資訊產品安全檢測技術整合型研究

Abstract

目前由第三方所提供之資訊產品，可能以原始碼的方式交付，如網頁成品或腳本語言等。同時亦有可能以二進位可執行檔的方式交付，如Third-Party的程式庫等等。要能完整的檢測資訊產品，二進位可執行檔的檢測與原始碼檢測都是不可或缺的研究項目，且在開發過程中，雙方參與開發人員可以本身領域的經驗，互相交流以補足某些缺失。如檢測二進位可執行檔時，在動態分析程式中是否有Shellcode時，若能參考Compiler的編譯法則加以輔助，將能提高掃描的效率。因此，對於資訊產品安全檢測，提供分析原始碼以及分析二進位可執行檔兩種方式，是最為全面的檢測方法。 本資訊產品安全檢測技術整合型研究案(以下簡稱本研究案)為第二年度延續性計畫。第一年度 ( 98年)，我們完成了兩大項目標，分別為（一）建立一惡意程式分析平台，對於進入平台的待分析目標檔案，記錄其行為供人員研判，以及（二）尋找C/C++/PHP軟體原始碼中的可能漏洞。在本年度中，將會延續前一年度之研究成果，分別提出（一）可針對未知惡意程式的入侵行為的分析系統，亦即由使用者輸入一待檢測的目標檔案至系統後，本系統將自動進行分析出該目標對系統進行的隱藏行為，例如程序模組隱藏、檔案隱藏或登錄機碼隱藏等等，並以這些資訊判別該目標檔案是否為Rootkit程式。（二）使用一靜態程式檢測工具－Fortify，並自行加入Fortify的規則，來解決不斷出新的程式漏洞。除了第一年度所提出的C/C++/PHP軟體原始碼中的可能漏洞，本年度會加上JAVA與VB .Net的原始碼檢測，讓整體檢測範圍更加全面。並提出JAVA與VB .Net的安全程式設計原則，使軟體開發人員可減少開發時造成的安全性漏洞。 本計畫著重兩大目標：（一）本系統對資安人員在面對未知的檔案目標進行鑑識判別時，將能有效的提供判斷依據。（二）尋找軟體原始碼中的漏洞，以期軟體開發人員在設計過程中能及早發現弱點加以更正。此二目標若能達成，對於台灣資訊安全的防護能力將有極大的助益，不論是在國防、產業、學術甚至個人層面，皆能提供有效的資安屏障。

Currently, the testing software may be delivered by a third party in two ways, one is source code, such as web pages or script language; another one is binary executable file, such as third-party library. To complete testing software, both of source code testing and binary executable file are essential. In developing process, the researchers of source code analysis and binary executable analysis can be complementary by discussing. For example, if the compile technique is used by dynamic analysis of binary executable, the analysis efficiency will be enhanced. Therefore, the most comprehensive method for software security analysis is providing both of them. This project is a continuity plan for the second year. In the first year (2009), we had finished two objectives. One is to build a malware analysis platform. Another one is to find vulnerabilities in C/C++/PHP source code. In this year (2010), we will extend the research result in the first year and propose two analysis tools, one is a analysis system for analyzing the behavior of unknown malware, and another is a static analysis tool for analyzing source code. The process of malware analysis system has three steps, first step is input a testing binary executable file, and the system will analyze the behaviors of this program such as process hidden, file hidden, or registry hidden, and the last step is to verify the testing program is a rootkit or not. For the static analysis tool to analyze source code, we want to add new rules of Fortify to defend zero-day vulnerabilities. To cover more types of source code, we will extend our system to find vulnerabilities in JAVA and VB.Net source code. It will help software developers reduce secure weakness in their programs. This project focused on two main objectives: (a) The system-owned security administrator in the face of the unknown targets forensic files discrimination, it will be able to effectively provide the basis to judge. (b) To find the loopholes in the software source code to software developers in the design process can be corrected early detection of weaknesses. If these two goals to reach, for Taiwan's IT security protection capability will be of great benefit, whether in defense, industry, academic and even personal level, have encountered barriers to provide an effective information security.