Statically scanning Java code: finding security vulnerabilities

The source code scanning tool Jslint helps programmers automatically utilize existing security knowledge. The tool identifies insecure coding practices by scanning for common problems, to prevent bugs that are familiar to the security community     

二进制代码相似性搜索研究进展

随着物联网和工业互联网的快速发展,网络空间安全的研究日益受到工业界和学术界的重视。由于源代码无法获取,二进制代码相似性搜索成为漏洞挖掘和恶意代码分析的关键核心技术。首先,从二进制代码相似性搜索基本概念出发,给出二进制代码相似性搜索系统框架;然后,围绕相似性技术系统介绍二进制代码语法相似性搜索、语义相似性搜索和语用相似性搜索的发展现状;其次,从二进制哈希、指令序列、图结构、基本块语义、特征学习、调试信息恢复和函数高级语义识别等角度总结比较现有解决方案;最后,展望二进制代码相似性搜索未来发展方向与前景。     

On the use of binary and gray code schemes for continuous-tone picture representation

The paper discusses the idea of iterating the conversion of a continuous-tone picture from binary to Gray code representation. A simple recursive function is defined by means of which the value of the ith bit representing a picture point's grey level after the mth iteration is determined. The resulting rearrangement of grey levels as well as that of the bits throughout the planes is discussed next. The iteration is shown to repeat after 2″ steps, where n is the number of bit planes representing the picture. A data compression scheme is developed on the basis that prior to exact repetition, approximate repetitions take place during the iterations, and the resulting picture is almost the same as the original.     

模型检测迷惑二进制恶意代码

对二进制恶意代码进行形式化建模,开发了一个检查迷惑恶意代码的模型检查器。生成迷惑前的二进制恶意代码的有限状态机模型,再使用模型检查器检测迷惑二进制恶意代码,如果迷惑二进制恶意代码能被有限状态机模型识别,可判定其为恶意代码。实验结果表明模型检查迷惑二进制恶意代码是一种有效的静态分析方法,可以检测出一些常用的迷惑恶意代码。     

代码翻译中Case语句的识别和恢复

提出了在开发IA 64二进制翻译系统中采用的n 条件分支跳转表和目标地址恢复技术。着重论述了该技术的核心——过程内切片和表达式替换，以及针对IA 64特性的改进算法。     

Transforming binary code for low-power embedded processors

Two program code transformation methodologies reduce the power consumption of instruction communication buses in embedded processors. Aimed at deep-submicron process technologies, these techniques offer an efficient solution for applications in which low power consumption is the key quality factor. We have developed two techniques for power minimization on the instruction bus of embedded processors. The first is compiler-driven register name adjustment (RNA), with the main goal of power minimization on instruction fetch and register file access. The second technique, more general in nature, incorporates transformations into the binary program code and necessitates hardware support on the processor side to efficiently restore the power-optimized program code.     

Parallel binary reflected Gray code sequence generation on multicore architectures

We propose a novel parallel algorithm for generating all the sequences of binary reflected Gray code for a given number of bits as input, targeting machines with multicore architectures. A theoretical analysis of work and span, as well as parallelism of this algorithm, is carried out following a multithreaded implementation using Cilk++ on a multicore machine. Theoretical analysis of this algorithm shows a parallelism of Θ(2ⁿ/log n) and achieves a linear speedup on 12 cores for input data of sufficiently large size.     

基于多数投票的DBC人脸识别

在定向二值编码（DBC）的基础上提出了一种基于Haar小波变换和多数投票的V-HaarDBC方法。先对人脸图像进行Haar小波去噪,然后通过DBC进行特征提取,最后以多数投票的方式分类。该方法不仅解决了原DBC方法中特征维数过高的问题,而且有效地提高了识别率。随后进一步提出了融合全局特征的加权WV-HaarDBC方法。基于ORL人脸库的实验表明了该方法的有效性。     

