A symbolic execution and ROP automatic penetration testing method based on progressive analysis switching
By employing a progressive analysis-based switching of symbolic execution and ROP automated penetration testing methods, the problem of missed detections in complex binary programs by existing tools has been solved. Stable vulnerability detection and cross-architecture automated processing have been achieved, improving the practicality and efficiency of automated tools.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA LIFE INSURANCE CO LTD
- Filing Date
- 2026-05-11
- Publication Date
- 2026-06-12
AI Technical Summary
Existing automated analysis tools are prone to hanging and have a high false negative rate when processing complex binary programs. They cannot automatically analyze the vulnerability patterns of complex binary programs, lack the ability to uniformly handle multiple architectures and linking methods, and cannot automatically select the optimal overflow strategy based on binary protection mechanisms.
The symbolic execution engine and ROP automated penetration testing method based on progressive analysis switching is adopted. By identifying the instruction set architecture, linking type and security protection mechanism of the binary program, and combining the progressive analysis deep switching mechanism and adaptive strategy logic, the stable operation of the symbolic execution engine and vulnerability detection are achieved.
It significantly reduces the false negative rate, achieves stable vulnerability detection and full-process automation on complex binary programs, can handle 100-megabyte IoT firmware programs, and generates unified payloads across architectures.
Smart Images

Figure CN122197034A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security assessment and binary vulnerability discovery technology, and in particular to an automated penetration testing method for symbolic execution and ROP based on progressive analysis switching. Background Technology
[0002] With the increasingly severe cybersecurity situation, binary vulnerability analysis and exploitation techniques have become essential skills for security researchers. In the PWN category of CTF competitions and in actual software security testing, it is often necessary to analyze ELF (Executable and Linkable Format) binary programs and exploit overflow vulnerabilities to gain privileges.
[0003] Existing automated analysis tools mainly suffer from the following technical problems: Symbolic execution is prone to suspension and has a high false negative rate: Existing automated analysis tools based on symbolic execution engines such as angr are highly susceptible to state explosions when constructing control flow graphs (CFGs) for complex binary data (especially statically linked or large programs), leading to process freezes or timeouts. Crucially, existing timeout handling strategies generally employ a "timeout equals process termination and discarding explored state" approach, resulting in severe false negatives in vulnerability discovery scenarios—the analyzer exits due to timeout and cannot report any results, even if the vulnerability does exist near the interrupted analysis path.
[0004] It cannot automate the analysis of vulnerability patterns in complex binary programs: in particular, it requires manual analysis of symbol tables, control flow graphs, etc., and it is difficult to automate the internal library function calls of statically linked programs.
[0005] Lack of unified processing capability for multiple architectures and linking methods: x86 and x64 are used in very different ways, and the memory layout of dynamic linking and static linking is completely different. Existing tools often require manual adaptation.
[0006] Unable to automatically select the optimal overflow strategy based on binary protection mechanisms: When faced with combined protections such as NX (non-executable stack), Canary (stack protection), PIE (address-independent executable), and RELRO (relocation read-only), manual repeated attempts are still required to select shellcode, ROP, or Ret2Libc strategies.
[0007] Therefore, there is an urgent need for an automated penetration testing technology solution that can operate stably in complex binary environments, significantly reduce false negative rates, and adaptively select exploitation strategies. Summary of the Invention
[0008] This invention proposes an automated penetration testing method for symbolic execution and ROP based on progressive analysis switching, in order to solve the technical problems of symbolic execution timeout failure and inability to adapt to architecture and protection strategies in the prior art.
[0009] To achieve the above objectives, the present invention adopts the following technical solution: a symbolic execution and ROP automated penetration testing method based on progressive analysis switching, comprising the following steps: S1: Load the target binary program, use the binary analysis engine to identify the instruction set architecture and link type of the target binary program, and parse its symbol table, GOT / PLT table information and security protection mechanism status; the security protection mechanism status includes at least the enabled status of NX, Canary, PIE and RELRO. S11: Load the target binary program file and identify the instruction set architecture Arch∈{x86,x64} and link type LinkType∈{Dynamic,Static} by parsing the ELF header information; S12: Extract the symbol table SymTab, global offset table GOT, and procedure link table PLT information of the program; S13: Detect and record the program's security protection mechanism state vector SecState=(NX,Canary,PIE,RELRO), with each component taking a Boolean value.
