C語言同時擁有高階語言與低階語言的許多優點,執行效率高、能直接控制硬體、可移植性佳,因此非常廣泛地被採用;根據TIOBE INDEX網站的熱門語言排行榜,C語言從1989年至今都一直維持在前2名。 但是C語言先天上有許多問題,容易導致程式人員寫出不安全的程式碼,再加上因其悠久的歷史累積了大量的既有程式碼 (legacy code),因此大多仰賴動態分析或靜態分析工具來找出這些漏洞;其中C語言中的TOCTOU (time of check to time of use) 漏洞一旦遭利用將導致嚴重的系統安全問題,雖然陸續都有學者提出動態或靜態的分析方法,其結果卻不盡理想。 本論文提出結合符號執行 (symbolic execution) 與參數追蹤的偵測方法,做到精確的靜態分析,並且能處理變數別名與函數別名的狀況;再以Clang Static Analyzer實作出工具,並以命令列介面以及網頁形式呈現偵測結果,最後以Juliet Test Suite檢驗此分析的準確性,再分別與文獻提出的方法以及業界常用的C靜態工具進行比較分析。 ;C language has many advantages of high-level language and low-level language, such as high execution efficiency, direct control of hardware, and good portability, hence it is widely used in the industry. According to the popular programming language list of TIOBE INDEX website, C language has maintained its position in the top 2 since 1989. However, C language has many inborn problems, which is likely to cause programmers to write unsafe codes. In addition, it has accumulated a large number of legacy codes due to its long history. Therefore, most programmers rely on dynamic analysis or static analysis tools to identify these vulnerabilities. TOCTOU (time of check to time of use), one of those vulnerabilities, will lead to serious system security problems once abused. Although scholars have proposed some detection methods, the results are not ideal. We propose a detection method which combines symbolic execution and parameter tracking. The proposed method is able to detect TOCTOU more accurately, and deal with alias problems of variables and functions. Moreover, we implement this method with Clang Static Analyzer and present the detection result through command line and web pages. Finally, the tool we implemented is tested by Juliet Test Suite to verify its accuracy, and compared with the methods proposed in the literature and the C static tools commonly used in the industry.
