基於污點分析引導的復現漏洞偵測

Abstract

復現漏洞是一種與特定已知漏洞相似的漏洞，它通常是由程式碼重複使用所造成的。開發人員經常複製開源的程式碼來實現特定的功能。然而，假如開源的程式碼含有漏洞的話，則這種程式碼重複使用的行為會使這些漏洞在開發人員無察覺的情況下以另一種形式存在。為了偵測復現漏洞，研究人員致力於開發一些強大的技術。然而，他們往往無法同時實現高準確性、高擴展性和高漏洞類型覆蓋率。近期，Kang 等人將污點分析引入了這個領域，他們不僅提高了準確性也維持高擴展性，但漏洞類型覆蓋率較低。

為了使基於汙點分析的方法能支援更多的漏洞類型，我們提出了一種更通用的方法 OpSMatcher。OpSMatcher 使用汙點分析的技術來提取蹤跡。然後，OpSMatcher 從蹤跡中提取運算符和函數調用序列作為特徵。為了匹配漏洞，OpSMatcher 利用字串匹配演算法去計算序列之間的相似性並生成過濾補丁的規則。在我們的實驗中，OpSMatcher 支援 24 種常見的漏洞類型，並且獲得了 0.789 的準確率和 0.730 的召回率。此外，OpSMatcher 還在 Debian 軟體包偵測到了 5 個之前的研究未曾發現的未知復現漏洞。這表明 OpSMatcher 具有較高的漏洞類型覆蓋率並能有效地偵測復現漏洞。

Recurring vulnerability is a kind of vulnerability that is similar to a particular known vulnerability. It is often caused by code reuse. Developers usually copy open-source codes to implement their specific functionality. However, if open-source codes contain vulnerabilities, the behavior of code reuse will make them exist in another form without awareness. To detect recurring vulnerabilities, researchers have dedicated themselves to coming up with some powerful techniques. Nevertheless, they can't achieve high accuracy, high scalability, and high vulnerability type coverage at the same time. Recently, Kang et al. introduced taint analysis into this field. They improve accuracy and maintain high scalability but have a low vulnerability type coverage.

To make taint analysis-based approaches support more vulnerability types, we propose a more general approach OpSMatcher. OpSMatcher uses taint analysis techniques to extract traces. Then, OpSMatcher extracts the sequence of operators and function calls from traces as signatures. To match vulnerabilities, OpSMatcher leverages string-matching algorithms to compute the similarity between sequences and make rules to filter patches. In our experiments, OpSMatcher supports 24 kinds of common vulnerabilities and gets 0.789 precision and 0.730 recall. In addition, OpSMatcher also detects 5 unknown recurring vulnerabilities that are never found by previous works in Debian packages. It shows that OpSMatcher has a high vulnerability type coverage and can detect recurring vulnerabilities effectively.