Research On Memory-related Software Vulnerability Feature Analysis And The Vulnerability Model Construction Approach

With the continuous development of information technology,software applications have been widely used in different areas,involving various aspects of social production and life.Great attention to the research of software vulnerability has been paid by the worldwide government departments,organizations and relevant scholars since that software vulnerability has been a great threat that can not be ignored in software security.In the past years,researchers worldwide have studied software vulnerabilities from different perspectives,and have made great progress in vulnerability definition,cause,classification,threat assessment,vulnerability database establishment and maintenance,vulnerability detection and so on.Although great achievements have been achieved in the research of vulnerability,the research of memory leak,double-free,use-after-free on vulnerability feature analysis and vulnerability model construction is still insufficient,which is mainly reflected in two aspects: firstly,the research on vulnerability feature mainly focuses on conceptual description at present,which can not reflect the essential feature of vulnerabilities,and there are little authoritative achievements on vulnerability feature formalization.Secondly,constructing vulnerability model is an important stage in the process of software vulnerability research.The existing research on vulnerability model mainly focuses on conceptual vulnerability model construction,and it is short of vulnerability models that can effectively indicate the formation mechanism of vulnerabilities.To solve the above issues,the research of this paper is presented as follows:1.The feature of software vulnerability is formalized,and the vulnerability detection method based on vulnerability feature is implemented.Firstly,the definition of vulnerability feature for memory leak,double-free,and use-after-free is proposed on the basis of studying a large number of literatures about vulnerabilities.Secondly,pointer related control flow graph(PCFG)is proposed based on control flow graph(CFG)and vulnerability feature,and the features of memory leak,double-free and use-after-free are formally described based on PCFG.A vulnerability detection method based on vulnerability feature(VFVDM)is also proposed.The framework of VFVDM is introduced and each module is analyzed.The PCFG generation algorithm,vulnerability judging algorithm based on vulnerability feature(VFVJ Algorithm)and feature judging algorithm(FJ Algorithm)are detailed in the paper.2.The software vulnerability model is constructed,and the vulnerability detection method based on vulnerability model is implemented.Firstly,the guidance framework of vulnerability model construction is proposed,and it is suggested that the vulnerability subject,inducement,environment and their interaction should be considered in vulnerability model construction.Then the vulnerability model based on Petri net(VM_PN)of memory leak,double-free,and use-after-free is constructed in the perspective of vulnerability subject and environment.A vulnerability detection method based on vulnerability model(VMVDM)is also proposed.The framework of VMVDM is introduced and each module is analyzed.The vulnerability judging algorithm based on vulnerability model(VMVJ Algorithm)is detailed in the paper.3.A prototype system for vulnerability detection named vulnerability detection system based on vulnerability feature and vulnerability model(VFVM-VDS)is designed and implemented.The system mainly includes four modules: PCFG generation module,vulnerability detection method based on vulnerability feature module(VFVDM module),vulnerability detection method based on vulnerability model module(VMVDM module)and methods comparative analysis module.The two vulnerability detection methods of this paper can be well implemented in the prototype system,and the system has good effectiveness and feasibility.