
Software Vulnerability Detection Technologies On Specific Targets

Posted on: 2023-11-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G Zhang
GTID: 1528307169977609
Subject: Computer Science and Technology
Abstract/Summary:
A “bug” or “vulnerability” is a security defect in a computer system. By exploiting common vulnerabilities, attackers can easily obtain the highest privilege level on a machine, which leads to privacy disclosure, information leakage and other security problems. The topic of this thesis is software vulnerability detection technologies on specific targets, organized around three research points: 1) uncovering memory life-cycle bugs in operating system kernels; 2) detecting memory corruption bugs with fuzzing-based taint inference; 3) adaptive multi-objective optimization in grey-box fuzzing.

For uncovering memory life-cycle bugs in operating system kernels, the core idea is that kernel memory vulnerabilities should be studied from the perspective of the memory life-cycle, treating memory allocation, dereferencing and freeing as one inseparable entity. The corresponding class of memory vulnerabilities is defined as operating system kernel memory life-cycle bugs. No previous work has proposed memory life-cycle as the guiding principle, and none treats allocation, dereferencing and freeing as a single entity; consequently, existing tools cannot find the vulnerabilities our technique finds, and their ability to find kernel memory vulnerabilities is weaker than that of the techniques we design. Under this research point, we propose a series of methods to identify the memory allocation and freeing functions of an operating system kernel. Using these kernel functions and the memory they allocate, we implement a prototype named MEBS, which found hundreds of memory life-cycle bugs and 12 CVEs (Common Vulnerabilities and Exposures) in Linux and FreeBSD.

For detecting memory corruption bugs with fuzzing-based taint inference, we hold that fuzz testing, as a vulnerability discovery technique, should pay more attention to finding vulnerabilities efficiently. Through a series of automatic methods, we accurately identify the vulnerability-related information in the program that is needed to guide the fuzzing process. We further use lightweight, fuzzing-based taint inference to assist vulnerability finding, and we design an accurate seed selection strategy targeted at memory corruption vulnerabilities. Under this research point, we implement a prototype named ovAFLow and evaluate it on real programs and on the LAVA-M data set. The results show that the tool finds more memory corruption vulnerabilities with low performance overhead.

For adaptive multi-objective optimization in grey-box fuzzing, we find that optimizing one objective can have a negative impact on another, and we put forward the key idea of adaptively selecting the combination of objectives in multi-objective optimization. We also propose a power scheduling strategy combined with objective combination selection, and we design a method that searches for the optimal solution of the multi-objective optimization with little performance overhead. The new methods proposed under this research point are a multi-player multi-armed bandit model and a non-dominated sorting genetic algorithm for grey-box fuzzing. We implement a prototype named MobFuzz and evaluate it on real programs, the LAVA-M data set and the MAGMA data set. The results are better than those of other fuzzing tools, which demonstrates the effectiveness of our multi-objective optimization algorithm for fuzzing.
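The first research point rests on one idea: check every dereference and every free against the state of the allocation it belongs to, instead of looking at each operation in isolation. The following is an added example, not code from the dissertation or from MEBS (which is a static analysis over real kernel allocators). It is a small run-time checker that records each allocation, validates dereferences and frees against that record, and reports the bug classes that fall out of the life-cycle view: use-after-free, double free, out-of-bounds access and leak. The scenario it drives is constructed to mirror a driver's object life-cycle (buffer allocated at open, touched by ioctls, released at close); the function names and the "open"/"ioctl" site labels are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lc_state { LC_EMPTY = 0, LC_ALLOCATED, LC_FREED };
struct lc_region { unsigned char *base; size_t size; enum lc_state state; const char *site; };
struct lc_report { int use_after_free, double_free, invalid_free, out_of_bounds, leak; };

#define LC_MAX 64
static struct lc_region lc_tab[LC_MAX];   /* one record per allocation event */
static struct lc_report lc_rep;

/* Release live and quarantined memory, clear the table and the report. */
static void lc_reset(void) {
    for (int i = 0; i < LC_MAX; i++)
        if (lc_tab[i].state != LC_EMPTY) free(lc_tab[i].base);
    memset(lc_tab, 0, sizeof lc_tab);
    memset(&lc_rep, 0, sizeof lc_rep);
}

/* Allocation event: record base, size and site for the later events. */
static void *lc_alloc(size_t n, const char *site) {
    for (int i = 0; i < LC_MAX; i++) {
        if (lc_tab[i].state != LC_EMPTY) continue;
        unsigned char *p = malloc(n ? n : 1);
        if (p) lc_tab[i] = (struct lc_region){ p, n, LC_ALLOCATED, site };
        return p;
    }
    return NULL;                                   /* table full */
}

/* Region containing p; a live region wins over a freed one that covers p. */
static struct lc_region *lc_lookup(const void *p) {
    struct lc_region *freed = NULL;
    uintptr_t x = (uintptr_t)p;
    for (int i = 0; i < LC_MAX; i++) {
        struct lc_region *r = &lc_tab[i];
        uintptr_t lo = (uintptr_t)r->base;
        if (r->state == LC_EMPTY || x < lo || x >= lo + r->size) continue;
        if (r->state == LC_ALLOCATED) return r;
        freed = r;
    }
    return freed;
}

/* Dereference event: n bytes at p are legal only inside a live region. */
static int lc_deref(const void *p, size_t n) {
    struct lc_region *r = lc_lookup(p);
    if (!r) { lc_rep.out_of_bounds++; return 0; }              /* wild pointer */
    if (r->state == LC_FREED) { lc_rep.use_after_free++; return 0; }
    if ((uintptr_t)p + n > (uintptr_t)r->base + r->size) { lc_rep.out_of_bounds++; return 0; }
    return 1;
}

/* Free event. Memory is quarantined, not returned to malloc, so the address
 * is not recycled within a scenario and a stale pointer still maps to the
 * freed record (a real kernel allocator would reuse it and hide the bug). */
static void lc_free(void *p) {
    struct lc_region *r = lc_lookup(p);
    if (!r || (void *)r->base != p) { lc_rep.invalid_free++; return; }
    if (r->state == LC_FREED) { lc_rep.double_free++; return; }
    r->state = LC_FREED;
}

/* End of the owner's life: every region still live at this point leaked. */
static int lc_leaks(void) {
    int n = 0;
    for (int i = 0; i < LC_MAX; i++) n += (lc_tab[i].state == LC_ALLOCATED);
    lc_rep.leak += n;
    return n;
}

/* Constructed scenario modelled on a driver's object life-cycle: a buffer
 * allocated at open, touched by ioctls, released at close. Steps that
 * violate the life-cycle are marked BUG. */
struct lc_report run_lifecycle_scenario(void) {
    lc_reset();
    unsigned char *buf = lc_alloc(32, "open");            /* allocated at open */
    unsigned char *tmp = lc_alloc(16, "ioctl:scratch");   /* scratch inside an ioctl */
    if (!buf || !tmp) exit(1);                 /* example assumes malloc succeeds */
    if (lc_deref(buf, 4)) memset(buf, 0x41, 4);           /* legal write */
    if (lc_deref(buf + 30, 4)) memset(buf + 30, 0x41, 4); /* BUG: 4 bytes at 30 of 32 */
    /* BUG: the ioctl error path returns without freeing tmp (counted by lc_leaks) */
    lc_free(buf);                                         /* BUG: early release in an ioctl */
    if (lc_deref(buf, 4)) memset(buf, 0x42, 4);           /* BUG: use-after-free */
    lc_free(buf);                                         /* BUG: close frees it again */
    lc_leaks();                                           /* tmp is still live: leak */
    return lc_rep;
}

int main(void) {
    struct lc_report r = run_lifecycle_scenario();
    printf("UAF=%d double-free=%d invalid-free=%d OOB=%d leak=%d\n", r.use_after_free,
           r.double_free, r.invalid_free, r.out_of_bounds, r.leak);
    return 0;
}
```

The point of the quarantine in lc_free is the practical caveat of this bug class: on a real kernel the freed slab object is reused almost immediately, so a use-after-free through the stale pointer reads and writes some other live object and the crash, if any, appears far from the bug. A life-cycle analysis that pairs each dereference with the allocation it came from does not depend on that reuse, which is why the report above attributes the second write to the freed region rather than to whatever would have occupied the address.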
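The second research point relies on "lightweight taint inference based on fuzzing": rather than propagating taint labels through every instruction, the fuzzer mutates one input byte at a time and watches which comparison operands change. The following is an added example, not code from the dissertation or from ovAFLow; it shows the mechanism on a constructed toy packet parser (two magic bytes, a length byte, payload, 8-bit checksum), whose branches go through a recording hook. The seed bytes, site numbering and the two XOR mutations per byte are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_SITES 4
#define MAX_IN 16

/* Operand trace of one execution: per instrumented comparison site, whether
 * it was reached and the two operand values it saw. */
struct trace { int reached[N_SITES]; uint32_t lhs[N_SITES], rhs[N_SITES]; };
static struct trace cur;

/* Lightweight hook that replaces a bare '==': it records the operands,
 * which is all the inference below needs. */
static int cmp_hook(int site, uint32_t a, uint32_t b) {
    cur.reached[site] = 1; cur.lhs[site] = a; cur.rhs[site] = b;
    return a == b;
}

/* Constructed target: a toy packet parser (2 magic bytes, length byte,
 * payload, 8-bit checksum). Every branch goes through cmp_hook. */
static int parse_packet(const uint8_t *in, size_t n) {
    if (n < 4) return -1;
    if (!cmp_hook(0, in[0], 0xCA)) return -1;             /* site 0: magic[0] */
    if (!cmp_hook(1, in[1], 0xFE)) return -1;             /* site 1: magic[1] */
    uint32_t len = in[2];
    if (!cmp_hook(2, len + 4, (uint32_t)n)) return -1;    /* site 2: length */
    uint32_t sum = 0;
    for (uint32_t i = 0; i < len; i++) sum = (sum + in[3 + i]) & 0xFF;
    if (!cmp_hook(3, sum, in[3 + len])) return -1;        /* site 3: checksum */
    return 0;
}

static void run_target(const uint8_t *in, size_t n) {
    memset(&cur, 0, sizeof cur);
    parse_packet(in, n);
}

/* Fuzzing-based taint inference: run the seed, then mutate one byte at a
 * time (two different mutations per byte, so a single unlucky mutation that
 * leaves an operand unchanged does not lose the dependency) and diff the
 * operand traces. taint[s] is a bitmask over input offsets whose mutation
 * changed the operands of site s. Sites the mutant no longer reaches are
 * skipped: that is a control dependency, and attributing it as taint would
 * mark the magic bytes as tainting every later comparison. */
static void infer_taint(const uint8_t *seed, size_t n, uint32_t taint[N_SITES]) {
    static const uint8_t muts[] = { 0xFF, 0x01 };   /* XOR masks */
    struct trace base;
    uint8_t buf[MAX_IN];
    if (n > MAX_IN) n = MAX_IN;
    run_target(seed, n);
    base = cur;
    memset(taint, 0, N_SITES * sizeof taint[0]);
    for (size_t i = 0; i < n; i++) {
        for (size_t m = 0; m < sizeof muts; m++) {
            memcpy(buf, seed, n);
            buf[i] ^= muts[m];
            run_target(buf, n);
            for (int s = 0; s < N_SITES; s++) {
                if (!base.reached[s] || !cur.reached[s]) continue;
                if (cur.lhs[s] != base.lhs[s] || cur.rhs[s] != base.rhs[s])
                    taint[s] |= 1u << i;
            }
        }
    }
}

/* Constructed seed that passes every check: CA FE, len 3, "abc", checksum 0x26. */
static const uint8_t demo_seed[] = { 0xCA, 0xFE, 0x03, 'a', 'b', 'c', 0x26 };

/* Input offsets (as a bitmask) inferred to taint one comparison site. */
uint32_t taint_of_site(int site) {
    uint32_t t[N_SITES];
    infer_taint(demo_seed, sizeof demo_seed, t);
    return (site >= 0 && site < N_SITES) ? t[site] : 0;
}

int main(void) {
    for (int s = 0; s < N_SITES; s++)
        printf("site %d depends on input offsets mask 0x%02x\n", s, taint_of_site(s));
    return 0;
}
```

On the seed above the inference attributes site 0 to offset 0, site 1 to offset 1, site 2 to offset 2 and the checksum comparison to offsets 3 through 6, with no trace of how the checksum is computed. A fuzzer uses such a map in two ways: when a comparison fails, it mutates only the bytes in that site's mask (so the checksum can be re-solved after a payload mutation without touching the magic bytes), and, placing the same hook on the arguments of memory operations such as copy lengths and array indices, it learns which input bytes control them and can prioritize seeds and mutations accordingly, which is the kind of targeting the seed selection strategy of this research point is after. The caveats are visible in the code: the result is specific to the seed's path, an operand derived from a single bit may survive both mutations unchanged, and the cost is one execution per byte per mutation rather than per-instruction propagation.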
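The third research point treats the choice of objective combination as a bandit problem and couples power scheduling to that choice. The following is an added example, not code from the dissertation or from MobFuzz; it reduces the idea to a single-player UCB1 bandit over four constructed objective combinations, with a power schedule that gives more energy to the combination whose empirical reward is higher (the multi-player extension and the non-dominated sorting genetic algorithm are not shown). The combination names and the hidden payoff table are assumptions; a real fuzzer derives the reward from its own feedback rather than from such a table.

```c
#include <stdint.h>
#include <stdio.h>

#define N_ARMS 4
#define BASE_ENERGY 64

/* Arms are objective combinations (constructed names). */
static const char *arm_name[N_ARMS] = {
    "coverage", "coverage+speed", "coverage+memops", "coverage+speed+memops" };

struct bandit { int pulls[N_ARMS]; double reward_sum[N_ARMS]; int t; };

/* sqrt and ln written out so the file builds with a plain cc and no -lm. */
static double my_sqrt(double v) {
    double r = v > 1 ? v : 1;
    for (int i = 0; i < 40; i++) r = 0.5 * (r + v / r);
    return r;
}
static double my_ln(double x) {                     /* x >= 1 */
    int k = 0;
    while (x >= 2) { x *= 0.5; k++; }
    double z = (x - 1) / (x + 1), z2 = z * z, term = z, s = 0;
    for (int i = 1; i < 60; i += 2) { s += term / i; term *= z2; }
    return 2 * s + k * 0.6931471805599453;
}

static double arm_mean(const struct bandit *b, int a) {
    return b->pulls[a] ? b->reward_sum[a] / b->pulls[a] : 0.0;
}

/* UCB1: pull every arm once, then the arm maximising mean + sqrt(2 ln t / pulls).
 * The bonus keeps unpromising combinations sampled occasionally, so the
 * choice adapts if the program's behaviour shifts as fuzzing progresses. */
static int ucb1_select(const struct bandit *b) {
    int best = 0; double best_score = -1.0;
    for (int a = 0; a < N_ARMS; a++) {
        if (b->pulls[a] == 0) return a;
        double score = arm_mean(b, a) + my_sqrt(2.0 * my_ln((double)b->t) / b->pulls[a]);
        if (score > best_score) { best_score = score; best = a; }
    }
    return best;
}

/* Power schedule coupled to the selection: energy (mutations per round)
 * scales with the chosen combination's empirical reward, with a floor so a
 * currently weak combination is still exercised. */
static int energy_for(const struct bandit *b, int a) {
    double mean = b->pulls[a] ? arm_mean(b, a) : 0.5;
    int e = (int)(BASE_ENERGY * (0.25 + mean));
    return e < BASE_ENERGY / 4 ? BASE_ENERGY / 4 : e;
}

/* Constructed environment: hidden per-combination probability that one
 * mutation makes progress (new edge, new path, crash). Stand-in for the
 * fuzzer's feedback; the bandit never reads this table directly. */
static const double hidden_payoff[N_ARMS] = { 0.20, 0.50, 0.80, 0.35 };
static uint64_t rng_state;

static double rng_uniform(void) {                   /* 64-bit LCG, top 32 bits -> [0,1) */
    rng_state = rng_state * 6364136223846793005ull + 1442695040888963407ull;
    return (double)(rng_state >> 32) / 4294967296.0;
}

/* Reward of one round: fraction of the energy's mutations that made progress. */
static double simulate_round(int a, int energy) {
    int hits = 0;
    for (int i = 0; i < energy; i++) hits += rng_uniform() < hidden_payoff[a];
    return (double)hits / energy;
}

/* The adaptive loop: select a combination, assign energy, fuzz, learn. */
struct bandit run_adaptive_fuzzing(int rounds) {
    struct bandit b = { {0}, {0}, 0 };
    rng_state = 0x9E3779B97F4A7C15ull;             /* fixed seed: deterministic demo */
    for (int i = 0; i < rounds; i++) {
        int a = ucb1_select(&b);
        double r = simulate_round(a, energy_for(&b, a));
        b.pulls[a]++; b.reward_sum[a] += r; b.t++;
    }
    return b;
}

/* Combination the bandit settled on: the most-pulled arm. */
int most_pulled_arm(const struct bandit *b) {
    int best = 0;
    for (int a = 1; a < N_ARMS; a++) if (b->pulls[a] > b->pulls[best]) best = a;
    return best;
}

int main(void) {
    struct bandit b = run_adaptive_fuzzing(2000);
    for (int a = 0; a < N_ARMS; a++)
        printf("%-24s pulls=%4d mean=%.3f energy=%d\n", arm_name[a], b.pulls[a],
               arm_mean(&b, a), energy_for(&b, a));
    printf("selected: %s\n", arm_name[most_pulled_arm(&b)]);
    return 0;
}
```

Because the reward of a round is a per-mutation rate rather than a raw count, a combination is not rewarded merely for having been given more energy, which is the coupling that keeps the power schedule from reinforcing whatever arm it happened to favour first. The exploration bonus is what makes the selection adaptive rather than a one-time ranking: if the hidden payoffs were to change mid-run, the bonus on the under-pulled arms grows with ln t and they are re-tried.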
Keywords/Search Tags:Vulnerability discovery, Operating system kernels, Memory life-cycle, Static analysis, Taint inference, Fuzzing, Multi-objective optimization