
CN119939590B - A method, device and apparatus for detecting vulnerabilities in binary code - Google Patents

A method, device and apparatus for detecting vulnerabilities in binary code

Info

Publication number
CN119939590B
Authority
CN
China
Prior art keywords
vulnerability
training
potential
points
code
Prior art date
Legal status
Active
Application number
CN202411773747.0A
Other languages
Chinese (zh)
Other versions
CN119939590A (en)
Inventor
冯博
郭胜贤
唐宁宁
任奎
Current Assignee
Hangzhou High Tech Zone Binjiang Blockchain And Data Security Research Institute
Zhejiang University ZJU
Original Assignee
Hangzhou High Tech Zone Binjiang Blockchain And Data Security Research Institute
Zhejiang University ZJU
Application filed by Hangzhou High Tech Zone Binjiang Blockchain And Data Security Research Institute and Zhejiang University ZJU
Priority to CN202411773747.0A
Publication of CN119939590A
Application granted
Publication of CN119939590B
Legal status: Active
Anticipated expiration

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract


The present application relates to a vulnerability detection method, device and equipment for binary code. It includes: obtaining the code to be detected, and generating a corresponding extension dependency graph based on the code to be detected; identifying potential vulnerability manifestation points and corresponding potential vulnerability root points in the extension dependency graph, and dividing the extension dependency graph based on the potential vulnerability manifestation points and the corresponding potential vulnerability root points to obtain at least one extension dependency subgraph; inputting the extension dependency subgraph into a well-trained graph neural vulnerability detection model to obtain the corresponding vulnerability detection result. The graph neural vulnerability detection model is trained based on a preset training sample set; the training sample set carries a vulnerability authenticity label and a vulnerability type label. The use of this method can improve the accuracy and efficiency of vulnerability detection for binary code, and can accurately locate vulnerabilities and analyze vulnerability types.

Description

Vulnerability detection method, device and equipment for binary codes
Technical Field
The present application relates to the field of computer software security technologies, and in particular, to a method, an apparatus, and a device for detecting a vulnerability of a binary code.
Background
Security is crucial for software programs: if a vulnerability in a program is exploited by an attacker, serious consequences such as program crashes and privacy disclosure follow. However, vulnerabilities cannot be completely avoided when programmers write code by hand, and in practice a vulnerability introduced by a third-party library often propagates to downstream binary code. Detecting vulnerabilities in binary code is therefore an important checkpoint for software security. In the prior art, most vulnerability detection schemes target source code such as C/C++; these tools cannot be applied directly to binary code for security analysis, binaries stripped of symbol information lack the rich source-level semantic information, and decompiled code suffers from low accuracy and unclear meaning and structure, so effective vulnerability detection is difficult to achieve. Existing vulnerability detection methods for binary code mainly compare code similarity directly at the assembly level or mine vulnerabilities dynamically with fuzzing, and suffer from low code coverage, high false-positive rates, coarse analysis granularity, inability to determine the vulnerability type, and inability to locate the vulnerability precisely.
At present, no effective solution has been proposed for the low accuracy and efficiency of vulnerability detection for binary code in the prior art.
Disclosure of Invention
Based on the foregoing, it is necessary to provide a method, an apparatus and a device for detecting a vulnerability of a binary code.
In a first aspect, the present application provides a vulnerability detection method for binary codes. The method comprises the following steps:
acquiring a code to be detected, and generating a corresponding extended program dependency graph based on the code to be detected;
identifying potential vulnerability presentation points and corresponding potential vulnerability root source points in the extended program dependency graph, and dividing the extended program dependency graph based on the potential vulnerability presentation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph;
inputting the extended program dependency subgraph into a well-trained graph neural vulnerability detection model to obtain a corresponding vulnerability detection result, wherein the vulnerability detection result comprises a vulnerability type and a vulnerability authenticity result, the graph neural vulnerability detection model is obtained by training on a preset training sample set, and the training sample set carries a vulnerability authenticity label and a vulnerability type label.
In one embodiment, identifying potential vulnerability presentation points and corresponding potential vulnerability root source points in the extended program dependency graph includes:
Performing vulnerability recognition on the code to be detected based on vulnerability behavior characteristics respectively corresponding to different vulnerability types to obtain potential vulnerability presentation points and corresponding potential vulnerability root source points in the code to be detected, wherein the potential vulnerability presentation points and the potential vulnerability root source points are in one-to-many relation;
and identifying corresponding potential vulnerability representation points and potential vulnerability root source points in the extended program dependency graph based on the positions of the potential vulnerability root source points and the potential vulnerability representation points in the code to be detected.
In one embodiment, obtaining a vulnerability type tag in a preset training sample set includes:
identifying potential training vulnerability presentation points and potential training vulnerability root source points in preset vulnerability training codes based on the vulnerability characteristics, and dividing an extended program dependency graph corresponding to the vulnerability training codes according to the potential training vulnerability presentation points and the potential training vulnerability root source points to obtain at least one training subgraph;
And determining a vulnerability type label corresponding to each training subgraph based on the vulnerability characteristics of the training vulnerability presentation points and the vulnerability characteristics of the training vulnerability root source points.
In one embodiment, obtaining the vulnerability authenticity tag in the preset training sample set includes:
Obtaining training patch codes corresponding to the vulnerability training codes, determining the positions of target training vulnerability root source points in the vulnerability training codes, and verifying each training subgraph according to the positions of the target training vulnerability root source points to obtain vulnerability authenticity labels corresponding to each training subgraph, wherein a training set sample is composed of the training subgraphs.
In one embodiment, partitioning the extended program dependency graph based on the potential vulnerability presentation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph includes:
reversely slicing the extended program dependency graph, taking each potential vulnerability presentation point as a starting point, up to a preset slice depth to obtain the extended program dependency subgraphs, wherein the slice depth covers the distance between the potential vulnerability presentation point and the corresponding potential vulnerability root source point, and each extended program dependency subgraph comprises one potential vulnerability presentation point and one corresponding potential vulnerability root source point.
In one embodiment, the training sample set comprises a training subgraph consisting of nodes and edges between the nodes, and the obtaining the training sample set comprises:
embedding corresponding node feature vectors for each node and corresponding edge feature vectors for each edge, wherein the node feature vectors comprise, but are not limited to, operation node features, structured node features and semantic node features, and the edge feature vectors comprise, but are not limited to, types of edges, types of data streams corresponding to the edges and types of control streams corresponding to the edges.
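As an added example of how a sliced subgraph becomes a labelled training sample (the type label, the authenticity label derived from the patch, and the node and edge feature vectors of the embodiments above), the following Python is written for this page and is not the patent's own code. It takes a constructed subgraph of the shape a CWE-190 slice would have, embeds the node features the description names (operation, structured, semantic) and the edge features (edge type, data-flow type, control-flow type), assigns the vulnerability type label from the CWE whose behaviour features produced the slice, and assigns the authenticity label by checking whether the subgraph's root source point lies at an instruction the corresponding patch changed, which is how the description identifies the target training root source point. The mnemonic vocabulary, the edge subtype names and the numeric layout of the vectors are assumptions of this example.

```python
from collections import deque

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
MNEMONICS = ["mov", "add", "sub", "imul", "cmp", "push", "call", "jbe", "jmp"]  # plus "other"
EDGE_KINDS = ["cf", "df"]                                   # control flow / data flow
EDGE_SUBTYPES = ["fallthrough", "conditional_jump", "unconditional_jump", "register", "memory"]
CWE_TYPES = ["CWE-121", "CWE-122", "CWE-190", "CWE-415", "CWE-416"]  # the five types the page lists

# Constructed toy subgraph (not from any real binary): one presentation point (the call),
# one candidate root source point (the add), edges as (src, dst, kind, subtype).
SUBGRAPH = {
    "cwe": "CWE-190",
    "presentation": 0x1011,
    "root": 0x1003,
    "nodes": {
        0x1003: {"mnem": "add",  "ops": ["eax", "0x10"]},
        0x1006: {"mnem": "cmp",  "ops": ["eax", "0x100"]},
        0x1009: {"mnem": "jbe",  "ops": ["0x1010"]},
        0x1010: {"mnem": "push", "ops": ["eax"]},
        0x1011: {"mnem": "call", "ops": ["alloc_buf"]},
    },
    "edges": [
        (0x1003, 0x1006, "cf", "fallthrough"),
        (0x1003, 0x1006, "df", "register"),
        (0x1006, 0x1009, "cf", "fallthrough"),
        (0x1009, 0x1010, "cf", "conditional_jump"),
        (0x1003, 0x1010, "df", "register"),
        (0x1010, 0x1011, "cf", "fallthrough"),
    ],
}


def one_hot(value, vocab, other=False):
    """One-hot vector over vocab, with an optional trailing 'other' slot."""
    vec = [0] * (len(vocab) + (1 if other else 0))
    if value in vocab:
        vec[vocab.index(value)] = 1
    elif other:
        vec[-1] = 1
    return vec


def operand_kind(op):
    """Coarse operand class used for the semantic node features."""
    if op in REGS:
        return "reg"
    if op.startswith("["):
        return "mem"
    if op.startswith("0x") or op.isdigit():
        return "imm"
    return "sym"                                  # call target or other symbol


def distances_to(graph, target):
    """BFS over reversed edges: hop distance from every node to the presentation point."""
    preds = {}
    for s, d, _, _ in graph["edges"]:
        preds.setdefault(d, set()).add(s)
    dist, queue = {target: 0}, deque([target])
    while queue:
        cur = queue.popleft()
        for p in preds.get(cur, ()):
            if p not in dist:
                dist[p] = dist[cur] + 1
                queue.append(p)
    return dist


def node_features(graph):
    """Per-node vector = operation one-hot + structured features + semantic features."""
    dist = distances_to(graph, graph["presentation"])
    feats = {}
    for addr, ins in graph["nodes"].items():
        operation = one_hot(ins["mnem"], MNEMONICS, other=True)
        structured = [
            sum(1 for _, d, _, _ in graph["edges"] if d == addr),   # in-degree
            sum(1 for s, _, _, _ in graph["edges"] if s == addr),   # out-degree
            dist.get(addr, -1),                  # distance to the presentation point
            int(addr == graph["presentation"]),
            int(addr == graph["root"]),
        ]
        kinds = [operand_kind(o) for o in ins["ops"]]
        semantic = [len(kinds)] + [int(k in kinds) for k in ("reg", "mem", "imm", "sym")]
        feats[addr] = operation + structured + semantic
    return feats


def edge_features(graph):
    """Per-edge vector = edge kind one-hot + data-flow / control-flow subtype one-hot."""
    return [(s, d, one_hot(kind, EDGE_KINDS) + one_hot(sub, EDGE_SUBTYPES))
            for s, d, kind, sub in graph["edges"]]


def build_training_sample(graph, patched_addrs):
    """Embedded subgraph plus its two labels: the type label from the CWE whose features
    produced the slice, and authenticity 1 only when the root source point is one of the
    instructions the patch changed (the target root source point)."""
    return {
        "x": node_features(graph),
        "edge_attr": edge_features(graph),
        "y_type": CWE_TYPES.index(graph["cwe"]),
        "y_real": int(graph["root"] in patched_addrs),
    }
```

With the constructed patch touching the `add` at 0x1003 the sample is labelled real; the same subgraph paired with a patch that touched some other instruction gets authenticity 0 while keeping the same type label, which is exactly the distinction the model is trained to learn.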
In one embodiment, obtaining the trained graph neural vulnerability detection model comprises:
acquiring an initial graph neural vulnerability detection model and a preset training sample set carrying vulnerability authenticity labels and vulnerability type labels, wherein the initial graph neural vulnerability detection model comprises a graph embedding network and a classification network;
inputting the training sample set into the initial graph neural vulnerability detection model for training to obtain a training sample set prediction result, calculating a loss function result from the prediction result, the vulnerability authenticity labels and the vulnerability type labels, and back-propagating the gradient of the loss function result into the initial model for iterative training to generate the fully trained graph neural vulnerability detection model.
In one embodiment, generating a corresponding extended program dependency graph based on code to be detected includes:
Scanning instructions in the code to be detected in sequence, and obtaining a corresponding node based on each instruction, wherein the code to be detected is in the form of an assembler;
Determining a relationship between control flow and data flow between instructions based on a preceding instruction and a following instruction of the instructions, and determining edges between the instructions based on the control flow and the data flow;
Based on the nodes and edges, an extended program dependency graph is obtained.
In a second aspect, the application further provides a vulnerability detection device for binary codes. The device comprises:
The acquisition module is used for acquiring codes to be detected and generating corresponding extended program dependency graphs based on the codes to be detected;
the computing module is used for identifying potential vulnerability presentation points and corresponding potential vulnerability root source points in the extended program dependency graph, and dividing the extended program dependency graph based on the potential vulnerability presentation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph;
the generating module is used for inputting the extended program dependency subgraph into a well-trained graph neural vulnerability detection model to obtain a corresponding vulnerability detection result, wherein the vulnerability detection result comprises a vulnerability type and a vulnerability authenticity result, the graph neural vulnerability detection model is obtained by training on a preset training sample set, and the training sample set carries a vulnerability authenticity label and a vulnerability type label.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which when executing the computer program performs the steps of:
acquiring a code to be detected, and generating a corresponding extended program dependency graph based on the code to be detected;
identifying potential vulnerability presentation points and corresponding potential vulnerability root source points in the extended program dependency graph, and dividing the extended program dependency graph based on the potential vulnerability presentation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph;
inputting the extended program dependency subgraph into a well-trained graph neural vulnerability detection model to obtain a corresponding vulnerability detection result, wherein the vulnerability detection result comprises a vulnerability type and a vulnerability authenticity result, the graph neural vulnerability detection model is obtained by training on a preset training sample set, and the training sample set carries a vulnerability authenticity label and a vulnerability type label.
The method, device and equipment for detecting vulnerabilities in binary code acquire the code to be detected, generate the corresponding extended program dependency graph based on it, identify potential vulnerability presentation points and corresponding potential vulnerability root source points in the graph, divide the graph based on those points to obtain at least one extended program dependency subgraph, and finally input the subgraph into a fully trained graph neural vulnerability detection model to obtain the corresponding vulnerability detection result, which comprises a vulnerability type and a vulnerability authenticity result; the graph neural vulnerability detection model is obtained by training on a preset training sample set that carries a vulnerability authenticity label and a vulnerability type label. Applying the trained graph neural vulnerability detection model to the vulnerability detection scenario effectively improves detection accuracy: the method and device not only detect whether a vulnerability exists in the software code, but also locate the vulnerability at the instruction level and determine its type, which facilitates subsequent patch generation for the binary code and effectively reduces the harm of the vulnerability.
Drawings
FIG. 1 is an application environment diagram of a vulnerability detection method in one embodiment;
FIG. 2 is a flow chart of a vulnerability detection method in one embodiment;
FIG. 3 is a flow chart of a vulnerability detection method in a preferred embodiment;
FIG. 4 is a block diagram of a vulnerability detection apparatus in one embodiment;
FIG. 5 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The vulnerability detection method for binary code provided by the embodiments of the application can be applied to the application environment shown in fig. 1, in which the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process, and may be integrated on the server 104 or located on a cloud or other network server. The method comprises obtaining the code to be detected, generating a corresponding extended program dependency graph based on it, identifying potential vulnerability presentation points and corresponding potential vulnerability root source points in the graph, dividing the graph based on those points to obtain at least one extended program dependency subgraph, and finally inputting the subgraph into a fully trained graph neural vulnerability detection model to obtain a corresponding vulnerability detection result, which comprises a vulnerability type and a vulnerability authenticity result; the graph neural vulnerability detection model is obtained by training on a preset training sample set that carries a vulnerability authenticity label and a vulnerability type label. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer, Internet of Things device or portable wearable device, where the Internet of Things device may be a smart speaker, smart television, smart air conditioner, smart vehicle device, and the like, and the portable wearable device may be a smart watch, smart bracelet, headset, or the like.
The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a vulnerability detection method is provided, and the method is applied to the server in fig. 1 for illustration, and includes the following steps:
step S210, obtaining codes to be detected, and generating corresponding extended program dependency graphs based on the codes to be detected.
Specifically, this embodiment performs vulnerability detection on binary code, that is, the code to be detected is the binary code to be detected. In practice, vulnerability detection cannot be performed directly on the binary code, so after the binary code is obtained it is disassembled into assembly code, and the corresponding extended program dependency graph is then generated. Each node in the extended program dependency graph represents an instruction in the code to be detected and carries distance information between the node and the potential vulnerability presentation point; each edge represents a control-flow or data-flow dependency between instructions, along which node data and vulnerability context information can be propagated. The extended program dependency graph therefore has both structural information at instruction granularity and contextual semantic association information between instructions, and can effectively represent CWE (Common Weakness Enumeration) characteristics.
Step S220, identifying potential vulnerability presentation points and corresponding potential vulnerability root source points in the extended program dependency graph, and dividing the extended program dependency graph based on the potential vulnerability presentation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph.
Specifically, a vulnerability presentation point is the concrete form in which a vulnerability manifests in the software program, such as data leakage, a system crash or code injection, and a vulnerability root source point is the root cause of the vulnerability, such as a design defect, a coding error or an improper configuration. In practice, when identifying points in the extended program dependency graph, one potential vulnerability presentation point often corresponds to several potential vulnerability root source points, because root source points and presentation points are identified from CWE features (for example, for integer overflow the presentation point feature is any call of a function that receives an integer parameter and the root source point feature is an integer arithmetic operation; for stack overflow the presentation point feature is any store instruction to locally allocated memory and the root source point feature is a write operation to stack memory; and so on). The application therefore identifies the target vulnerability root source point that actually causes the presentation point through the subsequent graph neural vulnerability detection model.
In this embodiment, identifying potential vulnerability presentation points and potential vulnerability root source points in the extended program dependency graph includes converting the binary code to be detected into assembly code with a disassembler, generating the extended program dependency graph of the code, and identifying potential vulnerability presentation points and potential vulnerability root source points in the graph according to CWE features. The graph is then divided according to these points. As described above, the potential vulnerability presentation points and potential vulnerability root source points identified from CWE features are usually in a one-to-many relationship, that is, one potential vulnerability presentation point corresponds to several potential vulnerability root source points, so the extended program dependency graph is sliced according to the positions of the potential vulnerability presentation points and their corresponding potential vulnerability root source points in the graph. The specific slicing method is: taking each potential vulnerability presentation point as a starting point, traverse the extended program dependency graph with a breadth-first search strategy, slicing in reverse up to a preset depth, so that a number of extended program dependency subgraphs are formed, each containing one potential vulnerability presentation point and one corresponding potential vulnerability root source point. The depth generally covers the distance between the potential vulnerability presentation point and the potential vulnerability root source point; in some preferred embodiments the depth is set to 100, and in practice it can be adjusted by the relevant personnel according to the actual vulnerability requirements.
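As an added illustration of the graph construction described in the embodiments above (one node per instruction, control-flow and data-flow edges between instructions) and of the reverse breadth-first slicing from each potential presentation point to a preset depth, the following Python is example code written for this page, not code from the patent or its inventors. It assumes a constructed toy x86 listing, a deliberately simplified register model with reaching definitions for data flow, and models the CWE-190 behaviour features as the description gives them: the presentation point is a call of a function that receives an integer parameter (approximated here as a call whose control-flow predecessor pushes a register), and the root source point is an integer arithmetic instruction. Each emitted subgraph contains one presentation point and one candidate root source point together with the distance between them.

```python
import re
from collections import deque

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
ARITH = {"add", "sub", "imul", "mul", "shl"}

# Constructed toy x86 listing (not taken from any real binary). Each entry is
# (address, mnemonic, operands); memory operands are bracketed, immediates are hex.
LISTING = [
    (0x1000, "mov",  ["eax", "[ebp+8]"]),     # load an integer argument into eax
    (0x1003, "add",  ["eax", "0x10"]),        # integer arithmetic on eax
    (0x1006, "cmp",  ["eax", "0x100"]),
    (0x1009, "jbe",  ["0x1010"]),             # skips the imul on one path
    (0x100b, "imul", ["eax", "4"]),           # second integer arithmetic on eax
    (0x1010, "push", ["eax"]),                # eax becomes a call parameter
    (0x1011, "call", ["alloc_buf"]),          # callee consumes the integer
    (0x1016, "mov",  ["[ebp-0x20]", "eax"]),  # store the return value to a local
]

def regs_in(operand):
    """Registers named by one operand, including those inside a memory reference."""
    return {t for t in re.split(r"[\[\]+\-*]", operand) if t in REGS}

def reads_writes(mnem, ops):
    """Registers an instruction reads and defines (deliberately simplified x86 model)."""
    all_regs = set().union(*(regs_in(o) for o in ops))
    if mnem == "mov":
        if ops[0].startswith("["):            # store: only address registers are read
            return all_regs, set()
        return regs_in(ops[1]), regs_in(ops[0])
    if mnem in ARITH:
        return all_regs, regs_in(ops[0])
    if mnem in ("push", "cmp"):
        return all_regs, set()
    if mnem == "call":
        return set(), {"eax"}                 # return value clobbers eax
    return set(), set()                       # jumps and anything else

def build_epdg(listing):
    """Extended program dependency graph: one node per instruction and edges
    (src, dst, kind) with kind 'cf' (control flow) or 'df' (data flow)."""
    by_addr = {addr: i for i, (addr, _, _) in enumerate(listing)}
    nodes = {i: {"addr": a, "mnem": m, "ops": o} for i, (a, m, o) in enumerate(listing)}
    edges = set()
    for i, (_, mnem, ops) in enumerate(listing):
        if mnem.startswith("j"):              # jump target
            edges.add((i, by_addr[int(ops[0], 16)], "cf"))
        if mnem != "jmp" and i + 1 < len(listing):   # fall-through
            edges.add((i, i + 1, "cf"))
    cf_preds = {i: {s for s, d, k in edges if d == i and k == "cf"} for i in nodes}
    rw = {i: reads_writes(n["mnem"], n["ops"]) for i, n in nodes.items()}
    # Reaching definitions to a fixpoint: the (node, register) definitions live at each node.
    reach_in = {i: set() for i in nodes}
    changed = True
    while changed:
        changed = False
        for i in nodes:
            new_in = set()
            for p in cf_preds[i]:
                _, writes = rw[p]
                new_in |= {(s, r) for s, r in reach_in[p] if r not in writes}
                new_in |= {(p, r) for r in writes}
            if new_in != reach_in[i]:
                reach_in[i], changed = new_in, True
    for j in nodes:                           # data-flow edge from each reaching definition that is read
        reads, _ = rw[j]
        edges |= {(s, j, "df") for s, r in reach_in[j] if r in reads}
    return nodes, edges

# CWE-190 behaviour features as the description gives them; the "push of a register
# before the call" reading of "call with an integer parameter" is an assumption here.
def cwe190_presentation(nodes, edges, i):
    preds = [s for s, d, k in edges if d == i and k == "cf"]
    return nodes[i]["mnem"] == "call" and any(
        nodes[p]["mnem"] == "push" and regs_in(nodes[p]["ops"][0]) for p in preds)

def cwe190_root(nodes, edges, i):
    return nodes[i]["mnem"] in ARITH

CWE_FEATURES = {"CWE-190": (cwe190_presentation, cwe190_root)}

def backward_slices(nodes, edges, depth=100):
    """Reverse-slice from every presentation point with a depth-bounded BFS over reversed
    edges, then emit one subgraph per (presentation, root) pair keeping only the nodes
    that lie on some path from that root to the presentation point."""
    preds = {i: {s for s, d, _ in edges if d == i} for i in nodes}
    succs = {i: {d for s, d, _ in edges if s == i} for i in nodes}
    subgraphs = []
    for cwe, (is_presentation, is_root) in CWE_FEATURES.items():
        for p in nodes:
            if not is_presentation(nodes, edges, p):
                continue
            dist, queue = {p: 0}, deque([p])
            while queue:
                cur = queue.popleft()
                if dist[cur] >= depth:
                    continue
                for s in preds[cur]:
                    if s not in dist:
                        dist[s] = dist[cur] + 1
                        queue.append(s)
            for root in sorted(dist):
                if root == p or not is_root(nodes, edges, root):
                    continue
                kept, stack = {root}, [root]     # forward closure of the root inside the slice
                while stack:
                    for d in succs[stack.pop()]:
                        if d in dist and d not in kept:
                            kept.add(d)
                            stack.append(d)
                subgraphs.append({
                    "cwe": cwe, "presentation": nodes[p]["addr"], "root": nodes[root]["addr"],
                    "distance": dist[root], "nodes": [nodes[n]["addr"] for n in sorted(kept)],
                    "edges": sorted(e for e in edges if e[0] in kept and e[1] in kept),
                })
    return subgraphs
```

On the toy listing the single call site yields two subgraphs, one per arithmetic candidate (the `add` and the `imul`), both at distance 2 from the presentation point; deciding which of them, if either, is the target root source point is exactly what the description leaves to the trained model, and a depth of 1 would cut the slice off before either candidate is reached.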
Step S230, inputting the extended program dependency subgraph into a well-trained graph neural vulnerability detection model to obtain corresponding vulnerability detection results, wherein the vulnerability detection results comprise vulnerability types and vulnerability authenticity results, the graph neural vulnerability detection model is obtained by training on a preset training sample set, and the training sample set carries vulnerability authenticity labels and vulnerability type labels.
Specifically, in some preferred embodiments, the graph neural vulnerability detection model consists of two end-to-end modules. The first module passes messages over the graph structure to generate node embeddings and learn the distance information between nodes; it preferably uses the S2V (structure2vec) model. The second module preferably adopts a neural network classifier and is used to learn each CWE feature, infer the probability that a vulnerability exists, and locate the vulnerability presentation point and vulnerability root source point at the instruction level. The extended program dependency subgraph is input into the fully trained graph neural vulnerability detection model to obtain the corresponding vulnerability detection result, which comprises the vulnerability type, the vulnerability authenticity result, the target vulnerability root source point position and the target vulnerability presentation point position. The vulnerability type indicates the specific kind of vulnerability, including but not limited to stack overflow (CWE-121), heap overflow (CWE-122), integer overflow (CWE-190), double free (CWE-415) and use-after-free (CWE-416). Because the potential vulnerability presentation points and potential vulnerability root source points are identified in the graph from CWE features, a potential presentation point may correspond to one real root source point, or all of its candidate root source points may be false; if the code to be detected contains no vulnerability, the potential presentation point and the potential root source points are all false. The target vulnerability root source point is the root source point that truly triggers the presentation point, and the target vulnerability presentation point is the real vulnerability presentation point.
Further, the graph neural vulnerability detection model is trained on training sample sets carrying vulnerability authenticity labels and vulnerability type labels. The training sample set consists of a large number of training subgraphs, each comprising a potential training vulnerability presentation point and a corresponding potential training vulnerability root source point: preset vulnerability training codes are identified based on the vulnerability behaviour characteristics to obtain the potential training vulnerability presentation points and potential training vulnerability root source points, and the extended program dependency graphs corresponding to the vulnerability training codes are divided based on these points to obtain the training subgraphs. The vulnerability authenticity label is assigned per training subgraph and characterizes the authenticity of the potential training vulnerability presentation point and the corresponding potential training vulnerability root source point in that subgraph, namely whether the nodes and edges comprising them form a real vulnerability triggering chain. The vulnerability type label characterizes the specific type of the vulnerability.
In summary, the method and device identify potential vulnerability presentation points and potential vulnerability root source points in the extended program dependency graph, use the graph neural vulnerability detection model to judge whether each potential presentation point and root source point is real, and detect the vulnerability type. In practice, after the vulnerability authenticity result and vulnerability type are obtained, the specific position of the vulnerability in the original code to be detected can be determined further. The specific localization method is: when each extended program dependency subgraph is constructed, establish a mapping between the subgraph and the code to be detected, and after the detection result for the subgraph is obtained, use the mapping to locate the vulnerability in the code to be detected, namely the original binary code.
It should be noted that, when detecting binary code of different architectures, the above graph neural vulnerability detection model needs to be trained on corresponding training sample sets for those architectures, so as to detect binary code of different architectures, where the architectures include, but are not limited to, ARM (Advanced RISC Machine), x86, MIPS (Microprocessor without Interlocked Pipeline Stages), and the like.
Through steps S210 to S230, the extended program dependency graph is sliced based on the potential vulnerability presentation points and potential vulnerability root source points to obtain a number of extended program dependency subgraphs, and these subgraphs are input into the fully trained graph neural vulnerability detection model to obtain the corresponding detection results. The method is highly extensible, does not consume excessive computing resources or time when the fully trained graph neural vulnerability detection model is applied, and thus achieves high vulnerability detection efficiency. It has a wide range of application and can locate vulnerabilities in binary code of different architectures, requiring only that the corresponding models be trained on training sets for those architectures.
In some embodiments, the method further comprises:
performing vulnerability identification on the code to be detected based on the vulnerability behavior features respectively corresponding to different vulnerability types, to obtain the potential vulnerability manifestation points and the corresponding potential vulnerability root source points in the code to be detected, wherein the potential vulnerability manifestation points and the potential vulnerability root source points are in a one-to-many relationship;
and identifying the corresponding potential vulnerability manifestation points and potential vulnerability root source points in the extended program dependency graph based on the positions of the potential vulnerability root source points and the potential vulnerability manifestation points in the code to be detected.
Specifically, the vulnerability types to be detected are preset in this embodiment, and the vulnerability behavior features of the functions corresponding to each vulnerability type are determined accordingly. In some preferred embodiments, the preset vulnerability types include, but are not limited to, five types with a high occurrence rate and severe impact: stack-based buffer overflow (CWE-121), heap-based buffer overflow (CWE-122), integer overflow (CWE-190), double free (CWE-415) and use after free (CWE-416). The vulnerability behavior features of each type are further defined as follows. For the integer overflow type, the manifestation point is any call to a function that takes an integer parameter, and the root source point is an integer arithmetic operation. For the stack overflow type, the manifestation point is any store instruction to locally allocated memory, and the root source point is a write operation to stack memory. For the heap overflow type, the manifestation point is any store instruction to dynamically allocated memory, and the root source point is the write operation to heap memory. For the double free type, the manifestation point is a release of dynamically allocated memory, and the root source point is the lack of a check of whether that memory has already been released before it is released again. For the use after free type, the manifestation point is an access to heap memory, and the root source point is the lack of a check of whether the memory has been released before the heap memory is accessed.
In summary, vulnerability identification is performed on the code to be detected based on the preset vulnerability types and their vulnerability behavior features, that is, the code is matched against these features to detect and locate vulnerabilities, yielding the potential vulnerability manifestation points and the corresponding potential vulnerability root source points. In practice, the manifestation points and root source points identified through the vulnerability types and behavior features are generally in a one-to-many relationship: one manifestation point usually has several candidate root source points.
Further, after the positions of the potential vulnerability root source points and of the potential vulnerability manifestation points have been identified, the position of each point in the extended program dependency graph is determined from the position marks, and finally the extended program dependency graph generated from each assembly program, together with the marks of the potential vulnerability manifestation points and the position marks of the potential vulnerability root source points in the graph, is stored in a JSON file.
In this embodiment, the code to be detected is identified through the preset vulnerability types and their vulnerability behavior features to obtain the potential vulnerability manifestation points, the potential vulnerability root source points and their specific positions, which facilitates the partitioning of the extended program dependency subgraphs and the determination of the authenticity of the potential vulnerability root source points in the subsequent steps, and thereby improves the efficiency and accuracy of vulnerability detection.
In some embodiments, obtaining the vulnerability type labels in the preset training sample set includes:
identifying preset vulnerability training code based on vulnerability features to obtain potential training vulnerability manifestation points and potential training vulnerability root source points, and partitioning the extended program dependency graph corresponding to the vulnerability training code according to the potential training vulnerability manifestation points and the potential training vulnerability root source points to obtain at least one training subgraph;
and determining the vulnerability type label corresponding to each training subgraph based on the vulnerability features of the training vulnerability manifestation points and the vulnerability features of the training vulnerability root source points.
Specifically, the preset vulnerability training code and the corresponding training patch code are obtained; in some preferred embodiments, the vulnerable code of open source software recorded in the existing CVE (Common Vulnerabilities and Exposures) database and the corresponding patched code can be used. From the patched code, detailed information about the vulnerability in the training code is derived, such as the vulnerability type and the real position of the training vulnerability root source point, and the vulnerability training code is labeled according to the training patch code. Preferably, the label is a triplet <vulnerable/non-vulnerable, line, type>: if the training code contains no vulnerability, the first element is non-vulnerable and the line is 0; if the training code contains a vulnerability, the first element is vulnerable, line is the line number of the root source position of the vulnerability in the source code, and type is the vulnerability type.
After the vulnerability training code is obtained, it is identified based on the vulnerability features to obtain the potential training vulnerability manifestation points and potential training vulnerability root source points. The extended program dependency graph corresponding to the vulnerability training code is then partitioned according to these points to obtain at least one training subgraph; the partitioning method is the same as that used for the extended program dependency graph of the code to be detected. Finally, the vulnerability type label of each training subgraph is determined from the features of the training vulnerability manifestation points and the features of the training vulnerability root source points. In some preferred embodiments, after identification, the vulnerability type of each training subgraph can be rechecked against the type element of the triplet label, which improves the accuracy of the vulnerability type labels in the training set.
Through this embodiment, the corresponding labels can be set for the training sample set, which facilitates the subsequent training of the model.
In some embodiments, obtaining the vulnerability authenticity labels in the preset training sample set includes:
obtaining the training patch code corresponding to the vulnerability training code, determining the position of the target training vulnerability root source point in the vulnerability training code, and verifying each training subgraph according to the position of the target training vulnerability root source point to obtain the vulnerability authenticity label corresponding to each training subgraph, wherein the training sample set is composed of the training subgraphs.
Specifically, in the training stage, identifying the vulnerability training code based on the vulnerability features generally yields one potential training vulnerability manifestation point with several corresponding potential training vulnerability root source points. As those skilled in the art will understand, when the vulnerability training code does contain a vulnerability, these potential training vulnerability root source points include the root source point that actually causes the manifestation point.
After the potential training vulnerability root source points and the potential training vulnerability manifestation point are obtained, the authenticity of each training subgraph is determined according to the triplet label <vulnerable/non-vulnerable, line, type> of the vulnerability training code, which yields the authenticity label; the triplet label contains the position of the target training vulnerability root source point, that is, the position of the real training vulnerability root source point.
In some preferred embodiments, the authenticity of the vulnerability in each subgraph can be determined by screening and pruning the control flow and data flow relationships in each training sample subgraph, where these relationships represent the path from the potential training vulnerability root source point to the potential training vulnerability manifestation point, and the authenticity label is obtained from the label information transferred from the source code through debug information. In practice, the line number at which the vulnerability is located is not directly visible in the compiled assembly code; its position must be determined through the debug symbol information generated during compilation. The label information can therefore be transferred through the debug symbols to the instruction-level assembly code, and the node position of the potential vulnerability root source point is then marked in the extended program dependency graph.
Through this embodiment, the authenticity labels of the vulnerabilities in the training sample set can be determined.
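The labeling procedure described above (triplet label derived from the fix patch, root line carried to instruction addresses through a line table, authenticity decided per training subgraph) is shown below as an added example. This is not the patent's code; the diff, the line table standing in for the compiler's debug information, and the candidate subgraphs are all constructed for illustration, and the rule that a candidate must also match the triplet's type to be labeled real is an assumption.

```python
import re

# Constructed unified diff of a hypothetical fix (not a real CVE patch).
PATCH = """\
--- a/parse.c
+++ b/parse.c
@@ -10,4 +10,6 @@ int parse_len(unsigned int a, unsigned int b)
 {
-    unsigned int total = a + b;
+    if (a > UINT_MAX - b)
+        return -1;
+    unsigned int total = a + b;
     return handle_len(total);
 }
"""

# Constructed fix that only inserts a check: the root line is the insertion point.
ADD_ONLY_PATCH = """\
--- a/free.c
+++ b/free.c
@@ -20,3 +21,4 @@
     x = y;
+    check(y);
     use(x);
 }
"""

HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def root_lines_from_patch(patch):
    """Pre-patch line numbers touched by the fix: the removed lines when there are
    any, otherwise the old-file position at which lines were inserted."""
    removed, inserted, old, in_hunk = [], [], 0, False
    for line in patch.splitlines():
        m = HUNK.match(line)
        if m:
            old, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk or line.startswith("\\"):   # skip file headers, "\ No newline"
            continue
        if line.startswith("-"):
            removed.append(old)
            old += 1
        elif line.startswith("+"):
            inserted.append(old)                     # '+' lines do not advance old numbering
        else:
            old += 1
    return removed or sorted(set(inserted))

NON_VULNERABLE = ("non-vulnerable", 0, None)         # label of the patched code

def make_triplet(patch, cwe):
    """<vulnerable/non-vulnerable, line, type>; the first touched line is taken as the
    root source position (an assumption when a patch touches several lines)."""
    return ("vulnerable", root_lines_from_patch(patch)[0], cwe)

# Constructed address-to-source-line table, playing the role of DWARF line info.
LINE_TABLE = {0x10: 10, 0x14: 11, 0x18: 11, 0x1c: 12, 0x20: 12,
              0x24: 12, 0x28: 12, 0x2c: 12, 0x40: 15}

# Constructed candidate training subgraphs: one manifestation point, several roots.
CANDIDATES = [
    {"cwe": "CWE-190", "root": 0x14, "manifestation": 0x2c},
    {"cwe": "CWE-190", "root": 0x40, "manifestation": 0x2c},
    {"cwe": "CWE-121", "root": 0x14, "manifestation": 0x28},
]

def label_subgraphs(candidates, triplet, line_table):
    """Type label comes from the feature that produced the candidate; the authenticity
    label is 1 only if the candidate root maps to the triplet line and type."""
    flag, line, cwe = triplet
    labels = []
    for c in candidates:
        real = flag == "vulnerable" and c["cwe"] == cwe and line_table.get(c["root"]) == line
        labels.append({"root": c["root"], "type_label": c["cwe"], "real_label": int(real)})
    return labels

if __name__ == "__main__":
    triplet = make_triplet(PATCH, "CWE-190")
    for lab in label_subgraphs(CANDIDATES, triplet, LINE_TABLE):
        print(triplet, hex(lab["root"]), lab["type_label"], lab["real_label"])
```

Candidates whose root address does not map back to the patched line receive authenticity label 0 even though they matched the same behavior feature, which is exactly what gives the model negative examples of the one-to-many root candidates.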
In some embodiments, the method further comprises:
backward-slicing the extended program dependency graph from each potential vulnerability manifestation point as the starting point, up to a preset slice depth, to obtain the extended program dependency subgraphs, wherein the slice depth includes the distance between the potential vulnerability manifestation point and its corresponding potential vulnerability root source point, and each extended program dependency subgraph includes one potential vulnerability manifestation point and one corresponding potential vulnerability root source point.
Specifically, this embodiment provides a method for obtaining the extended program dependency subgraphs: taking each potential vulnerability manifestation point as the starting point, the extended program dependency graph is traversed backwards with a breadth-first search strategy up to the preset slice depth, forming a plurality of subgraphs whose end node is the potential vulnerability manifestation point and whose start node is a potential vulnerability root source point. For the slice to be complete, the preset slice depth must be large enough to include both the potential vulnerability manifestation point and its corresponding potential vulnerability root source point.
In some embodiments, the training sample set comprises training subgraphs consisting of nodes and edges between the nodes, and obtaining the training sample set comprises:
embedding a corresponding node feature vector for each node and a corresponding edge feature vector for each edge, wherein the node feature vectors include, but are not limited to, operation node features, structured node features and semantic node features, and the edge feature vectors include, but are not limited to, the type of the edge, the type of data flow corresponding to the edge and the type of control flow corresponding to the edge.
Specifically, in this embodiment a node feature vector is embedded for each node in the subgraph, representing the basic features of an instruction, and an edge feature vector is embedded for each edge in the subgraph, representing the basic features of the data flow or control flow between instructions, so that the neural network can learn from them during training. The node feature vector mainly includes operation node features (such as static values and opcodes), structured node features (such as the number of data dependencies, the number of control dependencies and the distance between the node and the vulnerability manifestation point) and semantic node features (such as the output type of the node's operation). The edge feature vector mainly includes the type of the edge (control flow or data flow), the specific data type carried by a data-flow edge (floating point, pointer, and so on) and the specific kind of a control-flow edge (sequential execution or jump), so that the model can capture which type of data flows along which path. Because the model learns the flow of static values, external input and data types, it has enough information to simulate the influence of data on the program, and the rich features of every node and edge help the model capture the semantics of the code, improving its vulnerability detection performance.
It should be noted that in this embodiment the feature vectors are embedded for every node and edge when the training sample set is built, in order to enrich the semantic information; likewise, after training is complete, the same feature vectors are embedded for the nodes and edges of the extended program dependency subgraphs of the code to be detected during the application and inference stage, in order to improve detection accuracy. The embedding method for the feature vectors is the same as that used for the training subgraphs in this embodiment.
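An added example of the embedding described above, not the patent's code: a small constructed subgraph is given, and each node receives an operation part (opcode one-hot, presence of an immediate), a structured part (data-dependency in-degree, control-dependency in-degree, backward distance to the manifestation point) and a semantic part (output type), while each edge receives its kind and the data type it carries, with control-flow edges typed void. The opcode, type and edge-kind vocabularies are assumptions chosen for the illustration.

```python
from collections import deque

# Assumed vocabularies; the final slot of every one-hot is "out of vocabulary".
OPCODES = ["mov", "add", "cmp", "jbe", "call", "free"]
OUT_TYPES = ["none", "int", "ptr", "flags"]        # semantic feature: type a node produces
DATA_TYPES = ["void", "int", "ptr", "flags"]       # edge data type; void on control flow
EDGE_KINDS = ["df", "cf:seq", "cf:jump"]

def one_hot(value, vocab):
    vec = [0] * (len(vocab) + 1)
    vec[vocab.index(value) if value in vocab else len(vocab)] = 1
    return vec

# Constructed subgraph: (address, mnemonic, has_immediate, output_type).
NODES = [
    (0x14, "add", False, "int"),
    (0x18, "mov", False, "int"),
    (0x1c, "cmp", True, "flags"),
    (0x20, "jbe", False, "none"),
    (0x28, "mov", False, "none"),      # store to stack memory
    (0x2c, "call", False, "int"),      # manifestation point
]
# Constructed edges: (src, dst, kind, data_type).
EDGES = [
    (0x14, 0x18, "df", "int"), (0x14, 0x1c, "df", "int"), (0x18, 0x28, "df", "int"),
    (0x1c, 0x20, "df", "flags"),
    (0x14, 0x18, "cf:seq", "void"), (0x18, 0x1c, "cf:seq", "void"),
    (0x1c, 0x20, "cf:seq", "void"), (0x20, 0x28, "cf:jump", "void"),
    (0x28, 0x2c, "cf:seq", "void"),
]
MANIFESTATION = 0x2c

def distances_to(target, edges):
    """Backward BFS: number of edges from each node to the manifestation point."""
    preds = {}
    for s, d, _, _ in edges:
        preds.setdefault(d, set()).add(s)
    dist, queue = {target: 0}, deque([target])
    while queue:
        v = queue.popleft()
        for p in preds.get(v, ()):
            if p not in dist:
                dist[p] = dist[v] + 1
                queue.append(p)
    return dist

def node_features(nodes, edges, manifestation):
    """address -> [opcode one-hot | has_imm | df_in, cf_in, dist | output-type one-hot]"""
    dist = distances_to(manifestation, edges)
    df_in = {addr: 0 for addr, *_ in nodes}
    cf_in = {addr: 0 for addr, *_ in nodes}
    for _, d, kind, _ in edges:
        (df_in if kind == "df" else cf_in)[d] += 1
    return {
        addr: one_hot(mnem, OPCODES) + [int(has_imm)]
              + [df_in[addr], cf_in[addr], dist.get(addr, -1)]   # -1: unreachable
              + one_hot(out_type, OUT_TYPES)
        for addr, mnem, has_imm, out_type in nodes
    }

def edge_features(edges):
    """(src, dst, kind) -> [edge-kind one-hot | data-type one-hot]"""
    return {(s, d, kind): one_hot(kind, EDGE_KINDS) + one_hot(dtype, DATA_TYPES)
            for s, d, kind, dtype in edges}

if __name__ == "__main__":
    for addr, vec in node_features(NODES, EDGES, MANIFESTATION).items():
        print(hex(addr), vec)
    for key, vec in edge_features(EDGES).items():
        print(key, vec)
```

The distance feature is computed over the reversed edges, so it is the same quantity the slicing step bounds with the preset slice depth; a node that cannot reach the manifestation point is marked with -1 rather than silently given distance 0.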
In some of these embodiments, obtaining the fully trained graph neural vulnerability detection model includes:
acquiring an initial graph neural vulnerability detection model and a preset training sample set carrying vulnerability authenticity labels and vulnerability type labels, wherein the initial graph neural vulnerability detection model comprises a graph embedding network and a classification network;
inputting the training sample set into the initial graph neural vulnerability detection model for training to obtain prediction results for the training sample set, calculating the loss according to the prediction results, the vulnerability authenticity labels and the vulnerability type labels, and back-propagating the gradient of the loss into the initial model for iterative training, so as to generate the fully trained graph neural vulnerability detection model.
Specifically, the graph neural vulnerability detection model of the application consists of two end-to-end modules. The first module is a graph embedding network, for example S2V, node2vec (node2vec: Scalable Feature Learning for Networks) or SDNE (Structural Deep Network Embedding), which learns long-range information between nodes. The second module is a deep neural network classifier that learns the features of each CWE and infers the probability of a vulnerability. It should be noted that when the method is applied to vulnerability detection on binary code of several different architectures (such as ARM, x86 and MIPS), a corresponding model is trained for each architecture, so that vulnerability detection can be performed on the binary code of every architecture.
The graph neural vulnerability detection model is a fully supervised model: the loss is calculated from the vulnerability authenticity labels and the vulnerability type labels in the training sample set, and the gradient of the loss is back-propagated into the initial graph neural vulnerability detection model for iterative training, generating the fully trained model.
According to the method and the device, vulnerabilities can be located in binary code of different architectures, so vulnerability location can be performed both on Linux- or RTOS-based firmware binaries and on other general binary code.
In some embodiments, the method further comprises:
scanning the instructions in the code to be detected in sequence and obtaining a corresponding node for each instruction, wherein the code to be detected is in the form of an assembly program;
determining the control flow and data flow relationships between instructions based on the preceding and following instructions of each instruction, and determining the edges between the instructions based on the control flow and the data flow;
and obtaining the extended program dependency graph based on the nodes and edges.
Specifically, this embodiment provides a method for generating the extended program dependency graph, which expresses the code in the form of a program dependency graph that conveniently describes the control flow and data flow of the code and is well suited to deep learning. In the extended program dependency graph, each node represents an atomic machine-level instruction and carries the distance between the node and the potential vulnerability marker point, so that the model can better identify the features of the underlying machine instructions related to the vulnerability.
For each assembly program, the extended program dependency graph is generated by statically scanning the code. First, the code is scanned instruction by instruction starting from the first instruction, and each instruction forms a node of the graph. A second scan then determines the edges between the nodes: based on the preceding and following instructions of each instruction and on the values each instruction defines and uses, the control flow and data flow relationships between the instructions, that is, the types and attributes of the edges in the graph, are determined. Control-flow edges are assigned the void data type, while data-flow edges are assigned the data type of the value transmitted (such as int or double). The extended program dependency graph is thus obtained from the nodes and edges.
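The three steps spread over the passages above (graph construction from a static scan of the assembly, matching of the vulnerability behavior features for one-to-many manifestation/root candidates, and bounded backward slicing by breadth-first search) are shown together in the added example below. It is not the patent's code: the assembly listing is constructed and x86-64-like, the instruction semantics cover only a handful of mnemonics, data flow comes from a linear reaching-definitions pass that ignores branch structure, the calling convention (first integer argument in rdi) is assumed, and only the CWE-190 feature from the list above is spelled out in the feature table.

```python
import re
from collections import deque

# Constructed assembly listing (hypothetical; Intel-style operand order).
ASM = """\
0x10: mov rax, [rbp-0x10]
0x14: add rax, rbx
0x18: mov rcx, rax
0x1c: cmp rax, 0x100
0x20: jbe 0x28
0x24: mov rdi, 1
0x28: mov [rbp-0x20], rcx
0x2c: call handle_len
"""

REG = re.compile(r"\b(r[a-d]x|r[sd]i|r[bs]p|r\d+)\b")
ARITH = {"add", "sub", "imul", "shl"}
FIRST_ARG = "rdi"                      # assumed SysV calling convention

def parse(listing):
    """First scan: one node per instruction."""
    nodes = []
    for line in listing.strip().splitlines():
        addr, rest = line.split(":", 1)
        mnem, _, ops = rest.strip().partition(" ")
        nodes.append({"addr": int(addr, 16), "mnem": mnem,
                      "ops": [o.strip() for o in ops.split(",")] if ops else []})
    return nodes

def defs_uses(ins):
    """Registers (or flags) defined and used by an instruction; toy semantics."""
    m, ops = ins["mnem"], ins["ops"]
    regs = [set(REG.findall(o)) for o in ops]
    if m == "mov":
        to_mem = ops[0].startswith("[")
        return (set() if to_mem else regs[0]), regs[1] | (regs[0] if to_mem else set())
    if m in ARITH:
        return regs[0], regs[0] | regs[1]
    if m == "cmp":
        return {"flags"}, regs[0] | regs[1]
    if m.startswith("j"):
        return set(), (set() if m == "jmp" else {"flags"})
    if m == "call":
        return {"rax"}, {FIRST_ARG}           # one integer argument assumed
    return set(), set()

def build_epdg(nodes):
    """Second scan: edges (src, dst, kind) with kind 'df:<reg>', 'cf:seq' or 'cf:jump'.
    Control-flow edges carry no data (void); data-flow edges are named by the register."""
    by_addr = {n["addr"]: i for i, n in enumerate(nodes)}
    edges, last_def = [], {}
    for i, ins in enumerate(nodes):
        defs, uses = defs_uses(ins)
        edges += [(last_def[r], i, "df:" + r) for r in sorted(uses) if r in last_def]
        last_def.update({r: i for r in defs})
        if ins["mnem"].startswith("j"):
            edges.append((i, by_addr[int(ins["ops"][0], 16)], "cf:jump"))
            if ins["mnem"] == "jmp":
                continue
        if i + 1 < len(nodes):
            edges.append((i, i + 1, "cf:seq"))
    return edges

# Behavior features as (manifestation predicate, root-source predicate) per type.
FEATURES = {
    "CWE-190": (lambda n: n["mnem"] == "call",       # call of a function taking an integer
                lambda n: n["mnem"] in ARITH),       # integer arithmetic operation
}

def reach(start, adj, limit):
    """BFS distances from start, expanding no node beyond the preset depth."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        v = queue.popleft()
        if dist[v] < limit:
            for w in adj.get(v, ()):
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
    return dist

def backward_slice(nodes, edges, depth):
    """One subgraph per (manifestation, root) pair: the nodes lying on paths from the
    root source point to the manifestation point within the slice depth."""
    preds, succs = {}, {}
    for s, t, _ in edges:
        preds.setdefault(t, set()).add(s)
        succs.setdefault(s, set()).add(t)
    subgraphs = []
    for cwe, (is_manif, is_root) in FEATURES.items():
        for m, ins in enumerate(nodes):
            if not is_manif(ins):
                continue
            back = reach(m, preds, depth)                 # backward BFS from the end node
            for r in sorted(back):                          # one-to-many candidate roots
                if r == m or not is_root(nodes[r]):
                    continue
                keep = set(back) & set(reach(r, succs, depth))
                subgraphs.append({
                    "cwe": cwe, "manifestation": nodes[m]["addr"], "root": nodes[r]["addr"],
                    "nodes": [nodes[i]["addr"] for i in sorted(keep)],
                    "edges": [e for e in edges if e[0] in keep and e[1] in keep]})
    return subgraphs

def detect(listing=ASM, depth=3):
    nodes = parse(listing)
    return backward_slice(nodes, build_epdg(nodes), depth)

if __name__ == "__main__":
    for sg in detect():
        print(sg["cwe"], hex(sg["root"]), "->", hex(sg["manifestation"]),
              [hex(a) for a in sg["nodes"]], len(sg["edges"]), "edges")
```

With depth 3 the slice from the call at 0x2c reaches the add at 0x14 and yields one subgraph; the load at 0x10 lies one step further back and is cut off, and with depth 2 no root candidate is reached at all, which is the incompleteness the text warns about when the preset slice depth is smaller than the manifestation-to-root distance.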
The application also provides a preferred embodiment of the vulnerability detection method for binary codes, and fig. 3 is a schematic flow diagram in a preferred embodiment.
Step S311, obtaining the vulnerability training code and the training patch code. The vulnerability training code can be the vulnerable code of open source software recorded in the CVE database together with the corresponding patched code, so that detailed vulnerability information, such as the vulnerability type and the real position of the training vulnerability root source point, can be derived from the training code and the patch code, and the training code can be labeled according to the patch code.
Step S312, compiling the vulnerability training code into assembly form; the architecture may be identified with the binwalk tool, and the binary is then disassembled into assembly code with a disassembler.
Step S313, generating a training extended program dependency graph from the training code in assembly form, in which the potential training vulnerability manifestation points and potential training vulnerability root source points are marked according to the CWE features.
Step S314, backward-slicing the training extended program dependency graph to obtain the training subgraphs.
Step S315, embedding the feature vectors into the training subgraphs, building the training sample set from the training subgraphs, and training the model on the training sample set to obtain the graph neural vulnerability detection model. Steps S311 to S315 constitute the training process of the model.
Step S321, obtaining the code to be detected and converting the binary code into assembly language to obtain the assembly code. The code to be detected is binary code that needs vulnerability detection; it may be ARM, x86, MIPS or another architecture, and a person skilled in the art can select the code to be detected and train a graph neural vulnerability detection model for the corresponding architecture according to actual needs.
Step S322, generating the extended program dependency graph of the code to be detected from the assembly code.
Step S323, identifying the potential vulnerability manifestation points and potential vulnerability root source points in the extended program dependency graph based on the vulnerability features.
Step S324, backward-slicing the extended program dependency graph according to the potential vulnerability manifestation points and potential vulnerability root source points to obtain the extended program dependency subgraphs.
Step S325, embedding the feature vectors into the extended program dependency subgraphs and classifying the subgraphs with the fully trained graph neural vulnerability detection model to obtain the vulnerability detection result. Steps S321 to S325 constitute the application process of the model, that is, the inference process.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the order of execution is not strictly limited and the steps may be performed in other orders. Moreover, at least some of the steps in these flowcharts may comprise several sub-steps or stages, which need not be performed at the same time but may be performed at different times, and whose order need not be sequential; they may be performed in turns or alternately with at least some of the other steps or stages.
Based on the same inventive concept, an embodiment of the application also provides a vulnerability detection device for implementing the above vulnerability detection method. The solution provided by the device is similar to that described for the method above, so for the specific limitations of the vulnerability detection device embodiments below, reference may be made to the limitations of the vulnerability detection method above, which are not repeated here.
In one embodiment, as shown in fig. 4, a vulnerability detection apparatus is provided, comprising an acquisition module 41, a computing module 42 and a generating module 43, wherein:
the acquisition module 41 is configured to acquire the code to be detected and generate the corresponding extended program dependency graph based on the code to be detected;
the computing module 42 is configured to identify the potential vulnerability manifestation points and corresponding potential vulnerability root source points in the extended program dependency graph, and to partition the extended program dependency graph based on them to obtain at least one extended program dependency subgraph;
the generating module 43 is configured to input the extended program dependency subgraphs into a fully trained graph neural vulnerability detection model to obtain the corresponding vulnerability detection result, where the vulnerability detection result includes the vulnerability type, the target vulnerability root source point and the target vulnerability manifestation point, and the graph neural vulnerability detection model is trained on a preset training sample set carrying vulnerability authenticity labels and vulnerability type labels.
The modules in the above-described vulnerability detection apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing vulnerability detection related data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a vulnerability detection method.
It will be appreciated by those skilled in the art that the structure shown in FIG. 5 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
The user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the above methods may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, performs the steps of the method embodiments described above. Any reference to memory, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory and the like. Volatile memory may include random access memory (RAM) or external cache memory and the like. By way of illustration and not limitation, RAM may take various forms such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processor referred to in the embodiments provided in the application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A vulnerability detection method for binary code, characterized in that the method comprises:
obtaining code to be detected, and generating a corresponding extended program dependency graph based on the code to be detected;
identifying potential vulnerability manifestation points and corresponding potential vulnerability root source points in the extended program dependency graph, and partitioning the extended program dependency graph based on the potential vulnerability manifestation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph;
inputting the extended program dependency subgraph into a fully trained graph neural vulnerability detection model to obtain a corresponding vulnerability detection result, wherein the vulnerability detection result includes a vulnerability type and a vulnerability authenticity result; the graph neural vulnerability detection model is trained based on a preset training sample set; and the training sample set carries vulnerability authenticity labels and vulnerability type labels.

2. The method according to claim 1, wherein identifying the potential vulnerability manifestation points and corresponding potential vulnerability root source points in the extended program dependency graph comprises:
performing vulnerability identification on the code to be detected based on the vulnerability behavior features respectively corresponding to different vulnerability types, to obtain the potential vulnerability manifestation points and corresponding potential vulnerability root source points in the code to be detected, wherein the potential vulnerability manifestation points and the potential vulnerability root source points are in a one-to-many relationship;
identifying the corresponding potential vulnerability manifestation points and potential vulnerability root source points in the extended program dependency graph based on the positions of the potential vulnerability root source points and the potential vulnerability manifestation points in the code to be detected.

3. The method according to claim 1, wherein obtaining the vulnerability type labels in the preset training sample set comprises:
identifying preset vulnerability training code based on vulnerability features to obtain potential training vulnerability manifestation points and potential training vulnerability root source points, and partitioning the extended program dependency graph corresponding to the vulnerability training code according to the potential training vulnerability manifestation points and the potential training vulnerability root source points to obtain at least one training subgraph;
determining the vulnerability type label corresponding to each training subgraph based on the vulnerability features of the training vulnerability manifestation points and the vulnerability features of the training vulnerability root source points.

4. The method according to claim 3, wherein obtaining the vulnerability authenticity labels in the preset training sample set comprises:
obtaining training patch code corresponding to the vulnerability training code, determining the position of the target training vulnerability root source point in the vulnerability training code, and verifying each training subgraph according to the position of the target training vulnerability root source point to obtain the vulnerability authenticity label corresponding to each training subgraph, wherein the training sample set is composed of the training subgraphs.

5. The method according to claim 1, wherein partitioning the extended program dependency graph based on the potential vulnerability manifestation points and the corresponding potential vulnerability root source points to obtain at least one extended program dependency subgraph comprises:
taking each potential vulnerability manifestation point as a starting point, backward-slicing the extended program dependency graph up to a preset slice depth to obtain the extended program dependency subgraphs; wherein the slice depth includes the distance between the potential vulnerability manifestation point and the corresponding potential vulnerability root source point; and each extended program dependency subgraph includes one potential vulnerability manifestation point and one corresponding potential vulnerability root source point.

6. The method according to claim 1, wherein the training sample set comprises training subgraphs, each training subgraph consisting of nodes and edges between the nodes; and obtaining the training sample set comprises:
embedding a corresponding node feature vector for each node and a corresponding edge feature vector for each edge, wherein the node feature vector includes operation node features, structured node features and semantic node features; and the edge feature vector includes the type of the edge, the type of data flow corresponding to the edge and the type of control flow corresponding to the edge.

7. The method according to claim 1, wherein obtaining the fully trained graph neural vulnerability detection model comprises:
The method according to claim 1, wherein obtaining the fully trained graph neural vulnerability detection model comprises: 获取初始图神经漏洞检测模型以及预设的携带有所述漏洞真实性标签和所述漏洞类型标签的训练样本集,其中,所述初始图神经漏洞检测模型包括图嵌入网络和分类网络;Obtaining an initial graph neural vulnerability detection model and a preset training sample set carrying the vulnerability authenticity label and the vulnerability type label, wherein the initial graph neural vulnerability detection model includes a graph embedding network and a classification network; 将所述训练样本集输入至所述初始图神经漏洞检测模型中进行训练,得到训练样本集预测结果,根据所述训练样本集预测结果与所述漏洞真实性标签和所述漏洞类型标签计算损失函数结果,并将所述损失函数结果的梯度反向传输至所述初始图神经漏洞检测模型进行迭代训练,生成训练完备的所述图神经漏洞检测模型。The training sample set is input into the initial graph neural vulnerability detection model for training to obtain the prediction result of the training sample set, the loss function result is calculated based on the prediction result of the training sample set and the vulnerability authenticity label and the vulnerability type label, and the gradient of the loss function result is reversely transmitted to the initial graph neural vulnerability detection model for iterative training to generate the fully trained graph neural vulnerability detection model. 8.根据权利要求1所述的方法,其特征在于,所述基于所述待检测代码生成对应的扩展程序依赖图,包括:8. 
The method according to claim 1, wherein generating a corresponding extended program dependency graph based on the code to be detected comprises: 对所述待检测代码中的指令按顺序进行扫描,基于每一所述指令得到对应的一个结点,其中,所述待检测代码为汇编程序的形式;Scanning instructions in the code to be detected in sequence, and obtaining a corresponding node based on each instruction, wherein the code to be detected is in the form of an assembly program; 基于所述指令的先继指令和后继指令,确定所述指令之间控制流和数据流的关系,基于所述控制流和所述数据流确定所述指令之间的边;Determining a control flow and a data flow relationship between the instructions based on a preceding instruction and a subsequent instruction of the instruction, and determining an edge between the instructions based on the control flow and the data flow; 基于所述结点和所述边,得到所述扩展程序依赖图。The extended program dependency graph is obtained based on the nodes and the edges. 9.一种针对二进制代码的漏洞检测装置,其特征在于,所述装置包括:9. A vulnerability detection device for binary code, characterized in that the device comprises: 获取模块,用于获取待检测代码,并基于所述待检测代码生成对应的扩展程序依赖图;An acquisition module, configured to acquire the code to be detected and generate a corresponding extension dependency graph based on the code to be detected; 计算模块,用于识别所述扩展程序依赖图中潜在漏洞表现点和对应的潜在漏洞根源点,并基于所述潜在漏洞表现点和对应的所述潜在漏洞根源点,对所述扩展程序依赖图进行划分,得到至少一个扩展程序依赖子图;a calculation module, configured to identify potential vulnerability manifestation points and corresponding potential vulnerability root points in the extension program dependency graph, and partition the extension program dependency graph based on the potential vulnerability manifestation points and the corresponding potential vulnerability root points to obtain at least one extension program dependency subgraph; 生成模块,用于将所述扩展程序依赖子图输入至训练完备的图神经漏洞检测模型中,得到对应的漏洞检测结果,其中,所述漏洞检测结果包括漏洞类型和漏洞真实性结果;所述图神经漏洞检测模型,是基于预设的训练样本集训练得到的;所述训练样本集携带有漏洞真实性标签以及漏洞类型标签。A generation module is used to input the extension dependency subgraph into a well-trained graph neural vulnerability detection model to obtain corresponding vulnerability detection results, wherein the 
vulnerability detection results include vulnerability types and vulnerability authenticity results; the graph neural vulnerability detection model is trained based on a preset training sample set; the training sample set carries vulnerability authenticity labels and vulnerability type labels. 10.一种计算机设备,包括存储器和处理器,所述存储器存储有计算机程序,其特征在于,所述处理器执行所述计算机程序时实现权利要求1至8中任一项所述的方法的步骤。10. A computer device comprising a memory and a processor, wherein the memory stores a computer program, wherein the processor implements the steps of the method according to any one of claims 1 to 8 when executing the computer program.
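The following is an added example written for this page, not the patent's own implementation, showing the graph construction of claim 8, the one-to-many manifestation/root identification of claim 2 and the depth-bounded backward slicing of claim 5 on a constructed toy assembly listing. The sink feature (a `call` mnemonic) and root feature (a `mov` reading a caller parameter register) are assumptions made here, not features the patent specifies.

```python
from collections import deque, namedtuple
Insn = namedtuple("Insn", "mnemonic defs uses")  # defs/uses are register names
LISTING = [  # constructed toy listing (hypothetical, x86-64 flavoured); one node per instruction
    Insn("mov", ["rax"], ["rdi"]),            # 0: destination pointer from caller
    Insn("mov", ["rcx"], ["rsi"]),            # 1: length from caller
    Insn("cmp", [], ["rcx"]),                 # 2: compare length with a bound
    Insn("jbe", [], []),                      # 3: conditional jump to 5
    Insn("mov", ["rcx"], []),                 # 4: clamp length (fall-through path only)
    Insn("lea", ["rdx"], ["rcx"]),            # 5: rdx = rcx + header size
    Insn("lea", ["rsi"], []),                 # 6: rsi = local buffer address
    Insn("call", [], ["rdi", "rsi", "rdx"]),  # 7: copy routine (assumed sink)
]
JUMPS, SINKS = {3: 5}, {"call"}  # branch source -> target (all branches conditional); assumed sink feature
PARAM_REGS = {"rdi", "rsi"}      # assumed root-point feature: a mov that reads a parameter register
def build_epdg(listing, jumps):  # edges are (src, dst, kind): control flow plus data flow (claim 8)
    preds, edges = {i: set() for i in range(len(listing))}, set()
    for i in range(len(listing) - 1):                        # fall-through control flow
        edges.add((i, i + 1, "control")); preds[i + 1].add(i)
    for src, dst in jumps.items():                           # branch-target control flow
        edges.add((src, dst, "control")); preds[dst].add(src)
    for i, insn in enumerate(listing):                       # data flow: reaching definitions
        for reg in insn.uses:
            seen, stack = set(), list(preds[i])
            while stack:                                     # walk back until reg is (re)defined
                j = stack.pop()
                if j in seen: continue
                seen.add(j)
                if reg in listing[j].defs: edges.add((j, i, "data:" + reg))
                else: stack.extend(preds[j])
    return edges

def backward_slice(edges, start, depth):  # BFS over reversed edges; returns node -> distance
    rev = {}
    for s, d, _ in edges: rev.setdefault(d, set()).add(s)
    dist, queue = {start: 0}, deque([start])
    while queue:
        n = queue.popleft()
        if dist[n] == depth: continue                        # preset slicing depth reached
        for p in rev.get(n, ()):
            if p not in dist: dist[p] = dist[n] + 1; queue.append(p)
    return dist
def split_subgraphs(listing, edges):  # one subgraph per (manifestation, root) pair (claim 5)
    out = {}
    for m in (i for i, x in enumerate(listing) if x.mnemonic in SINKS):
        full = backward_slice(edges, m, len(listing))        # unbounded slice to locate roots
        for r in full:                                       # one manifestation, many roots (claim 2)
            if listing[r].mnemonic == "mov" and set(listing[r].uses) & PARAM_REGS:
                out[(m, r)] = frozenset(backward_slice(edges, m, full[r]))  # depth = distance
    return out
```

On this listing the sink at node 7 has two roots (nodes 0 and 1), so two subgraphs are produced, each sliced only as deep as its own root; a real implementation would replace the mnemonic-based features with per-vulnerability-type behaviour features.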
CN202411773747.0A 2024-12-04 2024-12-04 A method, device and apparatus for detecting vulnerabilities in binary code Active CN119939590B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411773747.0A CN119939590B (en) 2024-12-04 2024-12-04 A method, device and apparatus for detecting vulnerabilities in binary code

Publications (2)

Publication Number Publication Date
CN119939590A CN119939590A (en) 2025-05-06
CN119939590B true CN119939590B (en) 2025-10-03

Family

ID=95538480

Country Status (1)

Country Link
CN (1) CN119939590B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110245496A (en) * 2019-05-27 2019-09-17 华中科技大学 A source code vulnerability detection method and detector, its training method and system
CN118520465A (en) * 2024-04-25 2024-08-20 北京理工大学 PHP source code vulnerability detection method based on extended program dependency graph

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115357904B (en) * 2022-07-29 2024-04-02 南京航空航天大学 Multi-class vulnerability detection method based on program slicing and graph neural network
US20240330455A1 (en) * 2023-03-28 2024-10-03 Optum, Inc. Source code vulnerability detection using deep learning
CN117093223A (en) * 2023-08-24 2023-11-21 南京邮电大学 High-efficiency static stain analysis method based on higher-order function

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant