
Research On Software Execution Trace Extraction And Analysis Technology For Binary Vulnerability Analysis

Posted on: 2019-09-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Xia
Full Text: PDF
GTID: 2428330611993619
Subject: Information and Communication Engineering

Abstract/Summary:
Software execution tracing is a dynamic binary analysis technique that supports vulnerability diagnosis and analysis by recording how a program actually executes. Execution traces are used in fault localization, taint analysis, symbolic execution and deterministic replay. Deterministic replay in particular not only improves an analyst's ability to reason about a program, but also removes the effect of nondeterminism on the analysis of parallel programs running on multi-core processors. Applying execution tracing to deterministic replay still faces several problems. First, the program behaviour captured by existing tracing is not complete enough to drive a deterministic replay. Second, analysis context is not preserved when the same program is analysed repeatedly, so the execution information cannot be obtained a second time. Third, the time cost of collecting an execution trace is very high, which is the main reason deterministic replay performs poorly. Taking deterministic replay, the least efficient of these uses, as the running example, this thesis therefore studies methods for extracting and analysing software execution traces that are common to binary vulnerability analysis. In view of the above problems, the main work and contributions of this thesis are as follows.

First, an offline tracing method for deterministic replay is proposed. A purely software-based approach runs the analysis instructions dynamically against the target system's execution as captured in an offline file, obtaining the corresponding execution information; this reduces the coupling between the instrumentation engine and the target system under analysis. The thesis studies how much content the execution trace must contain for a given degree of replay determinism, and stores the trace in a database for subsequent replay analysis and research.

Second, a parallel extraction algorithm for execution traces is proposed. Traditional dynamic binary analysis integrates dynamic translation, instruction execution and program analysis into a single process, so it cannot be parallelised. The thesis improves on this by separating the three stages through offline files: dynamic translation produces the offline file, the offline file drives instruction execution, and program analysis is carried out last. The thesis observes that the offline-file-driven instruction execution can be partitioned, and on this basis proposes an algorithm that extracts the execution trace in parallel, which improves the efficiency of trace recording.

Third, a context-preserving method for dynamically replacing a program's input is proposed. From an in-depth study of how virtualization technology is implemented, two ways of replacing program input on top of virtualization are proposed: (1) the emulator's source code and its dynamic translation mechanism are analysed so that analysis code can be inserted, guest instructions monitored in real time, and file replacement performed; (2) a method of real-time communication between host and guest is studied, and the input is replaced by real-time file transfer after hooking the target program inside the guest. The emulator's snapshot mechanism is then analysed and combined with input substitution to achieve dynamic replacement. This capability is valuable in vulnerability analysis tasks such as differential comparison.

Finally, based on the above methods and algorithms, a software execution trace extraction and analysis system is designed, and its ability to extract execution traces in parallel and to replace program input is verified experimentally. The system's value as an aid to binary vulnerability analysis is demonstrated on real software.
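As an added illustration of the parallel extraction idea in the second contribution above (example code written for this page, not the thesis's implementation): the translation stage's offline file is modelled as a list of decoded instruction records for a toy instruction set (an assumption for illustration), a cheap sequential pass computes the machine state at each segment boundary, and the per-instruction recording then runs on all segments independently. A thread pool is used so the example runs anywhere; with a process pool the structure is identical and the recording pass actually scales across cores.

```python
"""Added example, not the thesis's code: parallel extraction of execution-trace
records from an 'offline file' produced by the translation stage.  Replaying the
decoded stream from the initial state is deterministic, so it can be cut into
segments once the machine state at each boundary is known (cheap pass), and the
expensive per-instruction recording then runs on every segment at once."""
from concurrent.futures import ThreadPoolExecutor
from typing import List, Optional, Tuple

# Toy instruction set (an assumption for illustration): four 32-bit registers
# r0..r3 and a flat memory.  An offline-file record is (pc, opcode, operands):
#   ("mov", rd, imm)   rd <- imm          ("ld", rd, addr)  rd <- mem[addr]
#   ("add", rd, rs)    rd <- rd + rs      ("st", addr, rs)  mem[addr] <- rs
#   ("xor", rd, rs)    rd <- rd ^ rs
Record = Tuple[int, str, Tuple[int, int]]
# State is immutable (tuple of regs, sorted memory items) so checkpoints can be
# handed to workers without copying concerns.
State = Tuple[Tuple[int, ...], Tuple[Tuple[int, int], ...]]
MASK = 0xFFFFFFFF


def initial_state() -> State:
    return ((0, 0, 0, 0), ())


def step(state: State, rec: Record) -> State:
    """Execute one record deterministically and return the new state."""
    regs, mem = list(state[0]), dict(state[1])
    pc, op, (a, b) = rec
    if op == "mov":
        regs[a] = b & MASK
    elif op == "add":
        regs[a] = (regs[a] + regs[b]) & MASK
    elif op == "xor":
        regs[a] ^= regs[b]
    elif op == "ld":
        regs[a] = mem.get(b, 0)
    elif op == "st":
        mem[a] = regs[b]
    else:
        raise ValueError(f"unknown opcode {op!r} at pc={pc:#x}")
    return tuple(regs), tuple(sorted(mem.items()))


def checkpoints(records: List[Record], n_segments: int) -> List[Tuple[int, int, State]]:
    """Fast sequential pass: execute without recording and return
    (start, end, state_at_start) for each segment of the stream."""
    n = len(records)
    bounds = [i * n // n_segments for i in range(n_segments)] + [n]
    state, out = initial_state(), []
    for k in range(n_segments):
        out.append((bounds[k], bounds[k + 1], state))
        for rec in records[bounds[k]:bounds[k + 1]]:
            state = step(state, rec)
    return out


def extract_segment(records: List[Record], start: int, end: int, state: State):
    """Expensive pass for one segment: re-execute from its checkpoint and emit,
    per instruction, what a replayer needs: pc, opcode, registers after the
    instruction and the memory write it performed (or None)."""
    trace: List[Tuple[int, str, Tuple[int, ...], Optional[Tuple[int, int]]]] = []
    for rec in records[start:end]:
        state = step(state, rec)
        regs = state[0]
        write = (rec[2][0], regs[rec[2][1]]) if rec[1] == "st" else None
        trace.append((rec[0], rec[1], regs, write))
    return trace


def extract_sequential(records: List[Record]):
    return extract_segment(records, 0, len(records), initial_state())


def extract_parallel(records: List[Record], n_segments: int):
    """Checkpoint pass, then all segments concurrently; parts are concatenated
    in stream order, so the result equals the sequential trace."""
    ckpts = checkpoints(records, n_segments)
    with ThreadPoolExecutor(max_workers=n_segments) as pool:
        parts = list(pool.map(lambda c: extract_segment(records, *c), ckpts))
    return [tr for part in parts for tr in part]


def build_offline_file() -> List[Record]:
    """Constructed sample stream: a prologue, then a loop body the translation
    stage emitted ten times (same pcs each time, different state)."""
    recs: List[Record] = [
        (0x1000, "mov", (0, 5)),            # r0 = 5
        (0x1004, "mov", (1, 0xDEADBEEF)),   # r1 = 0xDEADBEEF
        (0x1008, "st",  (0x2000, 1)),       # mem[0x2000] = r1
        (0x100C, "ld",  (2, 0x2000)),       # r2 = mem[0x2000]
        (0x1010, "xor", (2, 0)),            # r2 ^= r0  -> 0xDEADBEEA
        (0x1014, "mov", (3, 0)),            # r3 = 0
    ]
    for _ in range(10):
        recs += [(0x1018, "add", (3, 0)),   # r3 += r0
                 (0x101C, "st", (0x2004, 3))]  # mem[0x2004] = r3
    return recs


OFFLINE_FILE = build_offline_file()

if __name__ == "__main__":
    par = extract_parallel(OFFLINE_FILE, 4)
    assert par == extract_sequential(OFFLINE_FILE)
    print(f"{len(par)} trace records, final write {par[-1][3]}")
```

The checkpoint pass is what makes the division possible: starting a segment from the wrong state (for example the initial state instead of its checkpoint) yields a trace that silently disagrees with the sequential one, so a real extractor should also store the checkpoints alongside the trace so that any segment can be re-derived later without a full replay.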
Keywords/Search Tags: Execution Trace, Deterministic Replay, Whole-System, Extract Trace in Parallel, Dynamic Replacement, Reverse Engineering