Title: 程式失控動態分析系統設計與實作
The Design and Implementation of a Dynamic Instrument Tool for Program Crash Analysis
Author: 劉世弘 (Shih-Hung Liu)
黃世昆 (Dr. Shih-Kun Huang)
Institute of Computer Science and Engineering
Keywords: Dynamic program analysis; System call interception; Software vulnerability testing; Dynamic Analysis; Software Wrapper; COTS Vulnerability Testing
Date issued: 2003
Abstract: To meet the demand for rapid time to market, released software systems often contain unexpected defects. Some of these defects can cause the software to crash, or even introduce security weaknesses. Commercial Off-The-Shelf (COTS) software usually ships without source code; when it crashes, all we can do is report the problem to the vendor and wait for a patch. Vendors, however, often take a long time to release patches, and some patches are incompatible with older versions or do not fully fix the defect. For existing commercial software components, reverse-engineering tools are still generally used to test and observe program behaviour in order to judge whether the software contains exploitable weaknesses. The goal of this work is to design a system that helps determine whether a crash site hides an exploitable software vulnerability; we want the system to provide systematic crash analysis. Much existing research focuses on detecting program errors and identifying their root causes, either by static code analysis or by dynamically observing program execution, and most of it does so by auditing or modifying the program's source code. Because this work targets off-the-shelf commercial software with no source code available, we instead develop an instrumentation and interception system that detects abnormal execution flow and judges whether it may constitute a security vulnerability. We develop two mechanisms, stack corrupt site approximation and identification, and call target validation, to detect whether the program's control flow has become abnormal. In experiments on commercial software on the Microsoft Windows platform, the system effectively detected a variety of known weaknesses, and analysis of the intercepted state revealed the cause of each anomaly. The experiments also confirm that the corrupt site identification mechanism can point out the function responsible for the stack corruption. Finally, we compare the system with related tools to evaluate its feasibility.
In order to meet time-to-market pressure, software is often released with unintended flaws. Some of these flaws cause crashes that are closely related to security vulnerabilities. Commercial Off-The-Shelf (COTS) software normally comes without source code, so if a program crashes, all we can do is report it to the vendor and wait for a patch. Some software companies, however, do not develop patches in a timely manner, or no longer support the older version at all. Normally, users can run debuggers to observe the software's behaviour at run time and determine whether an exploitable vulnerability exists. Our objective is to design a tool that helps systematically detect security-related errors from a crash, automating the crash-analysis process to a certain extent. Much research has focused on detecting program errors and identifying their root causes, either by static analysis or by observing run-time behaviour through dynamic program instrumentation, and most of that work analyzes or instruments the software's source code. Under the assumption that source code is unavailable, we instead develop an execution instrumentation and interception system with a built-in detector for anomalous control flow, so that it can automatically judge whether a given crash can be exploited. We develop two mechanisms, stack corrupt site identification and call target validation, to detect whether the program's control flow has been abnormally altered. Case studies of several commercial Windows applications with known exploits demonstrate the applicability of our system and give a better understanding of the exploitation path of these vulnerabilities. They show that our corrupt site identification mechanism points out the vulnerable function where the stack is corrupted. Finally, we compare this work with several related works to position it within recent research.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009117542
http://hdl.handle.net/11536/49824
Appears in Collections: Thesis


Files in This Item:

  1. 754201.pdf
