HOME > Detail View

Detail View

Scalable binary code clone detection for vulnerability scanning

Scalable binary code clone detection for vulnerability scanning

Material type
학위논문
Personal Author
장하진, 張河眞
Title Statement
Scalable binary code clone detection for vulnerability scanning / Hajin Jang
Publication, Distribution, etc
Seoul :   Graduate School, Korea University,   2020  
Physical Medium
42장 ; 26 cm
기타형태 저록
Scalable Binary Code Clone Detection for Vulnerability Scanning   (DCOLL211009)000000127346  
학위논문주기
학위논문(석사)-- 고려대학교 대학원: 컴퓨터·전파통신공학과, 2020. 2
학과코드
0510   6D36   1112  
General Note
지도교수: 이희조  
Bibliography, Etc. Note
참고문헌: 장 39-42
이용가능한 다른형태자료
PDF 파일로도 이용가능;   Requires PDF file reader(application/pdf)  
비통제주제어
scalability , vulnerability detection , vulnerable code clone , static binary analysis , binary code clone detection,,
000 00000nam c2200205 c 4500
001 000046026277
005 20200428154418
007 ta
008 191231s2020 ulk bmAC 000c eng
040 ▼a 211009 ▼c 211009 ▼d 211009
041 0 ▼a eng ▼b kor
085 0 ▼a 0510 ▼2 KDCP
090 ▼a 0510 ▼b 6D36 ▼c 1112
100 1 ▼a 장하진, ▼g 張河眞
245 1 0 ▼a Scalable binary code clone detection for vulnerability scanning / ▼d Hajin Jang
260 ▼a Seoul : ▼b Graduate School, Korea University, ▼c 2020
300 ▼a 42장 ; ▼c 26 cm
500 ▼a 지도교수: 이희조
502 0 ▼a 학위논문(석사)-- ▼b 고려대학교 대학원: ▼c 컴퓨터·전파통신공학과, ▼d 2020. 2
504 ▼a 참고문헌: 장 39-42
530 ▼a PDF 파일로도 이용가능; ▼c Requires PDF file reader(application/pdf)
653 ▼a scalability ▼a vulnerability detection ▼a vulnerable code clone ▼a static binary analysis ▼a binary code clone detection
776 0 ▼t Scalable Binary Code Clone Detection for Vulnerability Scanning ▼w (DCOLL211009)000000127346
900 1 0 ▼a Jang, Ha-jin, ▼e
900 1 0 ▼a 이희조, ▼g 李喜造, ▼e 지도교수
945 ▼a KLPA

Electronic Information

No. Title Service
1
Scalable binary code clone detection for vulnerability scanning (55회 열람)
View PDF Abstract Table of Contents

Holdings Information

No. Location Call Number Accession No. Availability Due Date Make a Reservation Service
No. 1 Location Science & Engineering Library/Stacks(Thesis)/ Call Number 0510 6D36 1112 Accession No. 123063741 Availability Available Due Date Make a Reservation Service B M
No. 2 Location Science & Engineering Library/Stacks(Thesis)/ Call Number 0510 6D36 1112 Accession No. 123063742 Availability Available Due Date Make a Reservation Service B M

Contents information

Abstract

코드 재사용은 취약점을 소프트웨어를 개발하고 관리하는 과정에서 전파시킨다. 코드 클론 탐지 기술은 이러한 문제를 예방하고 관리하기 위해 사용된다. 특히 바이너리 코드 클론 탐지 기술은 상용 프로그램이나 커스텀 바이너리 등 소스 코드에 접근할 수 없는 상황의 문제 해결에 필수적이다. 그러나 기존 바이너리 기반 탐지 기술들은 규모 가변성에 제약이 있거나, 취약 코드 클론을 정밀하게 탐지할 수 없는 한계를 가지고 있다.

본 논문은 확장성이 좋은 바이너리 코드 클론 기반 취약점 탐지 프레임워크인 QuickBCC를 제안한다. 성능과 정확도를 높이기 위해 바이너리의 시맨틱을 정적으로 추출 및 비교하는 아이디어를 사용하였고, 취약 코드 클론을 탐지하기 위해 취약점 패치가 바이너리에서 삭제하거나 추가하는 코드를 추적하는 새로운 방안을 제시하였다.

