基于静态代码分析的自动化对象行为协议提取工具

对象行为协议对于理解对象接口、正确实现模块集成以及类代码的复用都有着重要的意义.在前期工作中,提出了一种基于静态源代码分析的对象行为协议自动提取方法.该方法通过源代码分析获取对象(类)内部各接口方法之间直接和间接的依赖关系,然后在对象(类)内部依赖关系的基础上构建接口的状态机图.在此基础上,进一步介绍相应的支持工具,包括主要模块、各部分的主要实现技术等.     

基于行为协议的构件软件静态测试研究

系统的静态分析能在设计开发阶段发现错误,从而避免了在运行时错误检测技术在系统执行期间带来的负面影响。基于尽可能避免静态错误这一构件测试策略的基本思想提出了一种对构件化软件系统进行静态测试的方法。采用通信模型对数据库服务构件系统进行抽象建模,并结合用于描述构件系统中构件之间交互的形式化方法行为协议,通过对构件系统构件行为协议的一致性验证,从而测试构件交互的正确性。     

基于静态二进制分析的工控协议逆向解析

针对传统的协议解析方法在工业控制系统中的局限性,提出了一种适用于工业控制系统通信协议的协议逆向分析方法。该方法的算法思想来源于动态污点算法,算法实现基于静态二进制分析平台IDA Pro及其提供的软件开发接口,解析结果可直接为模糊测试提供语义参考。该算法包括预处理、交叉引用分析、协议帧重构和语义提取等步骤,具有针对性强、通用性好的特点。将算法实现后应用于某组态软件,能够得到正确的分析结果,证明了该方法的正确性与有效性。     

基于网络轨迹的协议逆向技术研究进展

协议逆向广泛应用于入侵检测系统、深度包检测、模糊测试、僵尸网络检测等领域.首先给出了协议逆向工程的形式化定义和基本原理,然后针对网络运行轨迹的协议逆向方法和工具从协议格式提取和协议状态机推断两个方面对现有的协议逆向方法进行了详细分析,阐释其基本模块、主要原理和特点,最后从多个角度对现有算法进行了比较,对基于网络流量的协...     

通过静态分析逆向恢复面向对象程序中的用况

在软件维护任务中,通过阅读用况能有效地帮助维护人员理解软件系统,然而在现实中用况文档往往是过时或残缺不全的.如何通过代码分析还原用况是一大难题.针对上述问题提出了一种针对面向对象程序源代码通过静态代码分析逆向恢复用况的方法.该方法在高层通过分析系统逻辑层高层门面类的对象行为协议来获取用况的高层划分,在底层通过分析OO-BRCG(object-oriented branch-reserving call graph)来得到用况的底层划分,然后结合两方面恢复出最终用况.最后通过实验验证了该方法的有效性,恢复用况时该方法能获得极高的用况覆盖度及可观的准确度.     

一种逆向分析协议状态机模型的有效方法

网络协议的逆向分析技术无论对可信软件的验证、保护还是对恶意软件机理的分析都具有重要用途。由于协议的内在复杂性,重构与其源程序一致的高级模型对分析尤为有益,其中又以有限状态机模型最为典型。建立一种重构网络协议状态机模型的有效方法,主要依据所记录的协议会话的消息流及协议软件实际执行的指令流,通过对指令流反编译并应用改进的形式分析及验证技术构建出状态对象、转移关系及状态转移条件。该方法从协议的会话实例重构出充分一般的状态机模型,效率可行并具有逻辑上可证明的精确性。在详细阐述理论基础之后,也讨论了该方法的实现和应用。     

基于行为协议的构件软件静态测试研究

系统的静态分析能在设计开发阶段发现错误,从而避免了在运行时错误检测技术在系统执行期间带来的负面影响.基于尽可能避免静态错误这一构件测试策略的基本思想提出了一种对构件化软件系统进行静态测试的方法.采用通信模型对数据库服务构件系统进行抽象建模,并结合用于描述构件系统中构件之间交互的形式化方法行为协议,通过对构件系统构件行为协议的一致性验证,从而测试构件交互的正确性.     

工控协议逆向分析技术研究与挑战

近年来,工业互联网的安全事件日益频发,尤其是工业控制系统(industrial control system, ICS),该现象揭示了目前ICS中已经存在较多的安全隐患,并且那些针对ICS安全隐患的大多数攻击和防御方法都需要对工控协议进行分析.然而,目前ICS中大多数私有工控协议都具有与普通互联网协议完全不同的典型特征,如结构、字段精度、周期性等方面,导致针对互联网协议的逆向分析技术通常都无法直接适用于工控协议.因此,针对工控协议的逆向分析技术已经成为近几年学术界和产业界的研究热点.首先结合2种典型工控协议,深入分析和总结了工控协议的结构特征.其次,给出了工控协议逆向分析框架,深入剖析了基于程序执行和基于报文序列的工控协议逆向分析框架的特点,并依次从人机参与程度和协议格式提取方式这2个角度,重点针对基于报文序列的工控协议分析方法进行详细阐述和对比分析.最后探讨了现有逆向分析方法的特点及不足,并对工控协议逆向分析技术的未来研究方向进行展望与分析.     

