
Research On Summary Based Vulnerability Detection Of Binary Code

Posted on: 2012-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: J Yang
Full Text: PDF
GTID: 2178330338992020
Subject: Computer architecture
Abstract/Summary:
With the rapid development of software and the Internet, software security has drawn more and more attention worldwide. Traditional automated program analysis tools find software bugs by analyzing source code; however, the source code of much software is not available. Automated tools that analyze binary code directly therefore have a promising future in practice. At the same time, the lack of type and structure information makes direct analysis of binary code very difficult, and for static analysis tools in particular we could not find any effective tool, either domestic or foreign.

To meet this urgent and challenging requirement, this thesis proposes a method for statically analyzing binary code. The method is based on function summaries, which are built by intra-procedural and inter-procedural analysis; taint analysis then uses the function summaries to detect potential vulnerabilities. First, the assembly code is translated into the eREIL intermediate representation, and then the function summaries are built. In the intra-procedural analysis, semi-simulation is proposed to improve both accuracy and efficiency: intra-procedural backward slicing first splits the instructions into two sets, one handled by the VSA algorithm, to track memory addresses accurately, and the other by the DDA algorithm, to analyze data dependencies between variables. In addition, other widely used techniques, such as symbolic execution and fuzzing, are integrated into semi-simulation so that each compensates for the shortcomings of the others.

We implemented the semi-simulation algorithm in a usable tool, Loong Checker, built on the industry-grade tool BinNavi. During development we devised a series of novel techniques to make the tool effective, such as the integration of constraints and the simulation of library functions.
To demonstrate the effectiveness of Loong Checker, we verified three known vulnerabilities in three widely used programs: Serenity Player, FoxPlayer, and KingSoft Office Writer (WPS). In addition, we found three previously unknown (0-day) vulnerabilities in WPS. These experiments on large real-world software demonstrate both the effectiveness and the practical usability of our tool.
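The inter-procedural step the abstract describes, building a summary per function once and then applying that summary at each call site during taint analysis, as an added illustration that is not code from the thesis or from Loong Checker. The toy three-address IR, the hypothetical `memcpy_len` sink and the sample functions are all constructed; the analysis is a single pass without fixpoint iteration, so recursive callees get an empty provisional summary.

```python
# Added example (constructed; not code from the thesis or Loong Checker):
# summary-based inter-procedural taint analysis over a toy three-address IR.
# Instructions: ("mov", dst, src) | ("call", dst, fn, args) | ("ret", src); undefined names are untainted constants.
from dataclasses import dataclass

SINKS = {"memcpy_len": {2}}  # hypothetical sink: argument 2 is a length attackers must not control

@dataclass
class Summary:
    ret_from: set   # parameter indices whose data flows to the return value
    sink_from: set  # parameter indices whose data reaches a sink (transitively)

def summarize(name, funcs, cache):
    """Intra-procedural taint pass producing the summary of `name`; callee summaries come from `cache`."""
    if name in cache: return cache[name]
    params, body = funcs[name]
    cache[name] = Summary(set(), set())  # provisional entry stops recursion (single pass, no fixpoint)
    taint = {p: {i} for i, p in enumerate(params)}  # variable -> originating parameter indices
    ret_from, sink_from = set(), set()
    for ins in body:
        if ins[0] == "mov":
            taint[ins[1]] = set(taint.get(ins[2], set()))
        elif ins[0] == "call":
            dst, fn, args = ins[1:]
            arg_taint = [taint.get(a, set()) for a in args]
            flows = SINKS.get(fn)
            if flows is None:  # ordinary callee: apply its summary instead of inlining it
                s = summarize(fn, funcs, cache)
                taint[dst] = set().union(*(arg_taint[i] for i in s.ret_from if i < len(args)))
                flows = s.sink_from
            else:
                taint[dst] = set()
            sink_from |= set().union(*(arg_taint[i] for i in flows if i < len(args)))
        elif ins[0] == "ret":
            ret_from |= taint.get(ins[1], set())
    cache[name] = Summary(ret_from, sink_from)
    return cache[name]

def tainted_sink_params(entry, funcs):
    return sorted(summarize(entry, funcs, {}).sink_from)  # parameters of `entry` that can reach a sink

# Constructed program: a size taken from untrusted input passes through clamp() into a copy length.
FUNCS = {
    "clamp": (["n", "lim"], [("mov", "r", "n"), ("ret", "r")]),  # bug: ignores lim
    "copy_header": (["buf", "src", "len"], [("call", "l2", "clamp", ["len", "MAX"]),
                                            ("call", "_", "memcpy_len", ["buf", "src", "l2"]), ("ret", "_")]),
    "parse": (["input"], [("mov", "sz", "input"), ("call", "_", "copy_header", ["dst", "input", "sz"]), ("ret", "_")]),
}
print(tainted_sink_params("parse", FUNCS))  # [0]: parameter `input` controls the memcpy length
```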
Keywords/Search Tags: semi-simulation, vulnerability detection, static analysis, function summary, intermediate language, intra-procedural analysis, inter-procedural analysis, VSA algorithm, DDA algorithm, taint analysis, symbolic execution, constraint solving