CN105117332B - Method for detecting the location of a stack overflow - Google Patents

Method for detecting the location of a stack overflow

Info

Publication number: CN105117332B
Authority: CN (China)
Prior art keywords: stack overflow, software, program, address, text
Legal status: Active
Application number: CN201510510578.6A
Other languages: Chinese (zh)
Other versions: CN105117332A (en)
Inventors: 张小松, 吴林, 牛伟纳, 王东, 陈瑞东, 白金, 徐浩然, 吴安彬
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Priority date: 2015-08-19
Filing date: 2015-08-19
Publication date: 2015-12-02 (application, CN105117332A); 2018-08-14 (grant, CN105117332B)

Timeline: application filed by University of Electronic Science and Technology of China; priority to CN201510510578.6A; publication of CN105117332A; application granted; publication of CN105117332B; legal status active.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method for detecting the location of a stack overflow. It belongs to the field of software testing and is intended to locate stack overflows quickly in support of program analysis. The method defines a set A and executes the software under test under program instrumentation. Each time a call instruction executes, the address it pushes onto the stack (the return address) is fetched and stored in set A. Each time a ret instruction executes, its return address is checked against set A: if it is present, the function is judged not to have suffered a stack overflow; if it is absent, the function is judged to have a stack overflow. The technical solution is intended mainly for software analysis: it can quickly and precisely locate the module in which a stack overflow occurred, and further analysis can pinpoint the exact location that caused it. The method does not need the source code of the software under test, so it can handle commercial software, and it can handle functions of all types, including complex nested functions, giving it better adaptability.

Description

Method for detecting the location of a stack overflow
Technical field
The invention belongs to the field of software analysis. It is an automated stack-overflow detection method for software analysis that does not need the source code of the software under test, so it can be applied to commercial software, and that can handle functions of all types.
Background art
A stack overflow is one kind of buffer overflow. While a program runs it allocates regions of memory, commonly called buffers, to hold data temporarily. If more data is written into a buffer than its length allows, the buffer overflows because it cannot hold the data; the program may crash, or it may be diverted to execute other instructions.
Buffer-overflow vulnerabilities are widespread and easy to exploit. When a function is called, the caller leaves an activation record on the stack that contains, among other things, the address to return to when the function finishes. A stack overflow, in the narrow sense, is the modification of critical stack contents from outside: when a local buffer overflows past its upper bound, that is, in the direction opposite to stack growth, it can overwrite critical pointers such as the saved return address. The program then behaves abnormally; for example, a modified return address makes execution jump to an unpredictable address, possibly into malicious code.
Program instrumentation was first proposed by Professor J. C. Huang. Probes are inserted into a program while preserving its original logic; as the program executes, the probes emit data about its run-time behaviour, and analysing that data yields the program's control-flow and data-flow information and, from it, dynamic information such as logic coverage, which serves the purpose of testing.
By the stage at which detection happens, stack-overflow detection divides into static and dynamic techniques. Static detection does not depend on running the program; it typically finds stack-overflow errors before or after compilation. Dynamic detection necessarily depends on running the program and generally inserts or modifies some instructions in the program to detect overflows of the stack. By how the instructions are inserted, dynamic detection further divides into static instrumentation and dynamic instrumentation. Static instrumentation modifies the program before it runs and currently comes in two main classes: source-code-based and binary-code-based. Dynamic instrumentation modifies the binary code while the program runs, inserting instructions at function entries and exits to monitor how the stack is used.
Existing techniques for locating a stack overflow all rely on recompiling from source code and cannot be applied to already-compiled software.
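As an added illustration of the frame layout described above (not code from the patent), the following C program models a 16-byte local buffer lying directly below the saved return address and shows how an unchecked copy into the buffer reaches that address. The struct layout, the return address 0x401136, and the 24-byte payload are all constructed and simplified (no saved frame pointer, no stack canary, 64-bit return address).

```c
/* Added example, not code from the patent: a model of the stack frame described above, a
 * local buffer lying directly below the saved return address, and of how an unchecked copy
 * into that buffer reaches the return address. Layout, addresses and payload are constructed
 * and simplified (no saved frame pointer, no stack canary, 64-bit return address). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct frame_model {
    unsigned char buf[16];   /* local buffer; writes run toward higher addresses */
    uint64_t      saved_ret; /* return address the caller's call pushed, just above buf */
};

#define LEGIT_RET 0x401136ULL   /* constructed: address of the instruction after the call */

/* Constructed attacker input: 16 filler bytes fill buf, the next 8 bytes land on saved_ret. */
const unsigned char payload[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42 };

/* Vulnerable form: copies len bytes into the frame starting at buf with no regard to
 * sizeof buf, the same write pattern as strcpy(buf, input). Returns the saved_ret value the
 * function's ret would pop afterwards. (The copy is clamped to sizeof f only so that the
 * model itself stays within defined behaviour.) */
uint64_t copy_unchecked(const unsigned char *in, size_t len)
{
    struct frame_model f = { {0}, LEGIT_RET };
    if (len > sizeof f) len = sizeof f;
    memcpy((unsigned char *)&f, in, len);      /* &f == &f.buf[0]: the overflow spills into saved_ret */
    return f.saved_ret;
}

/* Hardened form: rejects input that does not fit in buf. Returns 1 if copied, 0 if rejected;
 * saved_ret (written to *ret_out when non-NULL) is intact either way. */
int copy_checked(const unsigned char *in, size_t len, uint64_t *ret_out)
{
    struct frame_model f = { {0}, LEGIT_RET };
    int ok = len <= sizeof f.buf;
    if (ok) memcpy(f.buf, in, len);
    if (ret_out) *ret_out = f.saved_ret;
    return ok;
}
```

With the full 24-byte payload, copy_unchecked leaves 0x4242424242424242 where the return address was, so the function's ret would pop a value no call ever pushed; that is exactly the condition the method below tests for. copy_checked refuses the same input and returns the original 0x401136.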
Summary of the invention
The purpose of the invention is to provide a method for locating stack overflows during software analysis. The method only checks whether a function's return address is in the set of recorded entry addresses; it does not require a one-to-one pairing with the function's entry address, so it adapts to all function-calling conventions. It does not need the software's source code: while the software runs, code is inserted at designated positions by instrumentation, which is enough for detection, so commercial embedded software can be tested conveniently. The decision rule is simple, so whether a stack overflow has occurred can be detected quickly, and with further analysis the exact location of the overflow can be found.
To achieve this, the invention adopts the following technical scheme:
An automated stack-overflow detection method and apparatus for software analysis, characterised by the following components:
Instrumentation tool: compiles the monitoring program, receives detection commands from the monitoring program and starts the software under test, collects information while the software under test runs and forwards it to the monitoring program;
Monitoring program: carries out the main functions of the actual execution part, including setting the specific positions to monitor, monitoring specific information while the software under test runs, obtaining the values of designated registers and memory, establishing set A and making the decision. When a call instruction executes, the address it pushes onto the stack is fetched and stored in set A; when a ret instruction executes, its return address is checked against set A, and if it is absent the function is judged to have a stack overflow.
Software under test: the running part after the software under test has been started;
In the invention a set is defined and the software under test is executed under program instrumentation. When a call instruction executes, the address it pushes onto the stack is fetched and stored in set A; when a ret instruction executes, its return address is checked against set A, and if it is absent the function is judged to have a stack overflow. The method comprises mainly the following steps:
S1: establish set A and start the software under test;
S2: parse instructions through program instrumentation, obtaining the instructions executed by the software under test and their run-time information according to the monitoring program's settings; decide whether the instruction is a control-transfer instruction or the end of the program; if it is the end of the program, detection ends;
S3: decide the kind of control-transfer instruction: if it is a call instruction, obtain its entry address; if it is a ret instruction, go to step S5;
S4: store the entry address in set A and go to step S2; check whether its return address exists in set A; if so, go to step S1; if not, a stack overflow has occurred and detection ends.
S5: obtain the return address and its details;
S6: compare it with the addresses in set A to decide whether the return address exists in set A; if so, go to step S2; if not, a stack overflow has occurred and detection ends;
In the invention, every entry address extracted from the instrumentation output when a call instruction is detected is saved in the set. When a ret instruction is detected and its return address obtained, the return address is simply looked up in the set: a hit is normal, a miss indicates that a stack overflow has occurred.
The invention does not require return addresses to correspond one-to-one with pushed addresses, so it can detect overflows in a wide range of complex functions and adapts better.
Compared with the prior art, the advantages of the invention are:
One, the decision logic is simple: a detected entry position is added to the set, and a detected return position is checked for membership in the set to decide whether a stack overflow has occurred, so execution is efficient;
Two, the instrumentation technique is a binary analysis framework that inserts code into object code. Because the format of object code depends mainly on the operating system and is independent of the programming language and compiler version, the analysis method applies to all kinds of commercial software without their source code;
Three, the invention does not strictly require function exits to pair with entries, so it adapts to almost all function-calling forms. For example, calls to external functions are very often nested, and the invention can handle nested external functions as well.
Description of the drawings
Fig. 1 is the overall framework of the invention;
Fig. 2 is the overflow-detection flowchart of the invention.
Detailed description
The invention is further described below with reference to the drawings and a specific embodiment.
Embodiment
The embodiment uses Pin, a program-testing tool developed by Intel. Pin is a binary analysis framework for building powerful dynamic program analysis tools; it supports 32- and 64-bit Linux and Windows executables and can observe instruction, memory and address details while a program runs. To protect its technology Intel does not release Pin's source code, but it provides compiled versions for use, and users extend it with custom analysis functions in the form of plug-ins.
Put simply, Pin inserts probe functions into executable binary code for observation, recording, analysis and so on. Analysis functions of all kinds can be written against the Pin API, and the statistics and analysis results are produced as the program runs.
When the Pin framework drives a process, the code actually running consists of three parts: the process's own binary, the Pin framework code and the pintool code.
Suppose we want to monitor whether a stack overflow occurs while some program runs. Two things must be decided first: where to analyse, and how. In the invention, therefore, the pintool must determine the specific insertion positions for its code and must record some parameters of the current environment for analysis.
Table 1 lists the API functions used by the pintool of this embodiment and their descriptions.
Table 1. Commonly used pintool APIs

No. | API         | Description
1   | itrace      | Shows the memory address of every executed instruction
2   | malloctrace | Records the values passed to a function or returned from it
3   | pinatrace   | Detects the memory addresses read and written by instructions
4   | safecopy    | Records the program's instructions that copy data from memory to registers
5   | malloctrace | Outputs the input parameters of malloc() and free() and the return value of malloc()
One, setting up the Pin build environment: Pin has no graphical interface; everything is done from the command line. Before running Pin, the matching version of Visual Studio must be installed as the compiler, and the pin directory must be added to the environment variables.
Two, writing the pintool file: Pin is an instrumentation platform or framework, and a specific instrumentation task is carried out by defining a pintool. The main function of a pintool has three parts: output-file setup, program-detection functions, and finalisation. The output-file setup part fixes the format and description of the output file; the detection part calls the individual functions that instrument the executable; the finalisation part is usually a custom Fini function that writes the collected data to the output file, closes the file and performs other clean-up. The second part is clearly the most important, and it is implemented as follows:
1. Establish set A;
2. Register three functions to handle events, corresponding respectively to TEXT_PUSH, TEXT_POP and TEXT_EXIT. TEXT_PUSH means a push instruction has executed, that is, a push onto the stack before a call proceeds; TEXT_POP means a pop instruction has executed, that is, a pop and return; TEXT_EXIT means the software under test has finished and exited normally;
3. Compile the pintool file to obtain a .dll file;
4. Launch the software under test together with the compiled pintool and wait for events to fire.
Three, event handling: the three events TEXT_PUSH, TEXT_POP and TEXT_EXIT are handled specially.
When TEXT_PUSH fires, the steps are:
A. Obtain the memory address at which the current instruction executes;
B. Check whether the address is already in set A; if so, discard the data; if not, add the address to set A.
When TEXT_POP fires, the steps are:
A. Obtain the memory address at which the current instruction executes;
B. Obtain the current instruction, disassemble it with an open-source disassembler, and store the resulting details in a data structure;
C. Obtain the contents of the current EIP register;
D. Check whether the register contents are in set A; if so, no stack overflow has occurred; if not, a stack overflow has occurred, and the data in the data structure for the corresponding memory address is output.
Handling of TEXT_EXIT is simpler: it is mainly responsible for clean-up after the software under test finishes, including closing the software under test and releasing memory.
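The set-based check of steps S1 to S6 and the TEXT_PUSH/TEXT_POP handlers above, as an added example in C (not the patent's pintool, which runs inside Pin): it replays constructed call/ret event traces instead of a live process, and every address in it is made up. A strict shadow-stack check is included for contrast, to show what the patent's "no one-to-one pairing required" relaxes, and one trace shows the price of that relaxation: a corrupted return address that happens to equal an earlier legitimate return site passes the set check.

```c
/* Added example, not the patent's own pintool: the set-based call/ret check of
 * steps S1-S6 (TEXT_PUSH -> insert, TEXT_POP -> lookup, TEXT_EXIT -> stop) replayed
 * over constructed instruction traces. All addresses below are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SET_SLOTS 1024          /* open-addressing hash set; slot value 0 means empty */

struct addr_set { uint64_t slot[SET_SLOTS]; size_t count; };

static size_t hash_addr(uint64_t a) { return (size_t)((a * 0x9E3779B97F4A7C15ULL) >> 54); }

/* TEXT_PUSH handler, step S4: record the return address a call pushed. Repeats are dropped. */
static int set_insert(struct addr_set *s, uint64_t a)
{
    if (a == 0 || s->count >= SET_SLOTS - 1) return 0;   /* assumption: addresses are non-zero */
    for (size_t i = hash_addr(a); ; i = (i + 1) % SET_SLOTS) {
        if (s->slot[i] == a) return 1;
        if (s->slot[i] == 0) { s->slot[i] = a; s->count++; return 1; }
    }
}

static int set_contains(const struct addr_set *s, uint64_t a)
{
    for (size_t i = hash_addr(a); ; i = (i + 1) % SET_SLOTS) {
        if (s->slot[i] == a) return 1;
        if (s->slot[i] == 0) return 0;
    }
}

/* One traced event. For EV_CALL, addr is the return address the call pushes (the address of
 * the next instruction, claim step S3); for EV_RET, addr is EIP after the ret, i.e. the popped value. */
enum ev_kind { EV_CALL, EV_RET, EV_EXIT };
struct ev { enum ev_kind kind; uint64_t addr; };

/* Steps S1-S7. Returns 1 and sets *bad to the offending return address when a ret targets an
 * address no call ever pushed; returns 0 for a clean trace. */
int detect_set_based(const struct ev *trace, size_t n, uint64_t *bad)
{
    struct addr_set A;                                   /* S1 */
    memset(&A, 0, sizeof A);
    for (size_t i = 0; i < n; i++) {                     /* S2 */
        switch (trace[i].kind) {
        case EV_CALL: set_insert(&A, trace[i].addr); break;          /* S3, S4 */
        case EV_RET:                                                 /* S5, S6 */
            if (!set_contains(&A, trace[i].addr)) { *bad = trace[i].addr; return 1; }
            break;
        case EV_EXIT: return 0;                                      /* S7 */
        }
    }
    return 0;
}

/* For contrast: a strict shadow stack, which demands that every ret match the most recent
 * unmatched call. This is the one-to-one pairing the patent deliberately does not require. */
int detect_shadow_stack(const struct ev *trace, size_t n, uint64_t *bad)
{
    uint64_t shadow[256];
    size_t sp = 0;
    for (size_t i = 0; i < n; i++) {
        if (trace[i].kind == EV_CALL) { if (sp < 256) shadow[sp++] = trace[i].addr; }
        else if (trace[i].kind == EV_RET) {
            if (sp == 0 || shadow[--sp] != trace[i].addr) { *bad = trace[i].addr; return 1; }
        } else break;
    }
    return 0;
}

/* Constructed traces (not captured from any real program). 0x401136 and 0x40115a stand for
 * the instructions following two call sites. */
const struct ev trace_nested[]  = { {EV_CALL, 0x401136}, {EV_CALL, 0x40115a},
                                    {EV_RET, 0x40115a},  {EV_RET, 0x401136}, {EV_EXIT, 0} };
const struct ev trace_smashed[] = { {EV_CALL, 0x401136}, {EV_CALL, 0x40115a},
                                    {EV_RET, 0x4141414141414141ULL}, {EV_EXIT, 0} };
/* Inner frame discarded without a ret (longjmp-like), then a single ret to the outer site. */
const struct ev trace_unwound[] = { {EV_CALL, 0x401136}, {EV_CALL, 0x40115a},
                                    {EV_RET, 0x401136},  {EV_EXIT, 0} };
/* Corrupted ret whose value happens to equal an earlier, legitimate return site. */
const struct ev trace_reuse[]   = { {EV_CALL, 0x401136}, {EV_RET, 0x401136},
                                    {EV_CALL, 0x40115a}, {EV_RET, 0x401136}, {EV_EXIT, 0} };
#define LEN(t) (sizeof(t) / sizeof((t)[0]))

int main(void)
{
    const struct ev *traces[] = { trace_nested, trace_smashed, trace_unwound, trace_reuse };
    size_t lens[] = { LEN(trace_nested), LEN(trace_smashed), LEN(trace_unwound), LEN(trace_reuse) };
    const char *names[] = { "nested", "smashed", "unwound", "reuse" };
    for (size_t i = 0; i < 4; i++) {
        uint64_t bad_set = 0, bad_shadow = 0;
        int s = detect_set_based(traces[i], lens[i], &bad_set);
        int h = detect_shadow_stack(traces[i], lens[i], &bad_shadow);
        printf("%-8s set-based: %s (0x%llx)  shadow-stack: %s (0x%llx)\n", names[i],
               s ? "OVERFLOW" : "clean", (unsigned long long)bad_set,
               h ? "OVERFLOW" : "clean", (unsigned long long)bad_shadow);
    }
    return 0;
}
```

The nested trace is clean under both checks and the smashed trace is caught by both, with the set check reporting 0x4141414141414141 as the location. The two remaining traces show the trade-off the patent makes: the unwound trace, where a frame is discarded without a ret, is a false positive for the shadow stack but clean for the set check (this is the "nested external function" adaptability the description claims), while the reuse trace, a corrupted return that lands on another legitimate return site, is caught only by the shadow stack. A practitioner using the set-based check should treat it as a fast locator for crude overwrites, not as a complete control-flow check.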
The method of detecting the location of a stack overflow proposed in this embodiment is effective and simple and copes with the complex function-call situations found in practice. For example, calls to external functions are very often nested, and the method handles nested external functions as well.
The above is only a representative embodiment among the many concrete applications of the invention and does not limit its scope of protection. Any technical solution formed by transformation or equivalent substitution falls within the scope of protection of the invention.

Claims (2)

1. A method for detecting the location of a stack overflow, characterised in that
the method comprises mainly the following steps:
S1: establish set A and run the software under test; specifically:
1. establish set A;
2. register three functions to handle events, corresponding respectively to TEXT_PUSH, TEXT_POP and TEXT_EXIT; TEXT_PUSH means a push instruction has executed, that is, a push onto the stack before a call proceeds; TEXT_POP means a pop instruction has executed, that is, a pop and return; TEXT_EXIT means the software under test has finished and exited normally;
3. compile the pintool file to obtain a .dll file;
4. launch the software under test together with the compiled pintool and wait for events to fire;
S2: execute the software under test with the instrumentation program, obtaining the instructions executed by the software under test and their run-time information according to the monitoring program's settings; decide whether the instruction is a control-transfer instruction or the end of the program; for a control-transfer instruction execute S3, for the end of the program execute step S7;
S3: decide the kind of control-transfer instruction: if it is a call instruction, obtain the execution address of the instruction following it, which is the entry address; if it is a ret instruction, go to step S5;
S4: store the entry address in set A and go to step S2; check whether its return address exists in set A; if so, go to step S1; if not, a stack overflow has occurred and detection ends;
S5: obtain the return address and its details;
S6: compare it with the addresses in set A to decide whether the return address exists in set A; if so, go to step S2; if not, a stack overflow has occurred;
S7: detection ends.
2. The method for detecting the location of a stack overflow according to claim 1, characterised in that the monitoring program is used to set the specific positions to monitor in the software under test and the specific information to collect at run time, to obtain the values of designated registers and memory, and to establish set A.
Publications (2)

Publication Number Publication Date
CN105117332A CN105117332A (en) 2015-12-02
CN105117332B true CN105117332B (en) 2018-08-14


Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106228065B (en) * 2016-08-08 2020-06-05 武汉绿色网络信息服务有限责任公司 Method and device for positioning buffer overflow vulnerability
CN111191243A (en) * 2019-08-15 2020-05-22 腾讯科技(深圳)有限公司 Vulnerability detection method and device and storage medium
CN110941552B (en) * 2019-11-20 2023-07-07 广州大学 Memory analysis method and device based on dynamic taint analysis
CN112685744B (en) * 2020-12-28 2022-05-17 安芯网盾(北京)科技有限公司 Method and device for detecting software bugs by using stack-related registers

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101241464A (en) * 2007-02-05 2008-08-13 中兴通讯股份有限公司 Method for checking stack frame destruction
CN103221960A (en) * 2012-12-10 2013-07-24 华为技术有限公司 Detection method and apparatus of malicious code
CN104598377A (en) * 2014-12-29 2015-05-06 大唐移动通信设备有限公司 Piling test method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7219333B2 (en) * 2002-11-22 2007-05-15 Texas Instruments Incorporated Maintaining coherent synchronization between data streams on detection of overflow


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
董鹏程 et al., "基于动态二进制平台的缓冲区溢出过程分析" (Analysis of the buffer-overflow process on a dynamic binary platform), 计算机工程 (Computer Engineering), vol. 38, no. 6, 2012-03-31, pp. 66-71 *
刘露平 et al., "基于动态插桩的缓冲区溢出漏洞检测技术研究" (Research on buffer-overflow vulnerability detection technology based on dynamic instrumentation), 信息安全与通信保密 (Information Security and Communications Privacy), no. 4, 2015-04-30, pp. 80-82 and Fig. 3 *
