000 | 00000nam c2200205 c 4500 | |
001 | 000046026277 | |
005 | 20230626132654 | |
007 | ta | |
008 | 191231s2020 ulk bmAC 000c eng | |
040 | ▼a 211009 ▼c 211009 ▼d 211009 | |
041 | 0 | ▼a eng ▼b kor |
085 | 0 | ▼a 0510 ▼2 KDCP |
090 | ▼a 0510 ▼b 6D36 ▼c 1112 | |
100 | 1 | ▼a 장하진, ▼g 張河眞 |
245 | 1 0 | ▼a Scalable binary code clone detection for vulnerability scanning / ▼d Hajin Jang |
260 | ▼a Seoul : ▼b Graduate School, Korea University, ▼c 2020 | |
300 | ▼a 42장 ; ▼c 26 cm | |
500 | ▼a 지도교수: 이희조 | |
502 | 0 | ▼a 학위논문(석사)-- ▼b 고려대학교 대학원, ▼c 컴퓨터·전파통신공학과, ▼d 2020. 2 |
504 | ▼a 참고문헌: 장 39-42 | |
530 | ▼a PDF 파일로도 이용가능; ▼c Requires PDF file reader(application/pdf) | |
653 | ▼a scalability ▼a vulnerability detection ▼a vulnerable code clone ▼a static binary analysis ▼a binary code clone detection | |
776 | 0 | ▼t Scalable Binary Code Clone Detection for Vulnerability Scanning ▼w (DCOLL211009)000000127346 |
900 | 1 0 | ▼a Jang, Ha-jin, ▼e 저 |
900 | 1 0 | ▼a 이희조, ▼g 李喜造, ▼d 1971-, ▼e 지도교수 ▼0 AUTH(211009)116659 |
945 | ▼a KLPA |
Holdings
No. | Location | Call number | Accession number | Status | Due date | Reservation | Service
---|---|---|---|---|---|---|---
1 | Science Library / Thesis stacks | 0510 6D36 1112 | 123063741 | Available | | |
2 | Science Library / Thesis stacks | 0510 6D36 1112 | 123063742 | Available | | |
Contents
Abstract
Code reuse propagates vulnerabilities while software is being developed and maintained. Code clone detection techniques are used to prevent and manage this problem. In particular, binary code clone detection is essential where the source code is not accessible, such as commercial programs or custom binaries. However, existing binary-based detection techniques are either limited in scalability or unable to detect vulnerable code clones precisely. This thesis proposes QuickBCC, a scalable vulnerability detection framework based on binary code clone detection. To improve performance and accuracy, it uses the idea of statically extracting and comparing the semantics of binaries, and to detect vulnerable code clones it presents a new approach that tracks the code a vulnerability patch removes from or adds to the binary. QuickBCC is highly optimized and can scan one target binary in 11 ms on average. In a multi-threaded environment it finished preprocessing 5,420 target binaries in 62 minutes and matched the targets against 6 vulnerability signatures in 10 seconds. QuickBCC can detect a vulnerability in multiple target binaries with a single signature; for example, in the experiments it detected CVE-2019-1547 and CVE-2019-1563 in every OpenSSL binary among the targets.
Vulnerability propagation by code reuse can happen during the software development life-cycle. Code clone detection techniques are used for preventing and managing such situations. In particular, binary code clone detection methods are necessary to address problems such as proprietary software and some custom distributions. However, existing binary-focused detectors have scalability issues, or are limited in their accurate detection of vulnerable code clones. In this thesis, we introduce QuickBCC, a scalable binary code clone detection framework designed for vulnerability scanning. We built the framework on the idea of extracting and comparing semantics statically, with a goal of maximum performance and accuracy. We also devised a novel idea of detecting vulnerable code clones by marking removed and added instructions within a security patch. QuickBCC is highly optimized, capable of preprocessing 5,420 target binaries within 62 minutes, and able to match those binaries with 6 signatures in 10 seconds when running as a multi-threaded application. It only took 11 ms to match one target binary on average. The framework is capable of detecting vulnerabilities from multiple binaries with one signature, such as detecting CVE-2019-1547 and CVE-2019-1563 from every target OpenSSL binary.
Table of contents
1 Introduction (p. 1)
  1.1 Motivation (p. 1)
  1.2 Approach (p. 3)
  1.3 Contributions (p. 4)
2 Related Works (p. 5)
  2.1 Source Code Clone Detection (p. 5)
  2.2 Binary Code Clone Detection (p. 6)
  2.3 n-Grams for Binary Similarity (p. 8)
3 Background and Methodology (p. 9)
  3.1 Background (p. 9)
    3.1.1 Code Clone (p. 9)
    3.1.2 Vulnerable Code Clone (p. 10)
    3.1.3 Strand (p. 10)
    3.1.4 Compile Environment (p. 10)
    3.1.5 Stable Property (p. 11)
    3.1.6 Fingerprint (p. 11)
    3.1.7 Vulnerability Signature (p. 11)
  3.2 Methodology (p. 12)
4 Design (p. 13)
  4.1 Binary Preprocessor (p. 14)
    4.1.1 Disassembler (p. 14)
    4.1.2 Lifting to IR (p. 15)
    4.1.3 Marks (p. 16)
    4.1.4 Strand Generation (p. 16)
  4.2 Vulnerability Signature Preprocessor (p. 19)
  4.3 Code Clone Detector (p. 20)
    4.3.1 Fingerprint Matcher (p. 21)
  4.4 Fingerprint & Strand Filtering (p. 24)
5 Implementation (p. 25)
  5.1 Disassembler (p. 25)
  5.2 Diff Marks Generation (p. 25)
  5.3 Strand Generator (p. 26)
  5.4 Code Clone Detector (p. 26)
6 Evaluation (p. 27)
  6.1 Environmental Setup (p. 27)
    6.1.1 Target Binaries (p. 27)
    6.1.2 Vulnerability Signatures (p. 28)
    6.1.3 Test Environment (p. 29)
  6.2 Vulnerable Code Clone Detection (p. 29)
    6.2.1 Performance (p. 29)
    6.2.2 Accuracy (p. 30)
  6.3 Comparison with Esh (p. 33)
7 Discussion & Future Work (p. 35)
  7.1 Issues Related to Disassembler (p. 35)
  7.2 Robustness to Compile Environments (p. 35)
  7.3 Expand to Virtual Machine-Based Language (p. 36)
  7.4 Better Vulnerability Signature Generation (p. 36)
8 Conclusion (p. 38)
Bibliography (p. 39)