Similar literature
20 similar documents found
1.
A method for analyzing the buffer overflow process on a dynamic binary instrumentation platform is proposed, and a prototype system based on it is implemented. The characteristics of buffer overflow attacks are analyzed, and an overflow detection method based on exception capture, control flow analysis and memory state checking is given. By monitoring memory read/write instructions and control transfer instructions, the function call sequence and the data passing relations are obtained, and the code that causes the buffer overflow is located. Experimental results show that the system can effectively detect buffer overflows and accurately locate the code that causes the overflow.

2.
Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the call addr instruction may be replaced by two push instructions and a ret instruction: the first push pushes the address of the instruction after the ret instruction, and the second push pushes the address addr. The code may be further obfuscated by spreading the three instructions apart and by splitting each instruction into multiple instructions. This work presents a method to statically detect obfuscated calls in binary code. The idea is to use abstract interpretation to detect where the normal call-ret convention is violated. These violations can be detected by what is called an abstract stack graph. An abstract stack graph is a concise representation of all potential abstract stacks at every point in a program. An abstract stack is used to associate each element in the stack with the instruction that pushes the element. An algorithm for constructing the abstract stack graph is also presented. Methods for using the abstract stack graph are shown to detect eight different obfuscations. The technique is demonstrated by implementing a prototype tool called DOC (detector for obfuscated calls).

3.
Optimization of a binary translator for the Loongson processor   Cited by: 2 (self-citations: 1, other citations: 1)
Binary translation is the main method for system migration, but software-only binary translation on a general-purpose platform performs poorly. Taking the Loongson 2F processor as the implementation platform, this paper proposes a QEMU-based binary translator and optimizes it in two respects: optimization of the build environment and optimization of the binary translator itself; the latter mainly involves direct register mapping and improvements to multimedia (SIMD) instruction handling. Experimental results show that register mapping optimization yields a speedup of 1.45, and that after the multimedia optimization, multimedia programs run at 80% of native execution performance.

4.
To address the problem that current methods cannot capture and analyze system call parameters and return values, a system for real-time monitoring of system calls inside a guest virtual machine is built on top of Nitro. The system captures and analyzes the fast system call entry and exit instructions by modifying the hardware specification (the registers that govern those instructions) and by instruction rewriting. Each parameter is then parsed by combining the VCPU context with a semantic template of the system call; once the system call exit instruction is captured, the return value is parsed from the VCPU registers. Experiments show that, compared with similar system call capture methods, the system captures the sequence of system calls in the guest in real time and recovers complete system call information, including the system call name, number, parameters and return value. The system can also attribute system calls to the processes that issued them, and introduces no more than 15% performance overhead in the host.

5.
付文, 赵荣彩, 庞建民, 王成. 计算机工程 (Computer Engineering), 2010, 36(14): 108-110
To effectively extract implicit API call behavior from malicious programs and their variants, a static-analysis-based method for detecting implicit API calls is proposed. Instruction template matching is used to recognize the concrete call form, and the called API function is identified by analyzing the relation between the call target address and the function name. Experimental results show that the method improves the ability of static analysis tools to detect malicious code and its variants.

6.
吴姝, 周安民, 左政. 计算机科学 (Computer Science), 2018, 45(4): 163-168
Apple reviews every application on the App Store, including checking for calls to private APIs that access users' sensitive information, yet malicious applications still pass this review. To address private API calls in iOS applications, a detection technique combining dynamic and static analysis, PDiOS, is proposed. Static analysis based on backward slicing and constant propagation resolves most API calls, and an iterative dynamic analysis based on forced execution handles the remaining ones. The static analysis covers a complete analysis of the binary as well as implicit calls found in resource files; the dynamic analysis relies mainly on a dynamic binary analysis framework for iterative analysis. Finally, private API calls are identified by comparison against the APIs declared in the public header files. In a test of 1012 applications from the official store, 82 applications were confirmed to contain 128 distinct private API calls in total. In a test of 32 applications signed with enterprise certificates, 26 were confirmed to use private API calls.

7.
Recognizing function call information is the foundation of static analysis of binary code and an important clue in malware analysis. Binary code obfuscation hides information about a program's functions by obfuscating the call instruction, the parameter passing process and the call-return process. This greatly increases the difficulty of reverse analysis, and the technique is widely used in metamorphic and polymorphic viruses so that they evade antivirus detection. This paper presents a static analysis method that introduces the concept of an abstract stack graph, gives its construction algorithm, and uses it to effectively recognize obfuscated function calls in code.
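
The two abstracts above (item 2 and item 7) describe the same idea: track, for every stack slot, which instruction pushed it, and flag a `ret` that consumes a value written by `push` (a push/push/ret obfuscated call) or a `pop` that discards a value written by `call` (an obfuscated return). The following is an added example, not code from either paper or from the DOC tool: a worklist analysis over a toy instruction set in which every instruction is a (mnemonic, operand) pair at a consecutive integer address, so that the fall-through successor of address a is a + 1. The instruction set, the addresses and both programs are constructed for this illustration.

```python
"""Abstract-stack analysis that flags call/ret convention violations.

Toy static analysis in the spirit of the abstract stack graph: every abstract
stack slot records the address of the instruction that pushed it. A `ret` whose
top slot was written by `push` is a push/push/ret obfuscated call (its target is
the pushed immediate); a `pop` whose top slot was written by `call` is an
obfuscated return. Encoding, addresses and programs are constructed here and
are not taken from the papers above.
"""
from typing import Dict, List, Optional, Tuple

# Each instruction is (mnemonic, operand). Addresses are consecutive integers,
# so the fall-through successor of addr is addr + 1 (an assumption of this toy).
Program = Dict[int, Tuple[str, Optional[int]]]
Violation = Tuple[int, str]  # (address of the offending instruction, description)


def analyze(prog: Program, entry: int = 0) -> List[Violation]:
    """Explore every reachable (address, abstract stack) state and collect violations.

    The abstract stack is a tuple of pusher addresses, top element last.
    """
    violations: List[Violation] = []
    seen = set()
    worklist = [(entry, ())]
    while worklist:
        addr, stack = worklist.pop()
        if (addr, stack) in seen or addr not in prog:
            continue
        seen.add((addr, stack))
        op, arg = prog[addr]
        if op == "push":
            worklist.append((addr + 1, stack + (addr,)))
        elif op == "call":
            # call pushes its own return address; the pusher is the call itself.
            worklist.append((arg, stack + (addr,)))
        elif op == "pop":
            if stack and prog[stack[-1]][0] == "call":
                violations.append((addr, f"pop discards return address pushed by call at {stack[-1]}: obfuscated return"))
            worklist.append((addr + 1, stack[:-1]))
        elif op == "ret":
            if not stack:
                violations.append((addr, "ret with empty abstract stack"))
                continue
            pusher = stack[-1]
            pusher_op, pusher_arg = prog[pusher]
            if pusher_op == "call":
                target = pusher + 1  # normal return: the instruction after the call
            else:
                # The "return address" came from a push, so this ret is really an
                # indirect jump/call whose target is the pushed immediate.
                violations.append((addr, f"ret consumes value pushed by push at {pusher}: obfuscated call/jump to {pusher_arg}"))
                target = pusher_arg
            worklist.append((target, stack[:-1]))
        elif op == "jmp":
            worklist.append((arg, stack))
        elif op == "halt":
            continue
        else:  # mov and other stack-neutral instructions
            worklist.append((addr + 1, stack))
    return sorted(violations)


# Constructed program using both obfuscations.
OBFUSCATED: Program = {
    0: ("push", 3),     # return address for the fake call (the instruction after the ret)
    1: ("push", 10),    # the real call target
    2: ("ret", None),   # push/push/ret behaves like "call 10"
    3: ("mov", None),
    4: ("call", 20),
    5: ("halt", None),
    10: ("mov", None),  # callee reached through the obfuscated call
    11: ("ret", None),  # returns to 3 via the value pushed at address 0
    20: ("pop", None),  # callee discards its return address ...
    21: ("jmp", 5),     # ... and jumps back instead of executing ret
}

# Constructed program that follows the call/ret convention.
CLEAN: Program = {
    0: ("call", 10),
    1: ("halt", None),
    10: ("mov", None),
    11: ("ret", None),
}

if __name__ == "__main__":
    for addr, why in analyze(OBFUSCATED):
        print(f"{addr:>3}: {why}")
    print("clean program:", analyze(CLEAN))
```

The analysis is path-sensitive in the stack shape, which is what the abstract stack graph compresses; a real implementation would merge stacks at control-flow join points and operate on a disassembled CFG rather than on this linear toy encoding.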

8.
代伟, 刘智, 刘益和. 计算机应用 (Journal of Computer Applications), 2015, 35(2): 424-429
To address the inability of traditional function pointer attack detection to detect return-oriented programming (ROP) attacks, a new method based on integrity checking of jump target addresses is proposed, which detects multiple types of function pointer attack at the binary code level. First, function address information is obtained by static analysis; then, at run time, each jump target address is checked to lie within a legal function range. Non-entry-point jumps are analyzed, and a combined static and dynamic method for detecting ROP attacks is proposed. A prototype system, fpcheck, is implemented on a binary instrumentation tool and tested against real attacks and normal programs. Experimental results show that fpcheck detects multiple function pointer attacks, including ROP; with an accurate detection policy the false positive rate drops significantly, and the performance cost is only 10%-20% above that of the bare instrumentation.
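
As an added example (not the fpcheck code) of the check described above, the following separates the static output (function address ranges plus the set of return sites, the addresses that immediately follow a call instruction) from the dynamic check applied to each recorded indirect control transfer. An indirect call or jump must land on a function entry point; a return must land on a return site, which is what separates a legitimate return from a ROP gadget entered in the middle of a function. The function names, addresses and trace are constructed.

```python
"""Jump-target integrity check for function-pointer and ROP attacks.

Constructed illustration of the fpcheck idea: a static pass yields function
address ranges and return sites (addresses following a call instruction); a
dynamic pass checks every indirect control transfer against them. Function
names, addresses and the trace are made up for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Function:
    name: str
    start: int
    end: int  # exclusive


@dataclass(frozen=True)
class Transfer:
    kind: str    # "icall" (indirect call), "ijmp" (indirect jump) or "ret"
    source: int  # address of the transferring instruction
    target: int  # address actually transferred to


# Assumed output of the static analysis for a constructed binary.
FUNCTIONS: List[Function] = [
    Function("main", 0x1000, 0x1100),
    Function("handler", 0x1100, 0x1180),
    Function("system", 0x2000, 0x2040),
]
RETURN_SITES: Set[int] = {0x1024, 0x1130}  # instruction after each direct call


def containing_function(addr: int, functions: List[Function]) -> Optional[Function]:
    for f in functions:
        if f.start <= addr < f.end:
            return f
    return None


def check_transfer(t: Transfer, functions: List[Function], return_sites: Set[int]) -> str:
    """Return "ok" or a short verdict naming the attack class."""
    f = containing_function(t.target, functions)
    if f is None:
        return "out-of-range"  # no known function contains the target (e.g. injected code)
    if t.kind in ("icall", "ijmp"):
        # A function pointer must point at a function entry, not into its body.
        return "ok" if t.target == f.start else "non-entry-target"
    if t.kind == "ret":
        # A return must land just after a call; anything else is gadget chaining.
        return "ok" if t.target in return_sites else "rop"
    raise ValueError(f"unknown transfer kind {t.kind!r}")


def check_trace(trace: List[Transfer], functions: List[Function] = FUNCTIONS,
                return_sites: Set[int] = RETURN_SITES) -> List[Tuple[int, str]]:
    """Return (trace index, verdict) for every transfer that violates the policy."""
    alerts = []
    for i, t in enumerate(trace):
        verdict = check_transfer(t, functions, return_sites)
        if verdict != "ok":
            alerts.append((i, verdict))
    return alerts


# Constructed run-time trace: two legitimate transfers followed by three attacks.
TRACE: List[Transfer] = [
    Transfer("icall", 0x1020, 0x1100),  # main calls handler through a pointer
    Transfer("ret", 0x1170, 0x1024),    # handler returns to the instruction after the call
    Transfer("icall", 0x1050, 0x1150),  # overwritten pointer aims into the middle of handler
    Transfer("ret", 0x1170, 0x2010),    # return into a gadget inside system(): ROP
    Transfer("ret", 0x1170, 0x3000),    # return to an address outside every function
]

if __name__ == "__main__":
    for i, verdict in check_trace(TRACE):
        print(f"transfer #{i} {TRACE[i]}: {verdict}")
```

Return-site checking alone is known to miss call-preceded gadgets, which is why the abstract pairs it with the function-range check and a policy tuned to the program; the example keeps both checks but no further heuristics.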

9.
The importance of calling Windows API functions from PowerBuilder is briefly described. The focus is on how PowerBuilder calls API functions and on the points that require attention during such calls.

10.
The complexity of software is ever increasing, and its execution requires more and more computational resources. One way to satisfy these requirements is to use vector instructions, which operate on fixed-length vectors of data of the same type. A method for representing the vector instructions of one processor architecture in terms of the vector instructions of another architecture during dynamic binary translation is proposed. An implementation of this method covering the translation of vector addition and memory access increased the performance of the QEMU emulator by a factor greater than three on an artificial example and by 12% on a real-life application.

11.
The single-instruction multiple-data (SIMD) computing capability of modern processors is continually improved to deliver ever better performance and power efficiency. For example, Intel has increased SIMD register lengths from 128 bits in streaming SIMD extension (SSE) to 512 bits in AVX-512. The ARM scalable vector extension supports SIMD register lengths up to 2048 bits and includes predicated instructions. However, SIMD instruction translation in dynamic binary translation has not received similar attention. For example, the widely used QEMU emulates guest SIMD instructions with a sequence of scalar instructions, even when the host machine has equivalent SIMD instructions. This leaves significant potential for performance enhancement. We propose a newly designed SIMD translation framework for dynamic binary translation that takes advantage of the host's SIMD capabilities. The proposed framework has been built in HQEMU, an enhanced QEMU with a separate thread for applying LLVM optimizations. The current prototype supports ARMv7, ARMv8 and IA32 guests on an x86-64 AVX2 host. Compared with the scalar-translation version of HQEMU, our framework runs up to 1.84 times faster on the SPEC CPU2006 CFP benchmarks and up to 6.81 times faster on selected real applications.

12.
Based on wireless transmission, this paper proposes a wireless nurse-call system intended to solve emergency calling in hospitals where installing a wired call system is inconvenient. The system consists of a bed module, a nurse module and a nurse station module, and all data between the three parts is transmitted wirelessly. Because a nurse module is added compared with ordinary systems, a patient's call can be delivered to the nurse in time, avoiding the "time gap" caused by ward rounds and similar factors. The paper focuses on the call function of the system and its software design.

13.
Binary rewriting consists in disassembling a program to modify its instructions. However, existing solutions suffer from shortcomings in terms of soundness and performance. We present SaBRe, a load-time system for selective binary rewriting. SaBRe rewrites specific constructs—particularly system calls and functions—when the program is loaded into memory, and intercepts them using plugins through a simple API. We also discuss the theoretical underpinnings of disassembling and rewriting. We developed two backends—for x86_64 and RISC-V—which were used to implement three plugins: a fast system call tracer, a multi-version executor, and a fault injector. Our evaluation shows that SaBRe imposes little overhead, typically below 3%.

14.
System call monitoring is a technique for detecting and controlling compromised applications by checking at runtime that each system call conforms to a policy that specifies the program's normal behavior. Here, we introduce a new approach to implementing system call monitoring based on authenticated system calls. An authenticated system call is a system call augmented with extra arguments that specify the policy for that call, and a cryptographic message authentication code that guarantees the integrity of the policy and the system call arguments. This extra information is used by the kernel to verify the system call. The version of the application in which regular system calls have been replaced by authenticated calls is generated automatically by an installer program that reads the application binary, uses static analysis to generate policies, and then rewrites the binary with the authenticated calls. This paper presents the approach, describes a prototype implementation based on Linux and the Plto binary rewriting system, and gives experimental results suggesting that the approach is effective in protecting against compromised applications at modest cost.
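
The following is an added example of the installer/kernel split described above; it is not the paper's implementation. The "installer" attaches to each call a policy (constraints the static analysis is assumed to have derived: a constant argument, a path prefix, an upper bound) and an HMAC-SHA256 over the call number and policy; the "kernel" recomputes the MAC with its own copy of the key before trusting the policy, then checks the run-time arguments against it. The key, the policies and the call sites are constructed; the system call numbers are the x86-64 Linux values for openat (257) and write (1).

```python
"""Authenticated system calls: installer-side policy + MAC, kernel-side verification.

Constructed illustration of the scheme in the abstract above, not the paper's
code. The installer emits (number, policy, MAC); the kernel verifies the MAC and
then enforces the policy on the actual arguments. Key, policies and calls are
made up for this example.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

# Shared secret known to the installer and the kernel (constructed, not a real key).
KERNEL_KEY = b"demo-key-not-secret"


def _policy_bytes(nr: int, policy: Dict[str, Any]) -> bytes:
    # Canonical encoding so installer and kernel MAC exactly the same bytes.
    return json.dumps([nr, policy], sort_keys=True, separators=(",", ":")).encode()


def install_call(key: bytes, nr: int, policy: Dict[str, Any]) -> Dict[str, Any]:
    """Installer: emit an authenticated call = number + policy + MAC(number, policy)."""
    mac = hmac.new(key, _policy_bytes(nr, policy), hashlib.sha256).hexdigest()
    return {"nr": nr, "policy": policy, "mac": mac}


def _arg_allowed(value: Any, rule: Dict[str, Any]) -> bool:
    # Rule keys: "eq" (argument fixed to a constant at install time), "prefix"
    # (path prefix) and "max" (upper bound). Unknown rule keys fail closed.
    for k, v in rule.items():
        if k == "eq" and value != v:
            return False
        if k == "prefix" and not (isinstance(value, str) and value.startswith(v)):
            return False
        if k == "max" and not (isinstance(value, int) and value <= v):
            return False
        if k not in ("eq", "prefix", "max"):
            return False
    return True


def kernel_verify(key: bytes, call: Dict[str, Any], args: List[Any]) -> Tuple[bool, str]:
    """Kernel: reject on MAC mismatch, then enforce the (now trusted) policy on args."""
    expected = hmac.new(key, _policy_bytes(call["nr"], call["policy"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, call.get("mac", "")):
        return False, "mac-mismatch"
    for idx, rule in call["policy"].items():
        i = int(idx)
        if i >= len(args) or not _arg_allowed(args[i], rule):
            return False, f"arg{i}-violates-policy"
    return True, "ok"


# Constructed call sites. openat(dirfd, path, flags): path under /etc/app/, flags == O_RDONLY (0).
OPENAT_CALL = install_call(KERNEL_KEY, 257, {"1": {"prefix": "/etc/app/"}, "2": {"eq": 0}})
# write(fd, buf, count): only stdout/stderr.
WRITE_CALL = install_call(KERNEL_KEY, 1, {"0": {"max": 2}})


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the kernel check over legitimate, argument-abusing and policy-forging calls."""
    forged = dict(OPENAT_CALL, policy={"1": {"prefix": "/"}})  # attacker loosens the policy
    return {
        "good-open": kernel_verify(KERNEL_KEY, OPENAT_CALL, [-100, "/etc/app/conf", 0]),
        "flags-changed": kernel_verify(KERNEL_KEY, OPENAT_CALL, [-100, "/etc/app/conf", 1]),
        "path-escape": kernel_verify(KERNEL_KEY, OPENAT_CALL, [-100, "/etc/passwd", 0]),
        "forged-policy": kernel_verify(KERNEL_KEY, forged, [-100, "/etc/passwd", 0]),
        "good-write": kernel_verify(KERNEL_KEY, WRITE_CALL, [1, b"hi", 2]),
        "write-socket": kernel_verify(KERNEL_KEY, WRITE_CALL, [7, b"hi", 2]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>14}: {result}")
```

The MAC binds the policy to the call number, so a compromised process cannot swap in a looser policy; the key must never be readable by the application, which in the paper's setting means it lives only in the kernel and the trusted installer.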

15.
Lennig, M. Computer, 1990, 23(8): 35-41
The use of speaker-independent speech recognition in the development of Northern Telecom's automated alternate billing service (AABS) for collect calls, third-number-billed calls, and calling-card-billed calls is discussed. The AABS system automates a collect call by recording the calling party's name, placing a call to the called party, playing back the calling party's name to the called party, informing the called party that he or she has a collect call from that person, and asking, "Will you pay for the call?" The operation of AABS, the architecture of the voice interface, and the speech recognition algorithm are described, and the accuracy of the recognizer is discussed. AABS relies on isolated-word recognition, although more advanced techniques that can recognize continuous speech are being pursued.

16.
When writing database application programs in a high-level language, one can use either ODBC/CLI or embedded SQL. With ODBC/CLI, the high-level language program calls the various ODBC/CLI API functions, which is low-level development; programs written with embedded SQL execute more efficiently. The concept of embedded SQL and the way it is implemented are described; using the DBMS precompiler and development tools, the two ways of developing and invoking SQL are analyzed and compared in detail, showing that embedded SQL improves database performance and efficiency.

17.
王乾, 舒辉, 李洋, 黄荷洁. 计算机工程 (Computer Engineering), 2011, 37(18): 139-141
A malware behavior analysis method based on dynamic binary analysis is proposed, and a prototype behavior analysis system is designed and implemented on the dynamic binary analysis platform DynamoRIO. Experimental results show that the system comprehensively captures the API call sequence and parameter information of malicious code and, by analyzing the correlations between API calls, accurately recovers the behavioral characteristics of the malicious code in file, registry, service and process/thread operations.

18.
Design of a code processing architecture for visual page programs in embedded devices   Cited by: 1 (self-citations: 0, other citations: 1)
A flexible code processing architecture for visual page programs in embedded devices is proposed. Based on a hierarchical model of components, the relevant data structures and function call routines are formed. By calling the open interface of the code generator from scripts, code for different running scenarios can be customized. By extending the parsing preprocessing functions, efficient and compact code can be generated. Using a generic template replacement method, compilation files for multiple processors can be produced automatically. The proposed technique has been applied in volume in the development of power system protection and control devices, significantly improving development efficiency and quality.

19.
To achieve real-time status acquisition and command delivery for the control system of a self-service library, a dynamic link library is written in VC for the upper-layer C# application to call; using VC multithreading and the Win32 serial port API, multi-axis motion control and real-time status acquisition for the self-service book borrowing and returning system are implemented. The serial communication, dynamic link library, callback-function communication and multi-axis motion control scheme used in the design are described in detail. The dynamic link library provides a control platform for interaction between the industrial PC application and the PLC controller.

20.
Malware detection methods based on data flow graphs usually consider only the data flow information among API (application programming interface) calls and ignore the order in which the APIs are called. To address this, the proposed method incorporates the temporal information of API calls into the traditional data flow graph, introduces the concept of a temporal dual data flow graph for malware, gives a method for mining the model, and finally proposes an optimized graph convolutional network that classifies temporal dual data flow graphs for malware detection and classification. Experimental results show that the method achieves better detection than traditional malware identification methods based on data flow graphs.
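
As an added example of the graph the abstract describes (not the paper's code or dataset), the following builds the two edge sets from an API call trace: a data-flow edge from a call whose return value is later passed as an argument to the consuming call, and a temporal edge between consecutive calls. Only return-value-to-argument flows are tracked; the trace, its handles and the classifier input format are constructed, and no graph convolutional network is included.

```python
"""Temporal dual data flow graph from an API call trace.

Constructed illustration of the graph described above, not the paper's code:
every API call in the trace is a node; a data-flow edge links a call whose
return value is later passed as an argument; a temporal edge links consecutive
calls. The trace and handles are made up.
"""
from typing import Dict, List, Set, Tuple

# (api name, arguments, return value) per call; handles are symbolic strings.
Call = Tuple[str, List[str], str]
Edge = Tuple[int, int]

TRACE: List[Call] = [
    ("CreateFileW", ["C:\\Users\\x\\dropper.exe"], "h1"),
    ("WriteFile", ["h1", "<payload>"], "ok"),
    ("CloseHandle", ["h1"], "ok"),
    ("RegOpenKeyExW", ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"], "k1"),
    ("RegSetValueExW", ["k1", "C:\\Users\\x\\dropper.exe"], "ok"),
]


def build_dual_graph(trace: List[Call]) -> Tuple[List[str], Set[Edge], Set[Edge]]:
    """Return (node labels, data-flow edges, temporal edges) over trace indices."""
    labels = [name for name, _, _ in trace]
    producers: Dict[str, int] = {}  # handle -> index of its most recent producer
    data_edges: Set[Edge] = set()
    temporal_edges: Set[Edge] = set()
    for i, (_, args, ret) in enumerate(trace):
        for a in args:
            if a in producers:
                data_edges.add((producers[a], i))  # value produced earlier flows here
        if ret != "ok":
            producers[ret] = i  # a handle: later uses flow from this call
        if i > 0:
            temporal_edges.add((i - 1, i))  # call order, independent of data
    return labels, data_edges, temporal_edges


def adjacency(n: int, data_edges: Set[Edge], temporal_edges: Set[Edge]) -> List[List[List[int]]]:
    """Dense adjacency with one channel per edge type: [temporal, data]."""
    a = [[[0, 0] for _ in range(n)] for _ in range(n)]
    for s, d in temporal_edges:
        a[s][d][0] = 1
    for s, d in data_edges:
        a[s][d][1] = 1
    return a


def api_pairs(labels: List[str], edges: Set[Edge]) -> Set[Tuple[str, str]]:
    """Abstract index edges to API-name pairs, the coarse features a classifier would see."""
    return {(labels[s], labels[d]) for s, d in edges}


if __name__ == "__main__":
    labels, data, temporal = build_dual_graph(TRACE)
    print("data-flow pairs:", sorted(api_pairs(labels, data)))
    print("temporal pairs: ", sorted(api_pairs(labels, temporal)))
```

The two edge sets disagree on purpose: CloseHandle is followed in time by RegOpenKeyExW but shares no data with it, whereas CreateFileW feeds both WriteFile and CloseHandle through h1. A plain data flow graph would keep only the second kind of relation, which is the gap the abstract points at.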


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号