Author: Yao-Nang Tseng
Title: Static Analysis and Implementation of TOCTOU Vulnerability
Advisor: Yung-Yu Zhuang
Keywords: TOCTOU vulnerability, static analysis, LLVM, Clang Static Analyzer
Abstract:
C combines many of the advantages of high-level and low-level languages, such as high execution efficiency, direct control of hardware, and good portability, so it is widely used in industry. According to the TIOBE Index ranking of popular programming languages, C has stayed in the top two since 1989.
However, C has many inherent problems that make it easy for programmers to write unsafe code, and because of its long history it has accumulated a large amount of legacy code. Most practitioners therefore rely on dynamic or static analysis tools to find such vulnerabilities. Among them, a TOCTOU (time of check to time of use) vulnerability in C code leads to serious system security problems once exploited. Although scholars have proposed both dynamic and static detection methods, the results have not been ideal.
This thesis proposes a detection method that combines symbolic execution with parameter tracking to achieve precise static analysis, and that can handle aliasing of variables and of functions. The method is implemented as a tool on top of the Clang Static Analyzer, and the detection results are presented through a command-line interface and as web pages. Finally, the accuracy of the analysis is verified with the Juliet Test Suite, and the tool is compared with the methods proposed in the literature and with the C static analysis tools commonly used in industry.
Table of contents:
Abstract (Chinese) i
Abstract (English) ii
Acknowledgements iii
Table of Contents iv
List of Figures v
List of Tables vi
1. Introduction 1
1.1 Research Background and Motivation 1
1.2 Research Framework 2
1.3 Thesis Organization 3
2. Literature Review 5
2.1 TOCTOU Vulnerability 5
2.2 Dynamic Analysis 6
2.3 Static Analysis 7
2.4 Symbolic Execution 10
2.5 LLVM and Clang Static Analyzer (CSA) 11
2.6 Related Work 12
3. Proposed Method 17
4. Implemented Tool 20
4.1 Implementation Environment 20
4.2 Implementation Logic 20
4.3 Implementation Details 20
4.4 Implementation Results 25
5. Comparative Analysis 29
5.1 Comparison of the Proposed Method with Methods in the Literature 29
5.2 Comparison of the Implemented Tool with Tools Commonly Used in Industry 34
6. Conclusion and Future Work 42
References 43
Electronic full text (available online from 2024-06-25)