程式動態行為安全分析(I)

Abstract

程式行為與軟體安全性關係密切，失控(crash)的程式將有可能被運用而成為安全弱點所 在。我們很難在程式失控後找出真正原因，因此多數研究藉助於動態程式實驗，著重於 偵測錯誤與區別失控的根源。軟體廠商為了趕上市發行的時間，以致系統常伴隨著非有 意的過失而產生軟體失控的狀況，有些只影響系統穩定性，有些則產生安全弱點。我們 的目標是設計工具程式，進行動態安全分析，輔助找尋錯誤點，判斷是否可供運用產生 系統安全缺陷。 在第一年的計畫中，我們將開發執行監控操作系統。此系統會定時進行執行狀態 監測，若程式失控，可以重複原先執行步驟，嘗試觸發先前的錯誤，藉此可觀察執行程 式的內部行為，例如 API 呼叫序列順序，呼叫參數與返回值關係。這些可經由包覆系 統 API 呼叫的技術達成，並判斷其結果否異常。預期將完成程式狀態觀測系統，可判 斷所觀測之失控點是否安全相依（是否安全可運用性）。 在第二年的計畫中，我們將建立軟體應用程式與作業系統函數之間的互動介面。 經由包覆的技術，不但能記錄相關重要參數，也能接受測試指令進行呼叫參數與返回數 值的任意替換。我們可以隨意操作程式，改變想要運作的呼叫參數，觀察其回應狀態並 找出可疑的失控點。我們將設計互動介面與測試驅動系統以便控制包覆點，並提供呼叫 點相關資訊以產生較細微的測試涵蓋率。預期將完成程式錯誤注入測試系統，有系統性 地激發錯誤點，並產生有意的安全運用程式碼。

Program running behavior has much to do with software security. Crashed software may be exploited to be a potential vulnerability. It is difficult to reconstruct system failures after a program has crashed. There is much research effort on detecting program errors and identifying their root causes either by static analysis or observing their running behavior through dynamic program instrument. In order to meet the time to market, software releases with unintended flaws. Some of them cause software crash, while others may introduce security vulnerabilities. Our goal is to design a tool that helps analyze program running behavior and determine if it is an exploitable vulnerability. In the first year plan, we will develop an execution instrument and interception system. This system will periodically monitor software running behavior. If the software crashes, we can roll back to the latest checkpoint and trigger the fault. We will observe the internal behavior of running programs, such as API call sequence, call parameters and return values through wrapping system call API techniques, and determine whether these things are anomalous or not. We expect to develop a dynamic instrument tool able to determine if the crash site is security exploitable. In the second year of project in execution, we investigate the design and implementation of such a tool to instrument the interfaces between the software application and the operating system functions with an interactive software wrapper. This wrapper cannot only intercept the functions to record the parameters and the return value but also receiving testing directives to replace calling parameters and the return value with any arbitrary value. We could use this tool to easily instrument the application, change the intended OS function call parameters with testing data and observe the response of the application to find out the suspicious crash sites. We devise a GUI and testing driver to control the wrapper and provide call site information with finer-grained test coverage. We expect to complete a fault injection tool systematically generating triggers for intended exploit code.