39(6):53-57.
[7]	王志强, 张玉清, 刘奇旭, 等. 一种简单网络管理协议漏洞挖掘算法[J]. 西安电子科技大学学报, 2015,42(4):20-26.
	WANG Zhiqiang, ZHANG Yuqing, LIU Qixu, et al. Algorithm for Discovering SNMP Protocol Vulnerability[J]. Journal of Xidian University, 2015,42(4):20-26.
[8]	SEREBRYANY K, BRUENING D, POTAPENKO A, et al. Address Sanitizer:a Fast Address Sanity Checker [C]//Proceedings of the 2012 USENIX Annual Technical Conference.Berkeley:USENIX Association, 2019: 309-318.
[9]	VANDER KOUWE E, NIGADE V, GIUFFRIDA C. DangSan:Scalable Use-after-free Detection [C]//Proceedings of the 2017 12th European Conference on Computer Systems.New York:ACM, 2017: 405-419.
[10]	NETHERCOTE N, SEWARD J. Valgrind:a Program Supervision Framework[J]. Electronic Notes in Theoretical Computer Science, 2003,89(2):44-66.
[11]	BEKRAR S, BEKRAR C, GROZ R, et al. Finding Software Vulnerabilities by Smart Fuzzing [C]//Proceedings of the 2011 4th IEEE International Conference on Software Testing,Verification,and Validation.Washington:IEEE Computer Society, 2011: 427-430.
[12]	Lcamtuf.American Fuzzy Lop (2.52b)[EB/OL].[2020-07-17] https://lcamtuf.coredump.cx/afl/.
[13]	YAN H, SUI Y, CHEN S, et al. Spatio-Temporal Context Reduction:A Pointer-analysis-based Static Approach for Detecting Use-after-free Vulnerabilities [C]//Proceedings of the 2018 40th International Conference on Software Engineering.New York:ACM, 2018: 327-337.
[14]	BAI J J, LAWALL J, CHEN Q L, et al. Effective Static Analysis of Concurrency Use-after-free Bugs in Linux Device Drivers [C]//Proceedings of the 2019 USENIX Annual Technical Conference.Berkeley:USENIX Association, 2019: 255-268.
[15]	韩心慧, 魏爽, 叶佳奕, 等. 二进制程序中的use-after-free漏洞检测技术[J]. 清华大学学报(自然科学版), 2017,57(10):1022-1029.
	HAN Xinhui, WEI Shuang, YE Jiayi, et al. Detect Use-after-free Vulnerabilities in Binaries[J]. Journal of Tsinghua University (Science and Technology), 2017,57(10):1022-1029.
[16]	CHIPOUNOV V, KUZNETSOV V, CANDEA G, et al. S2E:a Platform for In-vivo Multi-path Analysis of Software Systems [C]//Proceedings of 2011 the International Conference on Architectural Support for Programming Languages and Operating Systems.New York:ACM, 2011,46(3):265-278.
[17]	NVD.CVE-2016-7910[EB/OL].[2020-07-17] .https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7910.
[18]	NVD.CVE-2016-6309[EB/OL].[2020-07-17].https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6309.

要点	存储单元		存储元素
类型	寄存器	内存	内存指针	符号值	常量
特点	单次赋值	store指令多次赋值	指向内存空间	未知具体值	已知具体值,如函数指针

类型	指令名	指令作用	数据传递 (源→目的)
数据传递	LoadInst	读内存	源内存→目的寄存器
	StoreInst	写内存	源寄存器→目的内存
	GetElementPtrInst	获取数据结构中元素的指针	解析所得内存指针→目的寄存器
	CastInst	类型转换	源寄存器→目的寄存器
	PHINode	基于执行流程选择源寄存器进行赋值	解析所得源寄存器→目的寄存器
	SelectInst	条件赋值语句	解析所得源寄存器→目的寄存器
	CallInst	函数调用语句,目标函数有IR	调用语句参数寄存器→被调用函数参数寄存器
	ReturnInst	函数返回语句	当前函数返回寄存器→调用者语句目的寄存器
数据创建	BinaryOperator	二进制计算操作	计算结果(符号/常量)→目的寄存器
	CmpInst	数值比较操作	计算结果(符号/常量)→目的寄存器
	AllocaInst	栈内存申请	新建内存对象→返回值寄存器
	CallInst	函数调用语句,目标函数无IR	新建符号值→返回值寄存器
数据消除	ReturnInst	函数返回语句	清除记录:本地寄存器、当前函数栈内存
数据消除	StoreInst	写内存	清除记录:目的内存可能存在的原有数据元素
特殊调用	CallInst	函数调用语句,需特殊处理	malloc类函数:新建内存对象→返回值寄存器 free类函数:内存对象添加Free标签

类别	测试效果				测试效率
类型	召回率/%	误报率	漏报率		耗时/s	CPU使用率/%	最大内存占用/KB
数据	138/138=100	0/138=0	0/138=0		0.59	555.37	8 835.97

方法	实现思路	嵌入式平台适用性
动态测试	基于遗传算法开展Fuzz测试,并监控UaF缺陷触发^[8,12]	测试条件难以满足
二进制静态分析	反汇编工具开展静态分析,符号执行判定路径有效性^[15,16]	工具依赖性强
现有源代码静态分析	通过路径剪枝^[13]或针对特定问题^[14]开展简化数据流分析	准确度低,可靠性差
文中源代码静态分析	通过全面数据流分析实现可靠的污点追踪	准确度高,可靠性强

Detecting use-after-free bugs in embedded C programs

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 18

Related Articles 4

Metrics

Comments

Recommended 10

[1]	WANG Yuying;ZHOU Xingshe;LIANG Dongfang . Heterogeneous model translation method for the cyber physical system [J]. J4, 2015, 42(2): 108-115+151.
[2]	JIANG Yan;ZENG Xuewen;SUN Peng;ZHU Xiaoyong. Fuzzy threshold coalescence memory algorithm for embedded real-time multimedia systems [J]. J4, 2012, 39(5): 174-180.
[3]	XUAN Rong-xi(1);YING Zhe(2). Study of the technique of the embedded Web server based on the AT91M40800 micro-controller [J]. J4, 2006, 33(3): 482-485.
[4]	ZHANG Xi-min;ZHANG Jian-guo;ZHOU Li-hua. On the technique of the Web server in the micro-embedded system [J]. J4, 2005, 32(1): 116-121.