[0010] The Arch, LinkType, SymTab, and SecState mentioned above are encapsulated into structured data and used as initialization parameters for subsequent steps.
[0011] S2: Initialize the symbolic execution engine based on the Arch, LinkType, and SecState obtained in step S1. Start the symbolic execution engine to perform vulnerability analysis on the target binary program. Obtain the overflow offset Offset and vulnerability type VulnType through constraint solving and output them. During symbolic execution, a progressive analysis depth switching mechanism based on exploration value assessment is adopted. The mechanism includes: S21: Perform symbolic execution using the full control flow graph construction mode and set a time threshold. ; S22: When analysis time is detected satisfy ≥ Or, the constraint solution complexity metric C satisfies C≥ At that time, a state serialization operation is performed to extract and preserve a set of snapshots of the currently explored program state. and the set of branch constraints that have been discovered And the analysis process is not terminated; S23: In retention and Based on this, the analysis mode is switched to the limited depth taint tracking mode; the limited depth taint tracking mode satisfies the following constraints: Condition 1: For the set of basic blocks of the control flow graph Any basic block b in the set of user-controllable input variables, if basic block b does not contain any user-controllable input variables. If any access operation to a variable is performed, and it is not located on the data dependency path of that variable, then the expansion of the basic block b is terminated; This refers to the set of symbolic variables corresponding to external data received by the program through input functions, where the input functions include at least read, gets, and scanf. Condition 2: Number of steps to track the spread of taint , Set the maximum number of tracking steps; Condition 3: For the standard library function set For any function f in the dataset, a function summary model is used. Instead of internal path enumeration Describe the effects of modifying the input registers, output registers, and memory of function f.
[0012] S3: Based on the overflow offset Offset output from step S2 and the security protection mechanism state SecState obtained from step S1, execute the adaptive strategy switching logic and output the strategy decision result Strategy. The adaptive strategy switching logic includes: if NX is enabled, the decision is to use either ROP or Ret2Libc exploitation strategy; if Canary is not enabled, the decision is to use stack overflow overwrite strategy; if PIE is not enabled, the fixed address layout strategy is adopted. S31: Obtain the overflow point information output in step S2, including the overflow offset and overflow type VulnType; S32: Combining the security protection mechanism state vector SecState obtained in step S1, execute the adaptive policy switching logic; define the policy selection function, whose decision rules are as follows: ; in, Indicates in the set of program constraints The Canary value is then transmitted to the feasible solution set of the observable output channel.
[0013] S4: Receive the strategy decision result Strategy output from step S3 and the offset output from step S2. When the strategy decision is ROP or Ret2Libc exploitation strategy, automatically extract the instruction fragments from the target binary program to generate the ROP chain, and generate the final penetration test payload by combining the offset through byte sequence splicing operation and output it. when hour: ; when hour: ,in This represents a sequence of Offset padding bytes. The return address is a placeholder; ⌒ indicates a byte sequence concatenation operation. The address of the pop_rdi;ret instruction segment. This is the memory address of the string " / bin / sh". For system functions address.
[0014] Compared with existing technologies, the beneficial effects of this invention are as follows: By using a progressive analysis depth switching mechanism based on exploratory value assessment, it solves the technical problem of "abandoning upon timeout leading to missed detections" in existing technologies, achieving stable vulnerability detection with a low missed detection rate on complex binary programs. When the system encounters analysis stagnation, it does not terminate the process but switches to a lightweight tracing mode to continue producing valid vulnerability information, significantly improving the practicality of the automation tool.
[0015] By using a multi-dimensional binary analysis engine and an adaptive strategy switching mechanism, the problem that existing technologies cannot automatically select the exploitation strategy based on the protection mechanism is solved, and the entire process from information extraction to payload generation is automated.
[0016] By using the intelligent processing logic of the static linker, the problem of analyzing large statically compiled programs is solved, enabling the system to stably process IoT firmware programs of hundreds of megabytes in size.
