Vulnerability Causation Analysis Based on Dynamic Execution Logging and Reverse Analysis

doi:10.3969/j.issn.1671-1122.2024.10.003

Abstract

Abstract:

Software vulnerabilities pose a great threat to software security, and there are numerous security incidents due to software vulnerabilities around the world every year. However, in the actual development process, due to the lack of security awareness of developers and the increasing complexity of code and business logic, it is difficult to avoid the existence of security vulnerabilities in software code. Aiming at the challenges of inaccurate error code positioning and inefficient analysis faced by the existing methods, this paper broke through the challenges of obtaining and reverse analysis of instruction runtime information and accurate positioning of error code, and proposed a method for locating the cause of program errors based on trace logs and reverse execution, which was capable of tracking the code execution flow of the program, recording the register state information and storage access state information of the instruction in the runtime state, and analyzing the pointer associated with the pointer that triggered the execution error. It can track the code execution flow of the program, record the register state information and storage access state information in the running state of the instruction, analyze the set of instructions that generate, use, and compute the pointer value associated with the pointer that triggers the execution error, and realize the efficient and accurate vulnerability cause analysis and localization.

Key words: dynamic execution log, reverse analysis, vulnerability causation analysis

CLC Number:

TP309

SHEN Qintao, LIANG Ruigang, WANG Baolin, ZHANG Jingcheng, CHEN Kai. Vulnerability Causation Analysis Based on Dynamic Execution Logging and Reverse Analysis[J]. Netinfo Security, 2024, 24(10): 1493-1505.

Figures/Tables 4

References 20

[1]	CNVD. National Information Security Vulnerability Sharing Platform[EB/OL]. (2024-01-09)[2024-02-16]. https://www.cnvd.org.cn/.
	CNVD. 国家信息安全漏洞共享平台[EB/OL]. (2024-01-09)[2024-02-16]. https://www.cnvd.org.cn/.
[2]	LU Kangjie, PAKKI A, WU Qiushi. Detecting Missing-Check Bugs via Semantic and Context-Aware Criticalness and Constraints Inferences[C]// USENIX. 28th USENIX Security Symposium (USENIX Security 19). Berkeley: USENIX, 2019: 1769-1786.
[3]	ZOU Daming, LIANG Jingjing, XIONG Yingfei, et al. An Empirical Study of Fault Localization Families and Their Combinations[J]. IEEE Transactions on Software Engineering, 2019, 47(2): 332-347.
[4]	BLAZYTKO T, SCHLOGEL M, ASCHERMANN C, et al. AURORA: Statistical Crash Analysis for Automated Root Cause Explanation[C]// USENIX. 29th USENIX Security Symposium (USENIX Security 20). Berkeley: USENIX, 2020: 235-252.
[5]	JIANG Zhiyuan, JIANG Xiyue, HAZIMEH A, et al. Igor: Crash Deduplication through Root-Cause Clustering[C]// ACM. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021: 3318-3336.
[6]	ABREU R, ZOETEWEIJ P, VAN GEMUND A J. On the Accuracy of Spectrum-Based Fault Localization[C]// IEEE. Testing: Academic and Industrial Conference Practice and Research Techniques-MUTATION (TAICPART-MUTATION 2007). New York: IEEE, 2007: 89-98.
[7]	WONG E, WEI Tingting, QI Yu, et al. A Crosstab-Based Statistical Method for Effective Fault Localization[C]// IEEE. 2008 1st International Conference on Software Testing, Verification, and Validation. New York: IEEE, 2008: 42-51.
[8]	MASRI W. Fault Localization Based on Information Flow Coverage[J]. Software Testing, Verification and Reliability, 2010, 20(2): 121-147.
[9]	HONG S, LEE B, KWAK T, et al. Mutation-Based Fault Localization for Real-World Multilingual Programs[C]// IEEE. 30th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2015: 464-475.
[10]	LI Xia, ZHANG Lingming. Transforming Programs and Tests in Tandem for Fault Localization[J]. Proceedings of the ACM on Programming Languages, 2017, 1: 1-30.
[11]	CUI Weidong, PEINADO M, CHA S K, et al. Retracer: Triaging Crashes by Reverse Execution from Partial Memory Dumps[C]// IEEE. Proceedings of the 38th International Conference on Software Engineering(ICSE). New York: IEEE, 2016: 820-831.
[12]	OHMANN P, LIBLIT B. Lightweight Control-Flow Instrumentation and Postmortem Analysis in Support of Debugging[C]// IEEE. 28th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2017: 865-904.
[13]	XU Jun, MU Dongliang, XING Xinyu, et al. Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts[C]// USENIX. 26th USENIX Security Symposium (USENIX Security 17). Berkeley: USENIX, 2017: 17-32.
[14]	MU Dongliang, DU Yunlan, XU Jianhao, et al. Pomp++: Facilitating Postmortem Program Diagnosis with Value-Set Analysis[J]. IEEE Transactions on Software Engineering, 2019, 47(9): 1929-1942.
[15]	GE Xinyang, NIU Ben, CUI Weidong. Reverse Debugging of Kernel Failures in Deployed Systems[C]// USENIX. 2020 USENIX Annual Technical Conference (USENIX ATC 20). Berkeley: USENIX, 2020: 281-292.
[16]	ZUO Guofei, MA Jiacheng, QUINN A, et al. Execution Reconstruction: Harnessing Failure Reoccurrences for Failure Reproduction[C]// ACM. Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. New York: ACM, 2021: 1155-1170.
[17]	YAGEMANN C, PRUETT M, CHUNG S P, et al. ARCUS: Symbolic Root Cause Analysis of Exploits in Production Systems[C]// USENIX. 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 1989-2006.
[18]	BELL J, SARDA N, KAISER G. Chronicler: Lightweight Recording to Reproduce Field Failures[C]// IEEE. 35th International Conference on Software Engineering (ICSE). New York: IEEE, 2013: 362-371.
[19]	HE Liang, HU Hong, SU Purui, et al. FreeWill: Automatically Diagnosing Use-After-Free Bugs via Reference Miscounting Detection on Binaries[C]// USENIX. 31st USENIX Security Symposium (USENIX Security 22). Berkeley: USENIX, 2022: 2497-2512.
[20]	CUI Weidong, GE Xinyang, KASIKCI B, et al. REPT: Reverse Debugging of Failures in Deployed Software[C]// USENIX. 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). Berkeley: USENIX, 2018: 17-32.

