函数级数据依赖图及其在静态脆弱性分析中的应用

数据流分析是二进制程序分析的重要手段,但传统数据依赖图(DDG)构建的时间与空间复杂度较高,限制了可分析代码的规模.提出了函数级数据依赖图(FDDG)的概念,并设计了函数级数据依赖图的构建方法.在考虑函数参数及参数间相互依赖关系的基础上,将函数作为整体分析,忽略函数内部的具体实现,显著缩小了数据依赖图规模,降低了数据依赖图生成的时空复杂度.实验结果表明,与开源工具angr中的DDG生成方法相比,FDDG的生成时间性能普遍提升了3个数量级.同时,将FDDG应用于嵌入式二进制固件脆弱性分析,实现了嵌入式固件脆弱性分析原型系统FFVA,在对D-Link、NETGEAR、EasyN、uniview等品牌的设备固件分析中,发现了24个漏洞,其中14个属于未知漏洞,进一步验证了FDDG在静态脆弱性分析中的有效性.

Function-level Data Dependence Graph and Its Application in Static Vulnerability Analysis

Data flow analysis plays an important role in binary code analysis. Due to consuming too much time and space, constructing the traditional data dependence graph (DDG) limits the size of the analyzed code thoroughly. This study introduces a novel graph model, function-level data dependence graph (FDDG), and proposes a corresponding construction method. The key insights behind FDDG lie in the following two points. First, FDDG focuses on the relationships between function parameters; Second, FDDG treats a function as a whole and ignores the details inside the function. As a result, the size of the data dependence graph is reduced significantly. Also, the time and space are saved greatly. The experimental results show the time performance of the method is improved by about three orders of magnitude compared to the method in angr. As an instance, FDDG is employed to analyze the vulnerability of embedded firmwares, and a firmware vulnerability analysis prototype system called FFVA is implemented. The implemented FFVA system is used to analyze firmwares from real embedded devices, and find a total of 24 vulnerabilities in the devices from D-Link, NETGEAR, EasyN, uniview, and so on, among which 14 are unknown vulnerabilities, thus validating the effectiveness of function-level data dependence graph in static vulnerability analysis.