
Static Program Analysis Assisted Dynamic Software Vulnerability Discovery

Posted on: 2011-10-23
Degree: Master
Type: Thesis
Country: China
Candidate: R Y Zhang
GTID: 2178330338984217
Subject: Software engineering
Abstract/Summary:
With the evolution and prevalence of computer science, a growing number of computer applications have influenced our lives in recent years and exposed us to increasingly serious security problems and threats. Research in this field has drawn much attention, and many program analysis tools already exist that identify suspicious code and protect software by applying related analyses to the code. Many of these tools are built on program testing, which is part of dynamic analysis, or on static program analysis. Program testing is very accurate, but each test case covers only a small part of the program, so it is difficult to obtain complete results. The static approach, on the other hand, covers all of the target program's code, but it generates many false positives.

This thesis proposes a novel program analysis that combines the two methods based on their characteristics. The approach achieves high code coverage of the target program and exceeds traditional static program analysis in accuracy. I realize a mechanism whose main procedure is dynamic taint analysis, supplemented with additional information obtained by static methods. During taint tracking, the system computes the control flow graph (CFG) at the function level and performs static taint analysis along the paths of the CFG, thereby combining static and dynamic program analysis.

The contributions of this thesis are as follows:
1) A novel approach that integrates dynamic and static program analysis, making the best use of the strengths of each while counteracting their weaknesses.
2) Based on the proposed method, a software vulnerability discovery system, SDCF, that processes binary code. The system performs static analysis during the dynamic taint tracing procedure.
3) An API filter that optimizes the system. By formalizing the taint-related behavior of system functions, this module reduces the time cost of SDCF.

The experiments show that SDCF not only provides efficient runtime protection based on taint tracing, at an overhead of 4.16x, but is also capable of discovering latent software vulnerabilities that have not yet been exploited, achieving code coverage of more than 90%.
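The following toy model is an added illustration of the three ideas in the abstract (dynamic taint tracking, static taint analysis over the callee's CFG paths when a tainted value enters a function, and an API filter of taint summaries for library calls); it is not SDCF's code, which works on binary code. It assumes a tiny constructed IR with three instruction kinds (`mov`, `call`, `sink`), a hand-written program `PROGRAM`, a concrete block trace `TRACE`, and summaries for four hypothetical library functions; all of these are constructed here.

```python
"""Static-assisted dynamic taint analysis on a toy IR (added example, constructed).

Instruction kinds:  ("mov", dst, src)            copy a value
                    ("call", name, args, ret)    library or user function call
                    ("sink", var)                security-sensitive use of var
"""

# --- API filter: taint summaries for library functions (constructed) ---------
# "taints": outputs tainted unconditionally ("ret" or an argument index)
# "copies": (source arg index, destination) pairs; destination taint := source taint
API_SUMMARIES = {
    "read":   {"taints": ["ret"], "copies": []},        # returns untrusted input
    "getpid": {"taints": [],      "copies": []},        # returns trusted data
    "strcpy": {"taints": [],      "copies": [(1, 0)]},  # dst <- src
    "puts":   {"taints": [],      "copies": []},        # reads only, no propagation
}


def apply_summary(name, args, ret, tainted):
    """Update the taint set from the summary instead of tracing into the call."""
    s = API_SUMMARIES[name]
    if ret is not None:
        tainted.discard(ret)                  # the return value is freshly written
    for out in s["taints"]:
        tainted.add(ret if out == "ret" else args[out])
    for src, dst in s["copies"]:
        target = ret if dst == "ret" else args[dst]
        (tainted.add if args[src] in tainted else tainted.discard)(target)


def propagate(ins, tainted):
    """Apply one instruction to the taint set.  Calls to user functions are left
    to the caller.  Returns the sink variable if a tainted value reached a sink."""
    kind = ins[0]
    if kind == "mov":
        _, dst, src = ins
        (tainted.add if src in tainted else tainted.discard)(dst)
    elif kind == "call" and ins[1] in API_SUMMARIES:
        apply_summary(ins[1], ins[2], ins[3], tainted)
    elif kind == "sink" and ins[1] in tainted:
        return ins[1]
    return None


def static_paths(fn, entry_taint):
    """Enumerate acyclic CFG paths of fn from its entry, propagating taint along
    each.  Returns [(path, sink_var)] for every path on which a sink is tainted."""
    blocks, findings = fn["blocks"], []

    def walk(block_id, path, tainted):
        path = path + [block_id]
        tainted = set(tainted)                # each path gets its own taint state
        for ins in blocks[block_id]["ins"]:
            hit = propagate(ins, tainted)
            if hit:
                findings.append((tuple(path), hit))
        for succ in blocks[block_id]["succ"]:
            if succ not in path:              # ignore back edges: acyclic paths only
                walk(succ, path, tainted)

    walk(fn["entry"], [], entry_taint)
    return findings


def dynamic_run(program, trace):
    """Replay a concrete execution (block sequence per function) with taint
    tracking.  When a call enters a user function with tainted arguments, the
    callee's CFG paths are analysed statically; findings on paths the trace did
    not execute are reported as latent.  Returns (runtime_hits, latent)."""
    runtime_hits, latent = [], []

    def run(fn_name, tainted):
        fn = program[fn_name]
        for block_id in trace[fn_name]:
            for ins in fn["blocks"][block_id]["ins"]:
                if ins[0] == "call" and ins[1] in program:          # user function
                    callee = program[ins[1]]
                    callee_taint = {p for p, a in zip(callee["params"], ins[2])
                                    if a in tainted}
                    if callee_taint:
                        for path, var in static_paths(callee, callee_taint):
                            if path != tuple(trace.get(ins[1], ())):
                                latent.append((ins[1], path, var))
                    run(ins[1], callee_taint)
                    continue
                hit = propagate(ins, tainted)
                if hit:
                    runtime_hits.append((fn_name, block_id, hit))

    run("main", set())
    return runtime_hits, latent


# Constructed program: main reads input and passes it to handle(); handle copies
# it into buf, then either overwrites buf with trusted data (b1) or prints it (b2)
# before buf reaches a sink (b3).
PROGRAM = {
    "main": {"params": [], "entry": "b0", "blocks": {
        "b0": {"ins": [("call", "read", [], "x"),
                       ("call", "handle", ["x"], None)], "succ": []}}},
    "handle": {"params": ["a"], "entry": "b0", "blocks": {
        "b0": {"ins": [("call", "strcpy", ["buf", "a"], None)], "succ": ["b1", "b2"]},
        "b1": {"ins": [("call", "getpid", [], "buf")], "succ": ["b3"]},
        "b2": {"ins": [("call", "puts", ["buf"], None)], "succ": ["b3"]},
        "b3": {"ins": [("sink", "buf")], "succ": []}}},
}
TRACE = {"main": ["b0"], "handle": ["b0", "b1", "b3"]}   # the safe branch was taken

if __name__ == "__main__":
    hits, latent = dynamic_run(PROGRAM, TRACE)
    print("runtime hits:", hits)      # none: the executed path cleans buf
    print("latent:", latent)          # the untaken path b0->b2->b3 taints the sink
```

The concrete run takes the branch that overwrites `buf`, so pure dynamic tracking reports nothing; the static pass over the callee's other CFG path reports the untaken `b0 -> b2 -> b3` route as a latent finding, which is the coverage gain the abstract describes. The summaries stand in for the API filter: the tracker never steps into `strcpy` or `getpid`, it just applies their formalised taint effect.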
Keywords/Search Tags: Dynamic taint analysis, Static program analysis, Software vulnerability detection