一种精简二进制代码的程序理解方法

精简二进制代码形式的软件是软件分析和程序理解需要处理的一类具有代表性的对象,基于高级语言源代码和调试符号信息的传统分析方法在处理此类软件时受到了极大限制。提出一种精简二进制形式软件的理解方法,首先将分析对象转变为运行期进程,引入实际运行中的进程信息;然后引入程序的行为特征,以程序表现出的外在行为和对外接口作为辅助信息,将此类外部特征映射到程序代码;最后基于切片思想和调试技术,获得程序切片并分析。这种方法为分析理解过程扩展了信息量,降低了复杂度,解决了分析此类软件时信息缺失和难以建立理解模型的问题。     

改进的二进制循环码盲识别方法

目前已有的循环码盲识别方法在低码率编码条件下效果较好,但在高误码率及高码率条件下不能高效识别,或者只针对循环码中某一子类。为有效解决高误码率以及高码率编码下的循环码盲识别问题,提出一种基于矩阵变换和码重分布的方法,首先对接收序列按估计码长构造矩阵,并对矩阵进行初等变换;然后利用改进的码重分布距离公式对循环码进行盲识别。仿真结果表明该方法在高误码率以及高码率编码时可实现高效的循环码盲识别。     

基于结构特征的二进制代码安全缺陷分析模型

针对现有方法检测复杂结构二进制代码安全缺陷的不足,提出新的分析模型,并给出其应用方法。首先以缺陷的源代码元素集合生成特征元素集合,抽取代码结构信息,构建分析模型。然后依据各类中间表示（IR,intermediate representation）语句的统计概率计算分析模型,查找满足特征模型的IR代码组,通过IR代码与二进制代码的转换关系,实现对二进制程序中代码安全缺陷的有效检测。分析模型可应用于二进制单线程程序和并行程序。实验结果表明,相对于现有方法,应用该分析模型能够更全面深入地检测出各类结构复杂的二进制代码安全缺陷,且准确率更高。     

源代码中设计模式实例的抽取及验证方法研究

从源码中抽取设计模式对于提高软件可理解性和可维护性、软件设计重用以及软件重构具有重要意义。面向Java语言提出了一种静态和动态分析相结合的源码中设计模式的抽取方法。具体地,研究了源码中设计模式抽取的静态结构分析过程,为了进一步提高设计模式实例抽取的准确率,对结构分析得到的创建型模式候选,使用创建对象的多重性分析方法进行验证,对结构分析得到的行为型模式候选,使用动态分析的方法进行验证,以区分结构相似但行为不同的模式的实例。最后实现了设计模式抽取工具并对开源软件中的模式实例进行抽取。通过实验数据,验证了设计模式实例抽取及验证方法的可行性及有效性。     

基于TensorFlow的恶意代码片段自动取证检测算法

针对数字犯罪事件调查,在复杂、异构及底层的海量证据数据中恶意代码片段识别难的问题,通过分析TensorFlow深度学习模型结构及其特性,提出一种基于TensorFlow的恶意代码片段检测算法框架;通过分析深度学习算法训练流程及其机制,提出一种基于反向梯度训练的算法;为解决不同设备、不同文件系统的证据源中恶意代码片段特征提取问题,提出一种基于存储介质底层的二进制特征预处理算法;为进行反向传播训练,设计并实现了一个代码片段数据集制作算法。实验结果表明,基于TensorFlow的恶意代码片段检测算法针对不同存储介质以及证据存储容器中恶意代码片段的自动取证检测,综合评价指标F₁达到 0.922,并且和 CloudStrike、Comodo、FireEye 等杀毒引擎相比,该算法在处理底层代码片段数据方面具有绝对优势。     

Recovery of jump table case statements from binary code

One of the fundamental problems with the static analysis of binary (executable) code is that of recognizing, in a machine-independent way, the target addresses of n-conditional branches implemented via a jump table. Without these addresses, the decoding of the machine instructions for a given procedure is incomplete, leading to imprecise analysis of the code.

In this paper we present a technique for recovering jump tables and their target addresses in a machine and compiler independent way. The technique is based on slicing and copy propagation. The assembly code of a procedure that contains an indexed jump is transformed into a normal form which allows us to determine where the jump table is located and what information it contains (e.g. offsets from the table or absolute addresses).

