Function-level Data Dependence Graph and Its Application in Static Vulnerability Analysis

Fund Project:

National Natural Science Foundation of China (U1766215, U1636120); International Cooperation Project of Institute of Information Engineering, Chinese Academy of Sciences (Y7Z0451104); Science and Technology Project of State Grid Corporation of China (52110417001B)

Abstract:

Data flow analysis plays an important role in binary code analysis. Constructing a traditional data dependence graph (DDG) consumes so much time and space that it severely limits the size of the code that can be analyzed. This study introduces a novel graph model, the function-level data dependence graph (FDDG), and proposes a corresponding construction method. Two key insights lie behind FDDG. First, FDDG focuses on the relationships between function parameters. Second, FDDG treats a function as a whole and ignores the details inside the function. As a result, the size of the data dependence graph is reduced significantly, and much time and space are saved. The experimental results show that the time performance of the method is improved by about three orders of magnitude compared to the method in angr. As an application, FDDG is employed to analyze vulnerabilities in embedded firmware, and a firmware vulnerability analysis prototype system called FFVA is implemented. FFVA is used to analyze firmware from real embedded devices and finds a total of 24 vulnerabilities in devices from D-Link, NETGEAR, EasyN, uniview, and so on, among which 14 are unknown vulnerabilities, thus validating the effectiveness of the function-level data dependence graph in static vulnerability analysis.
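A simplified illustration of the two ideas in the abstract (graph nodes are function parameters, and each function body is replaced by a summary), added here and not taken from the paper or from FFVA. The summaries, the source and sink lists, the call sequence, and the names `build_fddg` and `tainted_sinks` are assumptions made for this example.

```python
from collections import defaultdict, deque

# Assumed summaries (not from the paper): output slot -> input slots it derives from.
SUMMARY = {
    "recv":   {"arg1": []},            # buffer filled from the network
    "strlen": {"ret": ["arg0"]},
    "memcpy": {"arg0": ["arg1"]},
    "strcpy": {"arg0": ["arg1"]},
}
SOURCES = {("recv", "arg1")}                       # externally controlled outputs
SINKS = {("memcpy", "arg2"), ("strcpy", "arg1")}   # copy length / unbounded copy source

# Constructed call sequence of one caller: (callee, {slot: caller variable}).
CALLS = [
    ("recv",   {"arg1": "req"}),
    ("strlen", {"arg0": "req", "ret": "n"}),
    ("memcpy", {"arg0": "tmp", "arg1": "req", "arg2": "n"}),
    ("strcpy", {"arg0": "out", "arg1": "tmp"}),
    ("strcpy", {"arg0": "banner", "arg1": "const_str"}),
]

def build_fddg(calls):
    """Nodes are (call index, callee, slot); callee bodies are never inspected."""
    edges, last_def = defaultdict(set), {}
    for i, (func, binding) in enumerate(calls):
        outputs = SUMMARY[func]
        for slot, var in binding.items():          # use-def edges between call sites
            if slot not in outputs and var in last_def:
                edges[last_def[var]].add((i, func, slot))
        for out, deps in outputs.items():          # summary edges inside one call
            for dep in deps:
                edges[(i, func, dep)].add((i, func, out))
            if out in binding:
                last_def[binding[out]] = (i, func, out)
    return edges

def tainted_sinks(calls):
    """Sink slots reachable from a source slot in the FDDG."""
    edges = build_fddg(calls)
    queue = deque((i, f, s) for i, (f, b) in enumerate(calls)
                  for s in b if (f, s) in SOURCES)
    seen = set(queue)
    while queue:
        for nxt in edges[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return sorted(n for n in seen if (n[1], n[2]) in SINKS)

if __name__ == "__main__":
    print(tainted_sinks(CALLS))
```

The second `strcpy` is not reported because its source argument is never written by a call that depends on `recv`, while the `memcpy` length is reported through the `strlen` summary edge.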

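Citation:

Chen Qian, Cheng Kai, Zheng Yaowen, Zhu Hongsong, Sun Limin. Function-level data dependence graph and its application in static vulnerability analysis. Journal of Software, 2020, 31(11): 3421-3435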

History
  • Received: October 09, 2018
  • Revised: January 18, 2019
  • Adopted:
  • Online: November 07, 2020
  • Published: November 06, 2020
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4
Address: 4# South Fourth Street, Zhong Guan Cun, Beijing 100190, Postal Code: 100190
Phone: 010-62562563 Fax: 010-62562533 Email: jos@iscas.ac.cn