[0017] By using multi-architecture ROP chain automatic generation technology, the problem of needing to manually write code for x86 and x64 architectures has been solved, and a unified payload generation capability across architectures has been achieved. Attached Figure Description
[0018] Figure 1 This is a flowchart illustrating the implementation of Embodiment 1 of the present invention. Detailed Implementation
[0019] To provide a further understanding of the purpose, structure, features, and functions of the present invention, detailed descriptions are provided below with reference to specific embodiments.
[0020] A symbolic execution and ROP automated penetration testing method based on progressive analysis switching includes the following sub-steps: S1: Load the target binary program, use the binary analysis engine to identify the instruction set architecture and linking type of the target binary program, and parse its symbol table, GOT / PLT table information, and security protection mechanism status; the security protection mechanism status includes at least the enabled status of NX, Canary, PIE, and RELRO; S11: Load the target binary program file, and identify the instruction set architecture by parsing the ELF header information. and link type ; Specifically, read the value at offset 0x12 in ELFHeader. Field (2 bytes): ; Link type The identification is achieved by checking for the existence of the program interpreter segment .interp. The section header table of the ELF file is parsed, and each section name is traversed; if a section with the name .interp exists, it is determined to be dynamically linked. ; S12: Extract the symbol table SymTab, global offset table GOT, and procedure link table PLT information of the program; For dynamically linked programs (LinkType=Dynamic), parse the following information: The Symbol Table (SymTab) reads the .dynsym section and extracts the name, type, binding attributes, and values for each symbol. It also imports a collection of functions. By symbol type And the bound attribute is The symbols constitute; The GOT table is read from the .got.plt section to establish an address mapping from functions to GOT table entries. : →Address; The address of a GOT entry is used to store the actual address of a function after it has been resolved, once the program is loaded. The PLT table reads the .plt section and extracts the starting address of the PLT stub code corresponding to each imported function. The PLT stub code is used to implement delayed binding, and the dynamic linker resolves the function address on the first call. For statically linked programs (LinkType=Static), record LinkType=Static and skip the dynamic resolution process described above.
[0021] S13: Detect and record the program's security protection mechanism state vector Each component takes a Boolean value.
[0022] Specifically, the following tests are included: 1. NX detection Read Program header entries Field (4 bytes). The permission flags are defined as follows: =1 (executable); =2 (writable); =4 (readable); The decision logic for NX is as follows: ; 2. Canary detection Traverse the symbol table and check if a symbol named __stack_chk_fail exists. This symbol is the failure handling function called by the GCC stack protection mechanism when a stack overflow is detected.
[0023] 3. Detection Read the value at offset 0x10 in ELFHeader Field (2 bytes): ; 4. Detection Read the permission flags of the segment containing the .got section. If the segment permissions do not include a writable flag ( If the result is positive, it is FullRELRO; otherwise, it is PartialRELRO. Address mapping: For statically linked programs (LinkType=Static), since there is no dynamic linker, the system automatically skips the resolution process for the .interp and .dynamic segments. When initializing the memory mapping of the symbolic execution engine, it is necessary to determine the address of each function in simulated memory. The following address mapping relationship is used: ,in, The address of function f in the symbolic execution simulation memory space is used by the symbolic execution engine to jump to when executing the call instruction; : The base address for loading statically linked programs. For x86 architecture, a typical value is 0x08048000 (this value comes from the default load address of the Linux kernel for 32-bit executables); for x64 architecture, a typical value is 0x00400000. The file offset of function f in the static binary file. This is achieved by parsing the section header table of the ELF file to locate the .text section, and then combining this with the information about function f in the symbol table. The field was calculated.
[0024] Specific calculation process: Read the program header table in the ELF file and find the type as... Furthermore, the virtual address range includes entries in the .text section; therefore, its value is taken. As For each function f, read from its symbol table entry. The field, the value of which is .
[0025] This mapping ensures that the symbolic execution engine can correctly locate all internal functions of the statically linked program in simulated memory, avoiding symbolic execution initialization failures due to address resolution errors. The aforementioned Arch, LinkType, SymTab, and SecState are encapsulated as structured data and used as initialization parameters for subsequent steps.
[0026] Through this step, the system completes a comprehensive static analysis of the target program within milliseconds, obtaining key parameters such as instruction set architecture (Arch), link type (LinkType), and security protection mechanism state (SecState), providing accurate basis for subsequent symbolic execution engine initialization configuration and exploitation strategy decisions.
