Cite this article
  • Mao Lingchu, Li Ruilin, Wang Xiaolei, Tang Chaojing. VulRechecker: A Precise Memory Error Detection Method Based on Pointer Tagging [J]. Journal of Cyber Security, accepted.
VulRechecker: A Precise Memory Error Detection Method Based on Pointer Tagging
Mao Lingchu, Li Ruilin, Wang Xiaolei, Tang Chaojing
(College of Electronic Science and Technology, National University of Defense Technology)
DOI:
Submitted: 2025-06-28   Revised: 2025-10-30
Funding: China Postdoctoral Science Foundation
Abstract:
With the surge in network attack incidents, memory corruption vulnerabilities have become a focus of information security research because of their direct threat to system confidentiality, integrity, and availability. Fuzzing, the mainstream detection approach, combined with Sanitizer-based tools, efficiently identifies memory corruption vulnerabilities such as buffer overflows and use-after-free (UAF), driving the rapid growth of vulnerability databases (e.g., CVE). However, existing Sanitizer technologies suffer from a significant defect: their intrusive memory checks alter the program's memory layout, which may lead to misreporting of vulnerability types (e.g., misclassifying the kind of bug) and misjudgment of crash locations, severely undermining the reliability of vulnerability repair and exploit analysis. This paper addresses these issues by proposing VulRechecker, a non-intrusive memory vulnerability detection method based on pointer tagging. Leveraging the 16 unused high-order bits of pointers on 64-bit systems, the method stores memory allocation boundary information in a separate metadata table via compile-time instrumentation and dynamically verifies the legitimacy of memory accesses at runtime. Without altering the original memory layout, it enables precise and effective detection for both heap and stack objects, providing critical support for subsequent analysis of memory corruption vulnerabilities. Compared with traditional memory safety detection tools (Sanitizers), this scheme offers two advantages: first, by separating metadata storage, it fully preserves the original program memory layout, avoiding execution deviations caused by memory structure tampering; second, fine-grained checks based on pointer boundary information accurately report vulnerability types (e.g., heap buffer overflows), significantly reducing false positives.
Experiments show that VulRechecker markedly reduces false positives compared to AddressSanitizer, achieving zero false positives on 8 memory corruption vulnerability subsets (CWE121, CWE122, CWE124, CWE126, CWE127, CWE415, CWE416, CWE761) of the Juliet Test Suite and on 13 real-world CVE vulnerabilities from basic component libraries (e.g., libming, binutils). Finally, a detailed comparison of the memory layouts of the original program, the AddressSanitizer-instrumented program, and the VulRechecker-instrumented program shows that the method enables high-precision detection of memory corruption vulnerabilities without affecting the program's native behavior, providing more reliable technical support for vulnerability diagnosis and repair and significantly enhancing the practicality of automated vulnerability detection systems.
Key words: memory corruption vulnerabilities; non-intrusive detection; pointer tagging; vulnerability false positives
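As an added illustration (not the paper's code), the following C sketch shows the mechanism the abstract describes: a 16-bit tag in the unused high bits of a 64-bit pointer indexes a separate bounds table, so a one-byte heap overflow or a use-after-free is diagnosed without adding redzones or otherwise changing the object's layout. The table layout, the one-fresh-tag-per-allocation policy, the 48-bit user address space and all function names are assumptions of this demo; in VulRechecker the allocator hooks and access checks are inserted by compile-time instrumentation.

```c
#include <stdint.h>
#include <stdlib.h>

/* Tag = the 16 high-order bits that user-space pointers leave unused on 64-bit
 * systems with 48-bit virtual addresses (assumed here). Tag 0 = untracked. */
#define TAG_SHIFT 48
#define ADDR_MASK ((1ULL << TAG_SHIFT) - 1)

typedef struct { uintptr_t base; size_t size; int live; } bounds_t;
static bounds_t table[1u << 16];   /* metadata lives here, not beside the object */
static uint16_t next_tag = 1;      /* hypothetical policy: one fresh tag per allocation */

static uint16_t ptr_tag(const void *p) { return (uint16_t)((uintptr_t)p >> TAG_SHIFT); }
static uintptr_t strip(const void *p) { return (uintptr_t)p & ADDR_MASK; }

/* Allocates exactly n bytes like malloc: no redzones, so the heap layout
 * matches the uninstrumented program. */
void *tagged_malloc(size_t n) {
    void *raw = malloc(n);
    if (!raw || next_tag == 0) return raw;        /* tag space exhausted: hand out untracked */
    uint16_t t = next_tag++;
    table[t] = (bounds_t){ (uintptr_t)raw, n, 1 };
    return (void *)(strip(raw) | ((uintptr_t)t << TAG_SHIFT));
}

void tagged_free(void *p) {
    uint16_t t = ptr_tag(p);
    if (t) table[t].live = 0;                     /* keep bounds so a later use is diagnosed */
    free((void *)strip(p));
}

/* Check inserted before each load/store of len bytes through p:
 * 0 = in bounds, 1 = out of bounds, 2 = use-after-free. */
int check_access(const void *p, size_t len) {
    uint16_t t = ptr_tag(p);
    if (t == 0) return 0;                         /* untracked pointer: nothing to check */
    const bounds_t *b = &table[t];
    uintptr_t addr = strip(p);
    if (!b->live) return 2;
    if (addr < b->base || addr + len > b->base + b->size) return 1;
    return 0;
}

/* One byte past a 16-byte buffer is reported as overflow (1), a read after
 * free as UAF (2), the in-bounds read as 0: packed result is 12. */
int demo(void) {
    char *buf = tagged_malloc(16);
    int in_bounds = check_access(buf + 15, 1);
    int overflow  = check_access(buf + 16, 1);
    tagged_free(buf);
    int uaf = check_access(buf, 1);
    return in_bounds * 100 + overflow * 10 + uaf;
}
```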