QuickBCC는 고도로 최적화되었으며 평균적으로 11ms 안에 하나의 타겟 바이너리를 스캔할 수 있다. 멀티스레드 환경에서 5,420개의 타겟 바이너리 전처리를 62분 만에 끝낼 수 있었고, 10초만에 타겟들을 6개의 취약점 시그니처와 매칭하였다. QuickBCC는 하나의 시그니처로 여러 타겟 바이너리에서 취약점을 탐지할 수 있다. 일례로, 실험 결과 타겟 내 모든 OpenSSL 바이너리에서 CVE-2019-1547과 CVE-2019-1563을 탐지하였다.


Vulnerability propagation by code reuse can happen during the software development life-cycle. Code clone detection techniques are used for preventing and managing such situations. In particular, binary code clone detection methods are necessary to address problems such as proprietary software and some custom distributions. However, existing binary-focused detectors have scalability issues, or are limited in their accurate detection of vulnerable code clones. In this thesis, we introduce QuickBCC, a scalable binary code clone detection framework designed for vulnerability scanning. We built the framework on the idea of extracting and comparing semantics statistically, with a goal of maximum performance and accuracy. We also devised a novel idea of detecting vulnerable code clones by marking removed and added instructions within a security patch. QuickBCC is highly optimized, capable of preprocessing 5,420 target binaries within 62 minutes, and able to match those binaries with 6 signatures in 10 seconds when running as a multi-threaded application. It only took 11ms to match one target binary on average. The framework is capable of detecting vulnerabilities from multiple binaries with one signature, such as detecting CVE-2019-1547 and CVE-2019-1563 from every target OpenSSL binary.

Table of Contents

1 Introduction 1
 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
 1.2 Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
 1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Related Works 5
 2.1 Source Code Clone Detection . . . . . . . . . . . . . . . . . . . . . . . . . 5
 2.2 Binary Code Clone Detection . . . . . . . . . . . . . . . . . . . . . . . . . 6
 2.3 n-Grams for Binary Similarity . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Background and Methodology 9
 3.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
  3.1.1 Code Clone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
  3.1.2 Vulnerable Code Clone . . . . . . . . . . . . . . . . . . . . . . . . . 10
  3.1.3 Strand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
  3.1.4 Compile Environment . . . . . . . . . . . . . . . . . . . . . . . . . 10
  3.1.5 Stable Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
  3.1.6 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
  3.1.7 Vulnerability Signature . . . . . . . . . . . . . . . . . . . . . . . . 11
 3.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4 Design 13
 4.1 Binary Preprocessor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
  4.1.1 Disassembler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
  4.1.2 Lifting to IR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
  4.1.3 Marks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
  4.1.4 Strand Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
 4.2 Vulnerability Signature Preprocessor . . . . . . . . . . . . . . . . . . . . . 19
 4.3 Code Clone Detector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
  4.3.1 Fingerprint Matcher . . . . . . . . . . . . . . . . . . . . . . . . . . 21
 4.4 Fingerprint & Strand Filtering . . . . . . . . . . . . . . . . . . . . . . . . 24
5 Implementation 25
 5.1 Disassmbler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
 5.2 Diff Marks Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
 5.3 Strand Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
 5.4 Code Clone Detector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6 Evaluation 27
 6.1 Environmental Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
  6.1.1 Target Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
  6.1.2 Vulnerability Signatures . . . . . . . . . . . . . . . . . . . . . . . . 28
  6.1.3 Test Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
 6.2 Vulnerable Code Clone Detection . . . . . . . . . . . . . . . . . . . . . . . 29
  6.2.1 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
  6.2.2 Accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
 6.3 Comparison with Esh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7 Discussion & Future Work 35
 7.1 Issues Related to Disassembler . . . . . . . . . . . . . . . . . . . . . . . . 35
 7.2 Robustness to Compile Environments . . . . . . . . . . . . . . . . . . . . 35
 7.3 Expand to Virtual Machine-Based Language . . . . . . . . . . . . . . . . . 36
 7.4 Better Vulnerability Signature Generation . . . . . . . . . . . . . . . . . . 36
8 Conclusion 38
Bibliography 39


New Arrivals Books in Related Fields