DocumentCode :
2643565
Title :
Combining Static and Dynamic Analysis to Discover Software Vulnerabilities
Author :
Zhang, Ruoyu ; Huang, Shiqiu ; Qi, Zhengwei ; Guan, Haibin
Author_Institution :
Shanghai Key Lab. of Scalable Comput. & Syst., Shanghai Jiao Tong Univ., Shanghai, China
fYear :
2011
fDate :
June 30 2011-July 2 2011
Firstpage :
175
Lastpage :
181
Abstract :
Dynamic taint analysis has recently proved very effective in solving security problems, especially in software vulnerability detection and malicious behavior prevention. Unfortunately, most current research in this field focuses on runtime protection and is incapable of discovering potential threats in the software. This paper describes a novel approach that overcomes this limitation of traditional dynamic taint analysis by integrating static analysis into the system, and presents the framework SDCF. The framework translates the binary into assembly code and tracks the data flow. Then, using static methods, the system can obtain important information that can't be gained at runtime, such as the unexecuted part of the code. Once this information is acquired, it is provided to the client tools. The practicability of the framework is validated by implementing and evaluating a tool built on SDCF. The experimental results show that our system is able to detect latent software vulnerabilities efficiently.
Keywords :
program diagnostics; security of data; assembly code; dynamic analysis; dynamic taint analysis; malicious behavior prevention; runtime protection; security problems; software vulnerabilities; software vulnerability detection; static analysis; Monitoring; Optimization; Performance analysis; Registers; Runtime; Software; Testing; Code Coverage; Data Flow Analysis; Software Vulnerability; Taint Analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2011 Fifth International Conference on
Conference_Location :
Seoul
Print_ISBN :
978-1-61284-733-7
Electronic_ISBN :
978-0-7695-4372-7
Type :
conf
DOI :
10.1109/IMIS.2011.59
Filename :
5976182