[0027] S2: Initialize the symbolic execution engine based on the Arch, LinkType and SecState obtained in step S1, start the symbolic execution engine to perform vulnerability analysis on the target binary program, obtain the overflow offset Offset and vulnerability type VulnType through constraint solving and output them; Specifically, a progressive analysis depth switching mechanism based on exploratory value assessment is adopted during symbol execution. This mechanism includes: S21: Perform symbolic execution using the full control flow graph construction mode and set a time threshold. ; In this embodiment, angr is used as the underlying symbolic execution engine. First, the Project object is initialized based on the parameters obtained in step S1: If LinkType=Static, then a custom address mapping parameter is passed during loading, specifying the load base address through the main_opts field in load_options. Custom memory mapping rules ensure that library functions in the static linker can be correctly loaded into the simulated address space.
[0028] Constructing a complete control flow graph: Call the `project.analyses.CFGFast()` method, setting the parameter `resolve_indirect_jumps=True` to resolve instruction targets that jump indirectly through registers, and generate a complete control flow graph. .
[0029] Create initial symbol state : Determine the program's entry point (usually the main function or the _start function), and create a SimState object. Then, store the user input variables. The variable in the variable is set to a symbolic value. The determination rule is as follows: Identify all input function call points in the program (including read, gets, scanf, fgets, recv), mark the data written to the target buffer after calling these functions as symbolic variables, and add these symbolic variables to... gather.
[0030] Startup path exploration: Create a SimulationManager object and set the initial state. The explore() method is called to begin full-precision symbolic execution.
[0031] Set time threshold In this embodiment =30 seconds. The basis for determining this value is: according to the statistics of typical analysis time of CTFPWN problems, more than 95% of simple and medium difficulty problems can complete the full CFG construction and vulnerability location within 30 seconds; those that have not completed the analysis after more than 30 seconds are usually complex static compilation programs or large programs with state explosion, and continuing full-precision analysis in this case is extremely inefficient.
[0032] The runtime is continuously calculated during the analysis process: ,in The current system time. This is the system time at the start of phase S21.
[0033] S22: When analysis time is detected satisfy ≥ Or, the constraint solution complexity metric C satisfies C≥ At that time, a state serialization operation is performed to extract and preserve a set of snapshots of the currently explored program state. and the set of branch constraints that have been discovered And the analysis process is not terminated; Since the angr engine itself does not directly provide a statistical interface for constraint complexity, this embodiment achieves real-time calculation of C through the following method: Register the `step_func` callback function in `SimulationManager`. This function is called after each symbolic execution step (i.e., execution of a basic block). Within the callback function, iterate through all currently active states. For each state s in the constraint solver, obtain the constraint list (constraints) from its constraint solver.
[0034] For each constraint Calculate its two attributes: : Length of the constraint expression. This is achieved by traversing the abstract syntax tree (AST) of the constraint expression, recursively calculating the total number of all child nodes. Typical AST nodes include: variable nodes, constant nodes, and operator nodes (addition, subtraction, multiplication, division, comparison, logical operations, etc.). The sum of bit widths of symbolic variables involved in the constraint. Traverse all leaf nodes of the constraint AST, and if the variable type is symbolic, obtain its size() attribute (unit: bits), and sum them to get the total bit width.
[0035] The formula for calculating the constraint solution complexity metric C is: , where M is the number of currently active constraints; The number of abstract syntax tree nodes contained in the symbolic expression of the j-th constraint, typically ranging from 1 to several hundred; The sum of the bit widths of the symbolic variables in the j-th constraint is in bits. For example, for a constraint involving a 32-bit integer variable x and a 64-bit pointer variable y, =32 + 64 = 96. The formula uses an exponential term. The reason is that when constraint solvers (such as Z3) solve constraints containing wide bit variables, the computational complexity increases exponentially with the bit width, and this formula accurately reflects the actual solution time. In this embodiment, Values The basis for determining this value is: based on statistical analysis of 100 CTFPWN questions, when the C value reaches... At this scale, the single solution time of the constraint solver usually exceeds 5 seconds, which seriously affects the overall analysis efficiency. At this time, triggering mode switching can significantly shorten the overall analysis time while ensuring that no critical vulnerabilities are missed.
