中大機構典藏-NCU Institutional Repository-提供博碩士論文、考古題、期刊論文、研究計畫等下載:Item 987654321/81057
English  |  正體中文  |  简体中文  |  Items with full text/Total items : 81570/81570 (100%)
Visitors : 47035586      Online Users : 241
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
    •  Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/81057


    Title: TOCTOU 漏洞的靜態分析與實作;Static Analysis and Implementation of TOCTOU Vulnerability
    Authors: 曾耀儂;Tseng, Yao-Nang
    Contributors: 資訊工程學系
    Keywords: TOCTOU 漏洞;靜態分析;LLVM;Clang Static Analyzer;TOCTOU vulnerability;Static analysis;LLVM;Clang Static Analyzer
    Date: 2019-06-28
    Issue Date: 2019-09-03 15:31:43 (UTC+8)
    Publisher: 國立中央大學
    Abstract: C語言同時擁有高階語言與低階語言的許多優點,執行效率高、能直接控制硬體、可移植性佳,因此非常廣泛地被採用;根據TIOBE INDEX網站的熱門語言排行榜,C語言從1989年至今都一直維持在前2名。
    但是C語言先天上有許多問題,容易導致程式人員寫出不安全的程式碼,再加上因其悠久的歷史累積了大量的既有程式碼 (legacy code),因此大多仰賴動態分析或靜態分析工具來找出這些漏洞;其中C語言中的TOCTOU (time of check to time of use) 漏洞一旦遭利用將導致嚴重的系統安全問題,雖然陸續都有學者提出動態或靜態的分析方法,其結果卻不盡理想。
    本論文提出結合符號執行 (symbolic execution) 與參數追蹤的偵測方法,做到精確的靜態分析,並且能處理變數別名與函數別名的狀況;再以Clang Static Analyzer實作出工具,並以命令列介面以及網頁形式呈現偵測結果,最後以Juliet Test Suite檢驗此分析的準確性,再分別與文獻提出的方法以及業界常用的C靜態工具進行比較分析。
    ;C language has many advantages of high-level language and low-level language, such as high execution efficiency, direct control of hardware, and good portability, hence it is widely used in the industry. According to the popular programming language list of TIOBE INDEX website, C language has maintained its position in the top 2 since 1989.
    However, C language has many inborn problems, which is likely to cause programmers to write unsafe codes. In addition, it has accumulated a large number of legacy codes due to its long history. Therefore, most programmers rely on dynamic analysis or static analysis tools to identify these vulnerabilities. TOCTOU (time of check to time of use), one of those vulnerabilities, will lead to serious system security problems once abused. Although scholars have proposed some detection methods, the results are not ideal.
    We propose a detection method which combines symbolic execution and parameter tracking. The proposed method is able to detect TOCTOU more accurately, and deal with alias problems of variables and functions. Moreover, we implement this method with Clang Static Analyzer and present the detection result through command line and web pages. Finally, the tool we implemented is tested by Juliet Test Suite to verify its accuracy, and compared with the methods proposed in the literature and the C static tools commonly used in the industry.
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation

    Files in This Item:

    File Description SizeFormat
    index.html0KbHTML165View/Open


    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明