Computer Science and Technology

Unlink Attack Detection Method Based on Symbolic Execution

  • 1. National University of Defense Technology
    2. South China University of Technology
Huang Ning (黄宁) (born 1990), male, PhD candidate, mainly engaged in research on software vulnerability analysis

Received: 2017-12-20

  Revised: 2018-02-11

  Online published: 2018-07-01

Funding

 National Key Research and Development Program of China, “Cyberspace Security” key special project (2017YFB0802905)

Detection of Unlink Attack Based on Symbolic Execution

  • 1. Electronic Engineering Institute, National University of Defense Technology, Hefei 230037, Anhui, China;
    2. School of Automation Science and Engineering, South China University of Technology, Guangzhou 510640, Guangdong, China

Received date: 2017-12-20

  Revised date: 2018-02-11

  Online published: 2018-07-01

Supported by

 Supported by the National Key Research and Development Program “Cyberspace Security” (2017YFB0802905)

Abstract

The unlink attack is a form of attack against heap overflow vulnerabilities on the Linux platform. Existing buffer overflow attack detection techniques locate the vulnerability trigger point and generate test cases by checking the program's control-flow state. However, because heap overflow data rarely lead directly to control-flow hijacking, and because the relevant protection mechanisms restrict the trigger conditions, existing detection techniques find it hard to judge whether a program satisfies the conditions for a heap overflow attack. To improve program security and detect unlink attacks, this paper analyses existing unlink attack instances, summarises the characteristics of the unlink attack, builds an unlink attack detection model, and proposes an unlink attack detection method based on that model. The method uses taint analysis to monitor the program's input data and sensitive operations; uses selective symbolic execution to construct the path constraints for the propagation of tainted variables and the data constraints that trigger an unlink attack; and, by solving these constraints, judges whether the program's heap overflow vulnerability satisfies the unlink attack trigger conditions and generates test cases. Experiments show that the method can effectively detect unlink attacks.

Cite this article

HUANG Ning, HUANG Shuguang, LIANG Zhichao (黄宁, 黄曙光, 梁智超). Detection of Unlink Attack Based on Symbolic Execution [J]. Journal of South China University of Technology (Natural Science Edition), 2018, 46(8): 81-87. DOI: 10.3969/j.issn.1000-565X.2018.08.012

Abstract

The unlink attack is a kind of attack against heap-based overflow vulnerabilities in Linux. Existing detection techniques for buffer overflow attacks find the vulnerability trigger point and generate test cases by checking the control-flow state. However, heap-based overflow data seldom lead to control-flow hijacking, and protection mechanisms limit the trigger condition, so it is hard for existing detection techniques to judge whether the conditions of an unlink attack are satisfied. To improve software security and detect the unlink attack, this paper summarizes the features of the unlink attack by analyzing instances, builds a detection model for the unlink attack, and proposes an unlink detection method based on that model. The method monitors the program's input data and sensitive operations using taint analysis; builds the path constraints of tainted data and the data constraints that satisfy the condition of the unlink attack by selective symbolic execution; and, by solving these constraints, judges whether the program can be attacked by unlink and generates test cases. Experiments show that this method can detect the unlink attack effectively.
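The abstract refers to the protection mechanisms that restrict when an unlink attack can be triggered: the "sensitive operation" the method watches is the allocator's unlink of a free-list chunk whose link fields may have been overwritten by a heap overflow. The following C program is an added example, not code from the paper or from any allocator; it models a free-list chunk with only its `fd`/`bk` fields (size metadata and the newer size-based checks of real allocators are deliberately left out, an assumption) and implements an integrity check modelled on glibc's safe-unlink test, which refuses to unlink a chunk whose neighbours do not point back at it. The two scenarios (constructed) show an intact list being unlinked and an overwritten chunk being detected and refused, which is the condition a detection tool such as the one described would need to reason about.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of a chunk on a malloc free list. Only the two link fields are
   modelled (assumption: prev_size/size metadata and the size-based checks of
   real allocators are left out of this example). */
typedef struct chunk {
    struct chunk *fd;   /* forward pointer to the next free chunk */
    struct chunk *bk;   /* backward pointer to the previous free chunk */
} chunk_t;

/* Integrity check modelled on glibc's safe-unlink test ("corrupted double-linked
   list"): chunk P may only be removed if its forward neighbour's bk and its
   backward neighbour's fd both point back at P. Link fields overwritten by an
   overflow that break this invariant are reported instead of dereferenced. */
bool unlink_links_consistent(const chunk_t *p)
{
    if (p == NULL || p->fd == NULL || p->bk == NULL)
        return false;
    return p->fd->bk == p && p->bk->fd == p;
}

/* Remove P from the list only when the check passes. Returns false and leaves
   the list untouched when the link fields look corrupted. */
bool safe_unlink(chunk_t *p)
{
    if (!unlink_links_consistent(p)) {
        fprintf(stderr, "corrupted double-linked list: refusing to unlink %p\n",
                (void *)p);
        return false;
    }
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    p->fd = p->bk = NULL;
    return true;
}

/* Helper: link a, b, c into a circular free list a <-> b <-> c <-> a. */
static void build_list(chunk_t *a, chunk_t *b, chunk_t *c)
{
    a->fd = b; b->fd = c; c->fd = a;
    a->bk = c; b->bk = a; c->bk = b;
}

/* Scenario 1 (constructed): intact list; unlinking b succeeds and a and c are
   re-linked to each other. Returns 1 on the expected outcome, 0 otherwise. */
int demo_intact(void)
{
    chunk_t a = {0}, b = {0}, c = {0};
    build_list(&a, &b, &c);
    return safe_unlink(&b) && a.fd == &c && c.bk == &a;
}

/* Scenario 2 (constructed): b's link fields have been overwritten, as an
   overflow from the preceding chunk into b's header would do. The neighbours
   they now name do not point back at b, so the unlink is refused and the
   original list stays intact. Returns 1 on the expected outcome, 0 otherwise. */
int demo_corrupted(void)
{
    chunk_t a = {0}, b = {0}, c = {0}, bogus = {0};
    build_list(&a, &b, &c);
    b.fd = &bogus;   /* bogus.bk != &b ...                        */
    b.bk = &bogus;   /* ... and bogus.fd != &b: invariant broken  */
    return !safe_unlink(&b) && a.fd == &b && c.bk == &b;
}

int main(void)
{
    printf("intact list unlinked as expected:    %s\n", demo_intact() ? "yes" : "no");
    printf("corrupted chunk refused as expected: %s\n", demo_corrupted() ? "yes" : "no");
    return 0;
}
```

The check is the reason the abstract notes that a heap overflow seldom leads directly to control-flow hijack: whatever an overflow writes into `fd` and `bk` must still satisfy the invariant at the moment of the unlink, which is exactly the data constraint the paper's symbolic execution has to capture, and any candidate test case it produces can be validated by replaying it against a check like this one.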
