Institutional Repository
| 类Unix文件系统中TOCTTOU缺陷的静态分析方法 | |
| 韩伟; 贺也平 | |
| 2011 | |
| Source | 计算机研究与发展
 |
| ISSN | 10001239 |
| Volume | 48Issue:8Pages:1430-1437 |
| English Abstract | 文件系统中的TOCTTOU缺陷是类Unix操作系统面临的一个严重安全问题,现有的静态检测方法具有很高的误报率.原因有2点:一是对导致TOCTTOU缺陷的函数对缺乏精确定义和分析;二是分析过程过度抽象,忽略了很多重要的程序信息.因此,首先对TOCTTOU缺陷进行了分类,并系统分析了C标准库中可以导致TOCTTOU缺陷的函数对.在此基础上,提出了一种TOCTTOU缺陷的静态分析方法,利用有限状态安全属性刻画TOCTTOU缺陷,分析精度达到了过程内路径敏感、过程间流敏感.实验结果表明,该方法能够有效检测C程序中的TOCTTOU缺陷,相比现有方法,有效降低了误报率. |
| Abstract | TOCTTOU is a serious threat to Unix-style file systems. All the existing static detection methods have high false positive rate. There are two reasons: firstly, the function pairs which may cause TOCTTOU vulnerabilities are not defined and enumerated accurately; and secondly, the methods make an over-approximation of the program and omit a lot of useful information. In this paper, we first systematically examine the TOCTTOU pairs in the standard C library. On this basis, a static analysis method is presented to detect the TOCTTOU vulnerabilities. Vulnerability is expressed as a finite safety state property. At each program point, a value is associated to a set of states. To make the analysis more precise, the algorithm is inter-procedurally flow sensitive and intra-procedurally path sensitive. To achieve scalability, the safety state property of each procedural is analyzed independently and the inter-procedurally analysis is summary based. The experimental results show that this method can effectively find TOCTTOU vulnerabilities in C programs. In comparison with other static methods, this method can effectively reduce false positive rate. |
| Keyword | Tocttou缺陷 文件竞争条件 静态分析 流敏感分析 路径敏感分析c (Programming Language) Unix |
| Department | 基础软件国家工程中心(中国科学院软件研究所);中国科学院研究生院;石家庄铁道大学信息科学与技术学院 |
| Language | 中文 |
| Content Type | 期刊论文 |
| URI | http://ir.iscas.ac.cn/handle/311060/13851 |
| Collection | 基础软件国家工程研究中心 |
| Recommended Citation GB/T 7714 | 韩伟,贺也平. 类Unix文件系统中TOCTTOU缺陷的静态分析方法[J]. 计算机研究与发展,2011,48(8):1430-1437. |
| APA | 韩伟,&贺也平.(2011).类Unix文件系统中TOCTTOU缺陷的静态分析方法.计算机研究与发展,48(8),1430-1437. |
| MLA | 韩伟,et al."类Unix文件系统中TOCTTOU缺陷的静态分析方法".计算机研究与发展 48.8(2011):1430-1437. |
| Files in This Item: | ||||||
| File Name/Size | DocType | Version | Access | License | ||
| 类Unix文件系统中TOCTTOU缺陷的(1036KB) | 开放获取 | -- | Application Full Text | |||
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
Edit Comment