Analyzing Vulnerable Software Code Using Dynamic Taint and SMT Solver

A Study on Analyzing Software Security Vulnerabilities Using Dynamic Taint Analysis and an SMT Solver

  • 김성호 (Department of Computer Software, Hanyang University)
  • 박용수 (Department of Computer Software, Hanyang University)
  • Received : 2014.09.04
  • Accepted : 2015.01.09
  • Published : 2015.03.15

Abstract

As software grows more complex, it contains more bugs that its developers do not recognize. Attackers then use the exploitable ones to penetrate systems or spread malicious code. A representative method is to manipulate document or multimedia files so that the software parsing them engages in unanticipated behavior; recently this method has been used frequently in advanced persistent threat (APT) attacks. In this paper, an automatic analysis method for finding software security bugs is proposed. The approach aims at finding security bugs that can arise from input data such as documents or multimedia files. First, dynamic taint analysis tracks how the input data propagates to the vulnerable code and identifies the instructions related to that input data. Next, the related instructions are translated into a formula, and an SMT solver is applied to the formula to find input data that triggers the vulnerability. Using this approach, six vulnerable code locations were found, together with input data that crashes applications such as HWP and GOM Player.

As software grows more complex, the number of bugs that developers fail to recognize is increasing. To attack systems or distribute malicious code, attackers exploit those software bugs that are security-relevant. A representative method manipulates files such as documents or multimedia to trigger such security-relevant bugs, and it has recently been used frequently in advanced persistent threat (APT) attacks. This paper therefore proposes an automatic program analysis method for finding software security vulnerabilities. The proposed method aims to find security-relevant software bugs that are triggered by input values such as documents or multimedia files. First, dynamic taint analysis tracks how the input data propagates to the vulnerable code location and extracts the instructions related to that propagation. The extracted related instructions are translated into a formula, and an SMT solver is used on that formula to find input values that can trigger the security vulnerability. Using the proposed method, we found six vulnerable code locations and input values that can cause crashes in the 아래아 한글 (HWP) word processor and GOM Player.
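The abstract (in both versions above) describes a three-stage pipeline: dynamic taint analysis tracks input bytes as they propagate to a vulnerable instruction, the input-dependent instructions are extracted, and that slice is translated into a formula that an SMT solver answers with a concrete input. The following Python program is an added, constructed illustration of that pipeline; it is not code from the paper or its authors. The toy file parser, its three-address IR, the register names, the tag value 0x4D, the record size 4 and the 64-byte destination buffer are all invented, and a brute-force enumeration of the tainted bytes stands in for the SMT solver so that the example runs offline; the SMT-LIB2 text it emits is what one would hand to a real solver such as Z3 instead.

```python
"""Toy version of the pipeline described in the abstract (constructed example):
taint tracking over one execution trace, extraction of the input-dependent
instruction slice, translation of the slice into SMT-LIB2, and a search for
an input that reaches the copy with an out-of-bounds length."""
from itertools import product

BUF_SIZE = 64   # bytes available at the copy destination (constructed)
MAGIC = 0x4D    # file-format tag the toy parser checks first (constructed)

# Constructed execution trace of a toy file parser in a three-address IR.
# "load" reads one input byte, "assume_eq" is a branch the trace took,
# "memcpy" is the sink whose length must not exceed BUF_SIZE.
TRACE = [
    ("load", "r0", 0),             # r0 = input[0]  (format tag)
    ("load", "r1", 1),             # r1 = input[1]  (record count)
    ("movi", "r2", 4),             # r2 = 4         (record size, not tainted)
    ("mul", "r3", "r1", "r2"),     # r3 = r1 * r2   (copy length)
    ("assume_eq", "r0", MAGIC),    # path continues only if the tag matches
    ("memcpy", "buf", "r3"),       # sink: copy r3 bytes into a BUF_SIZE buffer
]

def zext(idx):
    """Input byte idx as a 32-bit SMT-LIB2 term."""
    return f"((_ zero_extend 24) b{idx})"

def bv32(value):
    """32-bit SMT-LIB2 constant."""
    return f"(_ bv{value & 0xFFFFFFFF} 32)"

def execute(trace, data):
    """Run the trace concretely on `data`, tracking for every register its
    value, the input offsets it depends on (taint) and a symbolic SMT-LIB2
    term. Collects the taint-relevant slice, the path constraints over
    tainted bytes and the sink's vulnerability condition (length > BUF_SIZE)."""
    val, taint, sym = {}, {}, {}
    out = {"slice": [], "tainted": set(), "path": [], "vuln": None,
           "reached": False, "length": None}
    for ins in trace:
        op = ins[0]
        if op == "load":
            _, dst, idx = ins
            val[dst], taint[dst], sym[dst] = data[idx], {idx}, zext(idx)
            out["slice"].append(ins)
        elif op == "movi":
            _, dst, imm = ins
            val[dst], taint[dst], sym[dst] = imm, set(), bv32(imm)
        elif op == "mul":
            _, dst, a, b = ins
            val[dst] = (val[a] * val[b]) & 0xFFFFFFFF
            taint[dst] = taint[a] | taint[b]
            sym[dst] = f"(bvmul {sym[a]} {sym[b]})"
            if taint[dst]:                 # only input-dependent arithmetic is kept
                out["slice"].append(ins)
        elif op == "assume_eq":
            _, reg, imm = ins
            if val[reg] != imm:            # concrete run left the recorded path
                return out
            if taint[reg]:                 # tainted branch becomes a path constraint
                out["slice"].append(ins)
                out["tainted"] |= taint[reg]
                out["path"].append(f"(= {sym[reg]} {bv32(imm)})")
        elif op == "memcpy":
            _, _, length = ins
            out["reached"], out["length"] = True, val[length]
            if taint[length]:              # tainted length: the condition to solve for
                out["slice"].append(ins)
                out["tainted"] |= taint[length]
                out["vuln"] = f"(bvugt {sym[length]} {bv32(BUF_SIZE)})"
            return out
    return out

def to_smtlib(tainted, constraints):
    """Emit the formula an SMT solver (e.g. Z3) would be asked to satisfy."""
    decls = [f"(declare-const b{i} (_ BitVec 8))" for i in sorted(tainted)]
    asserts = [f"(assert {c})" for c in constraints]
    return "\n".join(decls + asserts + ["(check-sat)", "(get-model)"]) + "\n"

def solve_by_enumeration(trace, tainted, seed):
    """Stand-in for the SMT solver so the example runs offline: enumerate the
    tainted bytes (untainted bytes keep their seed values) and return the
    first input that reaches the sink with length > BUF_SIZE, else None."""
    idxs = sorted(tainted)
    for combo in product(range(256), repeat=len(idxs)):
        cand = bytearray(seed)
        for i, v in zip(idxs, combo):
            cand[i] = v
        r = execute(trace, bytes(cand))
        if r["reached"] and r["length"] > BUF_SIZE:
            return bytes(cand)
    return None

if __name__ == "__main__":
    seed = bytes([MAGIC, 0x02])    # constructed benign seed: valid tag, 8-byte copy
    r = execute(TRACE, seed)
    print("taint-relevant slice:", [ins[0] for ins in r["slice"]])
    print(to_smtlib(r["tainted"], r["path"] + [r["vuln"]]))
    sol = solve_by_enumeration(TRACE, r["tainted"], seed)
    print("crashing input:", sol.hex() if sol else "none found")
```

Running it prints the slice (the `movi` that loads the untainted record size is excluded), the formula, and the input `4d11`: the tag check is satisfied and a record count of 17 yields a 68-byte copy into the 64-byte buffer. In the paper's setting the trace comes from an instrumented binary and the variables are the bytes of a document or media file, but the shape of the formula is the same: path constraints over tainted bytes conjoined with the sink's overflow condition.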

Acknowledgement

Supported by: National Research Foundation of Korea (한국연구재단)
