Similar literature
 20 similar documents found; search took 62 ms
1.
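Preventing Code Injection Attacks Using Kernel-Mode Hooking   Total citations: 1, self-citations: 0, citations by others: 1
朱若磊, 《计算机应用》 (Journal of Computer Applications), 2006, 26(9): 2134-2136
To prevent code injection attacks, it is essential to use hooking to monitor the relevant API function calls. Because Windows NT systems enforce strict process isolation, such hooks are effective only in kernel mode. This paper proposes and discusses a simple method for implementing this technique. Practice shows that under Windows XP it can successfully stop Trojans from carrying out attacks through code injection.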

2.
Software repositories hold applications that are often categorized to improve the effectiveness of various maintenance tasks. Properly categorized applications allow stakeholders to identify requirements related to their applications and predict maintenance problems in software projects. Manual categorization is expensive, tedious, and laborious – this is why automatic categorization approaches are gaining widespread importance. Unfortunately, for different legal and organizational reasons, the applications’ source code is often not available, thus making it difficult to automatically categorize these applications. In this paper, we propose a novel approach in which we use Application Programming Interface (API) calls from third-party libraries for automatic categorization of software applications that use these API calls. Our approach is general since it enables different categorization algorithms to be applied to repositories that contain both source code and bytecode of applications, since API calls can be extracted from both the source code and byte-code. We compare our approach to a state-of-the-art approach that uses machine learning algorithms for software categorization, and conduct experiments on two large Java repositories: an open-source repository containing 3,286 projects and a closed-source repository with 745 applications, where the source code was not available. Our contribution is twofold: we propose a new approach that makes it possible to categorize software projects without any source code using a small number of API calls as attributes, and furthermore we carried out a comprehensive empirical evaluation of automatic categorization approaches.

3.
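Application of Dynamic Link Libraries in Visual C++   Total citations: 1, self-citations: 0, citations by others: 1
肖健, 刘明霞, 《现代计算机》 (Modern Computer), 1999, (1): 74-76, 79
Dynamic link libraries (DLLs) are the most important building blocks of the Windows system. Windows stores most of the program code, data and frequently used resources that make up the system in disk files in binary form. When developing large Windows applications, using dynamic link libraries likewise brings benefits such as smaller executables, lower application memory use at run time, and easier modification and updating. Drawing on problems the authors encountered in actual development work, this paper introduces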

4.
Source code comments are a valuable instrument to preserve design decisions and to communicate the intent of the code to programmers and maintainers. Nevertheless, commenting source code and keeping comments up-to-date is often neglected for reasons of time or programmers' obliviousness. In this paper, we investigate the question whether developers comment their code and to what extent they add comments or adapt them when they evolve the code. We present an approach to associate comments with source code entities to track their co-evolution over multiple versions. A set of heuristics is used to decide whether a comment is associated with its preceding or its succeeding source code entity. We analyzed the co-evolution of code and comments in eight different open source and closed source software systems. We found with statistical significance that (1) the relative amount of comments and source code grows at about the same rate; (2) the type of a source code entity, such as a method declaration or an if-statement, has a significant influence on whether or not it gets commented; (3) in six out of the eight systems, code and comments co-evolve in 90% of the cases; and (4) surprisingly, API changes and comments do not co-evolve but they are re-documented in a later revision. As a result, our approach enables a quantitative assessment of the commenting process in a software system. We can, therefore, leverage the results to provide feedback during development to increase the awareness of when to add comments or when to adapt comments because of source code changes.

5.
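Mining Software Library Call Specifications   Total citations: 1, self-citations: 1, citations by others: 0
钟浩, 张路, 梅宏, 《软件学报》 (Journal of Software), 2011, 22(3): 408-416
A software library call specification describes the correct order in which the functions provided by a software library should be called. Client code should call functions as the specification describes; otherwise defects may be introduced, reducing the trustworthiness of the software. Because they can describe the properties that trusted software should satisfy, library call specifications play a special role in research on trusted software, model checking and related areas. However, given the high cost of writing specifications, software libraries usually do not ship with ready-made call specifications. Researchers have therefore proposed various methods for mining such specifications automatically. This paper describes representative methods and their latest research progress, and on that basis discusses future research directions.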

6.
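王远, 《微计算机信息》 (Microcomputer Information), 2006, 22(30): 224-226
API function interception means interrupting a call to an API function by some specific method and executing the user's own functional code instead. The technique consists of code loading and user code. The paper first discusses in detail three code-loading techniques in Windows: hooks, remote thread insertion using a dynamic link library, and remote thread insertion using a code segment. It also analyzes the advantages and disadvantages of the three techniques and gives the situations in which each applies. Finally, it presents the design and implementation of a function interception system.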

7.
Developers using third party software components need to test them to satisfy quality requirements. In the past, researchers have proposed fault injection testing approaches in which the component state is perturbed and the resulting effects on the rest of the system are observed. Non-availability of source code in third-party components makes it harder to perform source code level fault injection. Even if Java decompilers are used, they do not work well with obfuscated bytecode. We propose a technique that injects faults in Java software by manipulating the bytecode. Existing test suites are assessed according to their ability to detect the injected faults and improved accordingly. We present a case study using an open source Java component that demonstrates the feasibility and effectiveness of our approach. We also evaluate the usability of our approach on obfuscated bytecode.

8.
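Starting from the proof of concept of a vulnerability exploitation attack, WinDbg is used to reverse-engineer the characteristics of this class of attack, and detection code is written based on those characteristics. The detection code is then packaged in a DLL, which is injected into the web browser by means of a remote thread. The injected DLL intercepts the browser's API by code overwriting so that the browser jumps to the detection code. The return value of the detection code when the browser opens a URL is used to decide whether the URL contains a web-page Trojan that attacks through the vulnerability. By deploying this technique across many virtual machines and checking web pages in bulk, a high-confidence blacklist of Trojan-hosting web pages can be supplied to antivirus companies, search engines and others.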

9.
Dynamic Analysis of Malicious Code   Total citations: 2, self-citations: 0, citations by others: 2
Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

10.
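Source code retrieval is an important research problem in software engineering; its main task is to retrieve and reuse the APIs (application program interfaces) of software projects. As software projects grow larger and more complex, source code retrieval currently needs, on the one hand, to improve the accuracy of natural-language API queries and, on the other, to locate and show the relationships between the target API and its related code, so as to better help users understand the API's implementation logic and usage scenarios. To this end, a graph-embedding-based method for retrieving software project source code is proposed. The method automatically builds a code structure graph from a project's source code and represents the source code information through graph embedding. On this basis, the user can enter a natural-language question, and the method retrieves and returns a connected code subgraph made up of the relevant APIs and their associated information, improving the efficiency of API retrieval and reuse. In retrieval experiments using the open-source projects Apache Lucene and POI as examples, the F1 score of the method's results was 10% higher than that of an existing shortest-path-based method, and the average response time was significantly shorter.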

11.
Temporal specifications for Application Programming Interfaces (APIs) serve as an important basis for many defect detection tools. As these specifications are often not well documented, various approaches have been proposed to automatically mine specifications typically from API library source code or from API client programs. However, the library-based approaches take substantial computational resources and produce rather limited useful specifications, while the client-based approaches suffer from high false positive rates. To address the issues of existing approaches, we propose a novel specification mining approach, called MineHEAD, which exploits heterogeneous API data, including information from API client programs as well as API library source code and comments, to produce effective specifications for defect detection with low cost. In particular, MineHEAD first applies client-based specification mining to produce a collection of candidate specifications, and then exploits the related library source code and comments to identify and refine the real specifications from the candidates. Our evaluation results on nine open source projects show that MineHEAD produces effective specifications with average precision of 97.2%.

12.
Attributing authorship of documents with unknown creators has been studied extensively for natural language text such as essays and literature, but less so for non‐natural languages such as computer source code. Previous attempts at attributing authorship of source code can be categorised by two attributes: the software features used for the classification, either strings of n tokens/bytes (n‐grams) or software metrics; and the classification technique that exploits those features, either information retrieval ranking or machine learning. The results of existing studies, however, are not directly comparable as all use different test beds and evaluation methodologies, making it difficult to assess which approach is superior. This paper summarises all previous techniques to source code authorship attribution, implements feature sets that are motivated by the literature, and applies information retrieval ranking methods or machine classifiers for each approach. Importantly, all approaches are tested on identical collections from varying programming languages and author types. Our conclusions are as follows: (i) ranking and machine classifier approaches are around 90% and 85% accurate, respectively, for a one‐in‐10 classification problem; (ii) the byte‐level n‐gram approach is best used with different parameters to those previously published; (iii) neural networks and support vector machines were found to be the most accurate machine classifiers of the eight evaluated; (iv) use of n‐gram features in combination with machine classifiers shows promise, but there are scalability problems that still must be overcome; and (v) approaches based on information retrieval techniques are currently more accurate than approaches based on machine learning. Copyright © 2012 John Wiley & Sons, Ltd.

13.
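Accurate software performance analysis requires inserting measurement and control code into the program and dynamically checking several different parameters according to the actual running state. However, once code written in a statically typed language such as C has been compiled and linked, its processing logic cannot be changed. Dynamic performance analysis is therefore very difficult in applications whose source code is unavailable or for which recompiling and restarting is costly. This paper introduces a dynamic instruction compilation technique that inserts monitoring points dynamically while the software is running, making it possible to monitor software in those situations. The method is based on the Dyninst API and PAPI. Experiments show that, without depending on source code, the method achieves the same collection efficiency as inserting monitoring points at the source level, greatly widens the range of application of software monitoring based on hardware performance counters, and gives good performance analysis results.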

14.
When coding to an application programming interface (API), developers often encounter difficulties, unsure of which class to subclass, which objects to instantiate, and which methods to call. Example source code that demonstrates the use of the API can help developers make progress on their task. This paper describes an approach to provide such examples in which the structure of the source code that the developer is writing is matched heuristically to a repository of source code that uses the API. The structural context needed to query the repository is extracted automatically from the code, freeing the developer from learning a query language or from writing their code in a particular style. The repository is generated automatically from existing applications, avoiding the need for handcrafted examples. We demonstrate that the approach is effective, efficient, and more reliable than traditional alternatives through four empirical studies.

15.
The paper presents approaches to the validation of optimizing compilers. The emphasis is on aggressive and architecture-targeted optimizations which try to obtain the highest performance from modern architectures, in particular EPIC-like micro-processors. Rather than verify the compiler, the approach of translation validation performs a validation check after every run of the compiler, producing a formal proof that the produced target code is a correct implementation of the source code. First we survey the standard approach to validation of optimizations which preserve the loop structure of the code (though they may move code in and out of loops and radically modify individual statements), present a simulation-based general technique for validating such optimizations, and describe a tool, VOC-64, which implements this technique. For more aggressive optimizations which, typically, alter the loop structure of the code, such as loop distribution and fusion, loop tiling, and loop interchanges, we present a set of permutation rules which establish that the transformed code satisfies all the implied data dependencies necessary for the validity of the considered transformation. We describe the necessary extensions to the VOC-64 in order to validate these structure-modifying optimizations. Finally, the paper discusses preliminary work on run-time validation of speculative loop optimizations, that involves using run-time tests to ensure the correctness of loop optimizations which neither the compiler nor compiler-validation techniques can guarantee the correctness of. Unlike compiler validation, run-time validation has not only the task of determining when an optimization has generated incorrect code, but also has the task of recovering from the optimization without aborting the program or producing an incorrect result. This technique has been applied to several loop optimizations, including loop interchange, loop tiling, and software pipelining and appears to be quite promising.

16.
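刘石, 李合, 王啸吟, 张路, 谢冰, 《计算机科学》 (Computer Science), 2009, 36(8): 165-168
Learning how simple algorithms are implemented and how specific APIs are used from example code is an efficient way for developers to reuse software during development, and it is also the main purpose of using a code search engine. Code search engines evolved from web search technology; they provide retrieval over source code resources on the network and can effectively locate code related to the search terms, helping developers. However, existing code search engines do not distinguish in their results between code that implements an API and code that uses it, and the results contain redundancy, so users cannot quickly and effectively find code fragments that provide useful information. To help users find what they are searching for better and faster, the paper describes methods that apply syntactic and semantic analysis to optimize code search results in three respects: distinguishing API implementation code from API usage code, clustering similar code, and summarizing search results. It presents an implementation of a code search engine and shows the effectiveness of the approach in a case study.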

17.
During the last decade, there has been a considerable interest in using Linux in real‐time systems, especially for industrial control. The simple and elegant design of Linux guarantees reliability and very good performance, while its open‐source license allows the source code to be modified and changed according to the user needs. However, Linux has been designed to be a general‐purpose operating system. Therefore, it presents some issues like unpredictable latencies and limited support for real‐time scheduling. In this paper, we present our experience in the design and implementation of the real‐time scheduler that has been recently included in the Linux kernel. The scheduler is based on the Resource Reservation paradigm, which allows temporal isolation to be enforced between the running tasks. We describe the genesis of the project, the challenges we have encountered, the implementation details and the API offered to the programmers. Then, we show the experimental results measured on real hardware. Copyright © 2015 John Wiley & Sons, Ltd.

18.
Many software libraries, especially those commercial ones, provide API documentation in natural languages to describe correct API usages. However, developers may still write code that is inconsistent with API documentation, partially because many developers are reluctant to carefully read API documentation as shown by existing research. As these inconsistencies may indicate defects, researchers have proposed various detection approaches, and these approaches need many known specifications. As it is tedious to write specifications manually for all APIs, various approaches have been proposed to mine specifications automatically. In the literature, most existing mining approaches rely on analyzing client code, so these mining approaches would fail to mine specifications when client code is not sufficient. Instead of analyzing client code, we propose an approach, called Doc2Spec, that infers resource specifications from API documentation in natural languages. We evaluated our approach on the Javadocs of five libraries. The results show that our approach performs well on real scale libraries, and infers various specifications with relatively high precisions, recalls, and F-scores. We further used inferred specifications to detect defects in open source projects. The results show that specifications inferred by Doc2Spec are useful to detect real defects in existing projects.

19.
Interceptors are an emerging middleware technology enabling the addition of specific network‐oriented capabilities to distributed applications. By exploiting interceptors, developers can register code within interception points, extending the basic middleware mechanisms with specific functionality, e.g. authentication, flow control, caching, etc. Notably, these extensions can be achieved without modifying either the application or the middleware code. In this paper we report the results of our experiences with CORBA request portable interceptors. In particular, we point out (i) the basic mechanisms implementable by these interceptors, i.e. request redirection and piggybacking and (ii) we analyze their limitations. We then propose a proxy‐based technique to overcome the interceptors' limitations. Successively, we present a performance analysis carried out on three Java‐CORBA platforms currently implementing the portable interceptors specification. Finally, we conclude our work with a case study in which portable interceptors are used to implement the fault‐tolerant CORBA client invocation semantic without impacting on the client application code and on the CORBA ORB. We also release fragments of Java code for implementing the described techniques. Copyright © 2003 John Wiley & Sons, Ltd.

20.
Android native applications, written in Java and distributed in APK format, are widely used in mobile devices. Their specific pattern of use lets the operating system control the creation and destruction of resources, such as activities and services (contexts). Programmers are not supposed to interfere with such life cycle events. Otherwise, contexts might be leaked, i.e., they will never be deallocated from memory, or be deallocated late, leading to memory exhaustion and frozen applications. In practice, it is easy to write incorrect code, which hinders garbage collection of contexts and leads to context leakages. In this work, we present a novel static analysis method that finds context leaks in Android code. We apply this analysis to APKs translated into Java bytecode. We provide a formal analysis of our algorithms and suggest further research directions for improving precision by combining different approaches. We discuss the results of a large number of experiments with our analysis, which reveal context leaks in many widely used applications from the Android marketplace. This shows the practical usefulness of our technique and its superiority w.r.t. the well-known Lint and Infer static analysis tools. We estimate the amount of memory saved by the collection of the leaks found and explain, experimentally, where programmers often go wrong and limitations of our tool. Such lessons could be used for designing a sound or more powerful static analysis tool. This work can be considered as a practical application of software analysis techniques to solve practical problems.