[0036] In other embodiments, It can be dynamically adjusted according to hardware configuration: .
[0037] The system performs a state serialization operation when the following triggering conditions are met: ; The specific implementation of the state serialization and saving operation is as follows: State snapshot saving: The current SimulationManager object is serialized using Python's pickle library. The data to be saved includes: active_states (a list of active states), stalls (a dictionary of states in each stall area, including categories such as deadended, avoid, and errored), and the exploration strategy configuration. The serialized data is written to the file snapshot.pkl.
[0038] Constraint set storage: Traverse the constraint list of all states, extract the string representation of each constraint and the associated symbolic variable information, and save it in JSON format as a constraints.json file.
[0039] After serialization is complete, the system does not call sys.exit() or the process termination function, but continues to step S23. This design is the key difference between this invention and the existing "timeout abandonment" strategy.
[0040] S23: In retention and Based on this, the analysis mode is switched to the limited depth taint tracking mode; the limited depth taint tracking mode satisfies the following constraints: Condition 1: For the set of basic blocks of the control flow graph Any basic block b in the set of user-controllable input variables, if basic block b does not contain any user-controllable input variables. If any access operation to a variable is performed, and it is not located on the data dependency path of that variable, then the expansion of the basic block b is terminated; This refers to the set of symbolic variables corresponding to external data received by the program through input functions, where the input functions include at least read, gets, and scanf. Among them, the correlation function R(b, ), used to determine whether basic block b is related to user-controllable input.
[0041] Judgment rule: In the VEXIR statement sequence of basic block b, if there is a read from... An operation on any symbolic variable or its data dependency chain on a temporary variable is considered an association, R(b, )=1; otherwise R(b, )=0.
[0042] Implementation: Add taint propagation logic to the step_func callback function. During initialization, Variables in the IR are marked as "tainted". When executing each IR statement, if the source operand of the statement is tainted, the destination operand is also marked as tainted. If, after a basic block b is executed, no register or memory location in its exit state is tainted, it is determined that the basic block is not associated with user input, its address is added to the avoid set of SimulationManager, and subsequent explorations will automatically skip this address.
[0043] Condition 2: Number of steps to track the spread of taint , Set the maximum number of tracking steps; Here, the number of tracking steps is defined. This represents the number of basic block jumps from the tainted instruction to the current instruction. Maintain a step counter associated with each state; during state transitions, the new state's... =Parent state +1.
[0044] The tracking process strictly meets the following constraints: ≤ In this embodiment, The value is 50. This value strikes the best balance between analysis efficiency and vulnerability discovery coverage.
[0045] During the tracing process, the system continuously collects path constraints from the taint introduction point to the current instruction, forming a constraint set. . The mathematical definition of Φ is: tracked ={Ф i |Ф i The path constraint from the taint introduction point to the current instruction.
[0046] When the number of tracking steps in a certain state achieve If a symbolic state S is added to a deadended stash, the system performs an overflow condition check on that state. If all constraints and overflow conditions are included, a potential overflow is determined, and the overflow offset is recorded. The overflow conditions include: for the strcpy(dst,src) function, the constraint is len(src) > sizeof(dst); for the read(fd,buf,size) function, the constraint is... .
[0047] Condition 3: For the standard library function set For any function f in the dataset, a function summary model is used. Instead of internal path enumeration Describe the effects of modifying the input registers, output registers, and memory of function f; The abstract model Σ(f) is a triple:
[0048] .in For input registers and parameter sets, This is the set of output registers and return values, and MemEffect describes the memory modification effect.
[0049] Implementation: A pre-defined summary dictionary is used, with the key being the library function name and the value being the corresponding processing function. When symbolic execution encounters a `call` instruction and the target address belongs to... Instead of creating a new SimState to enter the function body, the corresponding processing function in the summary dictionary is called directly, passing in the current state and the calling parameters. The processing function returns the modified state.
