
Binary Vulnerability Detection Technology Research And Tool Realization

Posted on: 2012-04-10
Degree: Master
Type: Thesis
Country: China
Candidate: J D Wang
Full Text: PDF
GTID: 2178330338992050
Subject: Information security
Abstract/Summary:
Reverse binary analysis and vulnerability detection has long been a primary issue in the field of software security. As software complexity increases, the difficulty of detecting vulnerabilities has grown greatly, and developing automated reverse analysis tools to assist software vulnerability mining has become a research focus. Research on this subject, both at home and abroad, is still at an initial or theoretical stage: existing binary static analysis tools have limitations, weak analysis ability, incomplete frameworks, and a high dependence on the analyst.

This paper presents a binary static analysis method for vulnerability detection based on a uniform intermediate language. It simulates binary program execution under the guidance of the control flow graph and the function call graph, tracks the spread of data by data flow analysis and function summaries, and detects potential defects automatically through taint propagation. During the simulated execution it is combined with common vulnerability patterns to discover binary vulnerabilities effectively. Based on these ideas, we have implemented a binary static vulnerability detection tool in BinNavi, named BAT. Dynamic instrumentation technology has also begun to be used in program vulnerability detection; this paper therefore also implements a dynamic taint propagation analysis framework on the Pin platform, named DynTool.

BAT has been applied to detect defects and vulnerabilities in WPS Office and Adobe PDF. It has validated many known vulnerabilities and discovered three zero-day vulnerabilities in WPS Writer. BAT can be used effectively for vulnerability mining in large-scale software. The results show that, for a target binary program with more than 20,000 functions, BAT analyzes a single entry within 20 minutes, passing through more than 6,000 functions and analyzing more than 3,000,000 instructions. Statistics show that the maximum calling depth exceeds 100 and the average code coverage of a single entry exceeds 20%. DynTool can also be applied to binary applications and accurately locates suspicious program defects. The binary analysis tools proposed in this paper can be applied to large-scale software for vulnerability detection.
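The static method the abstract describes (simulated execution over an intermediate language, data-flow tracking with function summaries, and matching propagated taint against a vulnerability pattern) is illustrated below with a toy Python analyzer. This is an added example, not code from the thesis, BAT or DynTool: the three-address IL, the `read_input` source, the `memcpy` length pattern and the `main`/`helper` program are all constructed for the illustration. It shows why the summary matters: the defect is only visible once the caller's tainted length is mapped onto the callee's parameter.

```python
from dataclasses import dataclass, field

# Constructed toy IL (not the thesis's format). Each instruction is
# (op, dst, srcs); for 'call', srcs = [callee, *args]. Taint labels are the
# string "input" (value came from an external source) or an int (value came
# from the current function's parameter with that index).
PROGRAM = {
    "main": [
        ("call", "n", ["read_input"]),              # external data: tainted
        ("mov", "len", ["n"]),
        ("call", "r1", ["helper", "buf", "len"]),   # tainted length reaches sink
        ("call", "r2", ["helper", "buf", "16"]),    # constant length: no finding
    ],
    "helper": [                                      # parameters a0, a1
        ("add", "sz", ["a1", "4"]),
        ("call", "_", ["memcpy", "a0", "src", "sz"]),
        ("ret", None, ["a0"]),
    ],
}
PARAMS = {"main": [], "helper": ["a0", "a1"]}
TAINT_SOURCES = {"read_input"}
# Vulnerability pattern: sink name -> {argument index: defect description}
SINK_PATTERNS = {"memcpy": {2: "tainted length passed to memcpy"}}


@dataclass
class Summary:
    """Function summary: which labels reach the return value, and which
    sinks inside the function are fed by which parameter index."""
    ret_labels: set = field(default_factory=set)
    sink_args: dict = field(default_factory=dict)  # param index -> {desc}


def _merge(taint, names):
    out = set()
    for n in names:
        out |= taint.get(n, set())
    return out


def analyze_function(name, summaries, findings, stack=()):
    """Simulate one function over the IL, propagating taint labels.
    Callees are analyzed on demand and reused through their summaries."""
    if name in summaries:
        return summaries[name]
    summary = Summary()
    taint = {p: {i} for i, p in enumerate(PARAMS.get(name, []))}

    def report(labels, desc, where):
        # "input" taint at a sink is a concrete finding here; parameter taint
        # is deferred to the caller through the summary.
        for lab in labels:
            if lab == "input":
                findings.append((where, desc))
            else:
                summary.sink_args.setdefault(lab, set()).add(desc)

    for op, dst, srcs in PROGRAM[name]:
        if op == "call":
            callee, args = srcs[0], srcs[1:]
            if callee in TAINT_SOURCES:
                taint[dst] = {"input"}
            elif callee in SINK_PATTERNS:
                for idx, desc in SINK_PATTERNS[callee].items():
                    report(taint.get(args[idx], set()), desc, name)
            elif callee in PROGRAM and callee not in stack:
                cs = analyze_function(callee, summaries, findings, stack + (name,))
                # Map the callee's parameter-relative sink facts onto our args.
                for pidx, descs in cs.sink_args.items():
                    for desc in descs:
                        report(taint.get(args[pidx], set()), desc, f"{name}->{callee}")
                # Return value carries whatever the summary says flows to it.
                ret = set()
                for lab in cs.ret_labels:
                    ret |= {"input"} if lab == "input" else taint.get(args[lab], set())
                taint[dst] = ret
            else:
                taint[dst] = set()  # unknown or recursive callee: assumed clean
        elif op == "ret":
            summary.ret_labels |= _merge(taint, srcs)
        else:  # mov, add, ...: result carries the union of operand taint
            taint[dst] = _merge(taint, srcs)
    summaries[name] = summary
    return summary


def analyze_program(entry="main"):
    """Run the simulated execution from an entry; return findings and summaries."""
    summaries, findings = {}, []
    analyze_function(entry, summaries, findings)
    return findings, summaries


if __name__ == "__main__":
    for where, desc in analyze_program()[0]:
        print(f"{where}: {desc}")
```

The `helper` summary records that its parameter 1 reaches a `memcpy` length, so the first call from `main` (tainted `len`) is reported while the second call with the constant `16` is not; a real tool would additionally model memory, pointer arithmetic and loops, which this toy deliberately omits.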
Keywords/Search Tags: vulnerability detection, static analysis, intermediate language, taint propagation, vulnerability pattern, dynamic instrumentation