Research on a Taint Analysis Method Based on Offline Indices of Execution Traces
Cite this article: MA Jin-Xin, LI Zhou-Jun, ZHANG Tao, SHEN Dong, ZHANG Zhang-Kai. Research on a Taint Analysis Method Based on Offline Indices of Execution Traces [J]. Journal of Software (软件学报), 2017, 28(9): 2388-2401.
Authors: MA Jin-Xin, LI Zhou-Jun, ZHANG Tao, SHEN Dong, ZHANG Zhang-Kai
Affiliations: China Information Technology Security Evaluation Center, Beijing 100085; School of Computer Science and Engineering, Beihang University, Beijing 100191; China Information Technology Security Evaluation Center, Beijing 100085; School of Computer Science and Engineering, Beihang University, Beijing 100191; School of Computer Science and Engineering, Beihang University, Beijing 100191
Funding: National Natural Science Foundation of China (61502536); National High-Tech R&D Program of China (863 Program) (2015AA016004)
Abstract: Taint analysis of binary code is of great significance to software reverse engineering, vulnerability analysis and malicious-code detection. Most current taint analysis methods do not support floating-point instructions, run slowly, and propagate taint imprecisely. This paper proposes and implements a taint analysis method based on offline indices of the execution trace; it works at byte granularity and supports taint tags. Generation and query algorithms for the offline trace index are presented; through the index, instructions unrelated to tainted data can be skipped, which improves the efficiency of the analysis. The taint-loss problem caused by just-in-time translated execution is described and solved for the first time. Taint tags identify the source and position of each tainted byte. A fairly complete taint propagation algorithm is proposed that supports floating-point instructions and models as precisely as possible how taint flows from source operands to destination operands. A flexible configuration mechanism is implemented, letting users introduce taint data dynamically through a blacklist. The method is applied to vulnerability detection: with 12 real software vulnerabilities as the test set and TEMU as the baseline, the experiments show that the method has strong vulnerability-detection capability, verifies more of the vulnerabilities than TEMU, and runs on average 5 times faster than TEMU.

Keywords: taint analysis; offline index; instruction trace; vulnerability detection
Received: 2016-07-07
Revised: 2016-09-04

Taint Analysis Method Based on Offline Indices of Instruction Trace
MA Jin-Xin, LI Zhou-Jun, ZHANG Tao, SHEN Dong and ZHANG Zhang-Kai. Taint Analysis Method Based on Offline Indices of Instruction Trace [J]. Journal of Software, 2017, 28(9): 2388-2401.
Authors: MA Jin-Xin, LI Zhou-Jun, ZHANG Tao, SHEN Dong and ZHANG Zhang-Kai
Affiliation: China Information Technology Security Evaluation Center, Beijing 100085, China; School of Computer Science & Engineering, Beihang University, Beijing 100191, China; China Information Technology Security Evaluation Center, Beijing 100085, China; School of Computer Science & Engineering, Beihang University, Beijing 100191, China; School of Computer Science & Engineering, Beihang University, Beijing 100191, China
Abstract: Taint analysis of binary code plays an important role in reverse engineering, malicious-code detection and vulnerability analysis. Currently, most taint analysis methods cannot handle floating-point instructions and do not propagate taint accurately or efficiently enough. This paper presents and implements a taint analysis method based on offline indices of the instruction trace; it is byte-granular and uses taint tags. Generation and query algorithms for the offline indices are also presented: instructions unrelated to taint data are skipped using the indices, which improves the efficiency of the analysis. The taint-loss problem caused by just-in-time translation is described and fixed for the first time. Taint tags record where each tainted byte was derived from. A more complete taint propagation algorithm is presented that handles floating-point instructions and ensures that taint flows precisely from source operands to destination operands. A flexible user-configuration mechanism introduces taint data on the fly via a blacklist. The method has been applied to vulnerability detection and evaluated on 12 vulnerabilities as test cases. The experimental results show that the method detects more vulnerabilities than TEMU and is on average 5 times faster.
Keywords: taint analysis; offline indices; instruction trace; vulnerability detection
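The abstract describes three mechanisms: an offline index over the recorded trace that lets the analysis jump straight to the next instruction touching a tainted byte, byte-granular taint with tags naming the source offset, and propagation rules that cover floating-point instructions. The following Python is an added illustration of those ideas, not the authors' implementation (the paper's data structures, instruction encoding and TEMU comparison are not reproduced here). The trace, the location encoding `("reg", name, byte)` / `("mem", addr)`, the tag format `("file", offset)` and the three propagation modes are all assumptions made for the example; the index stores, per byte location, the sorted trace positions that read or write it, and overwrites are indexed as well because an untainted write must still be visited to kill taint on its destination.

```python
"""Byte-granular taint propagation over a recorded instruction trace, using an
offline index to skip instructions that cannot read or overwrite tainted bytes."""
from bisect import bisect_right
from collections import defaultdict


def reg(name, size, lo=0):
    """Byte locations lo..lo+size-1 of a register (eax is bytes 0..3 of rax)."""
    return [("reg", name, i) for i in range(lo, lo + size)]


def mem(addr, size):
    return [("mem", addr + i) for i in range(size)]


# Constructed x86-style trace (hypothetical, not from the paper).
# Each entry: (text, destination bytes, source bytes, propagation mode).
#   "copy":  dst[i] takes the tags of src[i]; dst bytes with no matching source
#            byte are cleared (zero-extension).
#   "mix":   every dst byte takes the union of all source tags (arithmetic,
#            including integer-to-double conversion and addsd).
#   "clear": dst becomes clean (immediate move, xor reg,reg).
TRACE = [
    ("mov eax, [0x1000]",        reg("rax", 4),  mem(0x1000, 4),                  "copy"),
    ("mov ebx, 5",               reg("rbx", 4),  [],                              "clear"),
    ("add ebx, ecx",             reg("rbx", 4),  reg("rbx", 4) + reg("rcx", 4),   "mix"),
    ("movzx ecx, byte [0x1002]", reg("rcx", 4),  mem(0x1002, 1),                  "copy"),
    ("cvtsi2sd xmm0, eax",       reg("xmm0", 8), reg("rax", 4),                   "mix"),
    ("xor eax, eax",             reg("rax", 4),  [],                              "clear"),
    ("addsd xmm1, xmm0",         reg("xmm1", 8), reg("xmm1", 8) + reg("xmm0", 8), "mix"),
    ("mov [0x2000], ecx",        mem(0x2000, 4), reg("rcx", 4),                   "copy"),
    ("mov edx, [0x3000]",        reg("rdx", 4),  mem(0x3000, 4),                  "copy"),
]

# Constructed taint source: a 16-byte file buffer at 0x1000, each byte tagged
# with its file offset so a sink can be traced back to the input position.
FILE_INPUT = {("mem", 0x1000 + i): ("file", i) for i in range(16)}


def build_index(trace):
    """Offline index: byte location -> sorted trace positions that read or write it."""
    index = defaultdict(list)
    for pos, (_, dsts, srcs, _) in enumerate(trace):
        for loc in set(dsts) | set(srcs):
            index[loc].append(pos)  # positions are appended in order, so lists stay sorted
    return index


def next_relevant(index, tainted, after):
    """First trace position > after that touches any currently tainted byte, or None."""
    best = None
    for loc in tainted:
        hits = index.get(loc, ())
        k = bisect_right(hits, after)
        if k < len(hits) and (best is None or hits[k] < best):
            best = hits[k]
    return best


def propagate(taint, dsts, srcs, mode):
    """Update taint (location -> set of tags) for a single instruction."""
    if mode == "clear":
        for d in dsts:
            taint.pop(d, None)
    elif mode == "copy":
        snapshot = [set(taint.get(s, ())) for s in srcs]  # dst may overlap src
        for i, d in enumerate(dsts):
            tags = snapshot[i] if i < len(snapshot) else set()
            if tags:
                taint[d] = tags
            else:
                taint.pop(d, None)
    elif mode == "mix":
        union = set().union(*(taint.get(s, set()) for s in srcs))
        for d in dsts:
            if union:
                taint[d] = set(union)
            else:
                taint.pop(d, None)
    else:
        raise ValueError(f"unknown propagation mode {mode!r}")


def analyze(trace, sources):
    """Walk the trace via the index. Returns (final taint map, visited positions)."""
    index = build_index(trace)
    taint = {loc: {tag} for loc, tag in sources.items()}
    visited, pos = [], -1
    while True:
        pos = next_relevant(index, list(taint), pos)
        if pos is None:
            break
        _, dsts, srcs, mode = trace[pos]
        propagate(taint, dsts, srcs, mode)
        visited.append(pos)
    return taint, visited


def run_example():
    return analyze(TRACE, FILE_INPUT)


if __name__ == "__main__":
    final_taint, visited = run_example()
    print("visited:", visited, "skipped:", sorted(set(range(len(TRACE))) - set(visited)))
    for loc in sorted(final_taint, key=str):
        print(loc, sorted(final_taint[loc]))
```

Running it visits positions 0, 3, 4, 5, 6 and 7 and skips 1, 2 and 8, which never touch a tainted byte; `xor eax, eax` is visited precisely because it overwrites tainted bytes. The double in `xmm1` carries the tags of file offsets 0 to 3 through `cvtsi2sd` and `addsd`, and the store at 0x2000 carries only offset 2 in its low byte, with the three zero-extended bytes left clean.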