[0050] Through the synergistic effect of the three constraints mentioned above, the second analysis phase can maintain the ability to effectively detect overflow vulnerabilities while significantly reducing computational complexity. S3: Based on the overflow offset Offset output from step S2 and the security protection mechanism state SecState obtained from step S1, execute the adaptive strategy switching logic and output the strategy decision result Strategy. The adaptive strategy switching logic includes: if NX is enabled, the decision is to use either ROP or Ret2Libc exploitation strategy; if Canary is not enabled, the decision is to use stack overflow overwrite strategy; if PIE is not enabled, the fixed address layout strategy is adopted. S31: Obtain the overflow point information output in step S2, including the overflow offset and overflow type VulnType; The overflow offset Offset: the number of padding bytes required to cover the return address, is directly output by the overflow determination process in step S2; The overflow type, VulnType, is a vulnerability type identifier, where VulnType ∈ {StackOverflow, FormatString, HeapOverflow}. A typical application scenario for this invention is StackOverflow.
[0051] S32: Combining the security protection mechanism state vector SecState obtained in step S1, execute the adaptive policy switching logic; define the policy selection function. Its decision-making rules are as follows:
[0052] in, Indicates in the set of program constraints The Canary value is then transmitted to the feasible solution set of the observable output channel.
[0053] When SecState.Canary=True, the system performs a Canary leak search. The specific implementation steps are as follows: Canary symbolic variable location: In the symbolic execution engine, the Canary value is usually read from fs:[0x28] (x64) or gs:[0x14] (x86). During initialization, a separate symbolic variable is allocated for this memory location and marked as CanaryValue.
[0054] Output channel identification: During symbolic execution, monitor all call points of output functions. Output functions include: write, printf, puts, fwrite, send, etc. For each output function call, analyze the sources of taint in its output buffer parameters.
[0055] Leakage Detection: If the data dependency path of the output buffer contains the symbolic variable CanaryValue, and there is no masking or truncation operation on this variable, then a feasible solution with a Canary leak is determined to exist. At this point, .
[0056] Result processing: like If so, then Strategy = ROP_with_Leak. During subsequent payload generation, the Canary value obtained from the leak channel needs to be embedded in the ROP chain.
[0057] like If Strategy=Unexploitable, it means that the Canary value cannot be obtained under the current constraints. This overflow point cannot be used for actual purposes, and the system will exit after marking it.
[0058] If SecState.PIE=False, it means that address-independent executable protection is not enabled in the program, and the addresses of the code segment and data segment are fixed. In this case, the fixed addresses parsed from the binary file (such as the address of the system function, gadget address, etc.) can be used directly in the subsequent ROP chain generation, without the need for address leakage and base address calculation.
[0059] This step enables automatic strategy selection without manual intervention, significantly lowering the barrier to solving CTFPWN problems. The system automatically matches the optimal utilization strategy based on the combination of protection mechanisms, avoiding the process of repeated manual trials.
[0060] S4: Receive the strategy decision result Strategy output from step S3 and the offset output from step S2. When the strategy decision is ROP or Ret2Libc exploitation strategy, automatically extract the instruction fragments from the target binary program to generate the ROP chain, and generate the final penetration test payload by combining the offset through byte sequence splicing operation and output it. when hour: ; when hour: ,in This represents a sequence of Offset padding bytes. The return address is a placeholder; ⌒ indicates a byte sequence concatenation operation. The address of the pop_rdi;ret instruction segment. This is the memory address of the string " / bin / sh". For system functions address. Example
[0061] Example 1: Automated Exploitation of a 64-bit Dynamically Linked Program with NX Protection. This example applies to pwn1, a common PWN challenge in CTF competitions. The program is a 64-bit dynamically linked ELF file with the following protection mechanism: , Canary=False, PIE=False, ; S1: The system loads pwn1 and parses the ELF header. =62 → Arch=x64; .interp section exists → LinkType=Dynamic. Security check: GNU_STACK permissions are RW (no EXEC) → NX=True; __stack_chk_fail is not found in the symbol table → Canary=False; =2 (ET_EXEC) → PIE = False; .got section permissions are RW → RELRO = Partial.
[0062] S2: The system initializes angrProject, running in full CFG mode. Within 8 seconds, the input stream of the gets function is traced, revealing that the RIP register is overwritten when the input length exceeds 40 bytes. Offset = 40 bytes and VulnType = StackOverflow are confirmed. Because... =8 seconds< =30 seconds, no mode switching triggered.
