利用迴圈特性加速靜態與動態程式分析

Abstract

自動尋找軟體漏洞以及產生如何滲透軟體安全之過程為當今軟體測試方法所迫切需求。實際/符號混和執行測試技術(concolic execution)為符合此需求的新技術之一，其結合了實際執行測試的速度優點以及符號化執行測試的廣泛可測範圍。然而，此技術繼承了符號化執行測試的限制 －面對迴圈時，當迴圈執行次數與外部輸入值有相依性，此技術必須將每種可能的外部輸入值都執行過一次，進而造成效能嚴重降低，甚至退化成為隨機測試。而迴圈是程式語言中大量使用的一種必要格式，這造成此技術面臨相當大的挑戰。在本論文中，我們提出一個新的實際/符號混和執行測試技術，稱為：”迴圈感知實際/符號混和執行測試技術(loop-aware concolic execution)”。本新技術可精確分析迴圈相關變數，並減少軟體測試所需之時間。為了展示此項新技術，我們開發了一套分析系統，稱為：”RELEASE”。在本分析系統中，我們將此項新技術應用在分析緩衝區溢位漏洞，並產生如何滲透軟體安全之外部輸入值。

Automatically finding vulnerabilities and even generating exploits are eagerly needed by software testing engineers today. And for security issue, many testing software are usually lake of source code and symbol table information. Concolic execution is a novel technique, which takes advantage of the rapid executing speed of concrete ex-ecution and the wide testing coverage of symbolic execution, to find and understand software bugs, including vulnerabilities, with only analyzing machine code. However, a serious limitation of concolic execution inherited from symbolic execution is its poor analysis result with loops, a common programming construct. Namely, when the number of iterations depends on the inputs, the analysis cannot determine possible execution paths of the program. In this paper, we propose a new concolic execution technique, loop-aware concolic execution, for testing software and producing more precise analysis on loop-related variables with fewer execution steps. To demonstrate our technique, we developed a concolic analyzer, called RELEASE, and apply it to discover buffer-overflow vulnerabilities and generate exploits of software.