基于协议偏离的程序协议指纹提取与识别

针对传统协议指纹提取技术耗时耗力,且无法提取与识别加密协议指纹问题,提出了一种基于协议偏离的程序协议指纹自动提取方法。协议偏离描述了协议各版本实现程序的网络行为差异,以动态二进制分析技术为支撑,分别从协议偏离会话流层面与偏离消息层面对协议特征进行提取。实验结果不仅验证了所提方法的可行性,还为提取与识别加密协议应用程序指纹提供了一条新思路。     

基于Java的软件再工程支持工具研究

Internet的发展和构件化的软件开发为再工程指明了新的方向。面向对象软件再工程将以构件库为中心,并关注于将遗产系统改造为B/S结构的Internet应用。论文提出了一个面向对象软件再工程模型,分析了面向对象软件再工程支持工具的特性,然后介绍了基于Java的再工程支持工具原型。     

Applications of polyhedral computations to the analysis and verification of hardware and software systems

Convex polyhedra are the basis for several abstractions used in static analysis and computer-aided verification of complex and sometimes mission-critical systems. For such applications, the identification of an appropriate complexity–precision trade-off is a particularly acute problem, so that the availability of a wide spectrum of alternative solutions is mandatory. We survey the range of applications of polyhedral computations in this area; give an overview of the different classes of polyhedra that may be adopted; outline the main polyhedral operations required by automatic analyzers and verifiers; and look at some possible combinations of polyhedra with other numerical abstractions that have the potential to improve the precision of the analysis. Areas where further theoretical investigations can result in important contributions are highlighted.     

On abstract interpretation of Mobile Ambients

We introduce an abstract interpretation framework for Mobile Ambients, based on a new semantics called normal semantics. Then, we derive within this setting two analyses computing a safe approximation of the run-time topological structure of processes. Such a static information can be successfully used to establish interesting security properties.     

代码干扰变换在软件保护中的使用

阐述了两种代码干扰变换:基于不透明谓词基础上变换、降级高级控制结构的变换.它们是对软件源代码做保持语义的变换,使得软件的反向工程实现困难,从而保护软件知识产权.     

Certification of compiled assembly code by invariant translation

We present a method for analyzing assembly programs obtained by compilation and checking safety properties on compiled programs. It proceeds by analyzing the source program, translating the invariant obtained at the source level, and then checking the soundness of the translated invariant with respect to the assembly program. This process is especially adapted to the certification of assembly or other machine-level kinds of programs. Furthermore, the success of invariant checking enhances the level of confidence in the results of both the compilation and the static analysis. From a practical point of view, our method is generic in the choice of an abstract domain for representing sets of stores, and the process does not interact with the compilation itself. Hence a certification tool can be interfaced with an existing analyzer and designed so as to work with a class of compilers that do not need to be modified. Finally, a prototype was implemented to validate the approach.     

The abstract domain of Trapezoid Step Functions

The Trapezoid Step Functions (TSF) domain is introduced in order to approximate continuous functions by a finite sequence of trapezoids, adopting linear functions to abstract the upper and the lower bounds of a continuous variable in each time slot. The lattice structure of TSF is studied, showing how to build and compute a sound abstraction of a given continuous function. Experimental results underline the effectiveness of the approach in terms of both precision and efficiency with respect to the domain of Interval Valued Step Functions (IVSF).     

A sparse evaluation technique for detailed semantic analyses

We present a sparse evaluation technique that is effectively applicable to a set of elaborate semantic-based static analyses. Existing sparse evaluation techniques are effective only when the underlying analyses have comparably low precision. For example, if a pointer analysis precision is not affected by numeric statements like x≔1 then existing sparse evaluation techniques can remove the statement, but otherwise, the statement cannot be removed. Our technique, which is a fine-grained sparse evaluation technique, is effectively applicable even to elaborate analyses. A key insight of our technique is that, even though a statement is relevant to an analysis, it is typical that analyzing the statement involves only a tiny subset of its input abstract memory and the most are irrelevant. By exploiting this sparsity, our technique transforms the original analysis into a form that does not involve the fine-grained irrelevant semantic behaviors. We formalize our technique within the abstract interpretation framework. In experiments with a C static analyzer, our technique improved the analysis speed by on average 14×.     

Applying abstract acceleration to (co-)reachability analysis of reactive programs

Acceleration methods are commonly used for computing precisely the effects of loops in the reachability analysis of counter machine models. Applying these methods on synchronous data-flow programs, e.g. Lustre programs, requires to deal with the non-deterministic transformations due to numerical input variables. In this article, we address this problem by extending the concept of abstract acceleration of Gonnord et al. to numerical input variables. Moreover, we describe the dual analysis for co-reachability. We compare our method with some alternative techniques based on abstract interpretation pointing out its advantages and limitations. At last, we give some experimental results.