[0063] S3: The strategy decision module receives SecState and Offset. Since NX=True and Canary=False, Strategy=ROP. Since PIE=False, a fixed address strategy is adopted.
[0064] S4: ROP generates a module that scans the code segment and extracts the pop_rdi gadget at address 0x4006a3. It searches for the string / bin / sh in the .rodata section, finding it at address 0x4007b4. It retrieves the address of the system function from the symbol table, finding it to be 0x4005e0. Payload generated: P = (A) {40} ⌒(0x4006a3)⌒(0x4007b4)⌒(0x4005e0); Result: Successfully obtained system shell after executing the payload. The entire process took 8.2 seconds.
[0065] Example 2: Preventing false negatives in large statically compiled programs This embodiment applies to the statically linked program httpd extracted from the firmware of an IoT device. The program is x86 architecture, 15.3MB in size, and its protection mechanism status is: SecState=(NX=True,Canary=False,PIE=False,RELRO=Partial) S1: Arch=x86, LinkType=Static. Addr_base is set to 0x08048000. Skip the dynamic resolution process and establish a static address mapping relationship.
[0066] S2: Seconds 0-30: The first analysis phase runs, building the complete CFG. Because the static link includes the complete musl-libc library, the number of CFG_full nodes exceeds 2×10^4, making the build process extremely slow. Continued growth.
[0067] 30 seconds: =30 seconds, satisfied ≥ This triggers the switching condition.
[0068] State preservation: The system calls pickle to serialize the current SimulationManager object and save it. (Contains approximately 2500 analyzed basic block states) and The process does not exit.
[0069] Mode switching: Engine from .pkl restores state and switches to limited depth taint tracking mode. The value is 50.
[0070] Seconds 31-38: The second analysis phase only tracks the user input stream read by the `read` function, skipping the expansion of unrelated basic blocks such as the AES decryption function in `libcrypto.a`. Library function calls preceding dangerous functions like `strcpy` are processed using the digest model Σ(f).
[0071] At 38 seconds: A buffer overflow was detected at the sprintf function call in the parse_request function. The constraint solver returned a feasible solution, outputting Offset=1024 bytes, VulnType=StackOverflow.
[0072] S3: The strategy decision module determines Strategy=ROP (because NX=True, Canary=False).
[0073] S4: Since the static linker contains a large number of gadgets, the ROP generation module extracts the sequence popaix;popebx;popecx;int0x80, constructs the execve system call chain, and generates the complete payload.
[0074] Results: The vulnerability was stably located and exploit code was generated within a total time of 38 seconds. In contrast, the unmodified angr tool exited directly after 30 seconds due to a timeout setting, with empty output (false negative). The false negative rate of this invention in this scenario is 0.
[0075] The present invention has been described in the above-described embodiments; however, these embodiments are merely examples for implementing the present invention. It must be noted that the disclosed embodiments do not limit the scope of the present invention. Conversely, any modifications and refinements made without departing from the spirit and scope of the present invention are within the scope of patent protection of the present invention.