The presented technique has been implemented and tested on SPARC and Pentium code generated by C, C++, Fortran and Pascal compilers. Our tests show that up to 89% more of the code in a text segment can be found by using this technique, when compared against the standard method of decoding. The technique was developed as part of our retargetable binary translation framework UQBT; however, it is also suitable for other binary-manipulation and analysis tools such as binary profilers, instrumentors and decompilers.     

一种最优化链码指纹二值细化图像压缩编码

提出了一种适合于对线状结构的条形纹线二值图像进行压缩的最优化Freeman链码压缩算法——Freeman差分链码Huffman编码。与传统的Freeman链码相比,提出的压缩算法是基于Freeman链码、差分编码和Huffman编码的一种混和编码方式。通过理论分析和在指纹二值细化图上的实验结果证明,对于指纹二值细化图像,本算法优于现有的链码压缩二值图像的算法,针对于线状结构的条形纹线二值图像,本算法也优于其他压缩算法。其平均码长为1.7651bits,低于8方向Freeman链码或者Freeman差分链码的3bits的平均码长。     

动态指令流差分分析在恶意软件分析中的应用*

针对静态分析方法已不能满足安全分析的需求,而传统的动态分析技术不能快速定位关键信息,且分析效率不高,提出了一种动态指令流差分分析技术,描述了差分分析模型和分析方法。该分析技术能够高速有效地分析恶意软件的关键数据,识别加密算法,分析混淆代码的功能模块和数据扩散情况。通过实验对其可行性和高效性进行了验证。     

一种基于全系统仿真和指令流分析的二进制代码分析方法*

二进制代码分析是分析程序行为特征的重要手段。本文提出了一种基于全系统仿真和指令流分析的二进制代码分析方法,该方法的核心思想是在一个全系统仿真虚拟机上执行二进制代码,通过截获并分析二进制代码运行时产生的指令流信息,分析程序行为特征。基于该方法,本文设计并实现了一个二进制代码分析系统。实验结果表明,通过该系统捕获并分析指令流,能够更为高效全面地提取出代码执行过程中产生的各类信息。对于使用抗分析技术手段的二进制代码,本文的分析方法很有效果。     

二值图像区域旋转编码性质及运算

基于对二值图像进行区域旋转编码的思想,研究旋转编码的定义、运算及性质.介绍旋转编码的几何定义,证明旋转编码符合代数意义下码的基本定义,并给出旋转编码的代数定义.根据旋转编码的特点,进一步提出旋转编码性能的评价标准.然后,提出基于旋转编码的图像匹配运算与有效面积求解运算.最后,给出旋转编码区域扩充性质、区域平移性质的定义及对应的实现算法,并给出算法的运算实例.     

Methods and software tools to support combined binary code analysis

Methods and tools for binary code analysis developed in the Institute of System Programming, Russian Academy of Sciences, and their applications in algorithm and data format recovery are considered. The executable code of various general-purpose CPU architectures is analyzed. The analysis is performed given no source codes, debugging information, and specific OS version requirements. The approach implies collecting a detailed machine instruction level execution trace; a method for successively increasing presentation level; extraction of algorithm’s code followed by structuring of both code and data formats it processes. Important results are obtained, viz. an intermediate representation is developed that allows carrying out most preliminary processing tasks and algorithm code extraction without having to focus on specifics of a given machine; and a method and software tool are developed for automated recovery of network message and file formats. The tools are integrated into the unified analysis platform that supports their combined use. The architecture behind the platform is also described. Examples of its application to real programs are given.     

二进制代码覆盖率评估系统的设计与实现

在程序动态测试中,需要评价二进制代码动态测试效果.提出了一种二进制代码覆盖率评估方法,设计并实现了基于分支轨迹存储技术的二进制代码覆盖率评估系统.通过分支监视引擎记录动态测试中的代码分支轨迹,利用分支轨迹数据修正静态分析结果,综合静态分析结果和分支轨迹记录评估二进制代码覆盖率,并实现轨迹数据的可视化.实验结果表明,该系统能够有效提高覆盖率评估精度和效率.