
Research On Offline Dynamic Taint Analysis Of Binary Program Based On QEMU

Posted on: 2017-08-13
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 2348330566456737
Subject: Software engineering
Abstract/Summary:
Dynamic taint analysis of binary programs can be divided, according to when the analysis is performed, into online dynamic taint analysis and offline dynamic taint analysis. In recent years, online dynamic taint analysis of binaries has become one of the research hotspots in software vulnerability analysis. Online analysis performs taint propagation while the program runs, which leads to long analysis times, a high rate of missed vulnerabilities and a large amount of manual analysis; for network applications that must respond quickly, these problems are unavoidable.

To address the shortcomings of online dynamic taint analysis of binaries, this thesis proposes a method of offline dynamic taint analysis of binary programs based on QEMU. The method consists of four parts. The first part obtains the dynamic information of the binary program: the QEMU decoding and execution mechanism is modified to record the execution trace of the target binary, and taint sources are marked at the same time using hook technology. The second part is vulnerability modeling for binary programs: existing binary vulnerabilities are analyzed and vulnerability models suited to the method are established; in this thesis a stack buffer overflow model and a controlled jump model are built. The third part is the offline dynamic taint analysis itself: it takes the execution trace file and the taint-source log file as input, replays the program virtually, propagates taint according to the propagation strategy, and checks the program for vulnerabilities against the security policy generated from the established vulnerability models. The fourth part is backtrace analysis of the tainted data: the taint propagation flow graph is reversed so that tainted data can be traced back to its offset in the taint-source file.

In addition, this thesis improves the existing taint propagation strategy; for example, the effect on the taint state of the flag register and of associated registers when certain instructions operate on tainted data is taken into account. These improvements make the taint propagation strategy more rigorous and thus ensure the correctness of the offline dynamic taint analysis. Finally, the execution flow of the method is analyzed in detail through a case study of a C program written by the author, and the network communication program Feiqiu V2.5 and the word processor Microsoft Word 2010 are used as test objects in further experiments. The experimental results show that the method is correct, effective and practical, and that it simplifies program analysis.
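The third and fourth parts of the method, as an added worked example that is not code from the thesis: a small offline taint engine consumes a recorded trace and a taint-source log, propagates taint (including to the flag register, and clearing it on the `xor reg, reg` zeroing idiom), raises an alert when a jump target or a saved return address is tainted, and then reverses the propagation flow graph to recover the input-file offsets responsible. The trace format, the operand notation, the taint-source log and the two alert rules (simplified stand-ins for the thesis's controlled jump and stack buffer overflow models) are all constructed assumptions; the real pipeline would obtain the trace and source log from the modified QEMU and its hooks.

```python
"""Offline dynamic taint analysis over a recorded execution trace.

Added example, not the thesis's code: the trace format, operand notation and
taint-source log are constructed stand-ins for the modified QEMU's output.
"""
from collections import namedtuple

# Constructed taint-source log: memory byte address -> offset in the input
# file. Assumes a hooked recv() wrote input[0..3] to 0x1000..0x1003.
TAINT_SOURCE_LOG = {0x1000: 0, 0x1001: 1, 0x1002: 2, 0x1003: 3}

# Constructed trace: (mnemonic, dst, src) in a toy x86-like notation. Registers
# are strings, memory bytes are ("mem", address), immediates are ints. 0x7ffc
# is assumed to be the stack slot holding the saved return address.
TRACE = [
    ("mov", "eax", ("mem", 0x1000)),   # eax = input[0]
    ("mov", "edx", ("mem", 0x1003)),   # edx = input[3]
    ("mov", "ebx", 0),                 # immediate write clears ebx's taint
    ("add", "ebx", "eax"),             # ebx += eax, eflags now tainted too
    ("add", "ebx", "edx"),             # ebx depends on offsets 0 and 3
    ("mov", ("mem", 0x7ffc), "ebx"),   # tainted data overwrites the return slot
    ("mov", "ecx", ("mem", 0x1002)),   # ecx = input[2]
    ("xor", "ecx", "ecx"),             # zeroing idiom: ecx and eflags are clean
    ("cmp", "eax", 0x41),              # eflags depend on tainted eax again
    ("jmp", "ebx", None),              # indirect jump through tainted ebx
    ("ret", ("mem", 0x7ffc), None),    # return through the overwritten slot
]

# One node of the taint propagation flow graph: the location written at a
# trace step and the nodes it was computed from; source nodes carry an offset.
Node = namedtuple("Node", "step loc preds offset")


class OfflineTaint:
    def __init__(self, source_log):
        self.nodes = []    # flow graph, appended in propagation order
        self.defs = {}     # location -> index of its latest tainted definition
        self.alerts = []
        for addr, off in source_log.items():
            self.defs[("mem", addr)] = self._node(-1, ("mem", addr), [], off)

    def _node(self, step, loc, preds, offset=None):
        self.nodes.append(Node(step, loc, preds, offset))
        return len(self.nodes) - 1

    def _tainted(self, operand):
        """Node index of the operand's taint, or None (immediates are clean)."""
        if operand is None or isinstance(operand, int):
            return None
        return self.defs.get(operand)

    def is_tainted(self, loc):
        return loc in self.defs

    def _set(self, step, loc, preds):
        """Record a write to loc; an untainted write drops the old taint."""
        preds = [p for p in preds if p is not None]
        if preds:
            self.defs[loc] = self._node(step, loc, preds)
        else:
            self.defs.pop(loc, None)

    def run(self, trace):
        for step, (mn, dst, src) in enumerate(trace):
            if mn == "mov":
                self._set(step, dst, [self._tainted(src)])
            elif mn in ("add", "sub", "and", "or", "xor"):
                # x xor x always yields zero, so result and eflags are clean
                preds = ([] if mn == "xor" and dst == src
                         else [self._tainted(dst), self._tainted(src)])
                self._set(step, dst, preds)
                self._set(step, "eflags", preds)   # flags follow the operands
            elif mn == "cmp":
                self._set(step, "eflags", [self._tainted(dst), self._tainted(src)])
            elif mn in ("jmp", "call", "ret"):
                # Simplified stand-ins for the two vulnerability models: a
                # tainted indirect target is a controlled jump, a tainted
                # saved return address a stack buffer overflow.
                n = self._tainted(dst)
                if n is not None:
                    kind = "stack buffer overflow" if mn == "ret" else "controlled jump"
                    self.alerts.append((step, kind, dst, self.backtrace(n)))
        return self.alerts

    def backtrace(self, node_idx):
        """Walk the flow graph backwards to the input-file offsets."""
        offsets, stack, seen = set(), [node_idx], set()
        while stack:
            i = stack.pop()
            if i in seen:
                continue
            seen.add(i)
            node = self.nodes[i]
            if node.offset is not None:
                offsets.add(node.offset)
            stack.extend(node.preds)
        return sorted(offsets)


def analyze():
    """Replay the constructed trace; returns (step, kind, location, offsets)."""
    return OfflineTaint(TAINT_SOURCE_LOG).run(TRACE)
```

Calling `analyze()` on the constructed trace yields two alerts, a controlled jump at step 9 and a stack buffer overflow at step 10, both traced back to input-file offsets 0 and 3; `ecx` is clean after the zeroing `xor`, while `eflags` is still tainted from the `cmp` against tainted `eax`, which is the flag-register effect the improved propagation strategy accounts for.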
Keywords/Search Tags: binary program, offline, dynamic taint propagation, QEMU, backtrace analysis