Claims
1. A symbolic execution and ROP automated penetration testing method based on progressive analysis switching, characterized in that, include: S1: Load the target binary program, use the binary analysis engine to identify the instruction set architecture Arch and link type LinkType of the target binary program, and parse its symbol table, GOT / PLT table information and security protection mechanism status SecState; The security protection mechanism status includes at least the enabled status of NX, Canary, PIE, and RELRO, with values being Boolean. S2: Initialize the symbolic execution engine based on the Arch, LinkType and SecState obtained in step S1, start the symbolic execution engine to perform vulnerability analysis on the target binary program, obtain the overflow offset Offset and vulnerability type VulnType through constraint solving and output them; Specifically, a progressive analysis depth switching mechanism based on exploratory value assessment is adopted during symbol execution. This mechanism includes: S21: Perform symbolic execution using the full control flow graph construction mode and set a time threshold. ; S22: When analysis time is detected satisfy ≥ Or, the constraint solution complexity metric C satisfies C≥ At that time, a state serialization operation is performed to extract and preserve a set of snapshots of the currently explored program state. and the set of branch constraints that have been discovered And the analysis process is not terminated; S23: In retention and Based on this, the analysis mode is switched to the limited depth taint tracking mode; the limited depth taint tracking mode satisfies the following constraints: Condition 1: For the set of basic blocks of the control flow graph Any basic block b in the set of user-controllable input variables, if basic block b does not contain any user-controllable input variables. If any access operation to a variable is performed, and it is not located on the data dependency path of that variable, then the expansion of the basic block b is terminated; This refers to the set of symbolic variables corresponding to external data received by the program through input functions, where the input functions include at least read, gets, and scanf. Condition 2: Number of steps to track the spread of taint , Set the maximum number of tracking steps; Condition 3: For the standard library function set For any function f in the dataset, a function summary model is used instead of internal path enumeration. Describe the effects of modifying the input registers, output registers, and memory of function f; S3: Based on the overflow offset Offset output from step S2 and the security protection mechanism state SecState obtained from step S1, execute the adaptive strategy switching logic and output the strategy decision result Strategy. The adaptive strategy switching logic includes: if NX is enabled, the decision is to use either ROP or Ret2Libc exploitation strategy; if Canary is not enabled, the decision is to use stack overflow overwrite strategy; if PIE is not enabled, the fixed address layout strategy is adopted. S4: Receive the strategy decision result (Strategy) output from step S3 and the offset output from step S2. When the strategy decision is ROP or Ret2Libc, automatically extract the instruction fragments from the target binary program to generate the ROP chain, and generate the final penetration test payload by combining the offset through byte sequence splicing operation and output it.
2. The symbolic execution and ROP automated penetration testing method based on progressive analysis switching as described in claim 1, characterized in that, In the second analysis phase of S23, the maximum number of tracking steps The range of values for satisfies: And when tracking steps At that time, based on the already collected set of constraints Determine whether there are potential overflow conditions; the constraint set Defined as: Φ tracked ={Ф i |Ф i The path constraint from the taint introduction point to the current instruction; if there exists a symbolic state S that simultaneously satisfies Φ tracked If all constraints and overflow determination conditions are found, a potential overflow is determined, and the overflow offset Offset is recorded. The overflow determination conditions include: for the strcpy(dst,src) function, the constraint condition is len(src)>sizeof(dst); for the read(fd,buf,size) function, the constraint condition is size>sizeof(buf).
3. The symbolic execution and ROP automated penetration testing method based on progressive analysis switching as described in claim 1, characterized in that, In the S1 information extraction step, if the LinkType of the target binary program is identified as Static, the parsing of the dynamic linker path is automatically skipped, and the following address mapping relationship is used to determine the mapping address of function f in simulated memory: ,in, This is the address of function f in simulated memory. The base address is loaded by the static linker. This is the file offset of function f in the static binary file.
4. The symbolic execution and ROP automated penetration testing method based on progressive analysis switching as described in claim 1, characterized in that: In the S22 switching decision and state maintenance step, the constraint solution complexity metric C is defined as: Where M is the number of currently active constraints, Let be the number of abstract syntax tree nodes contained in the symbolic expression of the j-th constraint. The sum of the bit widths of the symbolic variables in the j-th constraint; when When this occurs, the state serialization operation and mode switching are triggered. The preset complexity threshold is set to a value of 1. .
5. The symbolic execution and ROP automated penetration testing method based on progressive analysis switching as described in claim 1, characterized in that: The S3 strategy decision-making step further includes: if Canary=True in SecState, then perform a Canary leak search to determine the program constraint set. Does a feasible solution exist that satisfies the following conditions: the Canary value is transmitted to an observable output channel, which includes at least standard output, standard error, network socket write, and file write? If no feasible solution exists that satisfies the conditions, then the Strategy is marked as Unexploitable.
6. The symbolic execution and ROP automated penetration testing method based on progressive analysis switching as described in claim 1, characterized in that: In the S4 load generation step, for the X64 architecture, the generated ROP chain load structure satisfy: ; For the x86 architecture, the generated ROP chain load structure satisfy: ,in This represents a sequence of Offset padding bytes. The return address is a placeholder; ⌒ indicates a byte sequence concatenation operation. The address of the pop_rdi;ret instruction segment. This is the memory address of the string " / bin / sh". For system functions address.