Automatic Vulnerability Discovery and Patch in Binary Programs

PhD === National Chiao Tung University === Institute of Computer Science and Engineering === 107 === Software vulnerability is considered a serious security challenge in information systems. An adversary can exploit vulnerabilities to penetrate a system. These systems remain defenseless until the software vendor repairs the vulnerability and releases a patch...

Full description

Bibliographic Details
Main Authors: Chen, Chung-Kuan, 陳仲寬
Other Authors: Shieh, Shiuhpyng
Format: Others
Language: en_US
Published: 2019
Online Access: http://ndltd.ncl.edu.tw/handle/2v4k4y
id ndltd-TW-107NCTU5394056
record_format oai_dc
collection NDLTD
language en_US
format Others
sources NDLTD
description PhD === National Chiao Tung University === Institute of Computer Science and Engineering === 107 === Software vulnerability is considered a serious security challenge in information systems. An adversary can exploit vulnerabilities to penetrate a system. These systems remain defenseless until the software vendor repairs the vulnerability and releases a patch. Automatic vulnerability discovery and patching can shorten the window before a vulnerability is patched, so it is an emerging issue. In this dissertation, three innovative approaches are proposed in two layers: 1) binary program reversing and 2) vulnerability discovery and patching. In binary program analysis, a binary analysis platform, a control flow analysis mechanism and a data structure reversing mechanism are proposed. These mechanisms enhance the accuracy and completeness of binary analysis. In vulnerability discovery and patching, Heap Vulnerability Assessment (HVA), Use-After-Free Patcher (UAF Patcher) and injection vulnerability patching are proposed to improve efficiency, accuracy and stability in the field of vulnerability discovery and patching. To automate vulnerability discovery and patching, an extensible and feature-rich analysis platform is indispensable. Even though many platforms designed for certain analysis tasks exist, such as PANDA and DECAF, data flow tracking for Windows 10 x64 and runtime memory forensics are still lacking, because of insufficient analysis of undocumented and encrypted data structures and of the semantics of extended instruction sets. In this paper, a semi-automatic methodology is proposed to build a binary analysis platform, MBA, that fulfills the need for the aforementioned functionalities. Based on MBA, control flow analysis and data structure reversing methodologies are proposed. Control flow integrity (CFI) is a software hardening mechanism.
While conventional methods apply either static or dynamic analysis to construct the control flow graph, CFI mechanisms can be bypassed because the control flow graph is incomplete. In this dissertation, a new hybrid approach is proposed that combines static value set analysis and dynamic concolic execution to construct a more complete control flow graph, including control flows that neither static nor dynamic analysis alone discovers. To recognize data structures in raw memory content, current mechanisms rely on fixed signatures or dereference chains to retrieve the semantics of memory content. DeepMemIntrospect uses a Convolutional Neural Network (CNN) to recognize data structures without relying on fixed patterns. These analysis techniques enable vulnerability discovery and patching. Since several research efforts have already addressed memory corruption vulnerability discovery and patching, this dissertation focuses on another critical memory corruption vulnerability: Use-After-Free (UAF). To discover UAF vulnerabilities in a binary program, Heap Vulnerability Assessment (HVA) is proposed. Although dynamic symbolic execution is widely used, it suffers from the path explosion problem. To overcome path explosion in conventional concolic-execution-based approaches, HVA statically filters out more than 99% of invulnerable paths using the designed automata-based vulnerability specifications, and then conducts dynamic symbolic execution to reach the vulnerable points for verification. The overall performance is therefore improved. When UAF vulnerabilities are found, the UAF Patcher can repair them. The bottleneck of current UAF patching approaches, such as DangNull and Undangle, is tracking the data propagation of dangling pointers at runtime.
The UAF Patcher executes the binary, mines invariant dereference chains to dangling pointers offline, and inserts only a few instructions of patch code carrying the invariant dereference chain into the patched binary, eliminating the bottleneck. The UAF Patcher produces a recommended remediation for developers. To ensure the accuracy of the patch and its scope, a formal analysis is conducted. Furthermore, while symbolic execution is unsuitable for variable-length data structures, string analysis can be applied to this type of data and complements symbolic execution. However, current research cannot precisely patch vulnerabilities because it lacks character-level data flow tracking and injected delimiter mining. Therefore the string analysis system STAPA is developed to address these two problems. With these automated approaches, vulnerabilities can be discovered and patched sooner to reduce malicious threats.
author2 Shieh, Shiuhpyng
author_facet Shieh, Shiuhpyng
Chen, Chung-Kuan
陳仲寬
author Chen, Chung-Kuan
陳仲寬
author_sort Chen, Chung-Kuan
title Automatic Vulnerability Discovery and Patch in Binary Programs
publishDate 2019
url http://ndltd.ncl.edu.tw/handle/2v4k4y
spelling ndltd-TW-107NCTU5394056 2019-06-27T05:42:50Z http://ndltd.ncl.edu.tw/handle/2v4k4y Automatic Vulnerability Discovery and Patch in Binary Programs 自動化二進制程式弱點偵測與修補 Chen, Chung-Kuan 陳仲寬 PhD National Chiao Tung University Institute of Computer Science and Engineering 107 Shieh, Shiuhpyng 謝續平 2019 Dissertation ; thesis 167 en_US