CVE-ID	程序名称	版本	大小	类型
CVE-2017-12955	Exiv2	7e4fad6	9.97 MB	图片处理程序
CVE-2017-14860	Exiv2	f25c9a6	9.94 MB	图片处理程序
CVE-2020-18831	Exiv2	c23b305	9.40 MB	图片处理程序
CVE-2019-13108	Exiv2	0.27.1	10.69 MB	图片处理程序
CVE-2020-23879	pdf2json	cfa8103	2.20 MB	pdf 格式转换
CVE-2023-36273	dwg2dxf	77a8562	35.00 MB	dwg 文件解析
CVE-2022-33033	dwg2dxf	0.12.4.4608	32.00 MB	dwg 文件解析
CVE-2019-9771	dwg2dxf	0.7	7.70 MB	dwg 文件解析
CVE-2022-35164	dwgrewrite	0.12.4.4608	25.00 MB	dwg 文件解析
CVE-2019-19887	ffjpeg	0f5c850	82 KB	jpeg 编码解析
CVE-2020-23705	ffjpeg	c31ce5d	81 KB	jpeg 编码解析
CVE-2021-34122	ffjpeg	4ab404e	78 KB	jpeg 编码解析
CVE-2022-37769	jpeg(libjpeg)	250c886	6.10 MB	jpeg 协议完整实现
CVE-2021-39515	jpeg(libjpeg)	e52406	6.10 MB	jpeg 协议完整实现
CVE-2023-4683	MP4Box	5360a17	859 KB	模块化多媒体框架

CVE-ID	距离崩溃点的指令数/个	崩溃原因	报告数 /行	是否正确	分析时间/s
CVE-2017-12955	1425224	读取不合法的地址	4	√	151.3
CVE-2017-14860	1545	读取不合法的地址	3	√	64.4
CVE-2020-18831	8	读取不合法的地址	1	√	0.1
CVE-2019-13108	603	分配超大内存	1	√	3.0
CVE-2020-23879	128026	使用空指针	3	√	11.9
CVE-2023-36273	16	使用空指针	2	√	0.1
CVE-2022-33033	726	释放错误	1	√	0.1
CVE-2019-9771	5879	读取不合法的地址	2	√	5.4
CVE-2022-35164	801	释放后使用	1	√	0.1
CVE-2019-19887	7	使用空指针	2	√	0.1
CVE-2020-23705	39	使用空指针	2	√	19.5
CVE-2021-34122	7	使用空指针	2	√	0.1
CVE-2022-37769	487	读取不合法的地址	3	√	0.1
CVE-2021-39515	259	使用空指针	2	√	0.1
CVE-2023-4683	23	使用空指针	2	√	0.1