A Prototype System For Dynamic Binary Program Vulnerability Discovery

Posted on: 2013-12-19, Degree: Master, Type: Thesis
Country: China, Candidate: Y P Ji, Full Text: PDF
GTID: 2248330371966935, Subject: Information security
Abstract/Summary:
Software vulnerability discovery is one of the most important parts of software security, and static and dynamic analysis are its two key techniques. Static analysis does not require actually running the program; it obtains its results by applying semantic analysis and a set of rules (defined manually or obtained through machine learning) to the program's source code or binary form. One advantage of static analysis is that it depends little on the platform, so it is widely used to analyze different platforms and systems. Another is that it has a good global view of the program, which makes it easy to apply to whole-program and module-level analysis. Its disadvantage is that, because of the scale of the application, there is a high probability that its results cannot be verified. Compared with static analysis, dynamic analysis overcomes this weakness in result verification: every step of the execution is reliable and can be traced back. However, dynamic analysis has an obvious limitation of its own: it cannot know the overall structure of the program or the branches that were not executed; it knows only the path it actually executes. The subject of this study is dynamic binary vulnerability discovery. The study is divided into four parts: (1) an introduction to the mainstream platforms for dynamic binary instrumentation; (2) an introduction to the composition of plug-ins in the Intel Pin tool; (3) a method of tracing data from input, called "taint-tracing"; (4) a method I propose, applied during dynamic taint-tracing, to determine vulnerabilities based on a set of operations I call "dangerous operations". Finally, I verify the effectiveness of the method at the end of the paper.
Keywords/Search Tags: vulnerability discovery, software defect, dynamic execution, taint trace, dangerous operation