Research on Vulnerability Attack Detection at the Binary Code Level
Abstract
Network attacks have posed a serious threat to the Internet and its users ever since the Morris worm appeared in the 1980s. The root cause of these attacks is software vulnerabilities. Although industry and academia have proposed many techniques to protect software and operating system security, the number of attacks keeps growing, and exploitation techniques keep evolving, from buffer overflows to the recent Return-Oriented Programming (ROP) attacks. Vulnerability attack detection is a hot research topic in information security, and detecting attacks at the binary code level in particular is the focus of industry attention, but the complexity of x86 instructions and WYSINWYX (What You See Is Not What You Execute) pose many challenges to detection.
Detecting attacks at the binary code level is useful not only for defending against attacks but also for vulnerability analysis and zero-day vulnerability discovery, and it helps in designing more effective compiler-level and operating-system-level defense mechanisms. However, current vulnerability attack detection techniques have several problems. First, a considerable portion of defense and detection methods require source code, which commercial software does not provide. Second, most defense techniques are purely static or purely dynamic analysis, sacrificing either accuracy or efficiency without combining the two; in particular, no suitable detection method has yet been found for the latest ROP attacks. In general, the evolution of vulnerability attacks places new demands on attack detection, and the classic defenses represented by stack canaries, NX and signature matching can no longer meet the detection needs for current attacks.
This dissertation conducts in-depth and detailed research on three areas, dynamic taint analysis, control flow security and complex shellcode, and achieves results in four aspects:
1. Several techniques are proposed to strengthen dynamic taint analysis so that it accurately detects an important class of attacks, memory overflow attacks, while improving system efficiency. First, an efficient shadow memory is designed and implemented that can store and query shadow bits with low time and space complexity. A hierarchical structural analysis of x86 instructions is proposed, which effectively overcomes the complexity of x86 instructions and is used to formulate accurate taint propagation policies. Traditional taint analysis propagates taint only at the instruction level and lacks procedure-level propagation; to address this, two techniques are proposed to improve the accuracy and efficiency of procedure-level taint propagation, namely clearing residual taint from function local variables and function summaries. A prototype system, MANGO, is implemented on a dynamic instrumentation tool and tested against real attacks; the experimental results show that MANGO effectively detects memory overflow attacks and that system efficiency is improved.
2. A new ROP attack detection method is proposed. Current detection techniques rely on certain features of ROP to detect attacks but cannot accurately distinguish normal instruction execution from ROP attacks, so their false positive rates are high. By analyzing real ROP code, this dissertation identifies the manifested features and functional features of ROP and uses them as the basis for detection. In addition, purely dynamic analysis has a large impact on program performance and cannot stop an attack before gadgets execute, so this dissertation proposes the idea of black-box gadget emulation to improve detection efficiency and effectiveness. The prototype system is implemented on a dynamic instrumentation tool; ROP attack samples are generated from real shellcode with an automated tool and used for testing, and the experimental results show that the proposed method outperforms current ROP attack detection methods in both detection accuracy and efficiency.
3. A function pointer attack detection method based on address integrity checking, FPGuard, is proposed. Its idea is to determine whether the target address of an indirect jump instruction lies within the range of a legal function. The biggest difference between FPGuard and CFI is that FPGuard's checking code resides outside the program, which allows indirect jump instructions to be analyzed effectively. Besides traditional injection attacks, an attacker may also use function pointer overwriting to mount ROP attacks, and the experiments in this dissertation also found that C++ programs have multiple function entry points. A two-stage detection method is proposed: the first stage is a coarse-grained range check, and the second stage is fine-grained black-box gadget emulation (used to detect ROP attacks). Tested against real attacks, FPGuard accurately detects injected code and ROP attacks, and because FPGuard uses an efficient data structure to store and query function address information, high efficiency is maintained. FPGuard is the first technique that can detect both injected-code attacks and ROP attacks mounted by overwriting function pointers.
4. An effective method for detecting self-modifying polymorphic shellcode (SMPS) is proposed. From real SMPS samples, we observed that an important characteristic of SMPS is dynamic generation of code bytes, and based on this characteristic an effective detection algorithm combining static and dynamic analysis is proposed. First, the static code bytes are obtained by disassembly; then the payload is executed in an emulator and the two are compared: if they differ, SMPS is detected. To filter out normal payloads, a simple and effective filtering mechanism is implemented. Testing on real SMPS samples provided by Metasploit shows very good detection results, and a false positive test on normal network traffic shows a low false positive rate.
Network attacks have posed great threats since the Morris worm in the 1980s, and the root cause of various attacks is software vulnerability. The number of attacks has been in steady growth, even though industry and academia have proposed a bunch of techniques to protect software and operating system security. Attacking techniques have kept developing, from buffer overflow to the recent Return-Oriented Programming (ROP). Vulnerability attack detection is a hot area in information security, and binary code-level detection especially is the focus in industry; however, the complexity of x86 instructions and WYSINWYX (What You See Is Not What You Execute) give rise to many challenges.
Binary code-level detection can not only defend against attacks, but also provide suggestions for vulnerability analysis and zero-day vulnerability mining. It is also beneficial to the design of effective compiler- and OS-level defenses. However, current detection techniques against attacks have several vital limitations. First, a large fraction of defense techniques require source code, which is unavailable for commercial software, and thus binary code analysis is a must; second, most detection techniques are pure static or dynamic analysis that sacrifices accuracy or efficiency, and there is no seamless combination. In particular, for recent ROP attacks there is no effective defense. In brief, current attacks demand new defense techniques, but classical defenses such as stack canaries, NX and signature matching are unable to meet the demands.
This dissertation performs in-depth and elaborate research in three categories, including dynamic taint analysis, control flow integrity and complex shellcode. We achieve four major contributions:
1. Several novel techniques are proposed to strengthen dynamic taint analysis, so that it is able to accurately detect a major attack form, the memory corruption attack. An efficient shadow memory is designed and implemented, which can store and query shadow bits in low time and space complexity. A structured and hierarchical analysis of x86 instructions is proposed, which overcomes the difficulty of x86 instruction complexity; using this instruction analysis, we design accurate taint propagation policies. Traditional taint analysis propagates taint values only at the instruction level, lacking procedure-level propagation. Two techniques are proposed to enhance the effectiveness and accuracy of procedure-level propagation: clearing of remaining taint data and function summaries. The prototype system, MANGO, is developed using a dynamic binary instrumentation tool. The system is evaluated with real-world attacks, and experiment results demonstrate that our system can effectively detect memory corruption attacks; moreover, system performance has also improved.
2. A novel technique against ROP is proposed. Current approaches rely on partial features of ROP for detection, but they are unable to accurately distinguish normal instruction execution from ROP attacks, which may cause high false positives. Through a study of real ROP exploits, we establish the manifested feature and functional feature of ROP and use them to detect ROP attacks. Meanwhile, pure dynamic analysis incurs high overhead and, more importantly, cannot block an attack before gadgets are executed. We propose a new technique, black-box gadget emulation, to overcome these problems. The prototype system is built with dynamic binary instrumentation. ROP exploits are generated with an automatic tool. Experiment results show our system is superior to existing ROP detection techniques in terms of both accuracy and efficiency.
3. A new function pointer defense technique called FPGuard is proposed. FPGuard works by address sanitizing: it checks whether indirect jump targets fall within the legal function address space. The major difference between FPGuard and CFI is that the checking code of FPGuard is placed outside the program, which lets it analyze indirect jumps. Besides traditional code injection attacks, attackers are still able to mount ROP attacks. We also found that there are non-entry function calls in C++ programs. A two-step detection technique is proposed: the first step is a coarse-grained range check, and the second step is fine-grained black-box gadget emulation. By evaluating real-world exploits, FPGuard can accurately detect code injection and ROP attacks. System performance is guaranteed, as FPGuard uses an efficient data structure to store and query function address information. FPGuard is the first system that can detect both code injection and ROP attacks mounted by overwriting function pointers.
4. A technique for detecting Self-Modifying Polymorphic Shellcode (SMPS) is proposed. By studying real SMPS samples, we found that a major characteristic of SMPS is dynamic code generation. Based on this feature, we propose an effective detection technique combining static and dynamic analysis. First, it obtains the static code bytes by disassembling, and then obtains the dynamic code bytes by emulation. If the static and dynamic code differ, an SMPS instance is identified. A simple and effective filtering method is used to filter normal payloads. We evaluate the system with SMPS instances generated by Metasploit, and the results show it achieves satisfactory results; by evaluating false positives with innocuous flows, it reveals that the false positive rate is very low.
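The following is an added illustration of the ideas in contribution 1 (this is not MANGO's code, and the dissertation does not publish its data layout or propagation rules): a two-level shadow memory that keeps one taint bit per byte of a 32-bit address space and allocates second-level pages lazily, a small instruction-level propagation policy for a few x86 instruction classes, procedure-level clearing of residual taint when a function returns, and the classic tainted-return-address check that turns taint tracking into memory corruption detection. The page size, register numbering, instruction model and all addresses below are constructed assumptions for the example.

```c
/* Added example, not the dissertation's MANGO code: lazily allocated two-level
 * shadow memory (1 taint bit per byte), instruction-level taint propagation,
 * residual-taint clearing on return, and a tainted-return-address check.
 * Addresses, register numbers and the instruction model are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define L2_BITS  20                        /* each second-level page covers 1 MiB */
#define L1_SIZE  (1u << (32 - L2_BITS))    /* 4096 first-level slots */
#define L2_SPAN  (1u << L2_BITS)

static uint8_t *shadow_l1[L1_SIZE];        /* NULL slot == whole 1 MiB untainted */
static int reg_taint[8];                   /* one taint flag per general register */

static uint8_t *shadow_page(uint32_t addr, int create)
{
    uint32_t idx = addr >> L2_BITS;
    if (shadow_l1[idx] == NULL && create)
        shadow_l1[idx] = calloc(L2_SPAN / 8, 1);   /* 128 KiB of shadow bits */
    return shadow_l1[idx];
}

int shadow_get(uint32_t addr)              /* O(1): two indexings, no allocation */
{
    uint8_t *pg = shadow_page(addr, 0);
    uint32_t off = addr & (L2_SPAN - 1);
    return pg ? (pg[off >> 3] >> (off & 7)) & 1 : 0;
}

void shadow_set(uint32_t addr, int taint)
{
    uint8_t *pg = shadow_page(addr, 1);
    uint32_t off = addr & (L2_SPAN - 1);
    if (!pg) { perror("calloc"); exit(1); }
    if (taint) pg[off >> 3] |=  (uint8_t)(1u << (off & 7));
    else       pg[off >> 3] &= (uint8_t)~(1u << (off & 7));
}

int shadow_range_tainted(uint32_t addr, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++)
        if (shadow_get(addr + i)) return 1;
    return 0;
}

void shadow_range_set(uint32_t addr, uint32_t len, int taint)
{
    for (uint32_t i = 0; i < len; i++) shadow_set(addr + i, taint);
}

/* Instruction-level policy for a few instruction classes (4-byte operands). */
void taint_mov_rr(int dst, int src)      { reg_taint[dst] = reg_taint[src]; }
void taint_mov_rm(int dst, uint32_t a)   { reg_taint[dst] = shadow_range_tainted(a, 4); }
void taint_mov_mr(uint32_t a, int src)   { shadow_range_set(a, 4, reg_taint[src]); }
void taint_add_rr(int dst, int src)      { reg_taint[dst] |= reg_taint[src]; }
void taint_xor_rr(int dst, int src)      /* xor r,r yields a constant: clear taint */
{
    reg_taint[dst] = (dst == src) ? 0 : (reg_taint[dst] | reg_taint[src]);
}

/* Procedure-level rule: taint left in a dead stack frame must not be inherited
 * by whatever the caller later places at the same addresses. */
void taint_on_return(uint32_t frame_lo, uint32_t frame_hi)
{
    shadow_range_set(frame_lo, frame_hi - frame_lo, 0);
}

/* On ret: a tainted return address means attacker-controlled data reached
 * control data, i.e. a memory corruption. Returns 1 on detection. */
int check_ret(uint32_t ret_slot) { return shadow_range_tainted(ret_slot, 4); }

/* Constructed scenario: a 16-byte local buffer at 0xBFFF0000 receives 24 tainted
 * bytes from the network, overrunning saved EBP and the return address. */
int demo_stack_overflow(void)
{
    uint32_t buf = 0xBFFF0000u, ret_slot = buf + 16 + 4;
    shadow_range_set(buf, 24, 1);          /* taint source: network input */
    return check_ret(ret_slot);            /* 1 = attack detected */
}

/* Constructed scenario: taint flows through registers; xor eax,eax clears it. */
int demo_register_policy(void)
{
    uint32_t src = 0x08050000u, dst = 0x08050100u;
    shadow_range_set(src, 4, 1);
    taint_mov_rm(0, src);                  /* mov eax,[src]  -> eax tainted  */
    taint_mov_rr(1, 0);                    /* mov ebx,eax    -> ebx tainted  */
    taint_xor_rr(0, 0);                    /* xor eax,eax    -> eax clean    */
    taint_add_rr(0, 1);                    /* add eax,ebx    -> eax tainted  */
    taint_mov_mr(dst, 0);                  /* mov [dst],eax  -> dst tainted  */
    int after_add = shadow_range_tainted(dst, 4);
    taint_xor_rr(1, 1);                    /* xor ebx,ebx    -> ebx clean    */
    taint_mov_mr(dst, 1);                  /* mov [dst],ebx  -> dst clean    */
    return after_add == 1 && shadow_range_tainted(dst, 4) == 0;   /* 1 = as expected */
}

/* Constructed scenario: a callee left tainted locals; the return clears them. */
int demo_residual_clear(void)
{
    uint32_t frame_lo = 0xBFFE0000u, frame_hi = frame_lo + 64;
    shadow_range_set(frame_lo + 8, 16, 1);
    taint_on_return(frame_lo, frame_hi);
    return shadow_range_tainted(frame_lo, 64) == 0;               /* 1 = as expected */
}

int main(void)
{
    printf("stack overflow detected: %d\n", demo_stack_overflow());
    printf("register policy ok: %d, residual clear ok: %d\n",
           demo_register_policy(), demo_residual_clear());
    return 0;
}
```

The first-level table costs 16 KiB of pointers and each 1 MiB region that is ever tainted costs 128 KiB, so untouched address space costs nothing; a real tracker would also propagate through memory-to-memory moves, string instructions and flag-dependent arithmetic, which the x86 hierarchy analysis in the dissertation is meant to organize.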
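The following is an added illustration of FPGuard's coarse-grained first stage as described above (this is not FPGuard's code; the dissertation does not publish its data structure): the target of an indirect jump is checked against a table of legal function ranges [start, end) that is sorted once and then searched by binary search. Any address inside a legal function body is accepted rather than only the entry point, because the abstract reports non-entry function calls in C++ programs; an entry-only variant is included for comparison. The second stage, black-box gadget emulation, is not shown. The function table and all target addresses are constructed for the example.

```c
/* Added example, not FPGuard's code: stage-one range check of an indirect
 * jump target against sorted function ranges. The table and targets are
 * constructed; the 32-bit addresses mimic a small x86 binary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint32_t start, end; } func_range;   /* half-open [start, end) */

static int cmp_start(const void *a, const void *b)
{
    uint32_t x = ((const func_range *)a)->start, y = ((const func_range *)b)->start;
    return (x > y) - (x < y);
}

/* Sort once when the function address information is loaded, so that each
 * check on the hot path is O(log n). */
void func_table_init(func_range *tbl, size_t n)
{
    qsort(tbl, n, sizeof *tbl, cmp_start);
}

/* Index of the last range whose start <= target, or -1 if none. */
static long find_range(const func_range *tbl, size_t n, uint32_t target)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tbl[mid].start <= target) lo = mid + 1; else hi = mid;
    }
    return lo == 0 ? -1 : (long)(lo - 1);
}

/* Stage one: 1 if target lies inside some legal function, else 0 (suspect:
 * injected code on stack/heap, or a jump into a gap between functions). */
int range_check(const func_range *tbl, size_t n, uint32_t target)
{
    long i = find_range(tbl, n, target);
    return i >= 0 && target < tbl[i].end;
}

/* Stricter entry-only check, for comparison: it rejects the legitimate
 * non-entry call targets observed in C++ programs (a false positive). */
int entry_check(const func_range *tbl, size_t n, uint32_t target)
{
    long i = find_range(tbl, n, target);
    return i >= 0 && tbl[i].start == target;
}

/* Constructed function table of a small binary, deliberately unsorted. */
static func_range demo_table[] = {
    { 0x00402000u, 0x00402500u },
    { 0x00401000u, 0x00401080u },
    { 0x00401080u, 0x00401200u },
};
#define DEMO_N (sizeof demo_table / sizeof demo_table[0])

/* Returns 1 when every constructed case behaves as expected. */
int demo_fpguard_stage1(void)
{
    func_table_init(demo_table, DEMO_N);
    int ok = 1;
    ok &= range_check(demo_table, DEMO_N, 0x00401080u) == 1;  /* ordinary entry point      */
    ok &= entry_check(demo_table, DEMO_N, 0x00401080u) == 1;
    ok &= range_check(demo_table, DEMO_N, 0x00401010u) == 1;  /* C++ non-entry target: ok  */
    ok &= entry_check(demo_table, DEMO_N, 0x00401010u) == 0;  /* entry-only check rejects  */
    ok &= range_check(demo_table, DEMO_N, 0x00401200u) == 0;  /* one past a function end   */
    ok &= range_check(demo_table, DEMO_N, 0x0C0C0C0Cu) == 0;  /* heap address              */
    ok &= range_check(demo_table, DEMO_N, 0xBFFF1234u) == 0;  /* stack address             */
    ok &= range_check(demo_table, DEMO_N, 0x00000000u) == 0;  /* below every function      */
    return ok;
}

int main(void)
{
    printf("FPGuard stage-1 demo: %s\n",
           demo_fpguard_stage1() ? "all cases as expected" : "MISMATCH");
    return 0;
}
```

A target that passes the range check can still be the start of a gadget inside a legitimate function, which is why the abstract pairs this cheap check with fine-grained gadget emulation as the second stage; the range check alone only rules out targets outside any function, such as injected code.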